Chinese Journal of Network and Information Security, 2021, Vol. 7, Issue (1): 20-27. doi: 10.11959/j.issn.2096-109x.2021003
Tianyi ZHU1,2, Fenghua LI1,2, Lin CHENG3, Yunchuan GUO1,2
Revised:
2020-07-21
Online:
2021-02-15
Published:
2021-02-01
About the author:
Tianyi ZHU (1995- ), male, born in Wuxi, Jiangsu, is a PhD candidate at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interest is cross-domain access control.
Abstract:
Drawing on the latest research at home and abroad, this paper surveys access control technologies for cross-domain data flow and discusses their prospects. First, in the context of access control in complex application environments, it outlines the development of access control models and data security models. Second, it reviews research on access control policy management from three perspectives: data labeling, policy matching, and policy conflict detection. Finally, it summarizes the state of research on data labeling technology and on authorization and extended control technology within unified authorization management.
Tianyi ZHU, Fenghua LI, Lin CHENG, Yunchuan GUO. Research on cross-domain access control technology[J]. Chinese Journal of Network and Information Security, 2021, 7(1): 20-27.