A Method for Optimizing Access Control Policy

An access control policy optimization method applied in the field of network security. It addresses problems in existing approaches such as rule conflicts, conflict detection limited to the rule level, and failure to consider changes in the maximum number of rule matches.

Active Publication Date: 2021-01-05
HARBIN ENG UNIV

AI Technical Summary

Problems solved by technology

[0002] In the 2016 document "XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization", Qi Yong, Chen Jun and others, inspired by the rule compression in the document "An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption", proposed a fine-grained rule redundancy analysis method. However, this method does not take into account the change in the maximum number of matches before and after rules are split and merged. If the number of matches becomes larger, it directly affects the performance of the rule engine.

[0003] Secondly, in the rule discovery stage, the document "XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization" still adopts the definition from the document "A XACML Rule Conflict and Redundancy Analysis Method", and fails to consider rule conflicts and redundancy in light of the changes in rule characteristics after splitting.

Moreover, the existing literature separately proposes adjusting rules according to the combining algorithm to improve performance. For example, the document "XACML Policy Evaluation Engine Based on Multi-Level Optimization Technology" proposes a rule refinement method based on combining-algorithm reordering. However, the rule conflicts in that paper are rule-level conflicts, and it cannot go on to find all rule conflicts based on the reordering results.


Examples


Embodiment Construction

[0028] The present invention is described in detail below with reference to the accompanying drawings and examples:

[0029] 1) Define conflicts and redundancy.

[0030] Definition 4.1 (deny-overrides reordering): Let $RS = \{R_1, R_2, \ldots, R_n\}$ be a policy set containing n rules whose combining algorithm is deny-overrides. All rules with the effect Deny are placed in front of all the Permit rules, giving $RS' = \{[R_D, R_D, \ldots, R_D], [R_P, R_P, \ldots, R_P]\}$, where $R_D$ represents all the rules in RS whose effect is Deny and $R_P$ represents all the rules in RS whose effect is Permit.

[0031] Definition 4.2 (permit-overrides reordering): Let $RS = \{R_1, R_2, \ldots, R_n\}$ be a policy set containing n rules whose combining algorithm is permit-overrides. All rules with the effect Permit are placed in front of all the Deny rules, giving $RS' = \{[R_P, R_P, \ldots, R_P], [R_D, R_D, \ldots, R_D]\}$, where $R_D$ indicates all the ru...


Abstract

The invention discloses an access control policy optimization method and belongs to the field of network security. The method mainly comprises the following steps: defining rule conflicts and redundancy, where XACML rule conflicts are newly defined before rule discovery; splitting the multiple attributes of each rule to reduce rule granularity to the lowest level; discovering rule conflict and redundancy sets based on a hash of the XACML triple, by splicing the subject, resource and action rule element strings into a new triple rule information string and calculating the hash value of that string, where, if the hash values of different strings collide, the rules form a conflict or redundancy set; selectively deleting rule conflicts or redundancy based on the maximum number of rule matches, by calculating the engine performance cost of the rules after the conflict or redundancy is eliminated; and inversely compressing the split rules.
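The splitting, triple-hash bucketing and combining-algorithm reordering (Definitions 4.1 and 4.2) described on this page, as an added Python example that is not the patent's own code. The sample rules, the NUL separator, the use of SHA-256, and the classification (differing effects mark a conflict, equal effects mark redundancy) are assumptions.

```python
import hashlib
from collections import defaultdict
from itertools import product

# Constructed sample rules (not from the patent):
# (id, subjects, resources, actions, effect)
RULES = [
    ("R1", ["doctor", "nurse"], ["record"], ["read"], "Permit"),
    ("R2", ["nurse"], ["record"], ["read", "write"], "Deny"),
    ("R3", ["doctor"], ["record"], ["read"], "Permit"),
    ("R4", ["admin"], ["log"], ["delete"], "Deny"),
]

def split_rules(rules):
    """Split multi-valued attributes into atomic (subject, resource, action) rules."""
    for rid, subjects, resources, actions, effect in rules:
        for triple in product(subjects, resources, actions):
            yield rid, triple, effect

def triple_hash(triple):
    """Hash the spliced triple string.
    The NUL separator (an assumption) keeps ("ab", "c") and ("a", "bc") distinct."""
    return hashlib.sha256("\x00".join(triple).encode()).hexdigest()

def find_overlaps(rules):
    """Bucket atomic rules by triple hash; classify buckets hit by 2+ source rules."""
    buckets = defaultdict(list)
    for rid, triple, effect in split_rules(rules):
        buckets[triple_hash(triple)].append((rid, triple, effect))
    conflicts, redundant = [], []
    for members in buckets.values():
        ids = sorted({rid for rid, _, _ in members})
        if len(ids) < 2:
            continue  # one source rule only (even if it repeats an attribute value)
        # Assumed classification: differing effects = conflict, same effect = redundancy.
        effects = {effect for _, _, effect in members}
        (conflicts if len(effects) > 1 else redundant).append((members[0][1], ids))
    return sorted(conflicts), sorted(redundant)

def reorder(rules, algorithm):
    """Definitions 4.1/4.2: stable move of the overriding effect's rules to the front."""
    first = "Deny" if algorithm == "deny-overrides" else "Permit"
    return sorted(rules, key=lambda rule: rule[4] != first)

if __name__ == "__main__":
    print(find_overlaps(RULES))
    print([rule[0] for rule in reorder(RULES, "deny-overrides")])
```

R1 and R2 only overlap on one atomic triple, which is why the split has to happen before hashing: at whole-rule granularity their attribute sets differ and the overlap would not be found.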

Description

Technical field

[0001] The invention relates to an access control policy optimization method, which belongs to the field of network security.

Background technique

[0002] In the 2016 document "XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization", Qi Yong, Chen Jun and others, inspired by the rule compression of the document "An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption", first proposed a fine-grained rule redundancy analysis method. However, this method does not take into account the change in the maximum number of matches before and after splitting and merging rules. If the number of matches becomes larger, it directly affects the performance of the rule engine. This paper makes an in-depth analysis of this problem in the stages of rule conflict and redundancy elimination, and proposes a scheme for selection optimization.

[0003] Secondly, the definition in the document "X...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L9/06
Inventor 玄世昌苘大鹏王巍杨武靳小鹏杨国庆张超刘畅
Owner HARBIN ENG UNIV