基于场景感知的访问控制模型

doi:10.11959/j.issn.2096-109x.2024003

Abstract

Abstract:

Dynamic access control model is the theoretical basis for constructing a dynamic access control system for big data.However, most existing access control models can only fulfill dynamic access control in a single scenario and are unable to adapt to access control in multiple types of dynamic scenarios.These scenarios include changes in the contextual environment of big data, changes in entity relationships, and changes in the state of objects.To address these issues, an analysis was conducted based on the research of existing access control models and the dynamic factors of big data.Subsequently, scenario-aware access control (SAAC) model was proposed, which was based on dynamic factor conversion and scenario unified modeling.All types of dynamic factors were converted into basic elements such as attributes and relationships.Then, scene information was incorporated to model the various types of constituent elements in a unified manner.A big data dynamic access control model was constructed based on scene information to support multi-type dynamic factors and extended dynamic factors.The working framework of the SAAC model was designed, and the SAAC rule learning algorithm and SAAC rule execution algorithm were proposed corresponding to the workflow of the framework.This enabled the automatic learning of access control rules and dynamic access control decision-making.The security of the proposed model was analyzed and verified by introducing the non-transitive non-interference theory.To validate the effectiveness of the access control policy mining method of the proposed model, experimental comparisons were conducted between the SAAC model and baseline models such as ABAC-L, PBAC-X, DTRM, and FB-CAAC using four datasets.The experimental results demonstrate that the SAAC model and its strategy mining method outperforms the baseline models in terms of metrics such as area under the curve AUC, monotonicity, and steepness of the ROC curve.This verification confirms that the proposed model can support multiple types of dynamic factors and dynamic factor extensions, and that the combined effect of the access control rules obtained from its mining algorithm is relatively high.

Key words: big data, access control, dynamic factors, scenarios, non-interference theory

CLC Number:

TP309

Dibin SHAN, Xuehui DU, Wenjuan WANG, Na WANG, Aodi LIU. Scenario-aware access control model[J]. Chinese Journal of Network and Information Security, 2024, 10(1): 58-78.

Figures/Tables 8

模型要素	映射函数
1) 主体集S： $S = {s_{1}, s_{2}, \dots, s_{m}}, s_{i} \in S, (1 \leq i \leq \| S \|)$	属性映射函数MA：
2) 客体集O： $O = {o_{1}, o_{2}, \dots, o_{m}}, o_{i} \in O, (1 \leq i \leq \| O \|)$	$S \cup O \cup Op \cup E \to At$
3) 操作集Op： $Op = {{op}_{1}, {op}_{2}, \dots, {op}_{m}}, {op}_{i} \in Op, (1 \leq i \leq \| Op \|)$	关系映射函数MR：
4) 环境集E： $E = {e_{1}, e_{2}, \dots, e_{m}}, e_{i} \in E, (1 \leq i \leq \| E \|)$	$S \cup O \cup Op \cup E \cup At \to R$
5) 属性集At： ${At={at}_{i j}^{x} {\|at}_{i j}^{x} = < name,value,map >, x \in X, 1 \leq i \leq N_{x}, 1 \leq j \leq N_{i}}$	场景权限映射函数MSP：
6) 关系集R： $R = {r_{j}^{n} \| 1 \leq j \leq N, 1 < n \leq N}$	Sc→Perm
7) 场景信息集Sc： $Sc = BSc \cup ASc, BSc = At \cup R, ASc = F (BSc)$	规则权限映射函数MPP：
8) 权限集Perm： $Perm = {< {op}_{i}, o_{j} > \| {op}_{i} \in 2^{Op}, o_{j} \in 2^{O}} \subseteq 2^{Op \times O}$	Policy→Perm
9) 访问控制规则集P：
$P = {p_{i} \| p_{i} = < pid, {sc}_{i}, {perm}_{i}, result >, i, pid \in N, {sc}_{i} \in Sc, {perm}_{i} \in Perm, result \in {Accept, Deny}}$

