Elimination of the Redundancy Related to Combining Algorithms to Improve the PDP Evaluation Performance

If there are lots of redundancies in the policies loaded on the policy decision point (PDP) in the authorization access control model, the system will occupy more resources in operation and consumes plenty of evaluation time and storage space. In order to detect and eliminate policy redundancies and then improve evaluation performance of the PDP, a redundancy related to combining algorithms detecting and eliminating engine is proposed in this paper.This engine cannot only detect and eliminate the redundancy related to combining algorithms, but also evaluate access requests. A Resource Brick Wall is constructed by the engine according to the resource attribute of a policy’s target attributes. By the Resource Brick Wall and the policy/rule combining algorithms, three theorems for detecting redundancies related to combining algorithms are proposed. A comparison of the evaluation performance of the redundancy related to combining algorithms detecting and eliminating engine with that of Sun PDP is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating the redundancy related to combining algorithms.


Introduction
Currently, access control is an important protection mechanism in the network and information security [1].And using the security policy to describe security requirements in information systems has been the main method for authorization access control [2].A policy can be defined as a group of descriptive principles implemented on the basis of practical requirements.These principles are the constraints for authorizing the system to make a decision.The XACML (eXtensible Access Control Markup Language) [3] is widely used in a distributed application system [4] in the SOA (Service-Oriented Architecture) [5] environment so that the security policy can be better expressed.The XACML is an open-standard language based on the XML and is used to standardize access control implemented in the XML (eXtensible Markup Language).It provides a uniform policy description language and improves the efficiency of collaboration among different organizations in the SOA environment.The XACML's characteristics are as follows: (i) Great adaptability: the XACML can be normally applied in multiple application environment.
(ii) Preferable compatibility: the XACML supports multiple data types and policy/rule combining algorithms.
(iii) Outstanding expression ability: the XACML can accurately express access control requirements with different complexities and fine grains.
The XACML is a policy describing language with strong adaptability, universality, and extensibility and it supports distributed applications [6].However, it does not have a standard agreement on factors such as granularity size, resource level, and condition interval [7].Some rules in a policy may lose their effect because of policy/rule combining algorithms [8].And a policy set may be formulated and edited by multiple administrators, each of whom has a different understanding of the policy and a different opinion on policy setting, which could lead to redundancies in a policy set's rules [9].Thus, detecting and eliminating the redundancy related to combining algorithms is the core and key point of our research.
On the other hand, the XACML assumes that all the rules can be trusted, so a request might be responded to repeatedly [10].In the authorization access control model, if the policy loaded on the PDP contains lots of redundancies related to policy/rule combining algorithms, it not only consumes and wastes lots of system resources, but also greatly increases the time the PDP spends in evaluating access requests.And then the evaluation performance of the PDP is affected.In policy management [11] based on the XACML, as many redundancies related to policy/rule combining algorithms must be eliminated as possible to accelerate the speed of policy matching so that the PDP in the authorization center can effectively make authorization decisions and feed authorization results back [12].
To sum up, the important and critical problem to be solved is how to find an effective way to detect and eliminate the redundancy related to combining algorithms accurately and then improve the evaluation performance of the PDP.
This paper makes the following contributions.
(1) A redundancy related to combining algorithms detecting and eliminating engine is presented, which not only can detect and eliminate the redundancy related to combining algorithms in a policy and between policies, but also has the same ability as the PDP.This engine can evaluate the access control by loading policies whose redundancies related to combining algorithms have been eliminated.
(2) A Resource Brick Wall is constructed by the redundancy related to combining algorithms detecting and eliminating engine according to the resource attribute in a policy's target attributes.The Resource Brick Wall can effectively express the dependent relationship between resource attributes and detecting and eliminating the redundancy related to combining algorithms by the additional subject attribute, condition attribute, and effect information.
(3) By the Resource Brick Wall and policy/rule combining algorithms, the corresponding detecting and eliminating algorithm is proposed aiming at different types of redundancies related to combining algorithms.This algorithm only compares a rule with those which are likely to generate redundancies and this could avoid a large number of unnecessary comparisons with irrelative rules.And it optimizes the traditional traversal redundancy detection and greatly improves the efficiency of detecting and eliminating redundancies.
The remainder of this paper is organized as follows.Section 2 reviews the related work on policy analysis, management, and high performance evaluation.Section 3 introduces definitions used in the research on the redundancy related to combining algorithms detection and elimination.In Section 4, a redundancy related to combining algorithms detecting and eliminating engine is introduced which can detect and eliminate the redundancy related to combining algorithms in a policy and between policies and evaluate access requests.In Section 5, a Resource Brick Wall is proposed when we discuss the redundancy related to combining algorithms detecting and eliminating algorithm.Section 6 focuses on the theorems for detecting redundancies related to combining algorithms.A relevant detection and elimination algorithm for the redundancy related to combining algorithms is given in Section 7. Section 8 makes a comparison in evaluation performance between the redundancy related to combining algorithms detecting and eliminating engine and Sun PDP.Finally, Section 9 presents some conclusions and directions for our future work.

