An Attribute-Based Access Control Policy Retrieval Method Based on Binary Sequence

With the widespread application of new technologies, fine-grained authorization requires a large number of access control policies. However, the existing policy retrieval method applied to a large-scale policy environment has the problem of low retrieval efficiency. /erefore, this paper proposes an attribute access control policy retrieval method based on the binary sequence. /is method uses binary identification and binary code to express access control requests and policies. When the policy is retrieved, the appropriate group is selected through the logical operation of the access control request and the policy binary identification. Within the group, the binary code of the access control request is matched with the binary code of all rules to find suitable rules, thereby reducing the number of matching attribute-value pairs in the rule and improving the efficiency of policy retrieval. Experimental results show that the policy retrieval method proposed in this paper has higher retrieval efficiency.


Introduction
e rise and development of new technologies such as cloud computing and the Internet of ings provide us with convenient data sharing, integrated computing, and other services and improve the efficiency of data processing, making full use of computing and storage resources. IoT devices increasingly prefer to synchronize all data resources to the cloud [1]. ese resources contain a large amount of user privacy data, but the protection of this information by relevant agencies is not satisfactory [2]. Once such private information is leaked, it may cause immeasurable losses to individuals and organizations. For example, the private information of nearly 100,000 Westpac customers was leaked, and the data of 49 million Instagram users was exposed. ese are all due to illegal access by illegal users and unauthorized access to resources by legitimate users. In recent years, as an effective means to prevent users from illegally accessing resources, access control technology has attracted the attention of domestic and foreign researchers. e object resources are protected by standardizing and restricting access to the requestor by verifying the visitor's identity information and establishing appropriate policies.
is ensures that legitimate users can access and use resource services in complex network environments, while preventing illegal users from stealing and abusing resources and illegal access by legitimate users. As the number of users increases and the access environment changes dynamically, discretionary access control, mandatory access control, and role-based access control [3] are no longer suitable for the current dynamic and real-time network environment due to their lack of dynamics and finegraininess. However, because of its fine-grained and flexible nature, attribute-based access control (ABAC) [4] is an ideal access control solution for application scenarios such as cloud computing and the Internet of ings. Although the existing ABAC model has a relatively large advantage in the expression and formulation of security policies, the application of the ABAC model to a computing environment with a huge amount of information will have the problem of low retrieval efficiency. According to the related theories of ABAC and XACML (extensible Access Control Markup Language), when a user initiates a request to access object resources, the policy decision point will call related attributes to analyze and match all policies.
is means that the evaluation of XACML-based access control policies needs to traverse all policies to make judgments, and attribute matching requires comparing all attribute information of the access control request with the attribute information of the rules in the policy set. All the above information matching includes string matching and numerical comparison. Only when all the attribute information of this rule matches the attributed-based access request (AAR) will the subject be granted the privilege to access the object. In addition, when the last attribute of the rule is detected, the rule is found to be inappropriate. If there are too many such rules, it will cause a waste of retrieval time.
is paper proposes a method of attribute access control policy retrieval based on binary sequence to improve the efficiency of policy retrieval. e rest of this paper is organized as follows: Section 1 describes the related research based on attribute access control. Section 2 introduces the related theories of ABAC. Section 3 describes the retrieval method of attribute access control policy based on the binary sequence. Section 4 focuses on the experiments and analysis. Finally, Section 5 presents the conclusion.