类别	符号	描述
成员	ST	系统状态集，ST={st₀,st₁,…,st_n}，st₀表示系统初始状态
	D	安全域，包括请求域d_s、响应域d_o、访问控制域d_a（d_a可细分为访问控制决策域d_d、访问控制实施域d_e）
	A	行为集，A={a ₀,a ₁,…,a_n}，a_i表示第i个行为。根据SAAC模型，行为包括访问请求a _request、访问响应a _response、访问裁决a_decision、访问控制实施a_enforcement、场景感知a_scaware、访问控制规则生成a_rulesg6类行为。
	Out	输出结果集
函数	dom:A→D	行为与安全域的映射函数，返回值是行为所属的安全域。dom(a_i)∈D表示行为a_i对应的安全域
	step:ST×A→ST	系统状态st_i在执行行为a_i后进入系统状态st_i+1(0≤i≤n)，记为st_i+1=step(st_i,a_i)
	run:ST×A*→ST	系统状态st_i在执行一系列行为 $α$ 后进入系统状态st_i+j(0≤i≤n)，记为 ${st}_{i + j} = run ({st}_{i}, α)$ 。其中， $α$ 是行为序列，表示为 $α = a_{i + 1} \circ a_{i +}_{2} \circ, \dots, \circ a_{j}$ ， $\circ$ 表示行为连接
	output:ST×A*→Out	系统状态st_i在执行一系列行为 $α$ 后的输出结果，记为 ${out}_{i + j} = output ({st}_{i}, α)$ 。当 $α$ 只有一次行为时，output表示单步执行后的输出结果
	ipurge:A×D→A	非传递的消除函数，从行为序列 $α$ 中消除与给定安全域d无干扰的行为，记为 $ipurge (α, d)$
	sources:A*×D→2 ^D	在一个行为序列中识别出那些不应该被删除的行为，记为 $sources (α, d)$
关系	～＞	干扰关系：表示对不同安全域之间的信息流的权限
	$\sim >$	无干扰关系：表示禁止不同安全域之间的信息流
	${st}_{i} \overset{d}{\sim} {st}_{j}$	观察等价关系：表示从安全域d的角度来看，系统状态st_i和状态st_j是等价的。 ${st}_{i} \overset{d}{\sim} {st}_{j} \Rightarrow output ({st}_{i}, a) = {output(st}_{j}, a)$
	${st}_{i} \overset{C}{\approx} {st}_{j}$	子域等价关系：表示在安全域集的一个子域中，系统状态 st_i 和状态 st_j 是等价的。 ${st}_{i} \overset{C}{\approx} {st}_{j} \overset{def}{=} (\forall d \in C : {st}_{i} \overset{d}{\sim} {st}_{j})$