Related Work
There are numerous prior works on access control policies that mainly focus on policy evaluation, analysis, and testing to detect and eliminate redundancy.Masi et al. [13] formalized the XACML 2.0 semantics and proposed an alternative syntax supporting policy composition.They implemented a tool to compile policies into Java classes following the proposed semantic rules, where these classes are executed to compute policy decisions.Liu et al. [14] proposed XEngine, which can convert a textual XACML policy to a numerical policy and can convert a numerical policy with complex structures to a numerical policy with a normalized structure.Also, XEngine can convert the normalized numerical policy to tree data structures for efficient processing of requests.Marouf et al. [15] applied a clustering technique to policy sets based on the -means algorithm.The proposed clustering technique categorizes policies and rules within a policy set and policy, respectively, in respect to target subjects.When a request is received, it is redirected to applicable policies and rules that correspond to its subjects, hence, avoiding unnecessary evaluations from occurring.Mourad and Jebbaoui [16] proposed (1) a mathematical intermediate representation of policies based on set theory that maintains the same XACML structure and accounts for all its elements and their subelements including rule conditions, obligations, policy request, and policy response and (2) a formal semantics that takes advantage of the mathematical operations to provide efficient evaluation of policy elements and constructs through deductive logic and inference rules.Jebbaoui et al. [17] resolve the complexity of policies by elaborating an intermediate set-based representation to which the elements of XACML are automatically converted.Moreover, it allows detecting flaws, conflicts, and redundancies between rules by offering new mechanisms to analyze the meaning of policy rules through semantics verification by inference rule structure and deductive logic.
Recently, people focus more and more on studying the methods for detecting and eliminating policy redundancies.And researches on the policy redundancies can be categorized into two groups.
(1) The first group detect and eliminate redundancies by optimizing the XACML or improving the policy itself.
Chen and Xu [18] analyzed the reason why policy redundancies exist first.Then they proposed formal methods based on the descriptive logic so that the machine can understand a policy's semantics and context.On the basis of this, policy expansion and reasoning were carried on, which made the XACML gain better reasoning ability and semantics expressing ability.The method based on the descriptive logic can detect policy redundancies and eliminate these redundancies according to policy/rule combining algorithms.But every attribute in a policy's target elements may cause redundancies and this problem was not fully considered in this paper.Lei et al. [19] indicated that although the XACML provides a convenient way to describe the security policy, this method still has its weakness.This paper analyzed the fact that using the XACML to express the inheritance relationship of rules will lead to policy redundancies and introduced atomic privilege to eliminate policy redundancies.Martin [20] indicated that if a rule is unreachable because of a group of constraints that this rule cannot meet, then it becomes a redundancy rule.A policy redundancy detection method based on Chang-Impact analysis was presented in this paper; however, no corresponding detection model was proposed and the support and application of this detection technique were absent.Besides the above researches, policy redundancies can be detected by classifying the subject based on the security level and role [21,22], and then all policy redundancies can be eliminated by revising policies.
(2) The second group put forward policy redundancy detecting methods by establishing research models and relevant mechanisms.Aiming at this problem, Hu et al. [23] indicated that the Internet provides users with more convenient services, and at the same time the information system suffers from security attacks caused by unauthorized operations in business service.Besides, the design and management of the Web access control policy are always prone to errors for lack of efficient analysis mechanisms and tools.
A policy analyzing method based on the Web access control was proposed in this paper.Also, a splitting technique based on the XACML policy was introduced to identify policy redundancies accurately and then policy redundancies could be eliminated.Dinu et al. [24] indicated that the XACML itself does not support policy redundancy analysis, though it has the great expression ability.The thought of state coverage was utilized to analyze the cause of policy redundancy, and a judging theorem that can be applied for redundancies within a policy or between policies under multiple policy/rule combining algorithms was put forward.The target element of a policy was considered when detecting redundancies in this paper while the condition factor's effect on policy redundancies was ignored, which lead to the imperfection of redundancy detection.Zhang et al. [25] focused on security policy integration and redundancy elimination among different medical institutions.They emphasized that eliminating policy redundancies before healthcare institutions collaborate with each other is vitally important and pointed out that the present research does not consider how to eliminate redundancies in the dynamically loaded policy set according to the type of redundancy in the healthcare collaborative procedure.On thepremise of taking both the constraint condition and metadata information, they also proposed a method based on the role-based access control policy model to eliminate redundancies in the XACML policy.Finally, they proposed a method of filtering and collecting the policies the user needs among different organizations and institutions.Guarnieri et al. [26] proposed three methods of eliminating redundancies in the access control policy and these methods reduced the authorization operation frequency in a policy step by step.They also indicated that problems relevant to redundancy belong to an NP-hard problem.Aiming at the Minimum Policy Problem and Minimum Irreducible Policy Problem in these problems, they proposed solutions for eliminating redundancies in the security policy.
Mainly on the basis of optimizing the XACML or improving the policy itself, the above researches pointed out the great flexibility of the XACML policy structure and the difficulty in detecting policy redundancies.Detection was only applied to part of a policy while how to detect and eliminate the redundancy related to policy/rule combining algorithms was not considered.And their research did not go in depth and rarely considered the complex situation.Then, although the above researches can detect redundancies in a policy and between policies, they traverse rules in a policy many times in the process of detecting policy redundancies, which unavoidably increases the detection time.The Resource Brick Wall proposed in our paper carries out the reasonable partition and hierarchical process on resources.These processes can effectively avoid unnecessary comparisons among resources in different levels.Thus, they can optimize comparisons among rules and reduce the frequency of traversing each rule in a policy set when detecting redundancies and then improve the efficiency of detecting policy redundancies and lay a foundation for an efficient evaluation of the PDP.

Related Definitions
Since redundancy exists in rules within a policy or between different policies, the formal description of the relative definition of rules will be given first and the rules needed in detecting redundancies are also presented.

