改进的基于属性的访问控制策略评估管理决策图

doi:10.11772/j.issn.1001-9081.2019040603

计算机应用 ›› 2019, Vol. 39 ›› Issue (12): 3569-3574.DOI: 10.11772/j.issn.1001-9081.2019040603

改进的基于属性的访问控制策略评估管理决策图

罗霄峰¹, 杨兴春¹, 胡勇²

1. 四川警察学院计算机科学与技术系, 四川泸州 646000;
2. 四川大学网络空间安全学院, 成都 610065

收稿日期:2019-04-12 修回日期:2019-08-21 发布日期:2019-08-26 出版日期:2019-12-10
作者简介:罗霄峰(1974-),男,四川大竹人,高级工程师,博士,主要研究方向:信息安全、大数据;杨兴春(1975-),男,四川泸州人,副教授,博士,主要研究方向:信息安全、信息与通信工程;胡勇(1973-),男,四川射洪人,博士,副教授,主要研究方向:信息系统安全。
基金资助:
四川省教育厅教育科研课题（17ZB0262）；四川省科技支撑计划项目（2019YFS0068）。

Improved decision diagram for attribute-based access control policy evaluation and management

LUO Xiaofeng¹, YANG Xingchun¹, HU Yong²

1. Department of Computer Science and Technology, Sichuan Police College, Luzhou Sichuan 64600, China;
2. Cyberspace Security College, Sichuan University, Chengdu Sichuan 610065, China

Received:2019-04-12 Revised:2019-08-21 Online:2019-08-26 Published:2019-12-10
Contact: 杨兴春
Supported by:
This work is partially supported by the Scientific Research Project of Sichuan Department of Education (17ZB0262), the Science and Technology Support Program of Sichuan (2019YFS0068).

摘要/Abstract

摘要： 针对多数据类型区间决策图（MIDD）方法不能正确表示、处理属性的重要性标记特性，以及表示、处理责任及忠告等不清晰，造成节点表示不一致并增加了处理的复杂性等问题，对MIDD方法进行改进和扩展。首先，将MIDD的以实体属性为单位的图节点修改为以元素为单位的图节点，精准地表示基于属性的访问控制元素，使原来不能正确处理重要标志的问题得以解决；然后，将责任及忠告作为元素，用节点表示出来；最后，把规则和策略的组合算法加到决策节点中，以便在策略决策点（PDP）对访问请求进行决策时使用。分析结果表明，改进方法与原方法的时空复杂度相当。两种方法的对比仿真实验结果表明，在每个属性只有1个附属属性时（最一般的应用情况），两种方法每个访问请求的平均决策时间差异的数量级仅在0.01 μs。验证了复杂度分析的正确性，说明两种方法的性能相当。附属属性个数仿真实验表明，即使1个属性有10个附属属性（实际应用中十分稀少），两种方法的平均决策时间差异也在相同的数量级。改进方法不但保证了原方法的正确性、一致性和方便性，更将其使用范围从可扩展访问控制标记语言（XACML）策略扩展到一般的基于属性的访问控制策略。

关键词: 访问控制, 基于属性的访问控制, 信息安全, 安全策略, 可扩展访问控制标记语言(XACML)

Abstract: The Multi-data-type Interval Decision Diagram (MIDD) approach express and deal with the critical marks of attribute incorrectly, while express and deal with the obligations and advices ambiguously, resulting in the inconformity of node expression and the increase of processing complexity. Aiming at these problems, some improvements and expansions were proposed. Firstly, the graph nodes in MIDD with entity attribute as the unit were converted to the nodes with element as the unit, so that the elements of attribute-based access control policy were able to be represented accurately, and the problem of dealing with the critical marks was solved. Secondly, the obligations and advices were employed as elements, and were expressed by nodes. Finally, the combining algorithm of rule and policy was added to the decision nodes, so that the Policy Decision Point (PDP) was able to use it to make decision on access requests. The analysis results show that the spatio-temporal complexity of the proposed approach is similar to that of the original approach. The result of the two approaches' comparative simulation show that when each attribute has only one subsidiary attribute (the most general application situation), the average decision time difference per access request of the two approaches is at 0.01 μs level. It proves the correctness of the complexity analysis, indicating the performances of the two approaches are similar. Simulation on the number of subsidiary attributes showed that, even with 10 subsidiary attributes (very rare in practical applications), the average decision time difference of the two approaches is at the same order of magnitude. The proposed approach not only ensures the correctness, consistency and convenience of the original approach, but also extends its application scope from eXtensible Access Control Markup Language (XACML) policy to general attribute-based access control policies.