References 50

[1]	李昊, 张敏, 冯登国 ,等. 大数据访问控制研究[J]. 计算机学报, 2017,(1): 72-91.
	LI H , ZHANG M , FENG D G ,et al. Research on access control for big data[J]. Journal of Computer Science, 2017,(1): 72-91.
[2]	SERVOS D , OSBORN S L . Current research and open problems in attribute-based access control[J]. ACM Computing Surveys, 2017,49(4): 1-45.
[3]	CHEN X , GAO Y , TANG H ,et al. Research progress on big data security technology[J]. Scientia Sinica Informationis, 2020,50(1): 25-66.
[4]	高振升, 曹利峰, 杜学绘 . 基于区块链的访问控制技术研究进展[J]. 网络与信息安全学报, 2021,7(6): 68-87.
	GAO Z S , CAO L F , DU X H . Research progress of access control based on blockchain[J]. Chinese Journal of Network and Information Security, 2021,7(6): 68-87.
[5]	KAYES A S M , KALARIA R , SARKER I H ,et al. A survey of context-aware access control mechanisms for cloud and fog networks:taxonomy and open research issues[J]. Sensors (Basel), 2020,20(9): 1-34.
[6]	刘敖迪, 杜学绘, 王娜 ,等. 基于深度学习的ABAC访问控制策略自动化生成技术[J]. 通信学报, 2020,41(12): 8-20.
	LIU A D , DU X H , WANG N ,et al. Automatic Generation technology of ABAC access control policy based on deep learning[J]. Journal on Communications, 2020,41(12): 8-20.
[7]	单棣斌, 杜学绘, 王文娟 ,等. 基于 GNN 双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022,8(5): 40-55.
	SHAN D B , DU X H , WANG W J ,et al. Access control relationship prediction method based on GNN dual source learning[J]. Chinese Journal of Network and Information Security, 2022,8(5): 40-55.
[8]	PARK J , NGUYEN D , SANDHU R . A provenance-based access control model[C]// Proceedings of 2012 Tenth Annual International Conference on Privacy,Security and Trust (PST). 2012: 137-144.
[9]	AKAICHI I , KIRRANE S . Usage control specification,enforcement,and robustness:a survey[J]. 2022,arXiv:2203.04800[04.23 2023].
[10]	BERTINO E , BONATTI P A , FERRARI E . TRBAC:A temporal role-based access control model[C]// Proceedings of TISSEC2001. 2001: 191-233.
[11]	BERTINO E , CATANIA B , DAMIANI M L ,et al. GEO-RBAC:a spatially aware RBAC[C]// Proceedings of the 10th Symposium on Access Control Models and Technologies. 2005: 29-37.
[12]	CHANDRAN S M , JOSHI J B . LoT-RBAC:A location and time-based RBAC model[C]// Proceedings of the International Conference on Web Information Systems Engineering. 2005: 361-375.
[13]	ASIM Y , MALIK A K . A survey on access control techniques for social networks[M]. Information Diffusion Management and Knowledge Sharing. 2020: 319-342.
[14]	BUI T , STOLLER S D . A decision tree learning approach for mining relationship-based access control policies[C]// Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 2020: 167-178.
[15]	BUI T , STOLLER S D , LE H . Efficient and extensible policy mining for relationship-based access control[C]// Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. 2019: 161-172.
[16]	KAYES A S M , RAHAYU W , DILLON T ,et al. Context-aware access control with imprecise context characterization for cloudbased data resources[J]. Futur Gener Comp Syst, 2019,93: 237-255.
[17]	KAYES A S M , HAN J , RAHAYU W ,et al. A policy model and framework for context-aware access control to information resources[J]. Comput J, 2019,62(5): 670-705.
[18]	BERTOLISSI C , HARTOG J D , ZANNONE N . Using provenance for secure data fusion in cooperative systems[C]// Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. 2019: 185-194.
[19]	YU Y , XIA T , WANG H ,et al. Semantic-aware spatio-temporal app usage representation via graph convolutional network[J]. Proc ACM Interact Mob Wearable Ubiquitous Technol, 2020,4(3): 101: 101-124.
[20]	CHAKRABORTY S , SANDHU R . Formal analysis of ReBAC policy mining feasibility[C]// Proceedings of CODASPY '21. 2021: 197-207.
[21]	FAN X , ZHANG F , SONG J ,et al. A fine-grained policy model for provenance-based access control and policy algebras[J]. 2020,arXiv:2001.01945, 2023.
[22]	GROUP N B D P W , SUBGROUP D A T . NIST big data interoperability framework:volume 1,definitions[R]. 2019.
[23]	GROUP N B D P W , SUBGROUP D A T . NIST big data interoperability framework:volume 2,big data taxonomies[R]. 2019.
[24]	李学龙, 龚海刚 . 大数据系统综述[J]. 中国科学:信息科学, 2015,45(1): 1-44.
	LI X L , GONG H G . A survey on big data systems[J]. SCIENTIA SINICA Informationis, 2015,45(1): 1-44.
[25]	ARSHAD H , JOHANSEN C , OWE O . Semantic attribute-based access control:a review on current status and future perspectives[J]. Journal of Systems Architecture, 2022,129:102625.
[26]	KAYES A S M , HAN J , COLMAN A . ICAF:a context-aware framework for access control[M]. Information Security and Privacy. 2012: 442-449.
