基于标签的数据流转控制策略冗余与冲突检测方法

doi:10.11959/j.issn.2096-109x.2023074

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (5): 21-32.doi: 10.11959/j.issn.2096-109x.2023074

• 学术论文 • 上一篇

基于标签的数据流转控制策略冗余与冲突检测方法

谢绒娜¹, 范晓楠², 李苏浙², 黄宇欣², 史国振¹

¹ 北京电子科技学院密码科学与技术系，北京 100070
² 北京电子科技学院网络空间安全系，北京 100070

修回日期:2023-08-18 出版日期:2023-10-01 发布日期:2023-10-01
作者简介:谢绒娜（1976− ），女，山西永济人，博士，北京电子科技学院教授，主要研究方向为网络与系统安全、访问控制、密码工程
范晓楠（1997− ），女，河北邢台人，北京电子科技学院硕士生，主要研究方向为信息安全、访问控制
李苏浙（1999− ），女，浙江绍兴人，北京电子科技学院硕士生，主要研究方向为访问控制
黄宇欣（1999− ），女，湖南长沙人，北京电子科技学院硕士生，主要研究方向为信息安全、访问控制
史国振（1974− ），男，河南济源人，北京电子科技学院教授、博士生导师，主要研究方向为密码信息安全、信息论与编码理论
基金资助:
国家自然科学基金(61932015);国家重点研发计划(2017YFB0802705)

Redundancy and conflict detection method for label-based data flow control policy

Rongna XIE¹, Xiaonan FAN², Suzhe LI², Yuxin HUANG², Guozhen SHI¹

¹ Department of Cryptography and Science Technology, Beijing Electronic Science and Technology Institute, Beijing 100070, China
² Department of Cyberspace Security, Beijing Electronic Science and Technology Institute, Beijing 100070, China

Revised:2023-08-18 Online:2023-10-01 Published:2023-10-01
Supported by:
The National Natural Science Foundation of China(61932015);The National Key R＆D Program of China(2017YFB0802705)

摘要/Abstract

摘要：

基于标签的数据流转控制机制通过主客体标签实现数据流转控制，具有轻量级、延伸控制的优势，引起了广泛关注。数据流转时，标签变更不可避免，而在标签变更时，新标签与已有标签难免存在冗余或者冲突。如何对标签进行冗余与冲突检测是基于标签的数据流转控制中急需解决的问题。针对上述问题，提出了基于原子操作的标签描述方法。客体标签由多个原子标签的逻辑组合生成。其中，原子标签用于描述最小的安全需求，解决了标签描述简洁性和丰富性问题。为降低标签冗余与冲突检测难度、提高检测效率，基于标签中不同集合的相关性，提出了基于标签的数据流转控制策略冗余与冲突检测方法。该方法通过分析原子标签中各要素的集合关系对原子标签进行冗余与冲突检测，基于原子标签检测结果和逻辑关系对客体标签进行检测，提高了检测效率；基于不同原子标签中包含操作的关系对原子标签进行冗余与冲突检测，对于包含相同操作的不同原子标签，通过分析不同原子标签中主体属性、环境属性以及规则类型之间关系进行检测，对于包含不同操作的原子标签，如果不同操作之间没有关系，那么原子标签不存在冗余与冲突，如果不同操作之间存在偏序关系，则通过分析不同原子标签中操作的偏序关系、主体属性、环境属性以及规则类型之间关系进行检测。从理论和实验两个角度对提出的冗余与冲突检测方法性能进行分析，通过实验验证了原子标签数量和复杂度对检测性能的影响。

关键词: 标签, 数据流转控制, 原子标签, 集合相关性, 策略冗余与冲突检测

Abstract:

To address the challenge of redundancy and conflict detection in the label-based data flow control mechanism, a label description method based on atomic operations has been proposed.When the label is changed, there is unavoidable redundancy or conflict between the new label and the existing label.How to carry out redundancy and conflict detection is an urgent problem in the label-based data flow control mechanism.To address the above problem, a label description method was proposed based on atomic operation.The object label was generated by the logical combination of multiple atomic tags, and the atomic tag was used to describe the minimum security requirement.The above label description method realized the simplicity and richness of label description.To enhance the detection efficiency and reduce the difficulty of redundancy and conflict detection, a method based on the correlation of sets in labels was introduced.Moreover, based on the detection results of atomic tags and their logical relationships, redundancy and conflict detection of object labels was carried out, further improving the overall detection efficiency.Redundancy and conflict detection of atomic tags was based on the relationships between the operations contained in different atomic tags.If different atomic tags contained the same operation, the detection was performed by analyzing the relationship between subject attributes, environmental attributes, and rule types in the atomic tags.On the other hand, if different atomic tags contained different operations without any relationship between them, there was no redundancy or conflict.If there was a partial order relationship between the operations in the atomic tags, the detection was performed by analyzing the partial order relationship of different operations, and the relationship between subject attribute, environment attribute, and rule types in different atomic tags.The performance of the redundancy and conflict detection algorithm proposed is analyzed theoretically and experimentally, and the influence of the number and complexity of atomic tags on the detection performance is verified through experiments.

