A Method for Optimizing Access Control Policy

Abstract

The invention discloses an access control strategy optimization method, and belongs to the field of network safety. The method mainly comprises the steps of defining rule conflicts and redundancy, andbefore a rule is found, newly defining conflicts of an XACML rule; splitting multiple attributes of the rule to reduce granularity of the rule to the lowest level; splicing main body, resource and behavior rule element character strings to form a new triple rule information character string based on the finding of the rule conflicts and redundancy sets of the XACML triple Hash, calculating a Hashvalue of the rule information character string, wherein if the Hash values of the different character strings are conflicted, this is the conflict or the redundancy set; selectively deleting the ruleconflict or redundancy based on the Maximum number of matching times of the rule: selectively deleting the rule by calculating engine performance cost of the rule after the conflict or redundancy iseliminated; and inversely compressing the split rule.

Description

technical field [0001] The invention relates to an access control policy optimization method, which belongs to the field of network security. Background technique [0002] In the 2016 document "XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization", Qi Yong, Chen Jun and others were inspired by the rule compression of the document "An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption" and first proposed detailed A granular rule redundancy analysis method, but this method does not take into account the change in the maximum number of matches before and after splitting and merging rules. If the number of matches becomes larger, it will directly affect the performance of the rule engine. This paper makes an in-depth analysis of this problem in the stages of rule conflict and redundancy elimination, and proposes a scheme for selection optimization. [0003] Secondly, the definition in the document "X...

AI Technical Summary

Problems solved by technology

[0002] Qi Yong, Chen Jun and others were inspired by the rule compression in the document "An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption" in the 2016 document "XACML Policy Sets by Recursive Subsumption". A granular rule redundancy analysis method, but this method does not take into account the change in the maximum number of matches before and after the rule is split and merged. If the number of matches becomes larger, it will directly affect the performance of the rule engine

[0003] Secondly, the definition in the document "XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization" still adopts the definition of the document "A XACML Rule Conflict and Redundancy Analysis Method" in the rule discovery stage, and fails to follow the rule Changes in rule characteristics after splitting to consider rule conflicts and redundancy issues

Moreover, in the existing literature, the adjustment of rules according to the combination algorithm is proposed separately to improve performance. For example, in the document "XACML Policy Evaluation Engine Based on Multi-Level Optimization Technology", a rule refinement method based on combination algorithm reordering is proposed. However, the rule conflicts in this paper are based on rule-level conflicts, and all rule conflicts cannot be found further based on the reordering results

Images