View thesis information

Chinese title: SOA环境下策略决策点高效评估方法的研究 (Study of High-Efficiency PDP Evaluation Methods in SOA Environments)

Name: 邓凡 (Deng Fan)

Student number: 09221110114

Confidentiality level: Public

Thesis language: chi

Discipline code: 081203

Discipline name: Computer Application Technology

University: 西安电子科技大学 (Xidian University)

School: School of Computer Science

Major: Computer Science and Technology

First supervisor: 陈平 (Chen Ping)

First supervisor's institution: 西安电子科技大学 (Xidian University)

Completion date: 2015-03-15

Defense date: 2015-03-15

English title: Study of High Efficiency of PDP Evaluation Performance in SOA

Chinese keywords: policy conflict; policy redundancy; policy decomposition; policy decision point; evaluation performance

Chinese abstract:
In a service-oriented architecture environment, access control is a very important research object in the fields of network security and information security, and in studying authorization and access control, policies are increasingly used to describe the security requirements of networks and information systems. When the policy decision point in the authorization center evaluates access requests, its evaluation performance is affected by several factors. On the one hand, because conflicts and redundancies may exist in policies, the policy decision point of the authorization center may make inappropriate authorization decisions after loading a policy, affecting the operating efficiency of the network and information system. On the other hand, the traditional centralized authorization model contains only a single policy decision point, and when the number of rules in the policy loaded by that policy decision point grows, its evaluation performance drops sharply. Improving the evaluation performance of the policy decision point is therefore of significant research value. This thesis analyzes the classification of policy conflicts and redundancies, constructs detection and elimination engines for policy conflicts and redundancies, and completes the detection and elimination of "form conflicts", "form redundancies" and "redundancies related to combining algorithms" in policies; it further proposes a distributed policy evaluation engine that uses a "policy decomposition" method to decompose a policy so as to reduce the number of rules in each individual policy and to balance the cost of the sub-policies deployed to each policy decision point. All of the above work achieves the goal of efficient evaluation of access requests by the policy decision point. The main research work and innovations of the thesis include:

(1) To address the problem that policy conflicts affect the evaluation performance of the policy decision point, a "resource index tree" is constructed to detect and eliminate policy conflicts. This thesis proposes a detection and elimination engine for "form conflicts"; the engine can both detect and eliminate the "form conflicts" in a policy and act as a policy decision point, evaluating access requests after loading the policy from which "form conflicts" have been eliminated. In the "form conflict" detection and elimination engine, a "resource index tree" is built by converting the rules of a policy described in the XACML markup language into node information in the "resource index tree". Using the "resource index tree", and according to the resource subordination relations, condition overlap relations and effect similarities and differences among the rules in the policy, "same-resource conflicts" are detected and eliminated between resource nodes at the same level, and "subordinate-resource conflicts" are detected and eliminated between resource nodes at different levels. Experiments compare the evaluation performance of the "form conflict" detection and elimination engine with that of Sun PDP. The experimental results show that eliminating policy conflicts significantly improves the evaluation performance of the policy decision point.

(2) To address the problem that policy redundancies affect the evaluation performance of the policy decision point, a "resource brick wall" is constructed to detect and eliminate policy redundancies. This thesis proposes a policy redundancy detection and elimination engine; the engine can not only detect and eliminate the "form redundancies" and "redundancies related to combining algorithms" in a policy but also act as a policy decision point, evaluating access requests after loading the policy from which the "form redundancies" and "redundancies related to combining algorithms" have been eliminated. The policy redundancy detection and elimination engine constructs the "resource brick wall" from the resource attributes in the target attributes of the policy. This thesis fully considers the policy redundancy problems caused by resource attributes, condition attributes, effects and other factors, and, combining the "resource brick wall" with the policy/rule combining algorithms, proposes detection and elimination methods for "form redundancies" and "redundancies related to combining algorithms". Experiments compare the evaluation performance of the policy redundancy detection and elimination engine with that of Sun PDP. The experimental results show that eliminating the redundancies in a policy greatly improves the evaluation performance of the policy decision point.

(3) To address the low evaluation performance of the policy decision point in the traditional centralized authorization model, a "policy decomposition" method is used to construct a distributed policy evaluation engine. This thesis proposes a distributed policy evaluation engine with the functions of decomposing policies and distributing requests. By increasing the number of policy decision points, it remedies the shortcoming of the traditional centralized authorization model, which contains only a single policy decision point, and it decomposes the policy into multiple sub-policies so that each sub-policy contains fewer rules and the cost of the sub-policies deployed to each policy decision point is balanced. On the basis of an analysis of the criteria for policy decomposition, the discrete optimization model of policy decomposition and its particular properties are discussed, and a greedy algorithm with good time complexity is constructed to solve this discrete optimization model. In the experiments, test policies from real applications are decomposed into multiple sub-policies using the greedy algorithm; the policy decomposition method makes the cost of the sub-policies deployed to each policy decision point equal or approximately equal. Experiments compare the evaluation performance of the distributed policy evaluation engine with that of Sun PDP. The experimental results show that 1) the policy decomposition method effectively improves the evaluation performance of the policy decision point, and 2) the evaluation time of the policy decision points decreases as the number of policy decision points increases.

For efficient evaluation by policy decision points in a service-oriented architecture environment, the thesis proposes three methods: policy conflict detection and elimination, policy redundancy detection and elimination, and policy decomposition. In a comprehensive experiment on three different typical test policies, policies with conflicts and redundancies eliminated are loaded into the multiple policy decision points of the distributed policy evaluation engine that uses the policy decomposition method, and its evaluation performance is compared with that of Sun PDP. The comprehensive experimental results show that the distributed policy evaluation engine loaded with policies whose conflicts and redundancies have been eliminated improves evaluation performance by about 50% on average over the distributed policy evaluation engine loaded with policies whose conflicts and redundancies have not been eliminated, and by about 70% on average over Sun PDP.
English abstract:
In the Service-Oriented Architecture (SOA) environment, access control is an extremely important research object in the fields of network security and information security. Using policies to describe the security requirements of information systems has become a major approach to studying authorization and access control. When the Policy Decision Point (PDP) in the authorization center evaluates an access request, its evaluation performance is affected by many factors. On one hand, the PDP may make an inappropriate authorization decision, or the operating efficiency of the network and information system may suffer, because there might be conflicts and redundancies in the policies loaded on the PDP. On the other hand, the traditional centralized authorization model has only one PDP, and the evaluation performance of the PDP decreases markedly when the number of rules in a policy increases considerably. Therefore, improving the evaluation performance of the PDP is of great importance. Based on an analysis of the categories of conflict and redundancy, engines for detecting and eliminating conflicts and redundancies in a policy are constructed. Form conflicts, form redundancies and redundancies related to combining algorithms are detected and eliminated. Moreover, a distributed policy evaluation engine is presented. A policy is decomposed into multiple sub-policies, each with fewer rules, by a decomposition method that also balances the cost of the sub-policies deployed to each PDP. The work above achieves the goal that the PDP can evaluate access requests with high efficiency.

The major research work and innovations are as follows:

(1) The Resource Index Tree is constructed to detect and eliminate conflicts, solving the problem that policy conflicts affect the evaluation performance of the PDP. The form conflict detecting and eliminating engine is presented, which not only detects and eliminates form conflicts but also has the same ability as a PDP: it can load the policies from which form conflicts have been eliminated and evaluate access requests. In this engine, the Resource Index Tree is constructed by converting the rules of a policy defined in XACML into node information in the tree. On the basis of the dependency relationships of resources, the overlapping relationships of conditions and the effect information, both common resource conflicts between resource nodes at the same level and dependent resource conflicts between resource nodes at different levels can be detected and eliminated by the Resource Index Tree model. Experiments compare the evaluation performance of the form conflict detecting and eliminating engine with that of Sun PDP. The experimental results show that eliminating conflicts greatly improves the evaluation performance of the PDP.

(2) The Resource Brick Wall is constructed to detect and eliminate redundancies, solving the problem that policy redundancies affect the evaluation performance of the PDP. The policy redundancy detecting and eliminating engine is proposed, which not only detects and eliminates form redundancies and redundancies related to combining algorithms but also has the same ability as a PDP: it can load the policies from which form redundancies and redundancies related to combining algorithms have been eliminated and evaluate access requests. In the policy redundancy detecting and eliminating engine, the Resource Brick Wall is constructed according to the resource attributes in a policy. The policy redundancy problems caused by factors such as resource attributes, condition attributes and effect information are fully considered. Combining the Resource Brick Wall with the policy/rule combining algorithms, methods for detecting and eliminating form redundancies and redundancies related to combining algorithms are discussed. The evaluation performance of the policy redundancy detecting and eliminating engine is compared with that of Sun PDP. The experimental results show that eliminating redundancies prominently improves the evaluation performance of the PDP.

(3) A distributed policy evaluation engine using policy decomposition is constructed, solving the problem that the evaluation performance of the PDP is low in the conventional centralized authorization model. The distributed policy evaluation engine has the abilities of decomposing policies and distributing requests. In this engine, the single PDP of the centralized authorization model is replaced by an increased number of PDPs. A policy is decomposed into multiple sub-policies, each with fewer rules, by a decomposition method that also balances the cost of the sub-policies deployed to each PDP. Based on an analysis of the criteria of policy decomposition, a discrete optimization model of policy decomposition is presented and its properties are analyzed. A greedy algorithm with favorable time complexity is constructed to solve the optimization model. In the experiments, test policies from real applications are decomposed into multiple sub-policies by the greedy algorithm. Policy decomposition guarantees that the cost of the sub-policies deployed to each PDP is equal or approximately equal. The evaluation performance of the distributed policy evaluation engine is compared with that of Sun PDP. The experimental results show that 1) the policy decomposition method effectively improves the evaluation performance of the PDPs, and 2) the evaluation time of the PDPs decreases as the number of PDPs grows.

The methods of policy conflict detection and elimination, policy redundancy detection and elimination, and policy decomposition are presented for improving the evaluation performance of PDPs. Based on three different typical test policies, comprehensive experiments are made in which policies with conflicts and redundancies eliminated are loaded on multiple PDPs of the distributed policy evaluation engine using policy decomposition. The comprehensive experimental results show that the evaluation performance of the distributed policy evaluation engine loaded with policies whose conflicts and redundancies have been eliminated is on average approximately 50% higher than that of the distributed policy evaluation engine loaded with policies whose conflicts and redundancies have not been eliminated, and approximately 70% higher than that of Sun PDP.
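As an added illustration (not code from the thesis), the following Python models the two mechanisms the abstracts describe on a constructed XACML-like policy: pairwise form-conflict detection between rules at the same resource node and across subordinate nodes, and greedy decomposition of the rules into cost-balanced sub-policies for several PDPs. The Rule model, the role-set condition, the cost field and the LPT-style greedy heuristic are assumptions; the thesis's own resource index tree and greedy algorithm are not reproduced.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    """Constructed stand-in for an XACML rule: resource target, condition, effect, cost."""
    rid: str
    resource: str       # hierarchical resource path, e.g. "/hr/payroll"
    roles: frozenset    # condition: subject roles the rule applies to
    effect: str         # "Permit" or "Deny"
    cost: int           # assumed evaluation cost of the rule (e.g. attribute matches)

def is_subordinate(child, parent):
    """True when `child` lies strictly below `parent` in the resource hierarchy."""
    return child != parent and child.startswith(parent.rstrip("/") + "/")

def detect_conflicts(rules):
    """Pairs of rules whose conditions overlap but whose effects differ.
    'same-resource' when both target one node (same level of the index tree),
    'subordinate' when one targets an ancestor of the other (different levels)."""
    found = []
    for a, b in combinations(rules, 2):
        if a.effect == b.effect or not (a.roles & b.roles):
            continue                      # no effect difference or no condition overlap
        if a.resource == b.resource:
            found.append((a.rid, b.rid, "same-resource"))
        elif is_subordinate(a.resource, b.resource) or is_subordinate(b.resource, a.resource):
            found.append((a.rid, b.rid, "subordinate"))
    return found

def decompose(rules, n_pdp):
    """Greedy decomposition into n_pdp sub-policies: place rules in decreasing
    cost order onto the currently lightest PDP (assumed LPT-style heuristic)."""
    buckets = [[] for _ in range(n_pdp)]
    loads = [0] * n_pdp
    for r in sorted(rules, key=lambda r: r.cost, reverse=True):
        i = loads.index(min(loads))       # lightest PDP so far
        buckets[i].append(r.rid)
        loads[i] += r.cost
    return buckets, loads

# Constructed sample policy (not from the thesis).
RULES = [
    Rule("r1", "/hr", frozenset({"manager", "clerk"}), "Permit", 5),
    Rule("r2", "/hr/payroll", frozenset({"clerk"}), "Deny", 3),
    Rule("r3", "/hr/payroll", frozenset({"clerk", "auditor"}), "Permit", 4),
    Rule("r4", "/finance", frozenset({"auditor"}), "Permit", 2),
    Rule("r5", "/finance/ledger", frozenset({"intern"}), "Deny", 6),
]
```

On this sample, r1/r2 is a subordinate-resource conflict and r2/r3 a same-resource conflict, while the five rules split across two PDPs with loads 11 and 9.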
Chinese Library Classification number: 11

Call number: 11-24324

Open access date: 2015-10-10