基于谱聚类的访问控制异常权限配置挖掘机制

doi:10.11959/j.issn.1000-436x.2017285

通信学报 ›› 2017, Vol. 38 ›› Issue (12): 63-72.doi: 10.11959/j.issn.1000-436x.2017285

基于谱聚类的访问控制异常权限配置挖掘机制

房梁^1,²,殷丽华³,李凤华²,方滨兴^1,^3,⁴

¹ 北京邮电大学网络空间安全学院，北京 100876
² 中国科学院信息工程研究所信息安全国家重点实验室，北京 100093
³ 广州大学网络空间先进技术研究院，广东广州 510006
⁴ 电子科技大学广东电子信息工程研究院，广东东莞 523808

修回日期:2017-11-06 出版日期:2017-12-01 发布日期:2018-01-19
作者简介:房梁（1989-），男，山西太原人，北京邮电大学博士生，主要研究方向为信息安全、访问控制。|殷丽华（1973-），女，辽宁朝阳人，博士，广州大学教授、博士生导师，主要研究方向为信息安全、安全性评估。|李凤华（1966-），男，湖北浠水人，博士，中国科学院信息工程研究所副总工、研究员、博士生导师，主要研究方向为网络与系统安全、信息保护、隐私计算。|方滨兴（1960-），男，江西万年人，中国工程院院士、广州大学教授，主要研究方向为计算机体系结构、计算机网络与信息安全。
基金资助:
国家重点研发计划基金资助项目(2016YFB0801001);国家自然科学基金资助项目(61672515);东莞市引进创新科研团队计划基金资助项目(201636000100038)

Spectral-clustering-based abnormal permission assignments hunting framework

Liang FANG^1,²,Li-hua YIN³,Feng-hua LI²,Bin-xing FANG^1,^3,⁴

¹ School of CyberSpace Security,Beijing University of Posts and Telecommunications,Beijing 100876,China
² State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China
³ Cyberspace Institute of Advanced Technology,Guangdong University,Guangzhou 510006,China
⁴ Institute of Electronic and Information Engineering of UESTC in Guangdong,Dongguan 523808,China

Revised:2017-11-06 Online:2017-12-01 Published:2018-01-19
Supported by:
The National Key Research and Development Program of China(2016YFB0801001);The National Natural Science Foundation of China(61672515);Dongguan Innovative Research Team Program(201636000100038)

摘要/Abstract

摘要：

将强制访问控制、自主访问控制等访问控制系统迁移为基于角色的访问控制系统可极大提高对用户权限的管理效率。为保证系统的安全性需要在迁移过程中生成正确的角色，而原系统中存在的异常权限配置给角色生成带来了极大的挑战。忽略这些异常权限配置将导致生成的角色中包含错误的权限，增加信息泄露的概率。针对访问控制中的异常权限配置发现问题，提出一种基于谱聚类的异常权限配置挖掘机制。实验结果证明，所提方案可以实现更准确的权限配置发现。

关键词: 访问控制, 异常权限配置, 谱聚类

Abstract:

Migrating traditional access control,such as mandatory and discretionary access control,into role-based access control(RBAC)lightens a practical way to improve the user-permission management efficiency.To guarantee the security of RBAC system,it is important to generate proper roles during the migration.However,abnormal user-permission configurations lead to wrong roles and cause tremendous security risks.To hunt the potential abnormal user-permission configurations,a novel spectral clustering based abnormal configuration hunting framework was proposed and recommendations were given to correct these configurations.Experimental results show its performance over existing solutions.

Key words: access control, abnormal configurations, spectral clustering

中图分类号:

TP309.2

房梁,殷丽华,李凤华,方滨兴. 基于谱聚类的访问控制异常权限配置挖掘机制[J]. 通信学报, 2017, 38(12): 63-72.

Liang FANG,Li-hua YIN,Feng-hua LI,Bin-xing FANG. Spectral-clustering-based abnormal permission assignments hunting framework[J]. Journal on Communications, 2017, 38(12): 63-72.