Key words: Access Control (AC), Attribute-Based Access Control (ABAC), information security, security policy, eXtensible Access Control Markup Language (XACML)

中图分类号:

TP309
TP391

罗霄峰, 杨兴春, 胡勇. 改进的基于属性的访问控制策略评估管理决策图[J]. 计算机应用, 2019, 39(12): 3569-3574.

LUO Xiaofeng, YANG Xingchun, HU Yong. Improved decision diagram for attribute-based access control policy evaluation and management[J]. Journal of Computer Applications, 2019, 39(12): 3569-3574.

参考文献

[1] 罗霄峰,王文贤,罗万伯.访问控制技术现状及展望[J].信息网络安全,2016(12):19-27.(LUO X F, WANG W X, LUO W B. The retrospect and prospect of access control technology[J]. Netinfo Security, 2016(12):19-27.)
[2] BELTRAN V, SKARMETA A F. Overview of device access control in the IoT and its challenges[J]. IEEE Communications Magazine, 2019, 57(1):154-160.
[3] KOLLURU K K, PANIAGUA C, VAN DEVENTER J, et al. An AAA solution for securing industrial IoT devices using next generation access control[C]//Proceedings of the 2018 IEEE Industrial Cyber-Physical Systems. Piscataway:IEEE, 2018:737-742.
[4] GUO H, MEAMARI E, SHEN C-C. Multi-authority attribute-based access control with smart contract[C]//Proceedings of the 2019 International Conference on Blockchain Technology. New York:ACM, 2019:6-11.
[5] OASIS. eXtensible Access Control Markup Language (XACML) version 3.0 plus errata 01[EB/OL].[2019-01-06]. http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.pdf.
[6] International Committee for Information Technology Standards. For information technology-next generation access control-functional architecture:INCITS 499-2018[S]. New York:American National Standards Institute, 2018.
[7] International Committee for Information Technology Standards. For information technology-next generation access control-generic operations and data structures:INCITS 526-2016[S]. New York:American National Standards Institute, 2016.
[8] NGO C, DEMCHENKO Y, de LAAT C. Decision diagrams for XACML policy evaluation and management[J]. Computers and Security, 2015, 49:1-16.
[9] 房梁,殷丽华,郭云川,等.基于属性的访问控制关键技术研究综述[J].计算机学报,2017,40(7):1680-1698.(FANG L, YIN L H, GUO Y C, et al. A survey of key technologies in attribute-based access control scheme[J]. Chinese Journal of Computers, 2017, 40(7):1680-1698.)
[10] KAVANAGH K, CONTU R. Market trends:cloud-based security services market, worldwide, 2014[EB/OL].[2019-02-08]. https://www.gartner.com/en/documents/2607617/market-trends-cloud-based-security-services-market-world.
[11] FUJITA M, MCGEER P C, YANG J C-Y. Multi-terminal binary decision diagrams:an efficient data structure for matrix representation[J]. Formal Methods in System Design, 1997, 10(2/3):149-169.
[12] FISLER K, KRISHNAMURTHI S, MEYEROVICH L A, et al. Verification and change-impact analysis of access-control policies[C]//Proceedings of the 27th International Conference on Software Engineering. New York:ACM, 2005:196-205.
[13] LIU A X, CHEN F, HWANG J, et al. Designing fast and scalable XACML policy evaluation engines[J]. IEEE Transactions on Computers, 2011, 60(12):1802-1817.
[14] ROS S P, LISCHKA M, MÁRMOL F G. Graph-based XACML evaluation[C]//Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. New York:ACM, 2012:83-92.
[15] MAROUF S, SHEHAB M, SQUICCIARINI A, et al. Adaptive reordering and clustering-based framework for efficient XACML policy evaluation[J]. IEEE Transactions on Services Computing, 2011, 4(4):300-313.
[16] 戚湧,陈俊,李千目.一种基于重排序的XACML策略评估优化方法[J].南京理工大学学报(自然科学版),2015,39(2):187-193.(QI Y, CHEN J, LI Q M. XACML policy evaluation optimization method based on reordering[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2015, 39(2):187-193.)
[17] RAO P, LIN D, BERTINO E, et al. Fine-grained integration of access control policies[J]. Computers and Security, 2011, 30(2/3):91-107.
[18] 罗霄峰,罗万伯.改进的安全策略评价管理决策图[J].四川大学学报(工程科学版),2016,48(4):123-128,210.(LUO X F, LUO W B. Improved decision diagrams for security policy evaluation and management[J]. Journal of Sichuan University (Engineering Science Edition), 2016, 48(4):123-128, 210.)
[19] BISWAS P, SANDHU R, KRISHNAN R. Label-based access control:an ABAC model with enumerated authorization policy[C]//Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control. New York:ACM, 2016:1-12.
[20] GUPTA M, PATWA F, SANDHU R. An attribute-based access control model for secure big data processing in Hadoop ecosystem[C]//Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control. New York:ACM, 2018:13-24.
[21] 罗霄峰,罗万伯.基于iX-MIDD的XACML安全策略评估[J].通信技术,2016,49(5):627-631.(LUO X F, LUO W B. XACML policy evaluation based on iX-MIDD[J]. Communications Technology, 2016, 49(5):627-631.)

