复杂网络环境下跨网访问控制机制

doi:10.11959/j.issn.1000-436x.2018019

Abstract

Abstract:

Complex network environments,such as space-ground integrated networks,internet of things and complex private networks,have some typical characteristics,e.g.,integration of multi-network and information flow in cross-network.These characteristics bring access control for complex network environment the new requirement of coarse-grained control,sticky policies and inconsistent operation semantics.To satisfy these requirements,cross-network access control mechanism in complex network environments (CACCN) was designed by mapping the cyberspace-oriented access control.First of all,the process of mapping was illustrated using the example of space-ground integrated networks.Next,a management model was proposed to manage the control elements in CACCN and a series of management functions were designed by using Z-notation.The analysis on practical example demonstrates that the mechanism can satisfy a series of access control requirements.

Key words: complex network environment, cross-network, space-ground integrated network, access control

CLC Number:

TP302

Fenghua LI,Tianzhu CHEN,Zhen WANG,Linjie ZHANG,Guozhen SHI,Yunchuan GUO. Cross-network access control mechanism for complex network environment[J]. Journal on Communications, 2018, 39(2): 1-10.

Figures/Tables 8

函数名	描述
	为管理者分配管理场景，若分配成功，返回true，否则，返回false
ass_QADSC	ass_QADSC(ADSC?,q?:NAME,result!:BOOLEAN) $⊲$
	$i f (q ?, A D S C ?) \notin Q A D S C$
	then QADSC'=QADSC∪{(q,ADSC)},result=true
	else result=false $⊳$
	撤销管理者具有的管理场景
	rev_QADSC(ADSC?,q?:NAME,result!:BOOLEAN) $⊲$
rev_QADSC	if(q?,ADSC?)∈QADSC
	then QADSC'=QADSC\{(q,ADSC)}
	else result=false $⊳$

函数名	描述
	为管理者分配管理者所在场景的权限，若分配成功，返回true，否则，返回false
ass_ADSCP	$a s s_A D S C P (A D S C ?, p ? : N A M E; r e s u l t! : B O O L E A N) ⊲$
	$i f (q ?, A D S C ?) \notin Q A D S C$
	then ADSCP'=ADSCP∪{(ADSC,p)},result=true
	$e l s e r e s u l t = f a l s e ⊳$
	撤销管理者所在场景的权限，若撤销成功，返回true，否则返回false
rev_ADSCP	rev_ADSCP(ADSC?,p?:NAME; result!:BOOLEAN) $⊲$ if (ADSC,p)∈ADSCP and ADSCassignTo((ADSC,p)) $≼$ currentADSC¹
	then ADSCP'=ADSCP\{(ADSC,p)},result=true
	$e l s e r e s u l t = f a l s e ⊳$
	修改管理者所在场景的权限，若修改成功，返回true，否则，返回false
	$\mod_A D S C P (A D S C ?, p ? : N A M E; r e s u l t! : B O O L E A N) ⊲$
mod_ADSCP	if (ADSC,pb)∈ADSCP and ADSCassignTo((ADSC,pb)) $≼$ currentADSC
	then ADSCP'={(ADSC,pa)}∪SCP\{(ADSC,pb)},result=true
	$e l s e r e s u l t = f a l s e ⊳$
	权限继承：高场景自动继承低场景的权限
perInherit	$p e r I n h e r i t (s c e n e ? : N A M E) ⊲$
	$\forall s c \in s c e n e, i f s c ≼ s c e n e, s c . p \subseteq s c e n e . p ⊳$

