网络与信息安全学报 ›› 2024, Vol. 10 ›› Issue (1): 58-78.doi: 10.11959/j.issn.2096-109x.2024003
• 学术论文 • 上一篇
单棣斌, 杜学绘, 王文娟, 王娜, 刘敖迪
修回日期:
2023-08-28
出版日期:
2024-02-01
发布日期:
2024-02-01
作者简介:
单棣斌(1982− ),男,河北邯郸人,信息工程大学副教授,主要研究方向为大数据安全、信任安全、图神经网络基金资助:
Dibin SHAN, Xuehui DU, Wenjuan WANG, Na WANG, Aodi LIU
Revised:
2023-08-28
Online:
2024-02-01
Published:
2024-02-01
Supported by:
摘要:
动态访问控制模型是构建大数据动态访问控制系统的理论基础,而现有访问控制模型大多只能满足单一情景下的动态访问控制,无法适应大数据上下文环境变化、实体关系变更和客体状态变迁等多类型动态情景中的访问控制。针对上述问题,在现有访问控制模型的研究的基础上,对大数据动态因素进行分析,提出基于场景感知的访问控制(SAAC,scenario-aware access control)模型。将各类型动态因素转换为属性、关系等基本元素;并引入场景信息对各类组成元素进行统一建模;基于场景信息构建大数据动态访问控制模型,以实现对多类型动态因素、扩展动态因素的支持。设计 SAAC 模型的工作框架,并提出框架工作流程对应的基于场景感知的访问控制模型规则学习算法和 SAAC 规则执行算法,以实现访问控制规则自动学习和动态访问控制决策。通过引入非传递无干扰理论,分析并验证了对所提模型的安全性。为验证所提模型访问控制策略挖掘方法的有效性,将SAAC模型与ABAC-L、PBAC-X、DTRM和FB-CAAC等基线模型在4个数据集上进行了实验对比。实验结果表明,SAAC模型及其策略挖掘方法的ROC曲线的线下面积、单调性和陡峭度等指标的结果均优于基线模型,验证了所提模型能够支持多类型动态因素和动态因素扩展,其挖掘算法所得的访问控制规则的综合质量相对较高。
中图分类号:
单棣斌, 杜学绘, 王文娟, 王娜, 刘敖迪. 基于场景感知的访问控制模型[J]. 网络与信息安全学报, 2024, 10(1): 58-78.
Dibin SHAN, Xuehui DU, Wenjuan WANG, Na WANG, Aodi LIU. Scenario-aware access control model[J]. Chinese Journal of Network and Information Security, 2024, 10(1): 58-78.
表1
访问控制模型支持动态因素与动态访问控制内容对比Table 1 Compare of access control model supports dynamic factors with dynamic access control content"
模型 | 支持动态授权 | 动态因素动态访问控制内容 |
RBAC | 否 | 无无 |
TRBAC | 是 | 时间时间约束,随时间动态激活角色 |
GEO-RBAC | 是 | 地点结合用户位置授予用户角色 |
LoT-RBAC | 是 | 时间+地点结合时间、地点授予用户角色 |
ABAC | 是 | 属性、环境条件随属性值的变化、环境条件的变化确定访问者权限 |
CAAC | 是 | 上下文条件 随时间、地点、客体类别、访问目的等上下文条件的变化判断主体访问权限 |
ReBAC | 是 | 实体关系根据主体之间、主客体之间、客体之间的关系判定主体权限 |
PBAC | 是 | 起源信息根据起源信息中客体的状态判定主体权限 |
表3
基于SAAC模型的访问控制系统符号及描述Table 3 Notation and description of access control system based on SAAC model"
类别 | 符号 | 描述 |
成员 | ST | 系统状态集,ST={st0,st1,…,stn},st0表示系统初始状态 |
D | 安全域,包括请求域ds、响应域do、访问控制域da(da可细分为访问控制决策域dd、访问控制实施域de) | |
A | 行为集,A={a 0,a 1,…,an},ai表示第i个行为。根据SAAC模型,行为包括访问请求a request、访问响应a response、访问裁决adecision、访问控制实施aenforcement、场景感知ascaware、访问控制规则生成arulesg6类行为。 | |
Out | 输出结果集 | |
函数 | dom:A→D | 行为与安全域的映射函数,返回值是行为所属的安全域。dom(ai)∈D表示行为ai对应的安全域 |
step:ST×A→ST | 系统状态sti在执行行为ai后进入系统状态sti+1(0≤i≤n),记为sti+1=step(sti,ai) | |
run:ST×A*→ST | 系统状态sti在执行一系列行为 | |
output:ST×A*→Out | 系统状态sti在执行一系列行为 | |
ipurge:A*×D→A* | 非传递的消除函数,从行为序列 | |
sources:A*×D→2 D | 在一个行为序列中识别出那些不应该被删除的行为,记为 | |
关系 | ~> | 干扰关系:表示对不同安全域之间的信息流的权限 |
无干扰关系:表示禁止不同安全域之间的信息流 | ||
观察等价关系:表示从安全域d的角度来看,系统状态sti和状态stj是等价的。 | ||
子域等价关系:表示在安全域集的一个子域中,系统状态 sti 和状态 stj 是等价的。 |
[1] | 李昊, 张敏, 冯登国 ,等. 大数据访问控制研究[J]. 计算机学报, 2017,(1): 72-91. |
LI H , ZHANG M , FENG D G ,et al. Research on access control for big data[J]. Journal of Computer Science, 2017,(1): 72-91. | |
[2] | SERVOS D , OSBORN S L . Current research and open problems in attribute-based access control[J]. ACM Computing Surveys, 2017,49(4): 1-45. |
[3] | CHEN X , GAO Y , TANG H ,et al. Research progress on big data security technology[J]. Scientia Sinica Informationis, 2020,50(1): 25-66. |
[4] | 高振升, 曹利峰, 杜学绘 . 基于区块链的访问控制技术研究进展[J]. 网络与信息安全学报, 2021,7(6): 68-87. |
GAO Z S , CAO L F , DU X H . Research progress of access control based on blockchain[J]. Chinese Journal of Network and Information Security, 2021,7(6): 68-87. | |
