Study Of High Efficiency Of PDP Evaluation Performance In SOA

Posted on: 2016-02-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Deng
Full Text: PDF
GTID: 1108330464968958
Subject: Computer application technology

Abstract/Summary:
In the Service-Oriented Architecture (SOA) environment, access control is an extremely important research object in the field of network security and information security. Using policies to describe the security requirements of an information system has become a major approach to studying authorization and access control. When the Policy Decision Point (PDP) in the authorization center evaluates an access request, its evaluation performance is affected by many factors. On one hand, because there may be conflicts and redundancies in the policies loaded on the PDP, the PDP may make an inappropriate authorization decision, or the operating efficiency of the network and information system may suffer. On the other hand, the traditional centralized authorization model has only one PDP, and the evaluation performance of that PDP decreases markedly as the number of rules in a policy grows. Therefore, improving the evaluation performance of the PDP is of great importance.

Based on an analysis of the categories of conflict and redundancy, engines for detecting and eliminating conflicts and redundancies in a policy are constructed. Form conflicts, form redundancies and redundancies related to combining algorithms are detected and eliminated. Moreover, a distributed policy evaluation engine is presented: a policy is decomposed into multiple sub-policies, each with fewer rules, by a decomposition method that balances the cost of the sub-policies deployed to each PDP. Together, this work achieves the goal of letting the PDP evaluate access requests with high efficiency.

The major research work and innovations are as follows:

(1) The Resource Index Tree is constructed to detect and eliminate conflicts, addressing the problem that policy conflicts degrade the evaluation performance of the PDP. The form conflict detecting and eliminating engine is presented; it not only detects and eliminates form conflicts but also has the same evaluation ability as a PDP: it can load the policies from which form conflicts have been eliminated and evaluate access requests. In this engine, the Resource Index Tree converts the rules of a policy defined in XACML into node information in the tree. On the basis of the dependency relationships between resources, the overlapping relationships between conditions, and the effect information, both common resource conflicts between resource nodes at the same level and dependent resource conflicts between resource nodes at different levels can be detected and eliminated by the Resource Index Tree model. Experiments compare the evaluation performance of the form conflict detecting and eliminating engine with that of Sun PDP. The results show that the evaluation performance of the PDP can be greatly improved by eliminating conflicts.

(2) The Resource Brick Wall is constructed to detect and eliminate redundancies, addressing the problem that policy redundancies degrade the evaluation performance of the PDP. The policy redundancy detecting and eliminating engine is proposed; it not only detects and eliminates form redundancies and redundancies related to combining algorithms but also has the same evaluation ability as a PDP: it can load the policies from which these redundancies have been eliminated and evaluate access requests. In this engine, the Resource Brick Wall is constructed according to the resource attributes in a policy. The policy redundancy problems caused by factors such as resource attributes, condition attributes and effect information are fully considered. Combining the Resource Brick Wall with the policy/rule combining algorithm, methods for detecting and eliminating form redundancies and redundancies related to combining algorithms are discussed. The evaluation performance of the policy redundancy detecting and eliminating engine is compared with that of Sun PDP; the experimental results show that the evaluation performance of the PDP can be markedly improved by eliminating redundancies.

(3) A distributed policy evaluation engine with policy decomposition is constructed, addressing the problem that the evaluation performance of the PDP is low in the conventional centralized authorization model. The engine is able to decompose policies and distribute requests. In it, the single PDP of the centralized authorization model is replaced by multiple PDPs. A policy is decomposed into multiple sub-policies, each with fewer rules, by a decomposition method that balances the cost of the sub-policies deployed to each PDP. Based on an analysis of the criteria of policy decomposition, a discrete optimization model of policy decomposition is presented and its properties are analyzed. A greedy algorithm with favorable time complexity is constructed to solve the optimization model. In experiments, test policies from real applications are decomposed into multiple sub-policies by the greedy algorithm; the decomposition guarantees that the cost of the sub-policies deployed to each PDP is equal or approximately equal. The evaluation performance of the distributed policy evaluation engine is compared with that of Sun PDP. The experimental results show that 1) policy decomposition effectively improves the evaluation performance of the PDPs, and 2) the evaluation time of the PDPs decreases as the number of PDPs grows.

The methods of policy conflict detection and elimination, policy redundancy detection and elimination, and policy decomposition are thus shown to improve the evaluation performance of PDPs. Based on three different typical test policies, comprehensive experiments are carried out in which policies from which conflicts and redundancies have been eliminated are loaded on multiple PDPs in the distributed policy evaluation engine with policy decomposition. The comprehensive results show that the evaluation performance of the distributed policy evaluation engine loaded with policies from which conflicts and redundancies have been eliminated is increased on average by approximately 50% and 70%, respectively, compared with the distributed policy evaluation engine loaded with policies in which conflicts and redundancies have not been eliminated, and with Sun PDP.
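The three ideas above (form conflicts and form redundancies among sibling rules of one resource, and cost-balanced decomposition of a policy across several PDPs) in a deliberately simplified model. This is an added illustration, not the dissertation's code: the interval-valued conditions, the rule-count cost and the largest-first greedy assignment are assumptions standing in for the Resource Index Tree, Resource Brick Wall and the optimization model.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    rid: str
    resource: str          # resource attribute (constructed model of an XACML rule)
    cond: tuple[int, int]  # inclusive range on one numeric attribute, e.g. clearance level
    effect: str            # "Permit" or "Deny"
def group_by_resource(rules: list[Rule]) -> dict[str, list[Rule]]:
    groups: dict[str, list[Rule]] = {}
    for r in rules:
        groups.setdefault(r.resource, []).append(r)
    return groups

def analyze(rules: list[Rule]) -> tuple[list[tuple[str, str]], list[str]]:
    """Form conflict: same resource, overlapping conditions, different effects.
    Form redundancy: same resource and effect, one condition inside the other, so
    dropping the inner rule changes no decision under any combining algorithm."""
    conflicts, redundant = [], []
    for group in group_by_resource(rules).values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if not (a.cond[0] <= b.cond[1] and b.cond[0] <= a.cond[1]):
                    continue  # disjoint conditions never interact
                if a.effect != b.effect:
                    conflicts.append((a.rid, b.rid))
                elif a.cond[0] <= b.cond[0] and b.cond[1] <= a.cond[1]:
                    redundant.append(b.rid)
                elif b.cond[0] <= a.cond[0] and a.cond[1] <= b.cond[1]:
                    redundant.append(a.rid)
    return conflicts, redundant

def decompose(rules: list[Rule], n_pdp: int) -> list[list[Rule]]:
    """Greedy largest-first decomposition (assumed stand-in for the dissertation's
    algorithm): a resource's rules stay together so a request is routed to exactly
    one PDP, and each group goes to the least-loaded PDP (cost = rule count)."""
    groups = sorted(group_by_resource(rules).values(), key=len, reverse=True)
    pdps: list[list[Rule]] = [[] for _ in range(n_pdp)]
    for g in groups:
        pdps[min(range(n_pdp), key=lambda i: len(pdps[i]))].extend(g)
    return pdps

POLICY = [  # constructed sample policy: one conflict, two redundancies
    Rule("r1", "/doc/a", (1, 5), "Permit"),
    Rule("r2", "/doc/a", (4, 9), "Deny"),   # overlaps r1 with the opposite effect
    Rule("r3", "/doc/a", (6, 9), "Deny"),   # inside r2 with the same effect
    Rule("r4", "/doc/b", (0, 3), "Permit"),
    Rule("r5", "/doc/c", (0, 9), "Deny"),
    Rule("r6", "/doc/c", (2, 4), "Deny"),   # inside r5 with the same effect
]
```

Running `analyze(POLICY)` flags the r1/r2 conflict and r3 and r6 as redundant, and `decompose(POLICY, 2)` yields two sub-policies of three rules each.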
Keywords/Search Tags: Policy Conflict, Policy Redundancy, Policy Decomposition, Policy Decision Point, Evaluation Performance