Related Work
ABAC is an access control model that allows or denies user access based on the access control policy formulated by the administrator. e successful deployment of an attributebased access control model requires two key parts. e first is a well-defined policy description language, and the second requires an effective policy retrieval method for attributebased access control. A good policy description language helps prevent cloud platform resource data leakage and unauthorized access, and an effective policy retrieval method can ensure that access control requests are responded to in a time when they arrive. Regarding how to define a good access control authorization policy description language, scholars have studied different access control models and application scenarios and proposed a universal access control policy language XACML [5], a graph-based application for web services policy visual description language [6], and policy description language RestPL [7] suitable for RESTful interface and so on. Among them, the most commonly used is XACML, which is suitable for ABAC models, but in actual cloud deployment, each enterprise prefers its own policy description language. In order to make the policy language suitable for different access control models, Luo et al. [8] proposed a metamodel-based access control policy description language PML and implementation mechanism PML-EM. e policy description language supports multiple access control models such as RBAC and ABAC and has better flexibility. Matthew et al. [9] proposed a rule-based ABAC policy mining algorithm for the moderate problem of privilege. is algorithm can generate the least privilege ABAC policies that balance between underprivilege and overprivilege assignment errors.
For some large organizations, the scale of ABAC policies is getting bigger and bigger, and the number of users making access requests at the same time is also increasing. erefore, effective retrieval of these policies is essential for real-time response to user access control requests and directly affects user experience. On how to effectively retrieve these policies, researchers have achieved some results. ese research work can be roughly divided into two categories. e first category is an improvement of the policy retrieval method based on the XACML standard for the policy access control language, and the second category is an improved policy retrieval method based on the next-generation access control NGAC [10] standard.
Since XACML's policy description language was proposed in 2003, there have been many studies on how to improve the efficiency of policy retrieval. In the retrieval process of the traditional policy retrieval method, when there is an access control request, all policies need to be traversed. If there are policy redundancy and conflicts, XACML supports four combination algorithms which are (1) permit-override, (2) deny-overrides, (3) first applicable, and (4) only-one-applicable [11]. Li et al. [12] proposed a retrieval method with a priority policy for access control.
is method establishes an associated policy table for each access object, adopts the optimization principle of space for time, and has high retrieval efficiency. However, when the number of access objects is huge, this method needs to establish a large number of policy tables, and it is relatively difficult to establish and maintain the policy tables. Zhou et al. [13] proposed a policy retrieval method based on a prefix-based tag, which adds binary prefixes based on policy attributes to narrow the scope of policy retrieval. is retrieval method does improve retrieval efficiency. However, when the access control policy matches the attribute name of the access request, this prefix calculation causes a waste of time. In response to this problem. Liu et al. [14] added binary identification based on the attribute access control policy and then introduced a policy decision tree at the attribute value level to improve retrieval efficiency. is method has good scalability, but it has certain limitations when there are many attributes. Huang et al. [15] conducted research on the basis of [13], grouping according to the first three subject attribute values of the policy prefix and further narrowing the search scope of the policy to improve retrieval efficiency.
It is mentioned in the next-generation access control standard [16] that the policy decision point is responsible for retrieving the rules that meet the access control request in the access control policy. When performing policy retrieval, it is necessary to compare the attribute information of the access control request with the attribute information of each rule in the access control policy until a matching rule is found. is is undoubtedly time-consuming. To this end, Nath et al. [10] proposed a data structure called PolTree, which uses two variants, PolTree and N-PolTree, to store ABAC policies and reduce the number of attribute-value pair comparisons during policy retrieval. erefore, the retrieval efficiency of the policy is improved.
Most of the policy retrieval methods mentioned above need to match the attribute value of the access control request with the corresponding attribute value of each access control rule when performing the policy retrieval. If every time the last attribute value of the rule is detected, it is found that it does not match the access control request, which will cause a waste of retrieval time. erefore, this paper considers the processing of rule attributes and attribute values and proposes a new policy retrieval method. is method performs binary identification on the policies, groups them according to the binary identification, forms several policy groups, and performs binary coding on the policies. When accessing, first, we perform binary identification and encoding on the access control request. en, through the logical operation of AAR and policy, the appropriate group is selected to filter out a large number of irrelevant policies. Finally, the binary code value of the access control request is logically operated with the binary code value of the rule in the group to avoid a single match of the attribute information in the policy and improve the retrieval efficiency.

ABAC Policy Model.
ABAC is an access control model that decides whether to grant the subject access to the object based on whether the attribute information of the subject, object, environment, and privilege attributes conforms to the established access control policy. We refer to [4,17] to make the following definitions of ABAC. e environment (E) represents the context state when the visit occurs, which includes the location and time when the subject initiates the visit, E � {e 1 , e 2 , e 3 ,. . ..e j }. Privilege (P) indicates the operations that the subject will perform on the object, including read, write, and modify. P � {p 1 , p 2 , p 3 , . . .,p k }. Among them, n, m, j, and k are all greater than or equal to 1.
Definition 2 (attribute). Attributes are used to describe the characteristics of the subject, object, environment, and privilege. Attributes are represented by attribute-value pairs. We use SA, EA, OA, and PA to represent the subject attribute, object attribute, environment attribute, and privilege attribute, respectively. Attr(SA), Attr(OA), Attr(EA), and Attr(PA) represent the value range of subject attribute, object attribute, environment attribute, and privilege attribute, respectively. Avsa, Avoa, Avea, and Avpa represent the attribute-value pairs of the subject, object, environment, and privilege, respectively, namely, two-tuples (SA, attr(SA)), (OA, attr(EA)), and (PA, attr(PA)).
Definition 3 (policy). ABAC policies are represented by attributes, and attribute values can be divided into discrete and continuous types. e access control policy is defined as (permit, deny) ← (Avsa, Avoa, Avea, Avpa).
Access control rules stipulate the attribute information that users must have when they want to access a particular resource. It is the basic unit of policy and the smallest policy execution unit p � {r 1 ,r 2 ,r 3 ,...,r k }.