[27]	KAYES A S M , RAHAYU W , WATTERS P ,et al. Achieving security scalability and flexibility using fog-based context-aware access control[J]. Futur Gener Comp Syst, 2020,107: 307-323.
[28]	KAYES A S M , HAN J , COLMAN A . An ontological framework for situation-aware access control of software services[J]. Information Systems, 2015,53: 253-277.
[29]	MCINTOSH T , WATTERS P , KAYES A S M ,et al. Enforcing situation-aware access control to build malware-resilient file systems[J]. Future Generation Computer Systems, 2021,115: 568-582.
[30]	CORRADI A , MONTANARI R , TIBALDI D . Context-based access control for ubiquitous service provisioning[C]// Proceedings of the 28th Annual International Computer Software and Applications Conference (COMPSAC’04). 2004: 444-451.
[31]	BUI T , STOLLER S D , LI J J . Greedy and evolutionary algorithms for mining relationship-based access control policies[J]. Computers＆ Security, 2019,80: 317-333.
[32]	IYER P , MASOUMZADEH A . Active learning of relationship-based access control policies[C]// Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 2020: 155-166.
[33]	KAYES A S M , HAN J , COLMAN A ,et al. RelBOSS:a relationship-aware access control framework for software services[M]// MEERSMAN R,PANETTO H,DILLON T,et al. On the Move to Meaningful Internet Systems: Otm 2014 Conferences. 2014: 258-276.
[34]	SUN L , PARK J , NGUYEN D ,et al. A provenance-aware access control framework with typed provenance[J]. IEEE Trans Dependable Secur Comput, 2016,13(4): 411-423.
[35]	NGUYEN D , PARK J , SANDHU R . A provenance-based access control model for dynamic separation of duties[C]// Proceedings of 2013 Eleventh Annual Conference on Privacy,Security and Trust (PST). 2013: 247-256.
[36]	CHAKRABORTY S , SANDHU R . On feasibility of attributeaware relationship-based access control policy mining[M]// Berlin: Springer.Data and Applications Security and Privacy. 2021: 393-405.
[37]	HU V C , FERRAIOLO D , KUHN R ,et al. Guide to attribute based access control (abac) definition and considerations:NIST special publication 800-162[S]. 2014: 1-37.
[38]	KAYES A S M , HAN J , COLMAN A ,et al. A semantic policy framework for context-aware access control applications[C]// Proceedings of 2013 12th IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2013: 753-762.
[39]	KAYES A S M , RAHAYU W , DILLON T . An ontology-based approach to dynamic contextual role for pervasive access control[C]// Proceedings 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications. 2018: 601-608.
[40]	MOREAU L , CLIFFORD B , FREIRE J ,et al. The open provenance model core specification (v1.1)[J]. Future Generation Computer Systems, 2011,27(6): 743-756.
[41]	MISSIER P , BELHAJJAME K , CHENEY J . The W3C PROV family of specifications for modelling provenance metadata[C]// Proceedings of the 16th International Conference. 2013: 773-776.
[42]	BATRA G , ATLURI V , VAIDYA J ,et al. Incremental maintenance of ABAC Policies[C]// Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, 2021.
[43]	SHAN D , DU X , WANG W ,et al. GNN-based method for predicting access control relationships for big data[C]// 2022 2nd International Conference on Computer Science,Electronic Information Engineering and Intelligent Control Technology (CEI). 2022.
[44]	HAN J , PEI J , YIN Y ,et al. Mining frequent patterns without candidate generation:a frequent-pattern tree approach[J]. Data Mining and Knowledge Discovery, 2004,8(1): 53-87.
[45]	HUANG H , FU Y , HU J ,et al. Research on distributed dynamic trusted access control based on security subsystem[J]. IEEE Transactions on Information Forensics and Security, 2022: 1-15.
[46]	RUSHBY J . Noninterference,transitivity,and channel-control security policies[R]. 2005.
[47]	WANG X , JI H , SHI C ,et al. Heterogeneous graph attention network[C]// Proceedings of The World Wide Web Conference(WWW '19). 2019: 2022-2032.
[48]	TU Z , LI R , LI Y ,et al. Your apps give you away distinguishing mobile users by their app usage fingerprints[C]// Proceedings of the ACM on Interactive,Mobile,Wearable and Ubiquitous Technologies. 2018,138: 131-123.
[49]	KARIMI L , ALDAIRI M . An automatic attribute based access control policy extraction from access logs[J]. IEEE Trans Dependable Secur Comput, 2022,19(4): 2304-2317.
[50]	SANDERS M W , YUE C,ACM . Mining least privilege attribute based access control policies[C]// Proceedings of 35th Annual Computer Security Applications Conference (ACSA). 2019: 404-416.