图/表 11

图1

表1

表2

表3

图2

图3

图4

图5

表4

图6

图7

参考文献 24

[1]	ZHANG D , RAMAMOHANARAO K , EBRINGER T ,et al. Permission set mining:discovering practical and useful roles[C]// The 24th Annual Computer Security Applications Conference. 2008: 247-256.
[2]	YOUNIS Y A , KIFAYAT K , MERABTI M . An access control model for cloud computing[J]. Journal of Information Security and Applications, 2014,19(1): 45-60.
[3]	李凤华, 王彦超, 殷丽华 ,等. 面向网络空间的访问控制模型[J]. 通信学报, 2016,37(5): 9-20.
	LI F H , WANG Y C , YIN L H ,et al. Novel cyberspace-oriented access control model[J]. Journal on Communications, 2016,37(5): 9-20.
[4]	YU X , XU P , ZHANG T ,et al. Research and implementation of role-based access control model of fundamental spatial database system of Jilin water resources[C]// The 2013 International Conference on Information System and Engineering Management. 2013: 83-86.
[5]	WANG Y C , LI F H , XIONG J B ,et al. Achieving lightweight and secure access control in multi-authority cloud[C]// The 14th IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2015: 459-466.
[6]	VAIDYA J , ATLURI V , GUO Q . The role mining problem:a formal perspective[J]. ACM Transactions on Information and System Security, 2010,13(3).
[7]	MOLLOY I , LI N.H , QI A ,et al. Mining roles with noisy data[C]// The 15th ACM Symposium on Access Control Models and Technologies. 2010: 45-54.
[8]	BAUER L , GARRISS S , REITER M.K . Detecting and resolving policy misconfigurations in access-control systems[J]. ACM Transactions on Information and System Security, 2011,14(1).
[9]	DAS T , BHAGWAN R , NALDURG P . Baaz:a system for detecting access control misconfigurations[C]// The 19th USENIX Security Symposium. 2010: 161-176.
[10]	SCHLEGELMILCH J , STEFFENS U . Role mining with Oracle[C]// The 10th ACM Symposium on Access Control Models and Technologies. 2005: 168-176.
[11]	VAIDYA J , ATLURI V , WARNER J . Roleminer:mining roles using subset enumeration[C]// The 13th ACM Conference on Computer and Communications Security. 2006: 144-153.
[12]	MOLLOY I , CHEN H , LI T et al . Mining roles with semantic meanings[C]// The 13th ACM Symposium on Access Control Models and Technologies. 2008: 21-30.
[13]	FRANK M , BUHMAN J M , BASIN D . Role mining with probabilistic model[J]. ACM Transactions on Information and System Security, 2013,15(4).
[14]	HARIKA P , NAGAJYOTHI M , JOHN J C ,et al. Meeting cardinality constraints in role mining[J]. IEEE Transactions on Dependable and Secure Computing, 2015,12(1): 71-84.
[15]	JAFARIAN J H , TAKABI H , TOUATI H ,et al. Towards a general framework for optimal role mining:a constraint satisfaction approach[C]// The 20th ACM Symposium on Access Control Models and Technologies. 2015: 211-220.
[16]	LUXBURG U V . A tutorial on spectral clustering[J]. Statistics and Computing, 2007,17(4): 395-416.
[17]	ZELNIK-MANOR L . Self-tuning spectral clustering[J]. Advances in Neural Information Processing Systems, 2004,14: 1601-1608.
[18]	YAN J , CHENG D , ZONG M ,et al. Improved spectral clustering algorithm based on similarity measure[C]// The 10th International Conference on Advanced Data Mining and Applications. 2014: 641-654.
[19]	GHOSHDASTIDAR D , DUKKIPATI A . Spectral clustering using multilinear svd:Analysis,approximations and applications[C]// The 29th Conference on Artificial Intelligence. 2015: 2610-2616.
[20]	LU H , FU Z , SHU X . Non-negative and sparse spectral clustering[J]. Pattern Recognition, 2014,47(1): 418-426.
[21]	孔万增, 孙志海, 杨灿 ,等. 基于本征间隙与正交特征向量的自动谱聚类[J]. 电子学报, 2010,38(8): 1880-1885.
	KONG W Z , SUN Z H , YANG C ,et al. Automatic spectral clustering based on eigengap and orthogonal eigenvector[J]. Acta Electronica Sinica, 2010,38(8): 1880-1885.
[22]	STOLLER S D , YANG P , RAMAKRISHNAN C R ,et al. Efficient policy analysis for administrative role based access control[C]// The 2007 ACM Conference on Computer and Communications Security. 2007: 445-455.
[23]	ENE A , HORNE W , MILOSAVLJEVIC N ,et al. Fast exact and heuristic methods for role minimization problems[C]// The 13th ACM Symposium on Access Control Models and Technologies. 2008: 1-10.
[24]	YIN L , FANG L , NIU B ,et al. Hunting abnormal configurations for permission-sensitive role mining[C]// The 2016 IEEE Military Communications Conference. 2016: 1004-1009.

