To secure data access, enterprises need access control policies that address risks and abnormal data access behavior on the internet. An access control policy consists of one or more rules, each of which is a Boolean expression describing logical relationships and conditional judgments. When a rule evaluates to true, the corresponding action is executed. Enterprises configure one or more sets of rules to check whether the data generated when users access the internet is secure, and thereby regulate users' access behavior.
However, existing access control methods must match every condition to obtain the final result of the Boolean expression. The matching time determines the speed of the entire access connection. If matching takes a long time, it degrades the operational performance of the device. Conversely, when access control policies are matched quickly, users receive the authorization or rejection decision sooner, wait less, access resources without delay, and have a better experience. A faster way to match access control policies is therefore needed.
Access control policies consist of expressions and logical operators (AND, OR, NOT). They are used to define the rules or conditions for access requests, response validation, authorization, and recording.
By combining expressions and logical operators, access control policies can flexibly define who can access which resources under what conditions, and what permissions they have. This ensures that only authorized users or entities obtain legitimate access rights, while unauthorized access and potential security threats are prevented.
Complex expressions typically use postfix expressions (reverse Polish notation), which are matched sequentially to determine whether the access control rules and conditions are met.
In access control policies, an ordered binary decision diagram (OBDD) can be used to represent a Boolean expression as a directed acyclic graph, where each node represents a Boolean variable and each edge represents an assignment of that variable. By simplifying and merging the Boolean expression, a compact OBDD is obtained in which identical sub-expressions only need to be evaluated once. Following the structure of the OBDD, some calculations can be skipped outright and the result determined early, which avoids unnecessary calculation steps and improves computational efficiency.
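The contrast between sequential postfix matching and an OBDD walk, as an added example (not the patent's implementation or code from the original article). The rule, the condition names and the variable order are constructed for illustration, and the OBDD is built by brute-force Shannon expansion, which is only practical for small rules.

```python
def eval_postfix(tokens, match):
    """Baseline: sequential postfix evaluation; every condition is matched."""
    stack, matched = [], 0
    for t in tokens:
        if t == "NOT":
            stack.append(not stack.pop())
        elif t in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if t == "AND" else (a or b))
        else:
            stack.append(bool(match(t)))
            matched += 1
    return stack.pop(), matched

def build_obdd(tokens, order):
    """Reduced OBDD via Shannon expansion along `order`; terminals are bools."""
    nodes, unique = {}, {}          # nodes[id] = (variable, low child, high child)
    def mk(i, env):
        if i == len(order):
            return eval_postfix(tokens, env.__getitem__)[0]
        lo = mk(i + 1, {**env, order[i]: False})
        hi = mk(i + 1, {**env, order[i]: True})
        if lo == hi:                # outcome ignores this variable: skip the node
            return lo
        key = (order[i], lo, hi)
        nid = unique.setdefault(key, f"n{len(unique)}")  # share identical sub-graphs
        nodes[nid] = key
        return nid
    return mk(0, {}), nodes

def eval_obdd(root, nodes, match):
    """Follow one path to a terminal; only conditions on that path are matched."""
    node, matched = root, 0
    while not isinstance(node, bool):
        var, lo, hi = nodes[node]
        node = hi if match(var) else lo
        matched += 1
    return node, matched

# Constructed rule (postfix form of):
# (blocked_category AND NOT user_allowlisted) OR (is_upload AND has_sensitive_data)
RULE = ["blocked_category", "user_allowlisted", "NOT", "AND",
        "is_upload", "has_sensitive_data", "AND", "OR"]
ORDER = ["blocked_category", "user_allowlisted", "is_upload", "has_sensitive_data"]

if __name__ == "__main__":
    req = dict(zip(ORDER, [True, False, True, False]))   # constructed request
    root, nodes = build_obdd(RULE, ORDER)
    print(eval_postfix(RULE, req.get), eval_obdd(root, nodes, req.get))
```

Each function returns the decision together with the number of conditions it had to match, so the saving from early termination is visible per request.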
This patent is applicable to Enhanced Web Security Gateway (ASWG) products and can significantly improve the processing performance of the system. Traditional access control policies require matching conditions and logical operators one by one to determine the result of the entire expression, a calculation that may consume considerable time and computational resources. Using this patent, access requests are verified and decisions are made faster, which improves the performance of the entire system. Waiting time and access latency for users and applications are reduced, improving the overall user experience. It also lowers the consumption of computing resources, leaving more resources for other important tasks and functions.
This patent can bring the following value to users:
1. Improve computing performance
2. Simplify the calculation process
3. Strengthen information security protection
Article source: https://mp.weixin.qq.com/s/8yPZ8YXZ1PZOnAyzipJC2A