[5] | KAYES A S M , KALARIA R , SARKER I H ,et al. A survey of context-aware access control mechanisms for cloud and fog networks:taxonomy and open research issues[J]. Sensors (Basel), 2020,20(9): 1-34. |
[6] | 刘敖迪, 杜学绘, 王娜 ,等. 基于深度学习的ABAC访问控制策略自动化生成技术[J]. 通信学报, 2020,41(12): 8-20. |
LIU A D , DU X H , WANG N ,et al. Automatic Generation technology of ABAC access control policy based on deep learning[J]. Journal on Communications, 2020,41(12): 8-20. | |
[7] | 单棣斌, 杜学绘, 王文娟 ,等. 基于 GNN 双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022,8(5): 40-55. |
SHAN D B , DU X H , WANG W J ,et al. Access control relationship prediction method based on GNN dual source learning[J]. Chinese Journal of Network and Information Security, 2022,8(5): 40-55. | |
[8] | PARK J , NGUYEN D , SANDHU R . A provenance-based access control model[C]// Proceedings of 2012 Tenth Annual International Conference on Privacy,Security and Trust (PST). 2012: 137-144. |
[9] | AKAICHI I , KIRRANE S . Usage control specification,enforcement,and robustness:a survey[J]. 2022,arXiv:2203.04800[04.23 2023]. |
[10] | BERTINO E , BONATTI P A , FERRARI E . TRBAC:A temporal role-based access control model[C]// Proceedings of TISSEC2001. 2001: 191-233. |
[11] | BERTINO E , CATANIA B , DAMIANI M L ,et al. GEO-RBAC:a spatially aware RBAC[C]// Proceedings of the 10th Symposium on Access Control Models and Technologies. 2005: 29-37. |
[12] | CHANDRAN S M , JOSHI J B . LoT-RBAC:A location and time-based RBAC model[C]// Proceedings of the International Conference on Web Information Systems Engineering. 2005: 361-375. |
[13] | ASIM Y , MALIK A K . A survey on access control techniques for social networks[M]. Information Diffusion Management and Knowledge Sharing. 2020: 319-342. |
[14] | BUI T , STOLLER S D . A decision tree learning approach for mining relationship-based access control policies[C]// Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 2020: 167-178. |
[15] | BUI T , STOLLER S D , LE H . Efficient and extensible policy mining for relationship-based access control[C]// Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. 2019: 161-172. |
[16] | KAYES A S M , RAHAYU W , DILLON T ,et al. Context-aware access control with imprecise context characterization for cloudbased data resources[J]. Futur Gener Comp Syst, 2019,93: 237-255. |
[17] | KAYES A S M , HAN J , RAHAYU W ,et al. A policy model and framework for context-aware access control to information resources[J]. Comput J, 2019,62(5): 670-705. |
[18] | BERTOLISSI C , HARTOG J D , ZANNONE N . Using provenance for secure data fusion in cooperative systems[C]// Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. 2019: 185-194. |
[19] | YU Y , XIA T , WANG H ,et al. Semantic-aware spatio-temporal app usage representation via graph convolutional network[J]. Proc ACM Interact Mob Wearable Ubiquitous Technol, 2020,4(3): 101: 101-124. |
[20] | CHAKRABORTY S , SANDHU R . Formal analysis of ReBAC policy mining feasibility[C]// Proceedings of CODASPY '21. 2021: 197-207. |
[21] | FAN X , ZHANG F , SONG J ,et al. A fine-grained policy model for provenance-based access control and policy algebras[J]. 2020,arXiv:2001.01945, 2023. |
[22] | GROUP N B D P W , SUBGROUP D A T . NIST big data interoperability framework:volume 1,definitions[R]. 2019. |
