Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation

The adoption of XACML as the standard for specifying access control policies for various applications, especially web services is vastly increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We proposed a clustering technique that categorizes policies and rules within a policy set and policy respectively in respect to target subjects. Furthermore, we propose a usage based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP. Keywords-Policy Evaluation; Policy Categorization; XACML;