用户	P1	P2	P3	P4	P5	P6	P7	P8	P9
A	1	1	1	1	0	0	0	0	0
B	1	1	1	1	1	0	0	0	0
C	1	1	1	1	0	0	0	0	0
D	1	1	1	1	0	0	0	0	0
E	1	1	1	1	0	0	0	0	0

用户	P1	P2	P3	P4	P5	P6	P7	P8	P9
A	1	1	1	1	0	1	0	0	0
B	1	1	1	1	0	1	0	0	0
C	1	1	1	1	0	0	0	0	0
D	1	1	1	1	0	1	0	0	0
E	1	1	1	1	0	1	0	0	0

数据集	用户个数	权限个数
Healthcare	46	46
University	493	56
Emea	35	3 046
Firewall1	365	1 417
Firewall2	325	1 179

数据集	初始异常配置数		对比算法	最终异常配置数
数据集	P_add	N_add	对比算法	P_left	N_left
			文献[7]算法（SVD）	35	18
			文献[7]算法（NMF）	28	30
University	197	23	文献[7]算法（BNMF）	30	16
			文献[7]算法（LPCA）	20	22
			文献[24]算法（PSRM）	16	14
			本文算法	6	14

基于谱聚类的访问控制异常权限配置挖掘机制

Spectral-clustering-based abnormal permission assignments hunting framework

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 24

相关文章 15

Metrics

推荐阅读 0

[1]	金伟, 李凤华, 余铭洁, 郭云川, 周紫妍, 房梁. 面向HDFS的密钥资源控制机制[J]. 通信学报, 2022, 43(9): 27-41.
[2]	赵静, 李俊, 龙春, 万巍, 魏金侠, 陈凯. 基于多层次特征的RoQ隐蔽攻击无监督检测方法[J]. 通信学报, 2022, 43(9): 224-239.
[3]	梁晓艳, 杜瑞忠. IoT下CapBAC规则语义表示及其时间间隔粗糙性分析[J]. 通信学报, 2021, 42(9): 43-53.
[4]	董江涛, 闫沛文, 杜瑞忠. 雾计算中基于无配对CP-ABE可验证的访问控制方案[J]. 通信学报, 2021, 42(8): 139-150.
[5]	彭长根, 彭宗凤, 丁红发, 田有亮, 刘荣飞. 具有可撤销功能的属性协同访问控制方案[J]. 通信学报, 2021, 42(5): 75-86.
[6]	应作斌, 斯元平, 马建峰, 刘西蒙. 基于区块链的分布式EHR细粒度可追溯方案[J]. 通信学报, 2021, 42(5): 205-215.
[7]	杜瑞忠, 闫沛文, 刘妍. 雾计算中细粒度属性更新的外包计算访问控制方案[J]. 通信学报, 2021, 42(3): 160-170.
[8]	张嘉伟, 马建峰, 马卓, 李腾. 云计算中基于时间和隐私保护的可撤销可追踪的数据共享方案[J]. 通信学报, 2021, 42(10): 81-94.
[9]	诸天逸,李凤华,金伟,郭云川,房梁,成林. 互操作性与自治性平衡的跨域访问控制策略映射[J]. 通信学报, 2020, 41(9): 29-48.
[10]	周清雷,班绍桓,韩英杰,冯峰. 针对物理访问控制的拟态防御认证方法[J]. 通信学报, 2020, 41(6): 80-87.
[11]	贾春福,哈冠雄,李瑞琪. 密文去重系统中的数据访问控制策略[J]. 通信学报, 2020, 41(5): 72-83.
[12]	付永贵,朱建明. 基于区块链的数据库访问控制机制设计[J]. 通信学报, 2020, 41(5): 130-140.
[13]	刘真,王娜娜,王晓东,孙永奇. 位置社交网络中谱嵌入增强的兴趣点推荐算法[J]. 通信学报, 2020, 41(3): 197-206.
[14]	谢绒娜,李晖,史国振,郭云川. 基于属性轻量级可重构的访问控制策略[J]. 通信学报, 2020, 41(2): 112-122.
[15]	刘敖迪, 杜学绘, 王娜, 乔蕊. 基于深度学习的ABAC访问控制策略自动化生成技术[J]. 通信学报, 2020, 41(12): 8-20.