Abstract

The evaluation performance of the PDP (policy decision point), especially on large-scale policy sets, is one of the most significant challenges in XACML (eXtensible Access Control Markup Language). Large-scale policy sets are time-consuming to evaluate and require extensive storage, and they become more complicated to handle when their evaluation performance needs to be improved. Based on numericalization and batch processing, a new locomotive algorithm is proposed to design and implement a novel policy evaluation engine called XDPNBE that can efficiently deal with large-scale policy sets and make authorization decisions in multiple circumstances. XDPNBE enables efficient decisions within an attribute-based access control framework and strongly improves evaluation performance. Using simulated requests, XDPNBE is compared with the Sun PDP, XEngine, HPEngine and SBA-XACML. Experimental results show that when the number of requests reaches 10,000, the evaluation time of XDPNBE on the large-scale policy set with 120,000 rules is approximately 0.21%, 4.69%, 5.67% and 9.66% of that of the Sun PDP, XEngine, HPEngine and SBA-XACML, respectively.