Definition 1 (rule
There are three aspects needed to be made clear. (1) Each resource discussed in this paper has a unique resource path.Resources on different resource paths are identified as different resources.In other words, we think that two identical resources can only appear on an identical resource path and cannot appear on different resource paths.
(2) We just focus on the clock time when studying the condition attribute.
(3) The environment attribute will be ignored in the following analysis and discussion, because it does not cause the redundancy related to combining algorithms, which is studied in this paper.
Definition 2 (state satisfaction).If a subject attribute  1 in   can access the resource attribute  2 with action  3 in the condition of  4 and its effect is   (Deny or Permit), then one has the definition that   satisfies ( 1 ,  2 ,  3 ,  4 ,   ), as shown in Formula (2) as follows: Definition 3 (atomic attribute).If an attribute in a rule has no more than one element which may be absent, then one calls this attribute the atomic attribute.
Definition 4 (composite attribute).If an attribute in a rule has more than one element, then one calls it the composite attribute.
Since rules containing the atomic attribute are easier to store and process than those containing the composite attribute, so we need to apply attribute atomization to rules containing composite rules.
Rule 1 (rule attribute atomization).If there are composite attributes in a rule, one can divide a composite attribute into several atomic attributes and then composite it with other attributes' elements.Finally, one can get several rules which only contain atomic attribute.
By Rule 1, we can carry out attribute atomization on all rules in a policy and transfer them into rules containing only the atomic attribute.Thus, we lay the foundation for building and theoretical analysis of the redundancy related to combining algorithms detecting and eliminating engine.
Definition 5 (dependent relationship of resources).For resource attributes  1 and  2 , if  1 is in the upper level compared to  2 , then one says that resource attributes  1 and  2 satisfy the dependent relationship of resources. 2 's dependency on  1 is denoted as  1  →  2 .
Definition 6 (overlapping relationship of conditions).For condition attributes  1 and  2 , if  1 ∩  2 ̸ = ⌀, one says that condition attributes  1 and  2 satisfy the overlapping relationship of conditions.The intersection between  1 and  2 is denoted as  1 ⊙  2 .
Definition 7 (redundancy).For a rule in a policy, if its function cannot work, namely, this rule will not affect the result of evaluating access requests, then one calls this rule a redundancy rule: ( Definition 8 (common resource redundancy).For two rules  1 and  2 as shown in Formula (3), they belong to the same policy or two different policies.If  1 and  2 have the same subject attribute, resource attribute, action attribute, and environment attribute (the environment attribute will be ignored), and without loss of generality, their condition attributes have an overlapping relationship ( 1 ∩  2 ̸ = ⌀) and their effects are the same (i.e., to say these two rules'   should be Deny or Permit at the same time); then the common resource redundancy happens between  1 and  2 .These conditions could be expressed by Formula (4) as follows: Definition 9 (dependent resource redundancy).For two rules  1 and  2 as shown in Formula (3), they belong to the same policy or two different policies.If  1 and  2 have the same subject attribute, action attribute, and environment attribute (the environment attribute will be ignored), and without loss of generality, there exists the dependent relationship of resources between  1 and  2 ( 1  →  2 ), their condition attributes have an overlapping relationship ( 1 ∩ 2 ̸ = ⌀), and their effects are both Deny; then the dependent resource redundancy happens between  1 and  2 .These conditions could be expressed by Formula (5) as follows: ( Definition 10 (redundancy related to combining algorithms).For a redundancy identified as the redundancy related to combining algorithms, the prerequisite is that the detection is on the basis of the policy/rule combining algorithms.
This paper aims at statically detecting and eliminating the redundancy related to combining algorithms in the policies loaded on the PDP, so that the evaluation performance of the PDP can be improved.The research in this paper focuses on the redundancy related to combining algorithms and its detecting and eliminating algorithm is proposed to solve this kind of problem.

Redundancy Related to Combining Algorithms Detecting and Eliminating Engine XDPRE
Our proposed redundancy related to combining algorithms detecting and eliminating engine termed the XDPRE (XiDian Policy Redundancy Engine) is shown in Figure 1.The XDPRE is able to detect and eliminate the redundancy related to combining algorithms within a policy or between policies.The XDPRE receives all the policies  1 ,  2 , . . .,   in the policy set PolicySet as the input and its responsibilities are shown in the following three aspects.
(1) Detect and eliminate the redundancy related to combining algorithms within a policy.
(2) Detect and eliminate the redundancy related to combining algorithms between policies.
(3) The XDPRE itself has the function of the PDP.By loading policies whose redundancies related to combining algorithms have been eliminated, the XDPRE can evaluate access requests and return the authorization result to context processors and the PDP.
The output of the XDPRE is a new policy set termed   .And there is no redundancy related to combining algorithms in the policy   1 ,   2 , . . .,    of the policy set   .
We adopt the XDPRE to detect and eliminate the redundancy related to combining algorithms within a policy and between policies successively.