ABAC Process.
e access control mechanism is composed of four key parts, which are mainly responsible for the retrieval and management of policies, and the management of attributes. ey cooperate with each other to complete the authorization process for access control requests. e four key service sites shown in Figure 1 are Policy Administration Point (PAP), Policy Information Point (PIP), Policy Decision Point (PDP), and Policy Enforcement Point (PEP). According to the types of operations performed by the ABAC system, it can be divided into two stages: the preparation stage and the execution stage [17]. e dotted line in Figure 1 is an extension of the original access control model. BI is binary identification; BC is binary coding. BI and BC are both for access control requests and policies. e functions of these two modules will be described in Section 3.

Attribute Access Control Policy Retrieval
Method Based on Binary Sequence

Build Policy and Attribute AARs Based on Binary
Identification. Binary identification of ABAC policies and AARs is as follows. is method counts all the attributes that appear in the access control policy set and arranges the attributes in a specific order of subject, object, environment, and privilege. Moreover, the values of the subject, object, environment, and privilege attributes are also arranged in a certain order to ensure the validity and uniqueness of the binary identification. Attributes are divided into category attributes and noncategory attributes [18]. Category attributes refer to some decision information attribute values, usually including {permit, deny}; each rule has only one decision attribute. Noncategory attributes refer to the attribute information that needs to be measured to make a decision, including subject attributes, object attributes, environment attributes, and privilege attributes. Binary identification and encoding are for noncategory attributes.
On cloud computing and Internet of ings platforms, users request services through their respective terminal devices [19]. erefore, we can construct the attribute information shown in Table 1 and use attribute information to construct ABAC policies (as shown in Table 2). e dimension of the binary identifier is the number of nondirectory attributes; that is, the total number of all attributes in the access control policy is the number of bits of the binary identifier. For example, the maximum number of noncategory attributes in a single rule in Table 2 is 6, so 6 binary bits are used to encode the policy.
As mentioned in Section 2, ABAC's access control process is divided into a preparation phase and an execution phase. In the preparation phase, PAP needs to perform binary identification for each rule in the policy set. When performing a policy retrieval, only binary identification of the access control request is required, and then, a logical AND operation is performed with the binary identification of the policy. When the operation result is consistent with the binary identifier of the access control rule, other attributes of the rule are checked; that is, it is judged whether the attribute of the access control request conforms to the attribute information of the rule. In order to further reduce the policy retrieval time, grouping is carried out according to the binary identification of ABAC policy. As shown in Figure 2, the root node represents all rule information of the policy set. Each node except the root node of the first level represents a group. Rules with the same binary identifier are in the same group, and rules with different identifiers are in different groups. e number of rule groups is determined by the complexity of the policy. If the complexity is n, the rule set can be divided into 2 n -1 groups at most. e attributes of the access control rule represent the requirements for the access control request; that is, to successfully match the access control rule, the access request needs to have the attributes and attribute values required by the rule. is means that the matching of access control requests and rules is not a completely consistent match. In fact, the access control policy only detects the attributes required by the rules in the access request, and the additional attributes in the access request do not affect the success of its matching. Assuming that an access control request is (SA_Role � "student," SA_trust � "low," OA_type � "personal," OA_trust � "low,"t EA_Network � "public," PA_permisssion � "delete"), according to the matching rules, R 2 in Table 2     with the corresponding value of the access control request and check whether the access control request satisfies the rule. e worst case is that every time the last attribute of the rule is detected, the rule does not match, which will cause a waste of time. If there are too many such rules, it will take too long to retrieve the policy. For this reason, we propose to binary code the access control policy of each group. In this way, only the binary code based on the attribute access control request and the binary code based on the attribute access control policy need to be logically operated to make an authorization decision, and there is no need to judge each attribute value of each rule in the policy set. erefore, this retrieval method saves the time of policy retrieval and improves the efficiency of policy retrieval. e attribute value based on attribute access control consists of two types, namely, discrete attribute value and continuous attribute value. For example, the value range of the attribute value of the subject attribute SA_Role mentioned above is {student, teacher, admin}, which is a discrete attribute value. In a specific access control environment, it is necessary to specify users to access resources in a certain interval, which requires setting continuous attributes. e process of mapping discrete attribute values and continuous attribute values into a binary sequence is called binary encoding of attribute values.
where n, m, c, and d are the number of attributes contained in s i, o i , e i , and p i . e dimension of the binary identifier required by the encoding rule is Assuming that s i has two attributes, sa 1 and sa 2 , the value range of sa 1 is {sa 1 v 0 , sa 1 v 1 , sa 1 v 2 ,v}, and the value range of sa 2 is {sa 1 v 0 , sa 1 v 1 , v}, and the dimension required to encode s i is 4 + 3 -2 � 5.
Definition 5 (attribute encoding rules). Arrange the attribute names of all attributes in a specific order, and the attribute values contained in the attributes also need to be arranged in a specific order to form a large attribute array. If a specific attribute value appears in the rule, the corresponding position is set to 1. If the subject, object, environment, and privilege attributes appear in a rule at the same time, the attributes of the rule are arranged in a specific order of subject, object, environment, and privilege attributes. If the attribute value ha i v j appears in the rule, the Pth position of V total is set to 1 according to e encoding of subject s i according to the encoding rules is shown in Table 3.

