基于深度学习的ABAC访问控制策略自动化生成技术

doi:10.11959/j.issn.1000-436X.2020212

通信学报 ›› 2020, Vol. 41 ›› Issue (12): 8-20.doi: 10.11959/j.issn.1000-436X.2020212

基于深度学习的ABAC访问控制策略自动化生成技术

刘敖迪¹^,², 杜学绘¹^,², 王娜¹^,², 乔蕊¹^,³

¹ 信息工程大学，河南郑州 450001
² 河南省信息安全重点实验室，河南郑州 450001
³ 周口师范学院，河南周口 466001

修回日期:2020-09-30 出版日期:2020-12-25 发布日期:2020-12-01
作者简介:刘敖迪（1992- ），男，黑龙江伊春人，信息工程大学博士生，主要研究方向为大数据安全、访问控制技术。
杜学绘（1968- ），女，河南辉县人，博士，信息工程大学教授、博士生导师，主要研究方向为网络信息安全。
王娜（1980- ），女，河南济源人，博士，信息工程大学副教授、硕士生导师，主要研究方向为大数据安全。
乔蕊（1983- ），女，河南周口人，博士，周口师范学院教授，主要研究方向为区块链安全。
基金资助:
国家重点研发计划基金资助项目(2018YFB0803603);国家重点研发计划基金资助项目(2016YFB0501901);国家自然科学基金资助项目(61802436);国家自然科学基金资助项目(61902447)

ABAC access control policy generation technique based on deep learning

Aodi LIU¹^,², Xuehui DU¹^,², Na WANG¹^,², Rui QIAO¹^,³

¹ Information Engineering University, Zhengzhou 450001, China
² He’nan Province Key Laboratory of Information Security, Zhengzhou 450001, China
³ Zhoukou Normal University, Zhoukou 466001, China

Revised:2020-09-30 Online:2020-12-25 Published:2020-12-01
Supported by:
The National Key Research and Development Program of China(2018YFB0803603);The National Key Research and Development Program of China(2016YFB0501901);The National Natural Science Foundation of China(61802436);The National Natural Science Foundation of China(61902447)

摘要/Abstract

摘要：

针对访问控制策略的自动化生成问题，提出了一种基于深度学习的ABAC访问控制策略生成框架，从自然语言文本中提取基于属性的访问控制策略，该技术能够显著降低访问控制策略生成的时间成本，为访问控制的实施提供有效支持。将策略生成问题分解为访问控制语句识别和访问控制属性挖掘两项核心任务，分别设计了 BiGRU-CNN-Attention和 AM-BiLSTM-CRF这 2个神经网络模型来实现访问控制策略语句识别和访问控制属性挖掘，从而生成可读、可执行的访问控制策略。实验结果表明，与基准方法相比，所提方法具有更好的性能。特别是在访问控制策略语句识别任务中平均F1-score指标能够达到0.941，比当前的state-of-the-art方法性能提高了4.1%。

关键词: 访问控制, ABAC模型, 策略生成, 自然语言处理, 深度学习

Abstract:

To solve the problem of automatic generation of access control policies, an access control policy generation framework based on deep learning was proposed.Access control policy based on attributes could be generated from natural language texts.This technology could significantly reduce the time cost of access control policy generation and provide effective support for the implementation of access control.The policy generation problem was decomposed into two core tasks, identification of access control policy sentence and access control attribute mining.Neural network models such as BiGRU-CNN-Attention and AM-BiLSTM-CRF were designed respectively to realize identification of access control policy sentence and access control attribute mining, so as to generate readable and executable access control policies.Experimental results show that the proposed method has better performance than the benchmark method.In particular, the average F1-score index can reach 0.941 in the identification task of access control policy sentence, which is 4.1% better than the current state-of-the-art method.

Key words: access control, ABAC model, policy generation, natural language processing, deep learning

中图分类号:

TP309

刘敖迪, 杜学绘, 王娜, 乔蕊. 基于深度学习的ABAC访问控制策略自动化生成技术[J]. 通信学报, 2020, 41(12): 8-20.

Aodi LIU, Xuehui DU, Na WANG, Rui QIAO. ABAC access control policy generation technique based on deep learning[J]. Journal on Communications, 2020, 41(12): 8-20.