Resource Brick Wall
In order to detect and eliminate the redundancy related to combining algorithms contained in the policies loaded on the PDP, so as to achieve the purpose of efficient evaluation of the PDP, in this section, we construct the Resource Brick Wall (RBW) in the XDPRE, an engine for detecting and eliminating the redundancy related to combining algorithms, based on the resources existing in the target attribute of policies, as shown in Figure 2.
Definition 11 (Resource Brick Wall).For each resource in the rules, one builds a resource brick, and then according to the dependent relationship between resources, one can build a Resource Brick Wall of all the bricks representing resources from top to bottom, as shown in Figure 2(a).The axis Con represents the condition attribute in the rules corresponding to each resource and the height of a resource brick is equal to the size of time distinct of its condition attribute.The axis Lev represents the level corresponding to each resource.The axis Res represents resources; the length of a resource brick in the th ( ≥ 1) layer equals the sum of all the resources which have the dependency with it in the ( + 1)th layer.Each resource brick has correlation with a Subject-Condition-Effect List (SCEL).The SCEL stores all the subject attributes' information corresponding to the resources the resource brick represents, as well as the condition attribute information and effect information of these subjects, as shown in Figure 2(b).As for the resource brick , its SCEL is denoted as the  ⟦⟧ in which any subject attribute  is denoted as  ⟦⟧ .In Figure 2(a),  0 is the first layer resource, and  1 ,  2 (   2 ), and  3 (   3 ) are all the lower resources of  0 , that is, the second layer resource. 2 and   2 are the same resource attribute of two different rules, whose condition attributes have an overlapping relationship. 3 and   3 are also the same resource attribute of two different rules whose condition attributes do not have an overlapping relationship.
It is worth noting that if two resource bricks are the same, we should view them as one and merge their corresponding SCELs to ensure that each of the resource bricks in the RBW is the only one.The RBW can efficiently represent the dependent relationship of resources.
There is a hierarchical relationship between resource attributes.For example, the hierarchical relationship of the system resource directory is represented by the dependent relationship between resource attributes.According to the definition specification of the target attribute in the XACML (Version 3.0) OASIS [27], together with the definition of state satisfaction, we give the transmission rules of access authority, as shown in Rule 2.
Rule 2 (transmission rules of access authority).As for the two resource attributes  1 and  2 in the two rules  1 and  2 , when  1 and  2 satisfy  1  →  2 , consider the following: A If a subject  0 of the subject set   ⟦ 1 ⟧ of the resource attribute  1 denies accessing resource attribute  1 , then it also denies accessing its dependent resource  2 , as shown in Formula (6) as follows: B If a subject  0 of the subject set   ⟦ 1 ⟧ of the resource attribute  1 permits accessing resource attribute  1 , then we cannot deduce what operation of access authority it has to the dependent resource attribute  2 (  is Deny or Permit), as shown in Formula (7) as follows: The transmission rules of access authority can be summarized as the form of Figure 3.In Figure 3, between  1 and  2 exists the dependent relationship  1  →  2 .If a subject  0 denies accessing the upper layer resource attribute, we can deduce that it also denies accessing the lower layer resource attribute  2 .The solid line marked Y in the figure indicates that Deny access authority can be transmitted from the upper resource attribute to the lower resource attribute.If a subject  0 permits accessing the upper resource attribute, we cannot deduce what operation of access authority it has to the lower resource attribute  2 , and the dotted line marked N in the figure indicates that Permit access authority cannot be transmitted from the upper resource attribute to the lower resource attribute.For example, if the subject  denies the writing operation to the resource E:\File, then we can deduce that it denies the writing operation to the resource E:\File\ProductFile.However, if the subject  permits the writing operation to the E:\File, then we cannot deduce what operation of access authority it has to the resource E:\File\ProductFile.

Detection and Elimination of Redundancy Related to Combining Algorithms
The eventual evaluation result of a rule in a policy depends on the evaluation of the condition attribute.If the return value of the condition is Indeterminate, the rule will return Indeterminate.If the return value of the condition is False, the rule will return NotApplicable.If the return value of the condition is True, the rule will return Effect, which can be Permit or Deny.
For a redundancy identified as the redundancy related to combining algorithms, the prerequisite is that the detection is on the basis of the policy/rule combining algorithms.The definition and application of the policy/rule combining algorithms are related to the return value of evaluation result, which is Indeterminate, NotApplicable, Permit, or Deny.Because the return value Indeterminate occurs when faults appear in evaluation and NotApplicable occurs when the matched rule is not found, the two return values are meaningless for discussing and analyzing whether there exists redundancy in rules.Therefore, in this section we only discuss and analyze redundancy when the return value is Permit or Deny and ignore Indeterminate or NotApplicable.This section proposes three theorems for detecting redundancies related to combining algorithms according to the "Deny-Overrides", "Permit-Overrides", and "First-Applicable" policy/rule combining algorithms supported by the XACML standards and gives the methods for eliminating redundancies related to combining algorithms.

