An Access Control Method Based on Feature Extraction
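  • English title: Access Control Method Based on Feature Extraction
  • Authors: 黄美蓉; 欧博; 何思源
  • Authors (English): HUANG Mei-rong; OU Bo; HE Si-yuan; College of Computer Science and Electronic Engineering, Hunan University
  • Keywords: access control; multi-level authorization management; data analysis; feature
  • English keywords: Access control; Multi-level authorization management; Data analysis; Feature
  • Journal (Chinese name): JSJA
  • Journal (English name): Computer Science
  • Affiliation: College of Information Science and Engineering, Hunan University
  • Publication date: 2019-02-15
  • Publisher: Computer Science (计算机科学)
  • Year: 2019
  • Issue: v.46
  • Funding: supported by the National Natural Science Foundation of China, Young Scientists Fund (61502160)
  • Language: Chinese
  • Pages: JSJA201902021
  • Page count: 6
  • CN: 02
  • ISSN: 50-1075/TP
  • Classification number: 118-123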
Abstract
Fine-grained authorization control is currently a hot topic in access control research. In a single, fixed environment it can adjust access policies sensibly to meet workflow security requirements. However, once it is migrated to a new scenario and encounters an authorization that the access policy does not cover, it may be unable to give a correct judgement and must rely on manual review to decide whether to grant access. Manual review is time-consuming and labor-intensive, and its cost is too high in big data environments. It is therefore imperative to introduce an automatic discrimination mechanism that learns from past experience. This paper attempts to give an automated review method for role-based multi-level access control models. By sampling features such as the time and space of existing correct and incorrect authorizations, it derives a generalized feature representation of the access control, so that an existing access control model can still make correct judgements when it faces new situations in a migrated environment, reducing the workload of manual review. Experiments show that the analysis mechanism achieves a high rate of correct judgements on user access requests.