图/表 16

图1

图2

图3

图4

表1

图5

表2

图6

图7

表3

ACP句子识别性能对比"

方法	数据集		性能
方法	数据集	Precision	Recall	F1-score
文献[26]	iTrust、IBM App	0.887	0.894	0.891
文献[27]	iTrust	0.873	0.908	0.890
文献[28]	iTrust、IBM App、Cyberchair、Collected ACP	0.830	0.874	0.852
文献[19]	iTrust、IBM App、Cyberchair、Collected ACP	0.900	0.900	0.900
文献[31]	iTrust、IBM App、Cyberchair、Collected ACP	0.813	0.742	0.775
文献[30]	iTrust、IBM App、Cyberchair	0.583	0.863	0.657
文献[29]	iTrust、IBM App、Cyberchair	0.635	0.863	0.698
本文所提方法	iTrust、IBM App、Cyberchair、Collected ACP	$0 . 942$	$0 . 941$	$0 . 941$

表3

图8

图9

表4

英文数据集属性挖掘性能对比"

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
BiLSTM	0.783 3	0.783 3	0.783 3	0.843 6	0.804 2	0.823 4	0.706 7	0.868 9	0.779 4
CNN_LSTM	0.717 0	0.666 7	0.690 9	0.830 3	0.830 1	0.827 2	0.626 5	0.787 9	0.698 0
本文所提方法	$0 . 7857$	$0 . 8302$	$0 . 8073$	$0 . 8676$	$0 . 8814$	$0 . 8730$	$0 . 7910$	$0 . 8983$	$0 . 8413$

表4

表5

中文数据集属性挖掘性能对比"

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
BiLSTM	0.875 5	$0 . 8965$	$0 . 8858$	0.850 7	0.866 4	0.858 4	0.786 2	$0 . 8440$	0.814 1
CNN_LSTM	0.804 6	0.768 7	0.786 2	$0 . 9724$	0.520 3	0.661 2	0.709 1	0.799 4	0.748 6
本文所提方法	$0 . 9024$	0.868 0	0.884 8	0.885 0	$0 . 9287$	$0 . 9064$	$0 . 8182$	0.831 7	$0 . 8249$

表5

表6

英文数据集下不同标记方案的性能对比"

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
OB	0.723 2	0.800 7	0.760 0	0.835 5	0.811 0	0.823 0	0.696 0	0.882 4	0.778 1
$O B M$	$0 . 7857$	$0 . 8302$	$0 . 8073$	$0 . 8676$	$0 . 8814$	$0 . 8730$	$0 . 7910$	$0 . 8983$	$0 . 8413$

表6

表7

中文数据集下不同标记方案的性能对比"

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
OB	0.805 5	0.777 0	0.791 0	0.802 0	0.831 0	0.816 2	0.699 0	0.844 8	0.765 0
$O B M$	$0 . 9024$	$0 . 8680$	$0 . 8848$	$0 . 8850$	$0 . 9287$	$0 . 9064$	$0 . 8182$	0.831 7	$0 . 8249$