Redundancy Related to the Deny-Overrides Combining
Algorithm.The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain "Deny-Overrides"; that is, if the effect of either of the policies (or rules) is Deny, the final authorized result is Deny.Next, we give the theorem for detecting the redundancy related to "Deny-Overrides" combing algorithm with the "Deny-Overrides" policy/rule combining algorithm: Theorem 12.In the condition of the "Deny-Overrides" policy/rule combining algorithm, for any two rules  1 and  2 in a policy or between policies, as represented by Formula (8), if  1 and  2 have the same subject attribute "" and action attribute "", and there is an overlapping relationship between the condition attributes of  1 and  2 ( 1 ∩  2 ̸ = ⌀), and if, without losing the generality, between the resource attributes of  1 and  2 exists the equation relationship ( 1 =  2 ) or dependent relationship ( 1  →  2 ) and the effect of  1 is "Deny", that is, Formula ( 9) is satisfied, then  2 is the redundancy rule: Proof.State satisfaction of rules  1 and  2 is as shown in Formula (10) as follows: According to the relationship of resource attributes of rules  1 and  2 and the different effect values of  2 , we give the proof in the following four situations: A When  1 =  2 and  2 = , then  1 =  2 .We have the formal derivation process as shown in Formula (11) as follows: According to the known condition and Definition 8, we deduct that rules  1 and  2 have the common resource redundancy in the overlapping condition  1 ⊙ 2 .What is more, since we use the "Deny-Overrides" policy/rule combining algorithm,  2 is the redundancy rule.
B When  1 =  2 and  2 = , then  1 ̸ =  2 .Because conditions  1 and  2 have an overlapping relationship ( 1 ∩  2 ̸ = ⌀), according to the definition of "Deny-Overrides" policy/rule combining algorithm, under the condition that there appear no faults, we finally should use the effect  1 =  of  1 as the authorization result.However, the rule  2 does not have any effect on the process of evaluation, so the function of the rule cannot be realized.Therefore, according to Definition 7, we conclude that  2 is the redundancy rule.
C When  1  →  2 and  2 = , then  1 =  2 .We have the formal derivation process as shown in Formula (12) as follows: According to the assumptions and Definition 9, we deduct that rules  1 and  2 have the dependent resource redundancy in the overlapping condition  1 ⊙  2 .What is more, since we use the "Deny-Overrides" policy/rule combining algorithm,  2 is the redundancy rule.
According to Rule 2 (the transmission rules of access authority), we can get Formula (13) as follows: From Formula (13), we can conclude that  1 satisfies the fact that the subject  ⟦ 1 ⟧ of  1 denies accessing to the resource  1 in the condition  1 , and from assumptions and Formula (10) we can conclude that  2 satisfies the fact that the same subject  ⟦ 2 ⟧ of  2 permits accessing to  2 which is the same as  1 in the condition  2 .Because conditions  1 and  2 have an overlapping relationship ( 1 ∩  2 ̸ = ⌀), according to the conclusion of proof B, we can conclude that  2 is the redundancy rule.
According to Theorem 12, we can obtain the form derivation of detecting the redundancy related to the "Deny-Overrides" combining algorithm, as shown in Formula ( 14), where that  1 satisfying the rule  1 and  2 satisfying the rule  2 have the redundancy related to the "Deny-Overrides" combining algorithm in the overlapping condition  1 ⊙  2 ; (ii)   ( 1 ,  2 ,  1 ⊙  2 ) indicates that the rule  1 corresponding to the  1 and the rule  2 corresponding to the  2 have the redundancy related to the "Deny-Overrides" combining algorithm in the overlapping condition  1 ⊙  2 : When detecting the redundancy related to the "Deny-Overrides" combining algorithm between the two rules  1 and  2 (as shown in Formula ( 8)) in a policy or between policies, the method for eliminating the redundancy is to reserve the rule  1 firstly.If  1 ⊙  2 =  2 , we will delete the rule  2 directly.If  1 ⊙  2 ̸ =  2 , we will update the condition attribute of the rule  2 to   2 =  2 −  1 ⊙  2 , that is, update the rule  2 to a new rule as shown in Formula (15) as follows:

Redundancy Related to the Permit-Overrides Combining
Algorithm.The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain "Permit-Overrides"; that is, if the return effect of either of the policies (or rules) is Permit, the final authorized result is Permit.Next, we give the theorem for detecting the redundancy related to "Permit-Overrides" combing algorithm with the "Permit-Overrides" policy/rule combining algorithm: Theorem 13.In the condition of the "Permit-Overrides" policy/rule combining algorithm, for any two rules  1 and  2 in a policy or between policies, as shown in Formula ( 16), if  1 and  2 have the same subject attribute "", resource attribute "", and action attributes "", and there is an overlapping relationship between the condition attributes of  1 and  2 ( 1 ∩  2 ̸ = ⌀), without losing the generality, one supposes that the effect of  1 is Permit; that is, Formula ( 17) is satisfied, and then  2 is the redundancy rule: Proof.State satisfaction of rules  1 and  2 is as shown in Formula (18) as follows: In Formula (18),  1 =  2 .According to the different effect values of  2 , we give the proof in the following two situations: A When  2 = , then  1 ̸ =  2 .Because conditions  1 and  2 have an overlapping relationship ( 1 ∩  2 ̸ = ⌀), according to the definition of "Permit-Overrides" policy/rule combining algorithm, under the condition that there appear no faults, we should finally use the effect  1 =  of  1 as the authorization result.
However, the rule  2 does not have any effect on the process of evaluation, so the function of the rule cannot be realized.Therefore, according to Definition 7, we conclude that  2 is the redundancy rule in the "Permit-Overrides" policy/rule combining algorithm.
B When  2 = , then  1 =  2 .We have the form deduction process as shown in Formula (19) as follows: According to the known condition and Definition 8, we deduct that rules  1 and  2 have the common resource redundancy in the overlapping condition  1 ⊙ 2 .What is more, since we use the "Permit-Overrides" policy/rule combining algorithm,  2 is the redundancy rule.
According to Theorem 13, we can conclude that the form derivation of detecting the redundancy related to the "Permit-Overrides" combining algorithm is as shown in Formula (20), where that  1 satisfying the rule  1 and  2 satisfying the rule  2 have the redundancy related to the "Permit-Overrides" combining algorithm in the overlapping condition  1 ⊙  2 ; (ii)   ( 1 ,  2 ,  1 ⊙  2 ) indicates that the rule  1 corresponding to the  1 and the rule  2 corresponding to the  2 have the redundancy related to the "Permit-Overrides" combining algorithm in the overlapping condition  1 ⊙  2 : When detecting the redundancy related to the "Permit-Overrides" combining algorithm between the two rules  1 and  2 (as shown in Formula ( 16)) in a policy or between policies, the method for eliminating the redundancy is to reserve the rule  1 firstly.If  1 ⊙  2 =  2 , we will delete the rule  2 directly.If  1 ⊙  2 ̸ =  2 , we will update the condition attribute of the rule  2 to   2 =  2 −  1 ⊙  2 , that is, update the rule  2 to a new rule as shown in Formula ( 21) as follows:

