Clustering and supervised response for XACML policy evaluation and management

Authors:

Highlights:

Abstract

To meet the increasingly complex requirements of access control using XACML (eXtensible Access Control Markup Language), a policy decision engine must efficiently handle large-scale policy sets and large volumes of requests. A practical policy evaluation engine, CSRM, is proposed to tackle this problem. The PDP (Policy Decision Point) of traditional policy decision engines is replaced by a new component, ESPDP (Efficient Searching Policy Decision Point). A CK-means algorithm is studied in this paper to cluster all policies in a policy set. ESPDP uses the result of the CK-means algorithm to construct a virtual mapping table. The virtual mapping table stores the relationship between subject attributes and policies, so that irrelevant policies are excluded when rule search is carried out. In addition, the rules in every policy are merged according to particular principles, which saves storage space and greatly speeds up rule search. When responding to intensive request loads, a supervised response method determines an optimal rule search order by analyzing the responses to the requests over a short period. Experimental results on four practical datasets demonstrate that the proposed CSRM outperforms some classic and state-of-the-art methods when dealing with large-scale policy sets. With high practicality and wide applicability, CSRM effectively removes the bottlenecks that limit PDP evaluation performance, and can respond to requests efficiently when handling large-scale policy sets.
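The two ideas the abstract describes at the PDP level, a subject-attribute mapping table that prunes irrelevant policies before rule search and a response-driven reordering of rules inside each policy, as an added toy illustration that is not the paper's code: CSRM's CK-means clustering and its rule-merging principles are not reproduced, and the policy set, subject roles and rule tuples are constructed for the example.

```python
"""Toy XACML-style decision point illustrating (1) a 'virtual mapping table'
from subject attribute values to the policies that target them and (2) a
simplified supervised-response step that reorders rules by observed hits.
Constructed example, not CSRM's implementation."""
import copy
from collections import Counter, defaultdict

# Constructed sample policy set. Each policy targets one subject role and holds
# ordered rules of the form (action, resource, effect); first match wins.
POLICIES = {
    "P-doctor": {"subject": "doctor", "rules": [
        ("write", "chart", "Permit"), ("read", "chart", "Permit")]},
    "P-nurse": {"subject": "nurse", "rules": [
        ("read", "chart", "Permit"), ("write", "chart", "Deny")]},
    "P-guest": {"subject": "guest", "rules": [("read", "lobby", "Permit")]},
}


def build_mapping_table(policies):
    """Virtual mapping table: subject attribute value -> list of policy ids.
    Built once, so each request only touches the policies mapped to it."""
    table = defaultdict(list)
    for pid, pol in policies.items():
        table[pol["subject"]].append(pid)
    return dict(table)


class Engine:
    def __init__(self, policies):
        self.policies = copy.deepcopy(policies)   # reordering is local to the engine
        self.table = build_mapping_table(self.policies)
        self.hits = {pid: Counter() for pid in self.policies}  # per-rule match counts

    def evaluate(self, subject, action, resource):
        """Return (decision, rules_checked). Policies not mapped to the subject
        attribute are never searched; rules_checked measures the search cost."""
        checked = 0
        for pid in self.table.get(subject, []):
            for rule in self.policies[pid]["rules"]:
                checked += 1
                if rule[0] == action and rule[1] == resource:
                    self.hits[pid][rule] += 1
                    return rule[2], checked
        return "NotApplicable", checked

    def reorder(self):
        """Simplified supervised response: after an observation window, move the
        most frequently matched rules to the front of their policy, then reset."""
        for pid, pol in self.policies.items():
            pol["rules"].sort(key=lambda r: -self.hits[pid][r])  # stable sort
            self.hits[pid].clear()
```

A request from an unmapped subject costs zero rule comparisons, and after `reorder()` the rule that dominated the window is found on the first comparison.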

Keywords: Clustering algorithm, Large-scale policy sets, Policy Decision Point (PDP), Supervised learning, XACML

Article history: Received 10 December 2019, Revised 6 June 2020, Accepted 22 July 2020, Available online 29 July 2020, Version of Record 1 August 2020.

DOI: https://doi.org/10.1016/j.knosys.2020.106312