表7

参考文献 36

[1]	冯登国, 张敏, 李昊 . 大数据安全与隐私保护[J]. 计算机学报, 2014,37(1): 246-258.
	FENG D G , ZHANG M , LI H . Big data security and privacy protection[J]. Chinese Journal of Computers, 2014,37(1): 246-258.
[2]	房梁, 殷丽华, 郭云川 ,等. 基于属性的访问控制关键技术研究综述[J]. 计算机学报, 2017,40(7): 1680-1698.
	FANG L , YIN L H , GUO Y C ,et al. A survey of key technologies in attribute-based access control scheme[J]. Chinese Journal of Computers, 2017,40(7): 1680-1698.
[3]	SERVOS D , OSBORN S L . Current research and open problems in attribute-based access control[J]. ACM Computing Surveys, 2017,49(4): 1-45.
[4]	XIN J , KRISHNAN R , SANDHU R . A unified attribute-based access control model covering DAC,MAC and RBAC[C]// Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy. Berlin:Springer, 2012: 41-55.
[5]	HU V , KUHN D , FERRAIOLO D . Attribute-based access control[J]. Computer, 2015,48(2): 85-88.
[6]	BUI T , STOLLER S D , LI J . Greedy and evolutionary algorithms for mining relationship-based access control policies[J]. Computers ＆ Security, 2019,80: 317-333.
[7]	SANDERS M W , YUE C . Mining least privilege attribute based access control policies[C]// Annual Computer Security Applications Conference. New York:ACM Press, 2019: 404-416.
[8]	VAIDYA J , ATLURI V , WARNER J ,et al. Role engineering via prioritized subset enumeration[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2010,7(3): 300-314.
[9]	BAUMGRASS A , STREMBECK M . Bridging the gap between role mining and role engineering via migration guides[J]. Information Security Technical Report, 2013,17(4): 148-172.
[10]	HARIKA P , NAGAJYOTHI M , JOHN J C ,et al. Meeting cardinality constraints in role mining[J]. IEEE Transactions on Dependable ＆Secure Computing, 2015,12(1): 71-84.
[11]	NEUMANN G , STREMBECK M . A scenario-driven role engineering process for functional RBAC roles[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2002: 33-42.
[12]	DAS S , SURAL S , VAIDYA J ,et al. VisMAP:visual mining of attribute-based access control policies[C]// International Conference on Information Systems Security. Berlin:Springer, 2019: 79-98.
[13]	TALUKDAR T , BATRA G , VAIDYA J ,et al. Efficient bottom-up mining of attribute based access control policies[C]// IEEE 3rd International Conference on Collaboration and Internet Computing. Piscataway:IEEE Press, 2017: 339-348.
[14]	KARIMI L , JOSHI J . An unsupervised learning based approach for mining attribute based access control policies[C]// International Conference on Big Data. Piscataway:IEEE Press, 2018: 1427-1436.
[15]	COTRINI C , WEGHORN T , BASIN D . Mining ABAC rules from sparse logs[C]// IEEE European Symposium on Security and Privacy. Piscataway:IEEE Press, 2018: 31-46.
[16]	GAUTAM M , JHA S , SURAL S ,et al. Poster:constrained policy mining in attribute based access control[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2017: 121-123.
[17]	IYER P , MASOUMZADEH A . Mining positive and negative attribute-based access control policy rules[C]// Symposium on Access Control Models and technologies. New York:ACM Press, 2018: 161-172.
[18]	KUHLMANN M , SHOHAT D , SCHIMPF G ,et al. Role mining-revealing business roles for security administration using data mining technology[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2003: 179-186.
[19]	NAROUEI M , KHANPOUR H , TAKABI H . Identification of access control policy sentences from natural language policy documents[C]// IFIP Annual Conference on Data and Applications Security and Privacy. Berlin:Springer, 2017: 82-100.
[20]	NAROUEI M , TAKABI H , NIELSEN R D . Automatic extraction of access control policies from natural language documents[J]. IEEE Transactions on Dependable and Secure Computing, 2018,17(3): 1.
[21]	XU Z , STOLLER S D . Mining attribute-based access control policies[J]. IEEE Transactions on Dependable and Secure Computing, 2015,12(5): 533-545.
[22]	MOCANU D C , TURKMEN F , LIOTTA A . Towards ABAC policy mining from logs with deep learning[C]// In Proceedings of International Multi Conference. Piscataway:IEEE Press, 2015: 10-16.
[23]	HE Q,ANTóN A I . Requirements-based access control analysis and policy specification (ReCAPS)[J]. Information ＆ Software Technology, 2009,51(6): 993-1009.
[24]	SHI L L , CHADWICK D W . A controlled natural language interface for authoring access control policies[C]// Applied Computing. New York:ACM Press, 2011: 1524-1530.
[25]	SCHWITTER R , . Controlled natural languages for knowledge representation[C]// International Conference on Computational Linguistics. New York:ACM Press, 2010: 1113-1121.
[26]	XIAO X , PARADKAR A , THUMMALAPENTA S ,et al. Automated extraction of security policies from natural-language software documents[C]// ACM Sigsoft International Symposium on the Foundations of Software Engineering. New York:ACM Press, 2012: 1-11.
[27]	SLANKAS J , WILLIAMS L . Access control policy extraction from unconstrained natural language text[C]// 2013 International Conference on Social Computing. New York:ACM Press, 2013: 435-440.
[28]	SLANKAS J , XIAO X , WILLIAMS L ,et al. Relation extraction for inferring access control rules from natural language artifacts[C]// Proceedings of the 30th Annual Computer Security Applications Conference. New York:ACM Press, 2014: 366-375.
[29]	NAROUEI M , TAKABI H . Automatic top-down role engineering framework using natural language processing techniques[C]// International Conference Information Security Theory and Practice. New York:ACM Press, 2015: 137-152.
[30]	NAROUEI M , TAKABI H . Towards an automatic top-down role engineering approach using natural language processing techniques[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2015: 157-160.
[31]	NAROUEI M , KHANPOUR H , TAKABI H ,et al. Towards a top-down policy engineering framework for attribute-based access control[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2017: 103-114.
[32]	ALOHALY M , TAKABI H , BLANCO E ,et al. A deep learning approach for extracting attributes of ABAC policies[C]// Symposium on Access Control models and Technologies. New York:ACM Press, 2018: 137-148.
[33]	ALOHALY M , TAKABI H , BLANCO E . Automated extraction of attributes from natural language attribute-based access control (ABAC) policies[J]. Cybersecurity, 2019,2(1): 2-12.
[34]	BROSSARD D , GEBEL G , BERG M . A systematic approach to implementing ABAC[C]// Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control. New York:ACM Press, 2017: 53-59.
[35]	DEVLIN J , CHANG M , LEE K ,et al. BERT模型:pre-training of deep bidirectional transformers for language understanding[C]// North American Chapter of the Association for Computational Linguistics. Virginia:NAACL, 2019: 4171-4186.
[36]	LUO X , ZHOU W , WANG W ,et al. Attention-based relation extraction with bidirectional gated recurrent unit and highway network in the analysis of geological data[J]. IEEE Access, 2018,6: 5705-5715.