Redundancy Related to the First-Applicable Combining
Algorithm.The policy combining algorithms and rule combining algorithms supported by the XACML standards all contain "First-Applicable"; that is, the final authorized result of policy (or rule) is the judgment result of the first matched policy (or rule).Next, we give the theorem for detecting the redundancy related to "First-Applicable" combing algorithm with the "First-Applicable" policy/rule combining algorithm: Theorem 14.In the condition of the "First-Applicable" policy/rule combining algorithm, for any two rules  1 and  2 in a policy or between policies, as shown in Formula ( 22), if  1 and  2 have the same subject attribute "", resource attribute "", and action attribute "", and there is an overlapping relationship between the condition attributes of  1 and  2 ( 1 ⊙  2 ̸ = ⌀), that is, Formula ( 23) is satisfied, without losing the generality, one supposes that  1 is the first applicable rule, and then  2 is the redundancy rule: Proof.State satisfaction of rules  1 and  2 is as shown in Formula (24) as follows: In Formula ( 24),  1 =  2 .According to the different effect values of  2 , we give the proof in the following three situations: A When  1 =  and  2 = , then  1 =  2 .We have the formal deduction process as shown in Formula (25) as follows: According to the known condition and Definition 8, we deduct that rules  1 and  2 have the common resource redundancy in the overlapping condition  1 ⊙ 2 .What is more, since we use the "First-Applicable" policy/rule combining algorithm and  1 is the first applicable rule,  2 is the redundancy rule.
B When  1 =  and  2 = , then  1 =  2 .We have the formal derivation process as shown in Formula ( 26) as follows: According to the known condition and Definition 8, we deduct that rules  1 and  2 have the common resource redundancy in the overlapping condition  1 ⊙  2 .What is more, since we use the "First-Applicable" policy/rule combining algorithm and  1 is the first applicable rule,  2 is the redundancy rule.
C  1 ̸ =  2 (i.e.,  1 =  and  2 = , or  1 =  and  2 = ) and  1 is the first applicable rule.Because conditions  1 and  2 have an overlapping relationship ( 1 ⊙  2 ̸ = ⌀), according to the definition of "First-Applicable" policy/rule combining algorithm, under the condition that there appear no faults, we finally should use the effect  1 of  1 as the authorization result.However, the rule  2 does not have any effect on the process of evaluation; the function of the rule cannot be realized.Therefore, according to Definition 7, we conclude that  2 is the redundancy rule in the "First-Applicable" policy/rule combining algorithm.
According to Theorem 14, we can conclude the form derivation of detecting the redundancy related to the "First-Applicable" combining algorithm, as shown in Formula (27), where (i)  1 is the first applicable rule; that  1 satisfying the rule  1 and  2 satisfying the rule  2 have the redundancy related to the "First-Applicable" combining algorithm in the overlapping condition  1 ⊙  2 ; (iii)   ( 1 ,  2 ,  1 ⊙  2 ) indicates that the rule  1 corresponding to the  1 and the rule  2 corresponding to the  2 have the redundancy related to the "First-Applicable" combining algorithm in the overlapping condition  1 ⊙  2 : When detecting the redundancy related to the "First-Applicable" combining algorithm by Theorem 14 between the two rules  1 and  2 (as Formula (22) shows) in a policy or between policies, without losing the generality, we suppose that  1 is the first applicable rule; the method for eliminating the redundancy is to reserve the rule  1 firstly.If  1 ⊙ 2 =  2 , we will delete the rule  2 directly.If  1 ⊙  2 ̸ =  2 , we will update the condition attribute of the rule  2 to   2 =  2 −  1 ⊙  2 , that is, update the rule  2 to a new rule as shown in Formula (28) as follows:

Detection and Elimination Algorithms for Redundancy Related to Combining Algorithms
By the relevant definitions introduced in the paper and RBW, as well as detection and elimination methods for the redundancy related to combining algorithms, in this section we present the detection and elimination algorithms for the redundancy related to combining algorithms, as shown in Algorithm 1.
In Algorithm 1, rows (1)∼(3) complete the detection and elimination of the redundancy related to combining algorithms in a policy, and row (4) completes the detection and elimination of the redundancy related to combining algorithms between policies.Algorithm 1 calls four subalgorithms in turn to finish the work.Here, row (1) is the initialization algorithm for the RBW, responsible for initializing the RBW.Row (2) is the algorithm for adding rules to the RBW, responsible for adding every rule to the RBW.Row (3) is the detection and elimination backtracking algorithm, used for detecting and eliminating redundancy related to combining algorithms by backtracking methods in the constructed RBW.
Next, we will introduce algorithms used in each step of Algorithm 1.We will give the time complexity of Algorithm 1 after discussing the four subalgorithms.