Continuous Attribute Coding.
For continuous attribute values that cannot be enumerated, we first discretize them and then encode them. As shown in Figure 3, assuming that the attribute named sa 3 is a continuous attribute, the discretization process of sa 3 is as follows.
(1) Traverse all the rules, divide the value range of sa 3 , remove duplicate attribute values, and arrange them in ascending order. Suppose we get{sa 3 v 1 , sa 3 v 2 ,..., sa 3 v n }. After the continuous attribute value is converted to the discrete attribute value, the encoding method is completely consistent with that of the discrete attribute, and the description will not be repeated here.

Analysis of Policy Retrieval Method Based on Binary
Sequence. We make the following definitions for the retrieval rules of the binary sequence-based policy retrieval method.
Definition 6 (group selection principle). Perform a logical AND operation based on the binary identification of the attribute access control request and the group number of the rule grouping. If the calculation result is consistent with the group number, the group is a suitable group; otherwise,e the group is not suitable.
Definition 7 (rule selection principle). Perform logical AND operation based on the binary code of the attribute access control request and the rule binary code. If the result is consistent with the binary code of the rule, the rule is the rule to be found; otherwise, the access control request does not comply with the rule.
In order to further describe the policy retrieval method mentioned in this article, we take the policy set in Table 2 as an example, select the attribute values in Table 1 to construct the attribute-based access control request, aar 1 � {SA_role � student, SA_trust � low, OA_trust � low, EA_Network �work, PA_permission � delete}, and complete the retrieval process.
In the access control preparation phase, the preparation work that PAP needs to complete is as follows: the results of the binary identification and coding of the rules in Table 2 according to the coding rules proposed in Section 4.2 are (R 1 , 111111, 10010010100100100), (R 2 , 011111, 00010010100001 100), (R 3 , 100111,10000000100010100), and (R 4 ,100111, 10000000100100100). e group numbers of R 1 and R 2 are 111111 and 011111, respectively. e group number of R 3 and R 4 is 100111, and they are in the same group. e access control execution phase is divided into two phases: processing the attribute-based access control request and retrieving the rule set. Processing of access control requests is as follows: the result of the binary identification of aar 1 according to the binary identification principle proposed in Section 4.1 is 110111; according to the encoding method mentioned in Section 4.2, the result of the binary encoding of aar 1 is (aar 1 , 10010000100010100).
Retrieve the rule set: the binary identification of aar 1 and the group number AA are logically ANDed according to the principles defined in Definition 6, namely, 110111 and 111111 � 110111≠111111, indicating that aar 1 does not meet the attribute combination requirements of the group. Query the group with the group number 011111, that is, 110111 and 011111 � 010111≠011111, so aar 1 does not meet the attribute combination requirements of the group, and the group is filtered out. Query the rule group with the group number 100111, 110111, and 100111 � 100111, indicating that this group meets the requirements, which needs further retrieval. e result of logical AND operation between the binary code of the R3 rule and the binary code of the access control request is equal to the binary code of the rule, that is, 10000000100010100 and 10010000100010100 � 1000000010 0010100. According to Definition 5, this rule meets the requirements. Because R 3 's decision attribute is deny, the decision result of the PDP will be to deny this access, and this policy retrieval ends. e specific policy retrieval process is shown in Figure 4.
In the preparation phase, PAP performs binary identification and coding on all access control policies and groups them according to the binary identification. When there is an access control request, the PEP obtains the attribute information from the PIP to construct the AAR and performs binary identification and encoding of the AAR. e PDP selects a group from the rule group to make a logical AND operation of its binary identifier and the binary identifier of the access control request and judges whether the result is equal to the binary identifier of the AAR. If they are not equal, then the binary identification of the next group is judged. If they are equal, make the binary code of each rule in the group and the binary code of the access control request do a logical AND operation, and judge whether it is equal to the binary code of the rule. If they are equal, it indicates that the rule is the rule to be searched; otherwise, the binary code of the next rule in the group is logically operated. e core Algorithm 1 of the attribute access control policy retrieval method based on binary sequence is as follows.