编号	标记符号	标记类别
1	/O	无关属性
2	/B_subject_attribute	主体属性起初位置
3	/M_subject_attribute	主体属性非起初位置
4	/B_action_attribute	动作属性起初位置
5	/M_action_attribute	动作属性非起初位置
6	/B_object_attribute	客体属性起初位置
7	/M_object_attribute	客体属性非起初位置

数据集	领域	ACP语句数目/条	Non-ACP语句数目/条	总数/条
iTrust	Healthcare	967	664	1 631
IBM App	Education	169	232	401
Cyberchair	Conference	140	163	303
Collected ACP	Multiple	125	17	142
总数	—	1 401	1 076	2 477

基于深度学习的ABAC访问控制策略自动化生成技术

ABAC access control policy generation technique based on deep learning

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 16

参考文献 36

相关文章 15

Metrics

推荐阅读 0

[1]	陈东昱, 陈华, 范丽敏, 付一方, 王舰. 基于深度学习的随机性检验策略研究[J]. 通信学报, 2023, 44(6): 23-33.
[2]	李荣鹏, 汪丙炎, 张宏纲, 赵志峰. 知识增强的语义通信接收端设计[J]. 通信学报, 2023, 44(6): 70-76.
[3]	马帅, 裴科, 祁华艳, 李航, 曹雯, 王洪梅, 熊海良, 李世银. 基于生成模型的地磁室内高精度定位算法研究[J]. 通信学报, 2023, 44(6): 211-222.
[4]	金伟, 李凤华, 余铭洁, 郭云川, 周紫妍, 房梁. 面向HDFS的密钥资源控制机制[J]. 通信学报, 2022, 43(9): 27-41.
[5]	杨洁, 董标, 付雪, 王禹, 桂冠. 基于轻量化分布式学习的自动调制分类方法[J]. 通信学报, 2022, 43(7): 134-142.
[6]	杨秀璋, 彭国军, 李子川, 吕杨琦, 刘思德, 李晨光. 基于Bert和BiLSTM-CRF的APT攻击实体识别及对齐研究[J]. 通信学报, 2022, 43(6): 58-70.
[7]	廖勇, 王世义. 高速移动环境下基于RM-Net的大规模MIMO CSI反馈算法[J]. 通信学报, 2022, 43(5): 166-176.
[8]	廖育荣, 王海宁, 林存宝, 李阳, 方宇强, 倪淑燕. 基于深度学习的光学遥感图像目标检测研究进展[J]. 通信学报, 2022, 43(5): 190-203.
[9]	赵增华, 童跃凡, 崔佳洋. 基于域自适应的Wi-Fi指纹设备无关室内定位模型[J]. 通信学报, 2022, 43(4): 143-153.
[10]	廖勇, 程港, 李玉杰. 基于深度展开的大规模MIMO系统CSI反馈算法[J]. 通信学报, 2022, 43(12): 77-88.
[11]	段雪源, 付钰, 王坤, 李彬. 基于简单统计特征的LDoS攻击检测方法[J]. 通信学报, 2022, 43(11): 53-64.
[12]	霍俊彦, 邱瑞鹏, 马彦卓, 杨付正. 基于最邻近帧质量增强的视频编码参考帧列表优化算法[J]. 通信学报, 2022, 43(11): 136-147.
[13]	康海燕, 冀源蕊. 基于本地化差分隐私的联邦学习方法研究[J]. 通信学报, 2022, 43(10): 94-105.
[14]	张红霞, 王琪, 王登岳, 王奔. 基于深度学习的区块链蜜罐陷阱合约检测[J]. 通信学报, 2022, 43(1): 194-202.
[15]	晏燕, 丛一鸣, Adnan Mahmood, 盛权政. 基于深度学习的位置大数据统计发布与隐私保护方法[J]. 通信学报, 2022, 43(1): 203-216.