Initialization Algorithm for the Resource Brick Wall.
Before detecting and eliminating redundancy related to combining algorithms, we first need to iterate through each rule of each policy of all the policy sets and then get the resource directory structure of each rule.Finally, we initialize the RBW by the resource directory structure.The initialization algorithm for the Resource Brick Wall is as shown in Algorithm 2.
The functions contained in Algorithm 2 are as follows: A GetResPath( ): the parameter of the function is the rule , whose function is to parse the resource attribute information in the rule , eventually return the resource path related to the rule , and give the return value to ResPath variables.
B AddResPathToResDirectory( ): the parameter of the function is the resource path ResPath and resource directory ResDirectory, whose function is to store the resource path ResPath in the proper place of the resource directory ResDirectory.
C CovertResDirectoryToResBrickWall( ): the parameter of the function is the resource directory ResDirectory, whose function is to construct the corresponding RBW through the analysis of the resource directory ResDirectory and return the constructed RBW to the ResBrickWall variable.
Supposing that the policy set  has  policies with each policy   having  rules, then the time complexity of Algorithm 2 is ( * ).

Detection Algorithm for Redundancy Related to Combining
Algorithms.The detection algorithm for the redundancy related to combining algorithms is as shown in Algorithm 3. Algorithm 3 contains three situations as follows: (1) In the condition of the "Deny-Overrides" policy/rule combining algorithm, for any two rules  1 and  2 in a policy or between policies, if  1 and  2 have the same subject attribute and action attribute, there is an overlapping relationship between the condition attributes of  1 and  2 ,  1 and  2 have the same resource attribute, the effect of either of the two rules is Deny, or the resource attributes of  1 and  2 have a dependent relationship and the effect of  1 is Deny, then  1 and  2 have the redundancy related to the "Deny-Overrides" combining algorithm.
(2) In the condition of the "Permit-Overrides" policy/rule combining algorithm, for any two rules  1 and  2 in a policy or between policies, if  1 and  2 have the same subject attribute and action attribute, there is an overlapping relationship between the condition attributes of  1 and  The time complexity under the worst condition of Algorithm 5 is ().

Algorithm for Backtracking Detection and Elimination of
Redundancies.The algorithm for backtracking detection and elimination of redundancies is as shown in Algorithm 6.In Algorithm 6, rows (1)∼( 2) accomplish backtracking resource bricks from the lower layer to the upper layer through the postorder traversal.By calling the detection algorithm for the redundancy related to combining algorithms, rows (3)∼( 6) accomplish the detection and elimination of the redundancy related to combining algorithms between rule  1 of the upper layer resource bricks and rule  2 of the lower layer resource bricks.The time complexity under the worst condition of Algorithm 6 is ( 2 ).

Detection and Elimination Algorithm for Redundancy
Related to Combining Algorithms between Policies.The detection and elimination algorithm for the redundancy related to combining algorithms between policies is as shown in Algorithm 7. Firstly, we add each rule in  2 to the resource brick structure of  1 , that is, combine the two input RBWs to one RBW.Then we detect and eliminate the redundancy related to combining algorithms in the combined RBW.Finally, by the algorithm for backtracking detection and elimination of redundancies, we detect and eliminate the redundancy related to combining algorithms.In Algorithm 7, the time complexity of rows (1)∼( 2) is (), the time complexity of rows (3)∼(5) under the worst condition is (), and the time complexity of row (6) under the worst condition is ( 2 ).Thus, the time complexity of Algorithm 7 under the worst condition is ( *  +  2 ), that is, ( 2 ).
The problem of detecting and eliminating the redundancy related to combining algorithms between several policies and between policy sets all can be turned into the problem of detecting and eliminating the redundancy related to combining algorithms between two policies, and in this paper we do not go into details about it.

Experimental Results and Analysis
In order to assess the evaluation performance improvement of the PDP after detecting and eliminating the redundancy related to combining algorithms, the test policies are introduced first.We do the following experiments: (1) A comparison of the evaluation performance of the XDPRE before and after eliminating the redundancy related to combining algorithms is made.
(2) A comparison in evaluation performance between Sun PDP and the XDPRE after eliminating the redundancy related to combining algorithms is made.

Test Policies.
In order to simulate practical application scenarios, we select the following three XACML access control policies from practical systems [28][29][30]: (i) Library Management System (LMS).The LMS provides access control policies by which a public library can use the web to manage books.
(ii) Virtual Meeting System (VMS).The VMS provides access control policies by which the web conference services can be managed.
(iii) Auction Sale Management System (ASMS).The ASMS provides access control policies by which items can be bought or sold online.
The policy of the LMS contains 720 rules, that of the VMS 945 rules, and that of the ASMS 1760 rules.In the light of actual requirement, the policies of the LMS, VMS, and ASMS need to be expanded to contain more rules.What we do is that according to the Cartesian product of different subjects, actions, resources, and conditions in all rules of a policy, we construct new rules and add them to the original policy.The number of rules in the policies of the LMS, VMS, and ASMS is expanded separately to 3000, 6000, and 9000.
At present, Sun PDP is a widely used policy decision point [31] and can process redundancies in a policy selectively according to the internal rule matching mechanism [32].Sun PDP is adopted to evaluate requests as a decision engine in our following redundancy related to combining algorithms detecting and eliminating experiments.We choose Sun PDP in our experiments for two main reasons.First, Sun PDP is the first and the most widely deployed implementation of XACML evaluation engines.It has become the industrial standard.Second, Sun PDP is open source.To eliminate the performance factor of implementation languages, we implemented XDPRE in Java because Sun PDP is written in Java.The results of Sun PDP are compared with those of the XDPRE to verify that the XDPRE can effectively improve the evaluation performance of the policy decision point.

