Abstract

In recent years, XACML (eXtensible Access Control Markup Language) has been widely used in the development of various applications, especially Web services. The evaluation time of a PDP (Policy Decision Point) grows significantly when the PDP loads a large-scale policy set coded in XACML. In order to improve the PDP evaluation performance, we propose an optimized policy evaluation engine, namely XDLEngine, and make the following contributions. First, XDLEngine has an advantage in the process of handling a large-scale policy set, and innovatively adopts the LDA (Latent Dirichlet Allocation) topic model to cluster policies. Second, according to the clustering results of the LDA model, we digitize and vectorize all rules in policy sets, which facilitates the rule matching. Third, the cosine similarity is introduced to classify the rules under each topic, which greatly reduces the number of comparisons in the process of rule matching and improves the matching efficiency of XDLEngine. Finally, due to the independence between different topics, we use a multi-threaded parallel search in the process of rule matching, which significantly lowers the evaluation time of XDLEngine. The experimental results show that when the number of requests reaches 20,000, the evaluation time of XDLEngine for a practical large-scale policy set with 120,000 rules is approximately 2.48%, 3.47% and 3.68% of that of the Sun PDP, XEngine and HPEngine, respectively.
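The following Python sketch is an added illustration, not XDLEngine's code: it shows how digitizing rules and bucketing them by cosine similarity cuts the number of comparisons per request, with a parallel search over independent topics. Topic labels are given rather than learned by LDA, and the reference vector `REF`, the integer encoding and all sample rules are assumptions constructed for this example.

```python
import math
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
RULES = [  # constructed sample: (topic, subject, resource, action, effect)
    ("hr", "manager", "payroll", "read", "Permit"),
    ("hr", "manager", "payroll", "write", "Deny"),
    ("hr", "clerk", "timesheet", "write", "Permit"),
    ("it", "admin", "server", "restart", "Permit"),
    ("it", "admin", "backup", "read", "Permit"),
]
REF = (1.0, 2.0, 3.0)  # arbitrary fixed reference vector (assumption)
IDS = {}               # attribute string -> integer id, filled at index build

def digitize(attrs, learn=False):
    """Attribute strings -> integer ids; None when a request value is unknown."""
    if learn:
        return tuple(float(IDS.setdefault(a, len(IDS) + 1)) for a in attrs)
    return tuple(float(IDS[a]) for a in attrs) if all(a in IDS for a in attrs) else None

def cos_key(vec):
    """Cosine similarity to REF, rounded so it can serve as a bucket key."""
    dot = sum(a * b for a, b in zip(vec, REF))
    return round(dot / (math.hypot(*vec) * math.hypot(*REF)), 9)

def build_index(rules):
    """topic -> cosine bucket -> [(vector, effect)], kept in policy order."""
    index = defaultdict(lambda: defaultdict(list))
    for topic, *attrs, effect in rules:
        vec = digitize(attrs, learn=True)
        index[topic][cos_key(vec)].append((vec, effect))
    return index

def search_topic(buckets, vec):
    """Compare only within the request's bucket; return (effect, comparisons)."""
    candidates = buckets.get(cos_key(vec), [])
    for n, (rule_vec, effect) in enumerate(candidates, 1):
        if rule_vec == vec:  # equal cosine is necessary, not sufficient
            return effect, n
    return None, len(candidates)

def evaluate(index, subj, res, act):
    """Search all topics in parallel; no matching rule yields NotApplicable."""
    vec = digitize((subj, res, act))
    if vec is None:
        return "NotApplicable", 0
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda b: search_topic(b, vec), list(index.values())))
    return next((e for e, _ in results if e), "NotApplicable"), sum(n for _, n in results)

INDEX = build_index(RULES)
```

An index like this only helps if it returns the same decision as a linear scan of the policy, so the exact vector comparison inside the bucket stays in place and a request with no matching rule never resolves to Permit.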