改进的基于属性的访问控制策略评估管理决策图

Improved decision diagram for attribute-based access control policy evaluation and management

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	葛纪红, 沈韬. 基于区块链的能源数据访问控制方法[J]. 计算机应用, 2021, 41(9): 2615-2622.
[2]	马华, 陈跃鹏, 唐文胜, 娄小平, 黄卓轩. 面向工作者能力评估的众包任务分配方法的研究进展综述[J]. 计算机应用, 2021, 41(8): 2232-2241.
[3]	杜心雨, 王化群. LTE-A网络中基于动态组的有效的身份认证和密钥协商方案[J]. 计算机应用, 2021, 41(6): 1715-1722.
[4]	葛丽娜, 胡雨谷, 张桂芬, 陈园园. 云计算环境基于客体属性匹配的逆向混合访问控制方案[J]. 计算机应用, 2021, 41(6): 1604-1610.
[5]	包玉龙, 朱雪阳, 张文辉, 孙鹏飞, 赵颖琪. 物联网应用中访问控制智能合约的形式化验证[J]. 计算机应用, 2021, 41(4): 930-938.
[6]	李莉, 杨鸿飞, 董秀则. 基于身份多条件代理重加密的文件分级访问控制方案[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3251-3256.
[7]	王海勇, 潘启青, 郭凯璇. 基于区块链和用户信用度的访问控制模型[J]. 计算机应用, 2020, 40(6): 1674-1679.
[8]	史锦山, 李茹, 松婷婷. 基于区块链的物联网访问控制框架[J]. 计算机应用, 2020, 40(4): 931-941.
[9]	付伟, 顾晨阳, 高强. 基于属性加密的多用户共享ORAM方案[J]. 计算机应用, 2020, 40(2): 497-502.
[10]	王海勇, 彭垚, 郭凯璇. 云存储中基于代理重加密的CP-ABE访问控制方案[J]. 计算机应用, 2019, 39(9): 2611-2616.
[11]	肖凯, 王蒙, 唐新余, 蒋同海. 基于区块链技术的公益时间银行系统[J]. 计算机应用, 2019, 39(7): 2156-2161.
[12]	王亚琼, 史国振, 谢绒娜, 李凤华, 王雅哲. 卫星网络中支持策略隐藏的多授权访问控制方案[J]. 计算机应用, 2019, 39(2): 470-475.
[13]	曹震寰, 蔡小孩, 顾梦鹤, 顾小卓, 李晓伟. 基于访问控制列表机制的Android权限管控方案[J]. 计算机应用, 2019, 39(11): 3316-3322.
[14]	李兆斌, 李伟隆, 魏占祯, 刘梦甜. SDN数据安全处理机制关键模块的研究与实现[J]. 计算机应用, 2018, 38(7): 1929-1935.
[15]	杨宏宇, 宁宇光. 云平台访问控制自适应风险评估指标权重分配方法[J]. 计算机应用, 2018, 38(6): 1614-1619.