A Policy Query Optimization And Rule Conflict Detection Method Based On Special Matrix

With the rapid development of computers,the number of users and information resources in all kinds of software is increasing rapidly,and the types of users' identities and information are increasingly complex.More fine-grained access control policies are required to control the users' access resources.Finegrained access control facilitates the fine management of the system to information resources.However,that inevitably leads to an increase in the number of policies in the policy base When system's access control policies become large-scale,there will be another unavoidable problem: Policy query efficiency and strategic conflict,which will affect the efficiency and results of the strategy evaluation.Therefore,the focus of the paper is how to optimize the efficiency of policy query and quickly detect the existing policy conflict.When the number of policies is small,a simple traversal of the policy base can also be completed in a short time.However,as the number of strategies increases,simple traversal will result in a serious decline in efficiency.To solve this problem,we need to optimize the policy query method.Among the optimization ideas proposed by researchers,dynamic reordering is more common.This method can effectively improve the hit rate and shorten the process of the policy evaluation,but the problem is still not solved that policy evaluation needs to traverse all the relevant rules.At the same time,continuous calculation of priorities requires computational cost.The increase in the number of policies can also lead to an increase in the frequency of rule conflicts.In a non-rule-conflicts set,the values of each attribute(including the Effect element)must not be all equal.It is difficult to conform to the condition that the rules are not conflicting when a new rule is added to the existing set whose scale is huge.In conflict detection,the researchers propose the methods based on vector intersection and directed graph model,but because of the complexity of the model,they take a long time to build and use the model to detect conflict,which have no advantage to rapid detection.The results of the contribution of this paper are the following two points:A method optimizing policy query is proposed.Based on the analysis of the characteristics of XACML policy,this paper presents a XACML policy query method based on the attribute And/Or matrix and type is proposed,which can reduce the number of rule match in the process the implementation of policy evaluation.This method modifies the process of the existing Context Handler,and adds a matching preprocessing of the access control rules In this link,the discrimination of each rule's attribute is calculated,which can be used in filtering rules irrelated to current access control request,then match the filtered rule set.The above process can improve the efficiency of the strategy evaluation.An efficient rule conflict detection method is proposed.The coverage state on the corresponding subinterval is calculated for each rule attribute.Accordingly,a coverage state matrix will be obtained after calculating the coverage state of each attribute for a rule set.Whether the range of values of the same attribute overlap between two rules,it only needs to compare coverage states.When detecting conflicts among rules,it only needs to traverse the constructed matrix which can avoid the low detection efficiency caused by the complexity of other methods and improve efficiency for policy conflict detection.