Graph-based XACML evaluation
- 20 June 2012
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
The amount of private information on the Internet is constantly increasing with the explosive growth of cloud computing and social networks. XACML is one of the most important standards for specifying access control policies for web services. The number of XACML policies grows really fast and evaluation processing time becomes longer. The XEngine approach proposes to rearrange the matching tree according to the attributes used in the target sections, but for speed reasons they only support equality of attribute values. For fast termination, the combining algorithms are transformed into a first-applicable policy, which does not support obligations correctly. In our approach all comparison functions defined in XACML as well as obligations are supported. In this paper we propose an optimization for XACML policy evaluation based on two tree structures. The first one, called Matching Tree, is created for fast searching of applicable rules. The second one, called Combining Tree, is used for the evaluation of the applicable rules. Finally, we propose an exploring method for the Matching Tree based on the binary search algorithm. The experimental results show that our approach is orders of magnitude better than Sun PDP.
This publication has 12 references indexed in Scilit:
- Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers, 2010
- Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy Evaluation. IEEE Transactions on Services Computing, 2010
- Xengine. ACM SIGMETRICS Performance Evaluation Review, 2008
- Automated xacml policy reconfiguration for evaluation optimisation. Published by Association for Computing Machinery (ACM), 2008
- XACML Policy Integration Algorithms. ACM Transactions on Information and System Security, 2008
- An Effective and Secure Buyer-Seller Watermarking Protocol. Published by Institute of Electrical and Electronics Engineers (IEEE), 2007
- An approach to evaluate policy similarity. Published by Association for Computing Machinery (ACM), 2007
- Extending query rewriting techniques for fine-grained access control. Published by Association for Computing Machinery (ACM), 2004
- Zero-suppressed BDDs for set manipulation in combinatorial problems. Published by Association for Computing Machinery (ACM), 1993
- Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, 1986