Key words: label, data flow control, atomic tag, set correlation, policy redundancy and conflict detection

中图分类号:

TP302

谢绒娜, 范晓楠, 李苏浙, 黄宇欣, 史国振. 基于标签的数据流转控制策略冗余与冲突检测方法[J]. 网络与信息安全学报, 2023, 9(5): 21-32.

Rongna XIE, Xiaonan FAN, Suzhe LI, Yuxin HUANG, Guozhen SHI. Redundancy and conflict detection method for label-based data flow control policy[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 21-32.

图/表 6

图1

图2

图3

图4

图5

图6

参考文献 15

[1]	XIE R N , FAN X N , ZHU J Y ,et al. Research on label based data flow control mechanism[C]// 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC). 2021: 233-239.
[2]	刘敖迪, 王娜, 刘磊 . 面向云服务组合的策略冲突检测机制[J]. 计算机应用研究, 2017,34(4): 1145-1150.
	LIU A D , WANG N , LIU L . Policy conflict detection mechanism for cloud service composition[J]. Computer Application Research, 2017,34(4): 1145-1150.
[3]	戚湧, 陈俊, 李千目 . 基于冗余消除和属性数值化的XACML策略优化方法[J]. 计算机科学, 2016,43(2): 163-168.
	QI Y , CHEN J , LI Q M . XACML policy optimization method based on redundancy elimination and attribute numeralization[J]. Computer Science, 2016,43(2): 163-168.
[4]	吴泽智, 陈性元, 杨智 ,等. 信息流控制研究进展[J]. 软件学报, 2017,28(1): 135-159.
	WU Z Z , CHEN X Y , YANG Z ,et al. Research progress on information flow control[J]. Journal of Software, 2017,28(1): 135-159.
[5]	诸天逸, 李凤华, 成林 ,等. 跨域访问控制技术研究[J]. 网络与信息安全学报, 2021,7(1): 20-27.
	ZHU T Y , LI F H , CHENG L ,et al. Research on cross-domain access control technology[J]. Journal of Network and Information Security, 2021,7(1): 20-27.
[6]	李凤华, 谢绒娜, 李晖 ,等. 一种信息流转方法、装置及系统:中国,CN109347845B[P]. 2020-08-07.
	LI F H , XIE R N , LI H ,et al. An information transfer method,device and system:China,CN109347845B[P]. 2020-08-07.
[7]	王媛, 孙宇清, 马乐乐 . 面向社会网络的个性化隐私策略定义与实施[J]. 通信学报, 2012,33(S1): 239-249.
	WANG Y , SUN Y Q , MA L L . Definition and implementation of personalized privacy policies for social networks[J]. Journal on Communication, 2012,33(S1): 239-249.
[8]	LIU G , FANG L , WANG Q ,et al. Resource and attribute based access control model for system with huge amounts of resources[C]// International Conference on Green,Pervasive and Cloud Computing. 2018.
[9]	LI L Q , HAI L . An access control model based on matrix domain security label[J]. IOP Conference Series:Materials Science and Engineering, 2021,1043(4).
[10]	WANG Y T . A cross-domain authorization access control model based on security label attribute[J]. Journal of Physics:Conference Series, 2021,1955(1).
[11]	吴迎红, 黄皓, 周靖康 ,等. 分布式应用访问控制策略精化冲突分析[J]. 计算机应用, 2014,34(2): 421-427.
	WU Y H , HUANG H , ZHOU J K ,et al. Refinement conflict analysis of distributed application access control policy[J]. Computer Applications, 2014,34(2): 421-427.
[12]	CHEN M , HONG J , XIAO Y ,et al. A method of conflict detection and resolution for security policy based on matrix description[C]// 2017 7th IEEE International Conference on Electronics Information and Emergency Communication(ICEIEC). 2017: 548-551.
[13]	江泽涛, 谢朕, 王琦 ,等. 一种基于屏蔽码的 ABAC 静态策略冲突与冗余检测算法[J]. 计算机科学, 2018,45(2): 197-202.
	JIANG Z T , XIE Z , WANG Q ,et al. An ABAC static policy conflict and redundancy detection algorithm based on masking code[J]. Computer Science, 2018,45(2): 197-202.
[14]	LIU G , PEIW , TIAN Y ,et al. A novel conflict detection method for ABAC security policies[J]. Journal of Industrial Information Integration, 2021,22:100200.
[15]	CHOWDHARY A , SABUR A , HUANG D ,et al. Object oriented policy conflict checking framework in cloud networks (OOPC)[J]. IEEE Transactions on Dependable and Secure Computing, 2021.

基于标签的数据流转控制策略冗余与冲突检测方法

Redundancy and conflict detection method for label-based data flow control policy

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 15

相关文章 3

Metrics

推荐阅读 0

[1]	卢晨昕, 陈兵, 丁宁, 陈立全, 吴戈. 具有紧凑标签的基于身份匿名云审计方案[J]. 网络与信息安全学报, 2022, 8(6): 156-168.
[2]	孙学良, 王巍, 黄俊恒, 辛国栋, 王佰玲. 基于标签传播的两阶段社区检测算法[J]. 网络与信息安全学报, 2022, 8(2): 139-149.
[3]	谢绒娜, 范晓楠, 袁琳, 郭子晨, 朱家玉, 史国振. 在线社交网络中延伸访问控制机制研究[J]. 网络与信息安全学报, 2021, 7(5): 123-131.