A Graph and Clustering-Based Framework for Efficient XACML Policy Evaluation

Abstract

EXtensible Access Control Markup Language (XACML) is one of the standardized languages for specifying access control policies. Policies described by the XACML are used to express the security requirement in the network and information system when we study authorization access control. With the aim to improve the Policy Decision Point (PDP) evaluation performance, we put forward a Graph and Clustering-Based Framework, employing the aggregate function. First, we partition the rule set into subsets. For the single value, we select the best partition quantity based on the aggregate function. As for the interval value, we handle with the start point and the finish point, respectively, in the same way as single value. Second, the policy set is split according to the partition of rule set. In this way, not only single values, but also interval values are taken into consideration. After that, we explore the searching tree to obtain the possibly matched rules. Finally, we construct the combining tree and output the policy decision on the basis of it. The experimental results show that our approach is orders of magnitude better than the Sun PDP. A comparison in evaluation performance between the redundancy detecting and eliminating engine and the Sun PDP, as well as XEngine and SBA-XACML, is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating redundancies.