Research On Security Policy Optimization In Attribute-Based Access Control

Posted on: 2020-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Zhong
GTID: 2428330602452122
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computer and communication networks, diversified Internet applications have made life more convenient. At the same time, more and more private information is exposed to the Internet, which brings great challenges to information security. Access control is one of the important means of ensuring information security. ABAC (Attribute-Based Access Control), an access control model suited to distributed environments, has become a focus of research. Furthermore, XACML (eXtensible Access Control Markup Language), the primary language standard for describing ABAC policies, has rich and flexible policy expression capabilities. Against this background, this paper focuses on the optimization of ABAC policies.

Through unified modeling of entity attributes, the ABAC model achieves flexible and scalable access control authorization. However, the growth of subjects and resources leads to the expansion of the policy repository. As a result, matching access requests to applicable policies in the policy repository becomes less efficient, and the performance of policy evaluation is severely affected and urgently needs to be optimized to ensure the availability of ABAC. Therefore, aiming at the performance problem of policy evaluation, and based on the ABAC model and the XACML standard, this paper optimizes two aspects: the matching process and the policy structure. The core work of this paper is as follows.

Firstly, by analyzing the structural characteristics of the ABAC evaluation process and of XACML policies, this paper summarizes several factors that affect policy performance. Each factor is analyzed separately, and some feasible directions for performance optimization are pointed out. Existing policy optimization methods are summarized and classified, and their advantages and disadvantages are pointed out.

Secondly, to optimize the performance of policy matching, we propose the matching tree structure and the corresponding evaluation method. In addition, this is the first time that dynamic policy changes are supported. The matching tree maps the policy repository and greatly simplifies its index information, which improves matching efficiency while preserving the same semantics. This approach speeds up the acquisition of applicable policies. To address the performance problem of policy changes at run time, a policy management solution based on the matching tree is proposed, which can change policies at run time without disabling the policy repository.

Thirdly, to optimize the policy structure, we propose the fine-grained decision graph structure. Built on the matching tree, the fine-grained decision graph not only makes up for the defect that the decision graph structure is difficult to maintain, but also retains the high evaluation efficiency of the decision graph. Furthermore, considering the possibility that the fine-grained decision graph will produce conflicts during evaluation, we propose an instant merge policy. We then prove the consistency between the fine-grained decision graph and the original policy semantics.

Lastly, in the simulation experiments and result analysis, this paper implements the two optimization approaches and tests their performance, and carries out simulation experiments on runtime policy changes and on decision graph changes. Experimental results show that the matching tree matching method and the RX-MIDD decision graph method improve performance to different degrees compared with traditional evaluation methods. In terms of policy changes at run time, the matching tree method is far superior to the traditional method. In terms of policy changes in decision diagrams, RX-MIDD reduces the difficulty of policy maintenance.

The matching tree structure proposed in this paper has a wide range of applicability: it not only effectively improves the performance of policy matching, but also supports policy changes in the runtime policy repository, greatly improving the practicality of the evaluation engine. In addition, the fine-grained decision graph solves the shortcoming that the decision graph is difficult to maintain while retaining the efficient evaluation performance of the decision graph, and provides ideas for the practical application of the ABAC model.
Keywords/Search Tags:Attribute-based Access Control, Policy, XACML, Decision Diagram