函数名	描述
	修改场景的时间因素
	modT(sc?,oldtime?,newtime?:NAME) $⊲$
	if sc.oldtime∈TSTATES and sc.newtime?TSTATES
	then TSTATES'=TSTATES∪{newtime}
modT	scene'=(newtime,ap,dev,cnn)
	SSC'=SSC\{<s,scene>\|s∈session (sc)}∪{<s,scene'>\|s∈session (sc)}
	QSC'=QSC\{<q,scene>\|q∈entity(sc)}∪{<q,scene' >\|q∈entity(sc)}
	SCP'=SCP\{<scene,p>\|p∈permission(sc)}∪{ <scene',p>\|p∈permission(sc)}
	SCENES'=SCENES\{scene}∪{scene'} $⊳$
	修改场景的接入点因素
	modAp(sc?,oldap?,newap?:NAME) $⊲$
	if sc.oldap∈APSTATES and sc.newap?APSTATES
	then APSTATES'=APSTATES∪{newap}
modAp	scene'=(time,newap,dev,cnn)
	SSC'=SSC\{<s,scene>\|s∈session (sc) }∪{<s,scene'>\| s∈session (sc)}
	QSC'=QSC\{<q,scene>\|q∈entity(sc)}∪{<q,scene'>\|q∈entity(sc)}
	SCP'=SCP\{<scene,p>\|p∈permission(sc)}∪{ <scene',p>\|p∈permission(sc)}
	SCENES'=SCENES\{scene}∪{scene'} $⊳$
	修改场景的设备因素
	modDev(dev?,olddev,newdev?:NAME) $⊲$
	if sc.olddev∈DEVSTATES and sc.newdev?DEVSTATES
	then DEVSTATES'=DEVSTATES∪{newdev}
modDev	scene'=(time,ap,newdev,cnn)
	SSC'=SSC\{<s,scene>\|s∈session(sc)}∪{<s,scene'>\|s∈session(sc)}
	QSC'=QSC\{<q,scene>\|q∈entity(sc)}∪{<q,scene'>\|q∈entity(sc)}
	SCP'=SCP\{<scene,p>\|p∈permission(sc)}∪{ <scene',p>\|p∈permission(sc)}
	SCENES'=SCENES\{scene}∪{scene'} $⊳$
	修改场景的网络因素
	modCnn(cnn?,oldcnn,newcnn?:NAME) $⊲$
	if sc.oldcnn∈CNNSTATES and sc.newcnn?CNNSTATES
	then CNNSTATES'=CNNSTATES∪{newcnn}
modCnn	scene'=(time,ap,dev,newcnn)
	SSC'=SSC\{<s,scene>\|s∈session(sc)}∪{<s,scene'>\|s∈session(sc)}
	QSC'=QSC\{<q,scene>\|q∈entity(sc)}∪{<q,scene'>\| q∈entity(sc)}
	SCP'=SCP\{<scene,p>\|p∈permission(sc)}∪{ <scene',p>\|p∈permission(sc)}
	SCENES'=SCENES\{scene}∪{scene'} $⊳$
	检测是否存在与给定场景冲突的场景，若有则返回true以及与之相冲突的场景，否则，返回false
	det_Conflict(scene?,p?:NAME,resultdc!:BOOLEAN,resultsc:NAME) $⊲$
det_Conflict	?sc∈SCENES, $i f s c ≼ s c e n e a n d s c . p ⊄ s c e n e . p$
	then resultdc=true,resultsc=sc
	else outresult=false $⊳$
	检查场景
che_Scene	che_Scene((t,ap,dev,cnn)?:NAME; outresult!:BOOLEAN) $⊲$ if CheckT(t)and CheckDev(dev,valuegAttr,valuesAttr)and CheckAp(ap,valuegAttr,valuesAttr)and CheckCNN(cnn,valuegAttr,
	valuesAttr)
	then outresult!=true $⊳$

函数名	描述
	为访问请求实体分配会话
ass_QSe	$a s s_Q S e (s ? : N A M E, q ? : Q U E R Y) ⊲$
	$i f (q, s) \notin Q S E$
	$t h e n Q S E' = Q S E \cup (q, s) ⊳$
	为会话分配场景
	$a s s_S e S c (s ?, s c ? : N A M E) ⊲$
ass_SeSc	$i f (s, s c) \notin S E S C$
	$t h e n S E S C' = S E S C \cup {(s, s c)} ⊳$

函数名	描述
	检查当前时间是否在允许范围内
checkT	checkT (t?:NAME; outresult!:BOOLEAN) $⊲$
	if t∈TSTATES
	then outresult!=true $⊳$
	检查所使用的设备是否在允许范围内
	checkDev(dev?,valuegAttr?,valuesAttr?:NAME; outresult!:BOOLEAN) $⊲$
checkDev?	if(valuegAttr∈allowedValue_gAttr(gAttrSelect(dev,gAttr)))and
	(valuesAttr∈allowedValue_sAttr(sAttrSelect(dev,sAttr)))
	then outresult!=true $⊳$
	检查所使用的接入点是否在允许范围内
	checkAp(ap?,valuegAttr?,valuesAttr?):NAME; outresult!:BOOLEAN) $⊳$
checkAp	if(valuegAttr∈allowedValue_gAttr(gAttrSelect(ap,gAttr)))and
	(valuesAttr∈allowedValue_sAttr(sAttrSelect(ap,sAttr)))
	then outresult!=true $⊳$
	检查所使用的接入网络是否在允许范围内
	checkCNN(cnn?,valuegAttr?,valuesAttr?):NAME; outresult!:BOOLEAN) $⊲$
checkCNN	if(valuegAttr∈allowedValue_gAttr(gAttrSelect(cnn,gAttr)))and
	(valuesAttr∈allowedValue_sAttr(sAttrSelect(cnn,sAttr)))
	then outresult!=true $⊳$

