基于属性轻量级可重构的访问控制策略

谢绒娜; 李晖; 史国振; 郭云川

doi:10.11959/j.issn.1000-436x.2020035

您当前的位置：

首页 >

文章列表页 >

基于属性轻量级可重构的访问控制策略

学术论文 | 更新时间：2024-06-05

- 基于属性轻量级可重构的访问控制策略
- Attribute-based lightweight reconfigurable access control policy
- 通信学报 2020年41卷第2期页码：112-122
- 作者机构：
  
  1. 西安电子科技大学网络与信息安全学院，陕西西安 710071
  2. 北京电子科技学院电子与通信工程系，北京 100070
  3. 中国科学院信息工程研究所，北京 100093
- 作者简介：
  
  [ "谢绒娜（1976- ），女，山西永济人，西安电子科技大学博士生，主要研究方向为网络与系统安全、访问控制、密码工程" ]
  [ "李晖（1968- ），男，河南灵宝人，博士，西安电子科技大学教授、博士生导师，主要研究方向为密码信息安全、信息论与编码理论" ]
  [ "史国振（1974- ），男，河南济源人，博士，北京电子科技学院副教授、硕士生导师，主要研究方向为网络与系统安全、嵌入式安全" ]
  [ "郭云川（1977- ），男，四川营山人，博士，中国科学院副研究员、博士生导师，主要研究方向为访问控制、形式化方法" ]
- 基金信息：
  
  国家重点研发计划基金资助项目(2017YFB0802705);国家重点研发计划基金资助项目(2016QY06X1203);国家自然科学基金资助项目(61672515)
- DOI：10.11959/j.issn.1000-436x.2020035
  中图分类号： TP302
- 网络出版日期：2020-02，
  
  纸质出版日期：2020-02-25
- 稿件说明：
移动端阅览
谢绒娜, 李晖, 史国振, 等. 基于属性轻量级可重构的访问控制策略[J]. 通信学报, 2020,41(2):112-122.

Rongna XIE, Hui LI, Guozhen SHI, et al. Attribute-based lightweight reconfigurable access control policy[J]. Journal on communications, 2020, 41(2): 112-122.
谢绒娜, 李晖, 史国振, 等. 基于属性轻量级可重构的访问控制策略[J]. 通信学报, 2020,41(2):112-122. DOI： 10.11959/j.issn.1000-436x.2020035.

Rongna XIE, Hui LI, Guozhen SHI, et al. Attribute-based lightweight reconfigurable access control policy[J]. Journal on communications, 2020, 41(2): 112-122. DOI： 10.11959/j.issn.1000-436x.2020035.

摘要

针对复杂网络环境下访问控制策略冗余与冲突检测、访问控制策略评估的效率面临的严峻挑战，提出了基于属性轻量级可重构的访问控制策略。以基于属性的访问控制策略为范例，根据访问控制策略中的操作类型、主体属性、客体属性和环境属性将基于属性的访问控制策略划分为多个不相交的原子访问控制规则，并通过与、或等逻辑关系构成的代数表达式，将原子访问控制规则重构出复杂访问控制策略；提出原子访问控制规则冗余与冲突检测方法，将复杂访问控制策略分解为等效的原子访问控制规则和代数表达式，通过对等效的原子访问控制规则和代数表达式进行冗余与冲突检测实现对复杂访问控制策略进行冗余与冲突检测；从时间复杂度和空间复杂度2个不同角度对等效转化的访问控制策略进行评估。结果表明，所提方法大大降低了访问控制策略的长度、数量和复杂度，提高了访问控制策略冗余与冲突检测的效率以及访问控制策略评估的效率。

Abstract

Aiming at the severe challenges of access control policy redundancy and conflict detection

the efficiency of access control policy evaluation in complex network environment

an attribute-based lightweight reconfigurable access control policy was proposed.Taking the attribute-based access control policy as an example

the attribute-based access control policy was divided into multiple disjoint atomic access control rules according to the operation type

subject attribute

object attribute

and environment attribute in the access control policy.Complex access control policies were constructed through atomic access control rules and an algebraic expression formed by AND

OR logical relationships.A method for redundancy and collision detection of atomic access control rules was proposed.A method was proposed for decompose a complex access control policy into equivalent atomic access control rules and an algebraic expression.The method for redundancy and collision detection of complex access control policies were proposed through redundancy and collision detection of equivalent atomic access control rules and algebraic expressions.From time complexity and space complexity

the efficiency of the equivalent transformation access control policy was evaluated.It showes that the reconstruction method for access control policy greatly reduces the number

size and complexity of access control policy

improves the efficiency of access control policy redundancy and collision detection

and the efficiency of access control evaluation.