Experimental Results and Analysis
In order to evaluate the efficiency of the retrieval method based on the binary sequence policy, this paper uses the C++ language to write the test code in Qt Creator on the Win10 platform and uses MATLAB as the data analysis tool. Evaluating the retrieval method proposed in this paper requires a large number of ABAC policies and AARs. Unfortunately, due to the confidentiality of the access control policy, we cannot obtain real industry data. erefore, referring to the attribute information mentioned above, a simple policy and AAR generator were implemented, and 4000 policies and 2000 AARs were generated. In order to ensure the validity of binary identification, we refer to the data classification method in [18] to standardize policies and access control requests. e experiment in this paper uses these data as the basis to test the efficiency of the binary sequence-based attribute access control strategy retrieval method in terms of policy preprocessing, policy evaluation time, and total strategy retrieval time. At the same time, in order to ensure the generality of the test results, the data obtained in the following experiments are the results of performing 10 experiments and averaging them. e experimental environment is as follows: CPU: 11 th Gen Intel(R)Core(TM)i5- The sa 3 attribute is processed in an ascending manner SG-PRM and AG-PRM in the following experiments refer to the prefix-based policy retrieval method mentioned in [13] and the attribute grouping-based access control policy retrieval method mentioned in [15]. B-S-PRM refers to the strategy retrieval method proposed in this article. Experimental comparisons are based on the same access control policy and access control request. Policy complexity refers to the number of attribute key-value pairs contained in each rule in the policy. e complexity of the policy used in all experiments is 6.

Policy Preprocessing Time.
e policy preprocessing time is completed in the preparation phase of the access control framework diagram in Figure 1, mainly deploying policy attributes. e policy preprocessing time of the policy retrieval method proposed in this paper refers to the time that PAP adds binary identification, grouping, and coding to each rule in the policy set. SG-PRM performs binary identification of the policy in the policy preprocessing stage. AG-PRM performs binary identification and grouping of policies in the policy preprocessing stage. It can be seen from Figure 5 that when the number of policies is set to 500, 1000, 1500, 2000, and 2500, the retrieval time of B-S-PRM, SG-PRM, and AG-PRM policies all increases with the increase of the number of policies. Among them, the policy preprocessing time of the AG-PRM and SG-PRM policy retrieval methods is relatively close and lower than that of the B-S-PRM policy retrieval method. is is because the Input: AAR Output: the decision //: Binary identification and encoding of AAR (1) Init(AAR.policy_groupbinary); (2) Init(AAR.policy_code); (3) for(i � 0;i < AAR.policy_groupbinary.size(); i++) do (4) if(AAR[i]) exist then (5) AAR.policy_groupbinary.setposition(p) � 1; (6) end if (7) end for (8) for(j � 0; j < AAR.policy_code.size(); j++) do (9)   policy retrieval method proposed in this paper adds a binary encoding process to the first two policy retrieval methods. However, the preprocessing of the attribute-based access control strategy occurs in the preparation phase of the access control system. erefore, the policy retrieval method in this article does not affect the user's real-time experience.  e number of policies is 2000, 2500, and 3000, respectively. SG-PRM performs a logical OR operation between the prefix of the access control request and the prefix of the policy in the policy retrieval phase, and the result of the operation is consistent with the prefix of the policy and then matches whether the attribute information matches. AG-PRM performs attribute-based grouping of policy sets to reduce the scope of policy retrieval. It can be seen from Figures 6(a)-6(c) that under different access control policy conditions, as the number of access control requests increases, the policy evaluation time of these three policy retrieval methods gradually increases. Among them, the policy evaluation time of the strategy retrieval method (B-S-PRM) proposed in this paper shows a downward trend as the number of policies increases. When the number of strategies is 3000, the evaluation time of the BS-PRM strategy is about half of that when the number of strategies is 2000, and the fluctuation range of the policy evaluation time is gradually reduced, while the policy evaluation time of the other two policy retrieval methods has not changed significantly. e strategy evaluation time of SG-PRM fluctuates between 4 and 32 ms, the policy evaluation time of AG-PRM fluctuates between 4 and 27 ms, and the B-S-PRM fluctuates between 1 and 11. It can be seen that the retrieval time of the policy retrieval method proposed in this paper is more stable, and the policy retrieval efficiency of B-S-PRM is about 3 times that of SG-PRM and AG-PRM.
is shows that the policy retrieval method proposed in this paper can be applied to high policy environments.

