Abstract
The description and enforcement of access control policies is an important means of protecting information system resources, and it affects the operational running of the system. To address the low efficiency of policy evaluation, researchers have proposed evaluation methods based on strategies such as attribute caching and reordering. These methods improve evaluation efficiency, but they do not solve the problem that policy evaluation must traverse all relevant rules. To address this problem, after analyzing the characteristics of XACML (eXtensible Access Control Markup Language) policy descriptions, this paper proposes an XACML policy query method based on an attribute AND/OR matrix and type analysis, which reduces the number of rule matches performed during policy evaluation. The method modifies the processing of the existing Context Handler and adds a preprocessing phase for access control rule matching. In this phase, the discrimination of each rule attribute is computed, and the discrimination values together with the attribute AND/OR matrix are used to filter out rules that are irrelevant to the current access control request. The filtered rule set is then matched, which improves policy evaluation efficiency. Experimental results verify the effectiveness of the proposed method.
Authors
韩道军
原万里
段晓宇
张磊
HAN Dao-jun; YUAN Wan-li; DUAN Xiao-yu; ZHANG Lei (Institute of Data and Knowledge Engineering, Henan University, Kaifeng, Henan 475004, China; School of Computer and Information Engineering, Henan University, Kaifeng, Henan 475004, China)
Source
《计算机科学》
CSCD
Peking University Core Journals (北大核心)
2018, Issue 9, pp. 224-229 (6 pages)
Computer Science
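Funding
Supported by the National Natural Science Foundation of China (61272545, 61402149)
Henan Province Science and Technology Research Program (142102210390)
Science and Technology Research Program of the Education Department of Henan Province (14A520026)
Henan Province Postdoctoral Research Project (2015036)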