• Journal of the China Computer Federation
• Chinese Science and Technology Core Journal
• Chinese Core Journal

Computer Engineering & Science ›› 2025, Vol. 47 ›› Issue (12): 2169-2180.

• Computer Networks and Information Security •

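  • Funding:
    National Natural Science Foundation of China (62262073); Yunnan Province Applied Basic Research Program (202101AT070098); Yunnan Province "Ten Thousand Talents Plan" Young Top Talent Project (YNWR-QNBJ-2019-237); Yunnan Province Major Science and Technology Special Project (202202AE090011)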


Evaluation of attribute access control policy integrating clustering and structural optimization

XIA Tong, YUAN Lingyun, XIE Tianyu

  (1. School of Information Science and Technology, Yunnan Normal University, Kunming 650500;
  2. Key Laboratory of Educational Information for Nationalities, Ministry of Education, Yunnan Normal University, Kunming 650500, China)

  • Received: 2024-01-18  Revised: 2024-08-05  Online: 2025-12-25  Published: 2026-01-06

Abstract: To speed up responses to user requests for resources, this paper proposes an evaluation method for attribute-based access control policies that integrates clustering and structural optimization. First, a rule distance weight matrix is constructed to calculate the actual distances between non-numeric rule data points. Second, large-scale policy sets are processed using the CKmeans (canopy k-means) two-stage clustering method, which divides them into several small-scale policy clusters to narrow the scope of policy matching. Finally, a rule structure optimization and integration approach compresses the rule entries within each cluster, reducing the number of comparisons between an access request and the cluster's rules, and a hash cache table is added to speed up access for repeated requests. The effectiveness of the proposed method is validated using multiple XACML (extensible access control markup language) access control policies from real-world systems. Experimental results show that, compared with the existing evaluation engines Sun’s XACML and Xengine, as well as four types of machine learning methods, the proposed method significantly reduces time overhead on three policy sets (LMS, VMS, and ASMS), with a maximum reduction of approximately three orders of magnitude, greatly improving policy evaluation efficiency.


Key words: authorized access control, policy evaluation, two-stage clustering, rule structural optimization, hash caching