Metrics

Recommended 0

No Suggested Reading articles found!

Scenario-aware access control model

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 50

Related Articles 15

Metrics

Recommended 0

模型	支持动态授权	动态因素动态访问控制内容
RBAC	否	无无
TRBAC	是	时间时间约束，随时间动态激活角色
GEO-RBAC	是	地点结合用户位置授予用户角色
LoT-RBAC	是	时间+地点结合时间、地点授予用户角色
ABAC	是	属性、环境条件随属性值的变化、环境条件的变化确定访问者权限
CAAC	是	上下文条件随时间、地点、客体类别、访问目的等上下文条件的变化判断主体访问权限
ReBAC	是	实体关系根据主体之间、主客体之间、客体之间的关系判定主体权限
PBAC	是	起源信息根据起源信息中客体的状态判定主体权限

[1]	Dong LI, Yanni HAO, Shenghui PENG, Ruijie ZI, Ximeng LIU. Network security of the National Natural Science Foundation of China: today and prospects [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 92-101.
[2]	Dibin SHAN, Xuehui DU, Wenjuan WANG, Aodi LIU, Na WANG. Access control relationship prediction method based on GNN dual source learning [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 40-55.
[3]	Chao MU, Xin WANG, Ming YANG, Heng ZHANG, Zhenya CHEN, Xiaoming WU. Hardcoded vulnerability detection approach for IoT device firmware [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 98-110.
[4]	Zhensheng GAO, Lifeng CAO, Xuehui DU. Research progress of access control based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 68-87.
[5]	Guanqun YANG, Yin LIU, Hao XU, Hongwei XING, Jianhui ZHANG, Entang LI. Credible distributed identity authentication system of microgrid based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 88-98.
[6]	Jiashun ZHOU, Na WANG, Xuehui DU. Multi-party efficient audit mechanism for data integrity based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 113-125.
[7]	Fuyuan SONG, Zheng QIN, Jixin ZHANG, Yu LIU. Efficient and secure multi-user outsourced image retrieval scheme with access control [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 29-39.
[8]	Wenchao WU, Zhiyu REN, Xuehui DU. Permission clustering-based attribute value optimization [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 175-182.
[9]	Tianyi ZHU, Fenghua LI, Lin CHENG, Yunchuan GUO. Research on cross-domain access control technology [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 20-27.
[10]	Yunxiang QIU,Hongxia ZHANG,Qi CAO,Jiancong ZHANG,Xingshu CHEN,Hongjian JIN. Blockchain data access control scheme based on CP-ABE algorithm [J]. Chinese Journal of Network and Information Security, 2020, 6(3): 88-98.
[11]	Yukun NIU,Lingbo WEI,Chi ZHANG,Xia ZHANG,Vejarano Gustavo. Privacy-preserving access control for public wireless LAN utilizing the bitcoin blockchain [J]. Chinese Journal of Network and Information Security, 2020, 6(2): 56-66.
[12]	Jianming ZHU,Hongrui YANG. Data security challenges and countermeasures in financial technology [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 71-79.
[13]	Qiuyue SU, Xingshu CHEN, Yonggang LUO. Access control model for multi-source heterogeneous data in big data environment [J]. Chinese Journal of Network and Information Security, 2019, 5(1): 78-86.
[14]	Tuosiyu MING, Hongchang CHEN. Research progress and trend of text summarization [J]. Chinese Journal of Network and Information Security, 2018, 4(6): 1-10.
[15]	De-yu YUAN,Xiao-juan WANG,Jian-chao WAN. Influence of Internet plus on cyberspace security and the technology development trend in Internet plus era [J]. Chinese Journal of Network and Information Security, 2017, 3(5): 1-9.