An evaluation and optimization method of xacml security policy

Abstract

The invention provides an evaluation and optimization method for an XACML (Extensible Access Control Markup Language) security strategy. The method comprises the following steps of: eliminating a redundancy rule; establishing a judgment result buffer pool and an XACML security strategy buffer pool; and dynamically changing the position of an XACML security strategy / rule. Specific to the performance defects and functional defects along with increase in the complexity of the strategy scale and strategy semantics in an existing XACML standard, the XACML security strategy evaluation and optimization method based on strategy redundancy elimination, caching and reordering is provided. Through adoption of the method, relevant optimum processing methods such as strategy analysis, rule matching and judgment response can be provided for performing fine-grained access control on resources; the efficiency during solving of the problems of strategy information retrieval, multi-strategy matching and the like with an XACML security strategy evaluation engine is increased effectively; and the system availability is enhanced. Moreover, the method can adapt to various strategy merging algorithms, and has high flexibility and availability.

Description

technical field [0001] The invention relates to an optimization method, in particular to an evaluation and optimization method of an XACML security policy. Background technique [0002] The access control markup language XACML (extensible access control markup language) has gradually become the actual standard for many enterprise applications and commercial products to implement security authorization functions. Emerging businesses such as distributed resource sharing, Web services, and inter-domain collaboration need to formulate a large number of XACML policy entries to implement fine-grained access control on resources. However, with the increase in policy size and policy semantic complexity, policy evaluation efficiency has become a constraint on system availability. key bottleneck. Although the XACML specification provides an implementation framework for access control, it does not provide related optimization processing methods such as policy analysis, rule matching, ...

AI Technical Summary

Problems solved by technology

Emerging businesses such as distributed resource sharing, Web services, and inter-domain collaboration need to formulate a large number of XACML policy entries to implement fine-grained access control on resources. However, with the increase in policy size and policy semantic complexity, policy evaluation efficiency has become a constraint on system availability. the key bottleneck of

Although the XACML specification provides an implementation framework for access control, it does not provide related optimization processing methods such as policy analysis, rule matching, and judgment response, which largely leads to the XACML policy evaluation engine's inability to process policy information retrieval, multi-policy, etc. The actual performance index is low when there are problems such as matching, which is manifested in large system resource overhead, long delay in response to access requests, and many remote communication interactions, so it cannot meet the high business throughput of commercial applications.

Images