Research on Preprocessing Policies in XACML Admin

Li Xiaofeng; Feng Dengguo; He Yongzhong

Journal of Computer Research and Development > 2007 > 44(5): 729-736.

Li Xiaofeng, Feng Dengguo, He Yongzhong. Research on Preprocessing Policies in XACML Admin[J]. Journal of Computer Research and Development, 2007, 44(5): 729-736.

Citation:

Li Xiaofeng, Feng Dengguo, He Yongzhong. Research on Preprocessing Policies in XACML Admin[J]. Journal of Computer Research and Development, 2007, 44(5): 729-736.

Citation:

Li Xiaofeng, Feng Dengguo, He Yongzhong. Research on Preprocessing Policies in XACML Admin[J]. Journal of Computer Research and Development, 2007, 44(5): 729-736.

PDF (476 KB)

Research on Preprocessing Policies in XACML Admin

1(State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080) 2(State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049) 3(Inistitue of Computer Science, Beijing Jiaotong University, Beijing 100044)

More Information

Published Date: May 14, 2007

Graphical Abstract

Abstract

Abstract

Access policies and administrative policies are mixed together in XACML administrative policy schema. It would worsen the performance of making decision. In XACML administrative policy, whether a policy is trusted is checked when making access request decision. It would cause denial-of-service (DoS) attack. In this paper, a scheme is presented to improve the on-line decision performance through dividing policy tree into an access policy tree and an administrative policy tree in policy decision point or in policy repository. According to logic implication of delegation, a method of constructing delegation graph is proposed. The invalid policies in which there doesn't exist a path to trusted policy are deleted. Deleting invalid policies makes the policies created by attackers applicable in making access request decision so that policy decision point can resist such DoS attack. In XACML administrative policy, the delegation element process is different with elements in XACML. It is recognized as a bug in XACML administrative policy. An improved policy schema definition is presented to correct the bugs, which makes the processing of delegations be in conformance with the elements of subject, resources, etc in XACML core, and defines administrative policies more efficiently. Through these improvements, the performance of making decision is accelerated. Policy decision point can resist DoS attack in some sense.
- delegation policy,
- administrative policy,
- access control,
- XACML,
- information security

FullText(HTML)

References (0)

[1]	Ma Zhaojia, Shao En, Di Zhanyuan, Ma Lixian. Porting and Parallel Optimization of Common Operators Based on Heterogeneous Programming Models[J]. Journal of Computer Research and Development. DOI: 10.7544/issn1000-1239.202330869
[2]	Zhou Ze, Sun Yinghui, Sun Quansen, Shen Xiaobo, Zheng Yuhui. An Adversarial Detection Method Based on Tracking Performance Difference of Frequency Bands[J]. Journal of Computer Research and Development. DOI: 10.7544/issn1000-1239.202440428
[3]	Li Maowen, Qu Guoyuan, Wei Dazhou, Jia Haipeng. Performance Optimization of Neural Network Convolution Based on GPU Platform[J]. Journal of Computer Research and Development, 2022, 59(6): 1181-1191. DOI: 10.7544/issn1000-1239.20200985
[4]	Xie Zhen, Tan Guangming, Sun Ninghui. Research on Optimal Performance of Sparse Matrix-Vector Multiplication and Convoulution Using the Probability-Process-Ram Model[J]. Journal of Computer Research and Development, 2021, 58(3): 445-457. DOI: 10.7544/issn1000-1239.2021.20180601
[5]	Zhang Jun, Xie Jingcheng, Shen Fanfan, Tan Hai, Wang Lümeng, He Yanxiang. Performance Optimization of Cache Subsystem in General Purpose Graphics Processing Units: A Survey[J]. Journal of Computer Research and Development, 2020, 57(6): 1191-1207. DOI: 10.7544/issn1000-1239.2020.20200113
[6]	Gu Rong, Yan Jinshuang, Yang Xiaoliang, Yuan Chunfeng, and Huang Yihua. Performance Optimization for Short Job Execution in Hadoop MapReduce[J]. Journal of Computer Research and Development, 2014, 51(6): 1270-1280.
[7]	Zhang Fengjun, Zhao Ling, An Guocheng, Wang Hongan, Dai Guozhong. Mean Shift Tracking Algorithm with Scale Adaptation[J]. Journal of Computer Research and Development, 2014, 51(1): 215-224.
[8]	Lü Na and Feng Zuren. Adaptive Multi-Resolutional Image Tracking Algorithm[J]. Journal of Computer Research and Development, 2012, 49(8): 1708-1714.
[9]	Li Shanqing, Tang Liang, Liu Keyan, Wang Lei. A Fast and Adaptive Object Tracking Method[J]. Journal of Computer Research and Development, 2012, 49(2): 383-391.
[10]	Zheng Ruijuan, Wu Qingtao, Zhang Mingchuan, Li Guanfeng, Pu Jiexin, Wang Huiqiang. A Self-Optimization Mechanism of System Service Performance Based on Autonomic Computing[J]. Journal of Computer Research and Development, 2011, 48(9): 1676-1684.