[23] | GROUP N B D P W , SUBGROUP D A T . NIST big data interoperability framework:volume 2,big data taxonomies[R]. 2019. |
[24] | 李学龙, 龚海刚 . 大数据系统综述[J]. 中国科学:信息科学, 2015,45(1): 1-44. |
LI X L , GONG H G . A survey on big data systems[J]. SCIENTIA SINICA Informationis, 2015,45(1): 1-44. | |
[25] | ARSHAD H , JOHANSEN C , OWE O . Semantic attribute-based access control:a review on current status and future perspectives[J]. Journal of Systems Architecture, 2022,129:102625. |
[26] | KAYES A S M , HAN J , COLMAN A . ICAF:a context-aware framework for access control[M]. Information Security and Privacy. 2012: 442-449. |
[27] | KAYES A S M , RAHAYU W , WATTERS P ,et al. Achieving security scalability and flexibility using fog-based context-aware access control[J]. Futur Gener Comp Syst, 2020,107: 307-323. |
[28] | KAYES A S M , HAN J , COLMAN A . An ontological framework for situation-aware access control of software services[J]. Information Systems, 2015,53: 253-277. |
[29] | MCINTOSH T , WATTERS P , KAYES A S M ,et al. Enforcing situation-aware access control to build malware-resilient file systems[J]. Future Generation Computer Systems, 2021,115: 568-582. |
[30] | CORRADI A , MONTANARI R , TIBALDI D . Context-based access control for ubiquitous service provisioning[C]// Proceedings of the 28th Annual International Computer Software and Applications Conference (COMPSAC’04). 2004: 444-451. |
[31] | BUI T , STOLLER S D , LI J J . Greedy and evolutionary algorithms for mining relationship-based access control policies[J]. Computers& Security, 2019,80: 317-333. |
[32] | IYER P , MASOUMZADEH A . Active learning of relationship-based access control policies[C]// Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 2020: 155-166. |
[33] | KAYES A S M , HAN J , COLMAN A ,et al. RelBOSS:a relationship-aware access control framework for software services[M]// MEERSMAN R,PANETTO H,DILLON T,et al. On the Move to Meaningful Internet Systems: Otm 2014 Conferences. 2014: 258-276. |
[34] | SUN L , PARK J , NGUYEN D ,et al. A provenance-aware access control framework with typed provenance[J]. IEEE Trans Dependable Secur Comput, 2016,13(4): 411-423. |
[35] | NGUYEN D , PARK J , SANDHU R . A provenance-based access control model for dynamic separation of duties[C]// Proceedings of 2013 Eleventh Annual Conference on Privacy,Security and Trust (PST). 2013: 247-256. |
[36] | CHAKRABORTY S , SANDHU R . On feasibility of attributeaware relationship-based access control policy mining[M]// Berlin: Springer.Data and Applications Security and Privacy. 2021: 393-405. |
[37] | HU V C , FERRAIOLO D , KUHN R ,et al. Guide to attribute based access control (abac) definition and considerations:NIST special publication 800-162[S]. 2014: 1-37. |
[38] | KAYES A S M , HAN J , COLMAN A ,et al. A semantic policy framework for context-aware access control applications[C]// Proceedings of 2013 12th IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2013: 753-762. |
[39] | KAYES A S M , RAHAYU W , DILLON T . An ontology-based approach to dynamic contextual role for pervasive access control[C]// Proceedings 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications. 2018: 601-608. |
