Improved decision diagram for attribute-based access control policy evaluation and management
Cite as: LUO Xiaofeng, YANG Xingchun, HU Yong. Improved decision diagram for attribute-based access control policy evaluation and management [J]. Journal of Computer Applications, 2019, 39(12): 3569-3574. DOI: 10.11772/j.issn.1001-9081.2019040603
Authors: LUO Xiaofeng, YANG Xingchun, HU Yong
Affiliations: 1. Department of Computer Science and Technology, Sichuan Police College, Luzhou, Sichuan 646000, China; 2. Cyberspace Security College, Sichuan University, Chengdu, Sichuan 610065, China
Funding: Scientific Research Project of the Sichuan Provincial Department of Education (17ZB0262); Sichuan Science and Technology Support Program (2019YFS0068).
Abstract: The Multi-data-type Interval Decision Diagram (MIDD) approach cannot correctly represent and process the critical-mark property of attributes, and it represents and processes obligations and advice unclearly; the result is inconsistent node representation and added processing complexity. To address these problems, the MIDD approach is improved and extended. First, the MIDD graph nodes, whose unit is an entity attribute, are changed to nodes whose unit is a single element, so that the elements of an attribute-based access control policy are represented precisely and the original failure to handle critical marks is resolved. Second, obligations and advice are treated as elements and represented by nodes of their own. Finally, the rule- and policy-combining algorithms are attached to the decision nodes, so that the Policy Decision Point (PDP) can apply them when deciding an access request. Analysis shows that the time and space complexity of the improved approach is equivalent to that of the original. Comparative simulation of the two approaches shows that when each attribute has only one subsidiary attribute (the most common case in practice), the difference in average decision time per access request between the two approaches is on the order of only 0.01 μs; this confirms the complexity analysis and shows that the two approaches perform comparably. A simulation that varies the number of subsidiary attributes shows that even when one attribute has 10 subsidiary attributes (very rare in practice), the difference in average decision time remains of the same order of magnitude. The improved approach preserves the correctness, consistency and convenience of the original approach while extending its scope from eXtensible Access Control Markup Language (XACML) policies to attribute-based access control policies in general.
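The abstract names three building blocks of the improved diagram: one node per policy element (an attribute test), a critical mark that changes how a missing attribute is handled, and decision nodes that carry obligations, advice and the combining algorithm used by the PDP. The following is an added illustration written for this page, not the MIDD implementation or the authors' improved diagram. It makes several assumptions that the paper does not state: the critical mark is interpreted in the spirit of XACML's MustBePresent (an absent critical attribute yields Indeterminate rather than silently taking the no-match edge), the combining algorithms are simplified versions of XACML's deny-overrides, permit-overrides and first-applicable, and the two sample rules, the attribute names and the obligation/advice identifiers are all constructed for the example.

```python
"""Toy element-level decision diagram for ABAC policy evaluation.

Constructed illustration only, NOT the paper's MIDD or improved diagram.
Each Test node is one policy element; edges carry a numeric interval or a
set of literals (the "multi-data-type" idea); Decision leaves carry effect,
obligations and advice; Combine nodes hold the combining algorithm.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Result:
    decision: str
    obligations: List[str] = field(default_factory=list)
    advice: List[str] = field(default_factory=list)


@dataclass
class Decision:
    """Leaf node: an effect plus the obligations/advice returned with it."""
    effect: str
    obligations: List[str] = field(default_factory=list)
    advice: List[str] = field(default_factory=list)

    def evaluate(self, request: Dict[str, Any]) -> Result:
        return Result(self.effect, list(self.obligations), list(self.advice))


def _matches(label: Any, value: Any) -> bool:
    """Edge label is a closed interval (lo, hi) for numbers, else a set of literals."""
    if isinstance(label, tuple):
        lo, hi = label
        return isinstance(value, (int, float)) and lo <= value <= hi
    return value in label


@dataclass
class Test:
    """One ABAC element: a test on a single attribute of the request."""
    attribute: str
    edges: List[Tuple[Any, Any]]   # (label, child node), tried in order
    otherwise: Any                 # child taken when no edge label matches
    critical: bool = False         # critical mark (assumed MustBePresent-like)

    def evaluate(self, request: Dict[str, Any]) -> Result:
        if self.attribute not in request:
            return Result(IND) if self.critical else self.otherwise.evaluate(request)
        value = request[self.attribute]
        for label, child in self.edges:
            if _matches(label, value):
                return child.evaluate(request)
        return self.otherwise.evaluate(request)


@dataclass
class Combine:
    """Decision node applying a simplified XACML combining algorithm to its children."""
    algorithm: str                 # "deny-overrides" | "permit-overrides" | "first-applicable"
    children: List[Any]

    def evaluate(self, request: Dict[str, Any]) -> Result:
        results = [c.evaluate(request) for c in self.children]
        if self.algorithm == "first-applicable":
            return next((r for r in results if r.decision != NA), Result(NA))
        overriding = DENY if self.algorithm == "deny-overrides" else PERMIT
        other = PERMIT if overriding == DENY else DENY
        seen = {r.decision for r in results}
        if overriding in seen:
            final = overriding
        elif IND in seen:
            final = IND
        elif other in seen:
            final = other
        else:
            final = NA
        # Only obligations/advice of children that share the final effect are returned.
        matching = [r for r in results if r.decision == final]
        return Result(final,
                      [o for r in matching for o in r.obligations],
                      [a for r in matching for a in r.advice])


# Constructed sample policy (hypothetical rules and identifiers, not from the paper).
# Rule 1: contractors outside 08:00-18:00 are denied, with a logging obligation.
RULE_AFTER_HOURS = Test("role", [
    (frozenset({"contractor"}),
     Test("hour", [((8, 18), Decision(NA))],
          otherwise=Decision(DENY, obligations=["log-after-hours-denial"]))),
], otherwise=Decision(NA))

# Rule 2: clearance 3..5 is permitted with advice; "clearance" is a critical attribute.
RULE_CLEARANCE = Test("clearance", [((3, 5), Decision(PERMIT, advice=["remind-handling-rules"]))],
                      otherwise=Decision(NA), critical=True)

POLICY = Combine("deny-overrides", [RULE_AFTER_HOURS, RULE_CLEARANCE])


def decide(request: Dict[str, Any], policy: Combine = POLICY) -> Result:
    """PDP entry point: evaluate one access request against the diagram."""
    return policy.evaluate(request)


if __name__ == "__main__":
    for req in ({"role": "contractor", "hour": 22, "clearance": 4},
                {"role": "employee", "hour": 22, "clearance": 4},
                {"role": "employee", "hour": 10}):
        print(req, "->", decide(req))
```

The third request in the main block omits the critical attribute and therefore evaluates to Indeterminate; with `critical=False` the same request would fall through to NotApplicable, which is the distinction the abstract says the original node layout could not express cleanly. Obligations and advice travel only with the children whose effect equals the final decision, so a denied request never carries the Permit rule's advice.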

Keywords: access control; attribute-based access control (ABAC); information security; security policy; eXtensible Access Control Markup Language (XACML)
Received: 2019-04-12
Revised: 2019-08-21