关键词

Keywords

references

RIBEIRO C , ZUQUETE A , FERREIRA P , et al . SPL:an access control language for security policies and complex constraints [C ] // The Network and Distributed System Security Symposium(NDSS’01) . 2001 : 89 - 107 .

DAMIANOU N , DULAY N , LUPU E , et al . The ponder policy specification language [C ] // The International Workshop on Policies for Distributed Systems and Networks . 2001 : 18 - 38 .

OASIS XACML.eXtensible access control Markup language XACML version 3.0 [S ] . OASIS Standard , 2013 .

RAO P , LIN D , BERTINO E , et al . An algebra for fine-grained integration of XACML policies [C ] // The 14th ACM Symposium on Access Control Models and Technologies (SACMAT’09) . 2009 : 63 - 72 .

SHAHZAD M , . Towards composing access control policies [C ] // IEEE International Conference on Communications (ICC) . 2018 : 1 - 6 .

XU Z , STOLLER S . Mining attribute-based access control policies [J ] . IEEE Transactions on Dependable and Secure Computing , 2015 , 12 ( 5 ): 533 - 545 .

NGO C , DEMCHENKO Y , LAAT DE C . Decision diagrams for XACML policy evaluation and management [J ] . Computers ＆ Security , 2015 , 49 : 1 - 16 .

姚键 , 茅兵 , 谢立 . 一种基于有向图模型的安全策略冲突检测方法 [J ] . 计算机研究与发展 , 2005 , 42 ( 7 ): 1108 - 1114 .

YAO J , MAO B , XIE L . A DAG-based security policy conflicts detection method [J ] . Journal of Computer Research and Development , 2005 , 42 ( 7 ): 1108 - 1114 .

李瑞轩 , 鲁剑锋 , 李添翼 , 等 . 一种访问控制策略非一致性冲突消解方法 [J ] . 计算机学报 , 2013 , 36 ( 6 ): 1210 - 1223 .

LI R X , LU J F , LI T Y , et al . An approach for resolving inconsistency conflicts in access control policies [J ] . Chinese Journal of Computers , 2013 , 36 ( 6 ): 1210 - 1223 .

BECKERLE M , MARTUCCI L A . Formal definitions for usable access control rule sets from goals to metrics [C ] // The Ninth Symposium on Usable Privacy and Security (SOUPS) . 2013 : 1 - 11 .

IYER P , MASOUMZADEH A . Mining positive and negative attribute-based access control policy rules [C ] // The 23nd ACM Symposium on Access Control Models and Technologies (SACMAT’18) . 2018 : 161 - 172 .

CHAKRABORTY S , SANDHU R , KRISHNAN R . On the feasibility of attribute-based access control policy mining [C ] // The 20th IEEE Conference on Information Reuse and Integration (IRI) . 2019 : 1 - 8 .

BONATTI P , VIMERCATI S D C , SAMARATI P . An algebra for composing access control policies [J ] . ACM Transactions on Information and System Security (TISSEC) , 2002 , 5 ( 1 ): 1 - 35 .

LUPU E C , SLOMAN M . Conflicts in policy-based distributed systems management [J ] . IEEE Transactions on Software Engineering , 1999 , 25 ( 6 ): 852 - 869 .

ST-MARTIN M , FELTY A P . A verified algorithm for detecting conflicts in XACML access control rules [C ] // The 5th ACM SIGPLAN Conference on Certified Programs and Proofs . 2016 : 166 - 175 .

浏览量

667

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

面向医疗数据分享的轻量级且安全的搜索方案

V2G中基于PUF的轻量级匿名认证协议

融合多尺度深度卷积的轻量级Transformer交通场景语义分割算法

面向轻量级物联网设备的高效匿名身份认证协议设计

轻量级可搜索医疗数据共享方案