Generation of Test
Requests.Dan et al. [33] put forward that policies are analyzed by Change-Impact in order to automatically generate access requests that conform to Change-Impact.The purpose is to improve the coverage of the test.The main idea is that conflicting policies or rules can be obtained by conflict detection tools according to the fact that different policies or different rules in the same policy could make inconsistent results of evaluation for the same request, and that correlative access requests can be constructed for testing according to the conflicting policies or rules.
She et al. [34] proposed that access requests can be automatically generated to test the correctness of the PDP as well as the configured policies.They pointed out that the Context Shema which is defined by the XML Schema of the XACML describes all the structures of the access requests that might be accepted by the PDP, or all the valid input requests.This paper indicates that their developed X-CREATE can generate possible structures of access requests according to the Context Shema of the XACML.The policy analyzer obtains possible input values of every attribute from a policy.The policy manager adopts the method for random allocation to distribute the obtained input values into structures of access requests.Another test scheme is Simple Combinatorial, which can generate access requests according to all the possible combinations of attribute values of subject, action, and resource in the XACML policies.This paper also analyzes the advantages of these two schemes in debugging.
According to the actual requirement of the performance test, the method for combining Change-Imapct, Context Shema, and Simple Combinatorial is adopted to simulate the practical access requests.

Performance Tests and Comparisons.
The XDPRE itself can be viewed as a policy decision point, so the evaluation performance improvement of the XDPRE can verify the evaluation performance improvement of the PDP.

Comparison of Evaluation Performance of the XDPRE before and after
Eliminating the Redundancy Related to Combining Algorithms.In order to assess the evaluation performance improvement of the XDPRE after eliminating the redundancy related to combining algorithms in policies, a comparison of evaluation time of the XDPRE before and after eliminating the redundancy related to combining algorithms is made.We generate 500, 1000, . . ., 6000 access requests randomly to measure the evaluation time of the PDP.For the policies of the LMS, VMS, and ASMS, the variation of evaluation time of the XDPRE with the number of access requests is shown in Figure 4.
In Figure 4, we observe the following: (i) The evaluation time of the XDPRE increases when the number of access requests grows whether the redundancy related to combining algorithms in a policy is eliminated or not.(ii) The growth rate of the evaluation time of the XDPRE after eliminating the redundancy related to combining algorithms in a policy is less than that of the XDPRE without the redundancy related to combining algorithms elimination.(iii) For the policies of the LMS, VMS, and ASMS, when the number of access requests reaches 6000, the  evaluation time of the XDPRE after eliminating the redundancy related to combining algorithms in a policy is shortened by 9.09%, 11.78%, and 14.39%, respectively.Thus, the XDPRE can effectively enhance the PDP's evaluation performance by eliminating the redundancy related to combining algorithms in a policy.

Comparison in Evaluation Performance between Sun
PDP and the XDPRE after Eliminating the Redundancy Related to Combining Algorithms.In order to further assess the evaluation performance improvement of the XDPRE, we compare the evaluation performance of Sun PDP with that of the XDPRE after eliminatingthe redundancy related to combining algorithms.We generate 500, 1000, . . ., 6000 access requests randomly to measure the evaluation time of PDPs.
For the policies of the LMS, VMS, and ASMS, the variations with the number of access requests of the evaluation time of Sun PDP and the XDPRE after eliminating the redundancy related to combining algorithms are shown in Figure 5.
In Figure 5, we observe the following: (i) The evaluation time of Sun PDP and the XDPRE after eliminating the redundancy related to combining algorithms increases when the number of access requests grows.(ii) The growth rate of the evaluation time of the XDPRE after eliminating the redundancy related to combining algorithms is less than that of Sun PDP.(iii) For the policies of the LMS, VMS, and ASMS, when the number of access requests reaches 6000, the evaluation performance of the XDPRE after eliminating the redundancy related to combining algorithms has been improved by 10.01%, 10.95%, and 12.04%, respectively, compared to that of Sun PDP.Therefore, the evaluation performance of the XDPRE after eliminating the redundancy related to combining algorithms has been improved by 11% on average as compared with that of Sun PDP.So the XDPRE can effectively improve the evaluation performance of PDPs.

Conclusions
The redundancy related to combining algorithms detecting and eliminating engine termed the XDPRE is presented in this paper, which not only can detect and eliminate the redundancy related to combining algorithms within a policy, but also has the same ability as the PDP.This engine can evaluate access requests by loading the policies in which the redundancy related to combining algorithms has been eliminated and return the authorization result to the context processors and the PEP.A Resource Brick Wall is constructed by the XDPRE on the basis of the resource attribute of a policy's target attributes.By the Resource Brick Wall and the policy/rule combining algorithms, three theorems for detecting redundancies related to combining algorithms are presented.The Resource Brick Wall can effectively avoid unnecessary comparisons of resources at different levels, so it could optimize the comparison of rules and reduce traversing frequency of each rule in the policy set when detecting redundancies.As a result, it greatly improves the efficiency of detecting and eliminating redundancies and the evaluation performance of the PDP.Finally, a detection and elimination algorithm for the redundancy related to combining algorithms is proposed.There still remain some shortcomings in this paper.We simplified the discussion of the condition attribute in the process of detecting and eliminating the redundancy related to combining algorithms.And we focused on condition constraints of the clock time, but factors in practical life such as year and region were not considered.This part of work needs to be further solved and improved in our future research.

Figure 1 :Figure 2 :
Figure 1: Redundancy related to combining algorithms detecting and eliminating engine XDPRE.

Figure 3 :
Figure 3: Transmission relationship of access authority.

Figure 4 :
Figure 4: Variation of evaluation time with access requests before and after eliminating redundancy related to combining algorithms.

Figure 5 :
Figure 5: Comparison in evaluation performance between Sun PDP and XDPRE after eliminating redundancy related to combining algorithms.