[40] | MOREAU L , CLIFFORD B , FREIRE J ,et al. The open provenance model core specification (v1.1)[J]. Future Generation Computer Systems, 2011,27(6): 743-756. |
[41] | MISSIER P , BELHAJJAME K , CHENEY J . The W3C PROV family of specifications for modelling provenance metadata[C]// Proceedings of the 16th International Conference. 2013: 773-776. |
[42] | BATRA G , ATLURI V , VAIDYA J ,et al. Incremental maintenance of ABAC Policies[C]// Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, 2021. |
[43] | SHAN D , DU X , WANG W ,et al. GNN-based method for predicting access control relationships for big data[C]// 2022 2nd International Conference on Computer Science,Electronic Information Engineering and Intelligent Control Technology (CEI). 2022. |
[44] | HAN J , PEI J , YIN Y ,et al. Mining frequent patterns without candidate generation:a frequent-pattern tree approach[J]. Data Mining and Knowledge Discovery, 2004,8(1): 53-87. |
[45] | HUANG H , FU Y , HU J ,et al. Research on distributed dynamic trusted access control based on security subsystem[J]. IEEE Transactions on Information Forensics and Security, 2022: 1-15. |
[46] | RUSHBY J . Noninterference,transitivity,and channel-control security policies[R]. 2005. |
[47] | WANG X , JI H , SHI C ,et al. Heterogeneous graph attention network[C]// Proceedings of The World Wide Web Conference(WWW '19). 2019: 2022-2032. |
[48] | TU Z , LI R , LI Y ,et al. Your apps give you away distinguishing mobile users by their app usage fingerprints[C]// Proceedings of the ACM on Interactive,Mobile,Wearable and Ubiquitous Technologies. 2018,138: 131-123. |
[49] | KARIMI L , ALDAIRI M . An automatic attribute based access control policy extraction from access logs[J]. IEEE Trans Dependable Secur Comput, 2022,19(4): 2304-2317. |
[50] | SANDERS M W , YUE C,ACM . Mining least privilege attribute based access control policies[C]// Proceedings of 35th Annual Computer Security Applications Conference (ACSA). 2019: 404-416. |
[1] | 祖铄迪, 丁世昌, 袁福祥, 罗向阳. 目标网络场景自适应的IP定位框架[J]. 网络与信息安全学报, 2023, 9(6): 71-85. |
[2] | 李婧文, 李雅文. 深度合成技术应用与风险应对[J]. 网络与信息安全学报, 2023, 9(2): 184-190. |
[3] | 李东, 郝艳妮, 彭升辉, 訾瑞杰, 刘西蒙. 国家自然科学基金委员会网络安全现状与展望[J]. 网络与信息安全学报, 2022, 8(6): 92-101. |
[4] | 单棣斌, 杜学绘, 王文娟, 刘敖迪, 王娜. 基于GNN双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022, 8(5): 40-55. |
[5] | 穆超, 王鑫, 杨明, 张恒, 陈振娅, 吴晓明. 面向物联网设备固件的硬编码漏洞检测方法[J]. 网络与信息安全学报, 2022, 8(5): 98-110. |
[6] | 高振升, 曹利峰, 杜学绘. 基于区块链的访问控制技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 68-87. |
[7] | 杨冠群, 刘荫, 徐浩, 邢宏伟, 张建辉, 李恩堂. 基于区块链的电网可信分布式身份认证系统[J]. 网络与信息安全学报, 2021, 7(6): 88-98. |
[8] | 周家顺, 王娜, 杜学绘. 基于区块链的数据完整性多方高效审计机制[J]. 网络与信息安全学报, 2021, 7(6): 113-125. |
[9] | 宋甫元, 秦拯, 张吉昕, 刘羽. 基于访问控制安全高效的多用户外包图像检索方案[J]. 网络与信息安全学报, 2021, 7(5): 29-39. |
[10] | 毋文超, 任志宇, 杜学绘. 基于权限聚类的属性值优化[J]. 网络与信息安全学报, 2021, 7(4): 175-182. |
[11] | 郝一诺, 金梁, 黄开枝, 肖帅芳. 准静态场景下基于智能超表面的密钥生成方法[J]. 网络与信息安全学报, 2021, 7(2): 77-85. |
[12] | 诸天逸, 李凤华, 成林, 郭云川. 跨域访问控制技术研究[J]. 网络与信息安全学报, 2021, 7(1): 20-27. |
[13] | 熊钢,葛雨玮,褚衍杰,曹卫权. 基于跨域协同的网络空间威胁预警模式[J]. 网络与信息安全学报, 2020, 6(6): 88-96. |
[14] | 邱云翔,张红霞,曹琪,章建聪,陈兴蜀,金泓键. 基于CP-ABE算法的区块链数据访问控制方案[J]. 网络与信息安全学报, 2020, 6(3): 88-98. |
[15] | 牛玉坤,魏凌波,张驰,张霞,GustavoVejarano. 基于比特币区块链的公共无线局域网接入控制隐私保护研究[J]. 网络与信息安全学报, 2020, 6(2): 56-66. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|