Title |
Context-based security policy evaluation using weighted search trees |
Abstract |
A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements. |
Publication number |
US9514286(B2) |
Publication date |
2016.12.06 |
Application number |
US201012749665 |
Filing date |
2010.03.30 |
Applicant |
International Business Machines Corporation |
Inventor |
Forster Craig Robert William |
Classification |
G06F7/00;G06F21/10 |
Main classification |
G06F7/00 |
Agency |
|
Agent |
LaBaw Jeffrey S.;Judson David H. |
Main claim |
1. A method for evaluating a context-based policy for access control, the policy having a set of attributes, the method comprising:
    identifying a frequency of each of a set of attribute values with respect to one another to define a relative frequency distribution;
    sorting the set of attribute values according to the relative frequency distribution;
    assigning an identifier to each of the sorted attribute values;
    using the identifiers assigned to the sorted attribute values, generating a search tree weighted according to the identifiers assigned to the sorted attribute values, each leaf of the search tree defining a rule, and wherein a depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable;
    evaluating a request against the search tree weighted according to the identifiers assigned to the sorted attribute values to generate a response; and
    having an access control mechanism that uses the response to perform an access control operation;
    at least one of the identifying, generating, evaluating and using steps being carried out in software executing on a hardware element. |
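The frequency-ranked search tree described in the abstract and in claim 1, as an added Python example that is not part of the patent: attribute values are ranked by how often they occur across the rules, each rule becomes a depth-first path ordered by those ranks, and a request is answered either as an authorization decision or as an entitlement query. The sample policy, the choice of placing the most frequent value nearest the root, and the deny-overrides combining are assumptions.

```python
from collections import Counter

# Constructed sample policy (not from the patent): each rule lists the (attribute,
# value) pairs a request must carry, plus its effect; deny-overrides is assumed.
RULES = [
    ("r1", {("role", "doctor"), ("action", "read"), ("resource", "record")}, "Permit"),
    ("r2", {("role", "nurse"), ("action", "read"), ("resource", "record")}, "Permit"),
    ("r3", {("role", "doctor"), ("action", "write"), ("resource", "record")}, "Permit"),
    ("r4", {("role", "intern"), ("resource", "record")}, "Deny"),
]

class Node:
    def __init__(self):
        self.children, self.rules = {}, []  # (attr, value) edge -> Node; rules ending here

def build_tree(rules):
    # Rank attribute values by frequency across all rules; the most frequent value
    # gets identifier 0 and so sits nearest the root (direction is an assumption).
    freq = Counter(av for _, avs, _ in rules for av in avs)
    ident = {av: i for i, av in enumerate(sorted(freq, key=lambda av: (-freq[av], av)))}
    root = Node()
    for rule in rules:
        node = root
        for av in sorted(rule[1], key=ident.__getitem__):  # the rule's depth-first path
            node = node.children.setdefault(av, Node())
        node.rules.append(rule)
    return root, ident

def applicable(root, follow):
    # Depth-first walk that only descends edges the predicate accepts, so a rule is
    # collected exactly when every attribute on its path is satisfied.
    found, stack = [], [root]
    while stack:
        node = stack.pop()
        found.extend(node.rules)
        stack.extend(c for av, c in node.children.items() if follow(av))
    return found

def decide(root, request):
    # Authorization request: an edge is followed only if the request carries it.
    effects = {r[2] for r in applicable(root, lambda av: av in request)}
    if "Deny" in effects:
        return "Deny"  # deny-overrides combining (assumed)
    return "Permit" if "Permit" in effects else "NotApplicable"

def entitlements(root, subject, free=("action", "resource")):
    # Entitlement query: edges on the free attributes are followed unconditionally,
    # so the walk yields every Permit rule the subject could satisfy.
    rules = applicable(root, lambda av: av in subject or av[0] in free)
    return {(dict(a)["action"], dict(a)["resource"]) for _, a, e in rules if e == "Permit"}
```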
Address |
Armonk NY US |