Total Retrieval Time.
e total retrieval time based on the attribute access control policy includes the time for PEP to process AAR and the time for PDP to evaluate the policy. As shown in Figures 7 and 8 , the total number of policies is 3000. e complexity of this set of experimental policies is 6. With the increase in the number of access control requests, the processing time of the three policy retrieval methods for access control requests has gradually increased and is close to linear growth. e processing time of the policy is all milliseconds. Among them, the policy retrieval method proposed in this paper takes about twice the processing time of access control requests than SG-PRM and AG-PRM. is is because, in the process of access control, SG-PRM adds a prefix to the access control request, BS-PRM needs to binary code and identify the policy, and AG-PRM only needs to add the group identification and prefix identification to the access control request. However, it can be seen from Figure 8 that although the strategy retrieval method proposed in this article has a slower processing time for AAR in PEP, its total retrieval time has dropped significantly. Among them, the policy retrieval efficiency of B-S-PRM is about 4 times that of SG-PRM and 3.5 times that of AG-PRM. As the number of access control requests increases, the policy retrieval method proposed in this paper has more advantages and the strategy retrieval time becomes more stable. Because when the policy increases, unlike the other two policy retrieval methods, the attribute access control policy retrieval method  based on binary sequence does not traverse the attributevalue pairs in the rule but chooses the appropriate grouping to perform logical operations on the binary code in the group. erefore, the retrieval efficiency is greatly improved.
To sum up, although the policy retrieval method proposed in this paper takes longer than the other two policy retrieval methods in policy preprocessing time, the policy retrieval time is significantly shortened and the retrieval efficiency advantage is obvious. With the increase of the policy scale, the retrieval time of the policy retrieval method proposed in this paper has not changed significantly. In the deployment of attribute-based access control in cloud computing and Internet of ings environments, when a user's access control request comes, this method can shorten the user's waiting time and respond to the user's access control request in real time.

Conclusions
With the rise of cloud computing and Internet of ings technologies, today's computing environment is becoming more and more massive and dynamic, with a huge scale of users and resources, and real-time changes in the access environment of subject and object. ABAC is widely used as an effective technology to protect object resources. Users want to get the privilege to access object resources in a relatively short time. However, the existing retrieval methods based on attribute access control policies have certain deficiencies when applied to large-scale data. To solve this problem, this paper proposes an attribute access control policy retrieval method based on the binary sequence. is method uses one-hot and dummy variable encoding methods to perform binary identification and encoding of AAR and policies and group the policies according to the binary identification. AAR's binary identification and group binary identification perform a logical AND operation to select groups that meet the requirements and filter out a large number of irrelevant policies. en, the binary code of the AAR and the binary code of the rules in the group do logical operations to select the appropriate rules, which reduces the process of matching the attributes of the rules in the policy set with the AAR attributes. e experimental results also verify that the policy retrieval method proposed in this paper has lower policy retrieval time and higher retrieval efficiency. [20] Data Availability e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.