Attribute-based lightweight reconfigurable access control policy
Papers | Updated: 2024-06-05
Journal on Communications, Vol. 41, Issue 2, Pages: 112-122 (2020)
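Author affiliations:
1. School of Network and Information Security, Xidian University, Xi'an, Shaanxi 710071
2. Department of Electronic and Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070
3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093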
Funding:
The National Key Research Project and Development Program of China (2017YFB0802705); The National Key Research and Development Program of China (2016QY06X1203); The National Natural Science Foundation of China (61672515)
Aiming at the severe challenges of access control policy redundancy and conflict detection and of access control policy evaluation efficiency in complex network environments, an attribute-based lightweight reconfigurable access control policy was proposed. Taking the attribute-based access control policy as an example, the policy was divided into multiple disjoint atomic access control rules according to the operation type, subject attribute, object attribute, and environment attribute in the access control policy. Complex access control policies were constructed from atomic access control rules and an algebraic expression formed by AND and OR logical relationships. A method for redundancy and conflict detection of atomic access control rules was proposed. A method was proposed for decomposing a complex access control policy into equivalent atomic access control rules and an algebraic expression. Methods for redundancy and conflict detection of complex access control policies were proposed, based on redundancy and conflict detection of the equivalent atomic access control rules and algebraic expressions. The efficiency of the equivalent-transformation access control policy was evaluated in terms of time complexity and space complexity. The results show that the reconstruction method greatly reduces the number, size and complexity of access control policies, and improves the efficiency of access control policy redundancy and conflict detection and of access control evaluation.
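The following sketch is an added illustration, not code from the paper: it models atomic rules, composes them with AND/OR, decomposes each complex policy into conjunctions of atoms, and flags redundancy and conflict between policies. The abstract does not give the paper's formal definitions, so the `Atom` shape, the tuple expression syntax, the shared-conjunction test and all sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:
    # Assumed atomic rule: an operation plus one (name, value) test on
    # each of the subject, object and environment attributes.
    op: str
    subj: tuple
    obj: tuple
    env: tuple

    def matches(self, req):
        tests = ((self.subj, "subj"), (self.obj, "obj"), (self.env, "env"))
        return req["op"] == self.op and all(req[k].get(n) == v for (n, v), k in tests)

def dnf(expr):
    # Flatten a nested ("AND" | "OR", left, right) expression into a set of conjunctions.
    if isinstance(expr, Atom):
        return frozenset({frozenset({expr})})
    kind, left, right = expr
    lhs, rhs = dnf(left), dnf(right)
    return lhs | rhs if kind == "OR" else frozenset(a | b for a in lhs for b in rhs)

def evaluate(expr, req):
    # The expression applies when every atom of some conjunction matches.
    return any(all(a.matches(req) for a in conj) for conj in dnf(expr))

def audit(policies):
    # A conjunction shared by two policies is redundant when their effects
    # agree and a conflict when they differ (syntactic check only).
    seen, redundant, conflicts = {}, set(), set()
    for name, expr, effect in policies:
        for conj in dnf(expr):
            for other, other_effect in seen.get(conj, []):
                (redundant if effect == other_effect else conflicts).add((other, name))
            seen.setdefault(conj, []).append((name, effect))
    return redundant, conflicts

# Constructed sample data: three atoms and three policies built from them.
DOC = Atom("read", ("role", "doctor"), ("type", "record"), ("shift", "day"))
CARD = Atom("read", ("dept", "cardiology"), ("type", "record"), ("shift", "day"))
NURSE = Atom("read", ("role", "nurse"), ("type", "record"), ("shift", "day"))
POLICIES = [
    ("P1", ("OR", ("AND", DOC, CARD), NURSE), "permit"),
    ("P2", ("OR", NURSE, ("AND", CARD, DOC)), "permit"),  # P1 reordered
    ("P3", ("AND", DOC, CARD), "deny"),                   # conflicts with P1, P2
]
REQ = {"op": "read", "subj": {"role": "doctor", "dept": "cardiology"},
       "obj": {"type": "record"}, "env": {"shift": "day"}}
```

Because each policy is reduced to a set of atom conjunctions, reordered but equivalent expressions such as P1 and P2 compare equal, and the deny policy P3 is caught against both through the single conjunction they share.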