References 18

[1]	沈荣骏 . 我国天地一体化航天互联网构想[J]. 中国工程科学, 2006,8(10): 19-30.
	SHEN R J . Some thoughts of (Chinese) integrated space-ground network system[J]. Engineering Science, 2006,8(10): 19-30.
[2]	GUBBI J , BUYYA R , MARUSIC S ,et al. Internet of things (IoT):a vision,architectural elements,and future directions[J]. Future Generation Computer Systems, 2013,29(7): 1645-1660.
[3]	张蓉, 徐晔, 闵小峰 . 美协会发表2016年卫星产业状况报告[J]. 中国航天, 2016,8: 38-44.
	ZHANG R , XU Y , MIN X F . 2016 SIA state of the satellite industry report[J]. Aerospace China, 2016,8: 38-44.
[4]	ANGGOROJATI B , MAHALLE P , PRASAO N R ,et al. Capability-based access control delegation model on the federated IoT network[C]// Symposium on Wireless Personal Multimedia Communications. 2012: 604-608.
[5]	GUSMEROLI S , PICCIONE S , ROTONDI D . IoT access control issues:a capability based approach[C]// The IEEE International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. 2012: 787-792.
[6]	GUSMEROLI S , PICCIONE S , ROTONDI D . A capability-based security approach to manage access control in the internet of things[J]. Mathematical and Computer Modelling, 2013,58(5): 1189-1205.
[7]	SAMARATI P , VIMERCATI S D C D . Access control:policies,models,and mechanisms[C]// International School on Foundations of Security Analysis and Design. 2000: 137-196.
[8]	CHEUNG H , YANG C ,et al. New smart-grid operation-based network access control[C]// The IEEE International Conference on Energy Conversion Congress and Exposition. 2015: 1203-1207.
[9]	FERRAIOLO D F , SANDHU R , GAVRILA S ,et al. Proposed NIST standard for role-based access control[J]. ACM Transactions on Information and System Security, 2001,4(3): 224-274.
[10]	BERNABE B , RAMOS J , GOMEZ A F S ,et al. TACIoT:multidimensional trust-aware access control system for the Internet of Things[J]. Soft Computing, 2016,20(5): 1763-1779.
[11]	GRANDISON T , SLOMAN M . A survey of trust in internet applications[J]. IEEE Communications Surveys ＆ Tutorials, 2000,3(4): 2-16.
[12]	封孝生, 刘德生, 乐俊 ,等. 临近空间信息资源访问控制策略初探[J]. 计算机应用研究, 2008,25(12): 3702-3704.
	FENG X S , LIU D S , YUE J ,et al. Exploration on access control to near space information resources[J]. Application Research of Computers, 2008,25(12): 3702-3704.
[13]	HUR J , NOH D K . Attribute-based access control with efficient revocation in data outsourcing systems[J]. IEEE Transactions on Parallel and Distributed Systems, 2011,22(7): 1214-1221.
[14]	QI H , MA H , LI J ,et al. Access control model based on role and attribute and its applications on space-ground integration networks[C]// The IEEE International Conference on Computer Science and Network Technology. 2015: 1118-1122.
[15]	KULKARNI D , TRIPATHI A . Context-aware role-based access control in pervasive computing systems[C]// The ACM Symposium on Access Control Models and Technologies. 2008: 113-122.
[16]	李凤华, 王彦超, 殷丽华 ,等. 面向网络空间的访问控制模型[J]. 通信学报, 2016,37(5): 9-20.
	LI F H , WANG Y C , YIN L H ,et al. Novel cyberspace-oriented access control model[J]. Journal on Communications, 2016,37(5): 9-20.
[17]	DORNYEI Z . Motivational strategies in the language classroom[M]. Cambridge: Cambridge University PressPress, 2001.
[18]	SANDHU R S , COYNE E J . Role-based access control models[J]. Computer, 1996,29(2): 38-47.

Metrics

Recommended 0

No Suggested Reading articles found!

函数名	描述
	为通用属性选择函数，用来确定哪些通用属性可用作控制要素
	gAttrSel:(DEV,gAttr)→gAttr
gAttrSel	/如gAttrAss (mobile phone,<dLoc,dVel,dDir,dSpectrum,dWidth,aPrio>)=<dLoc,- ,- ,-,-,aPrio>表示只选择移动手机的2个属性（所在的位置和接入优先级）作为控制要素/
	gAttrSelect:(RES,gAttr)→gAttr
	gAttrSelect:(CNN,gAttr)→gAttr
	为安全属性选择函数，用来确定哪些安全属性可用作控制要素
sAttrSel	sAttrSel:(DEV,gAttr)→sAttrsAttrSel:( RES,gAttr)→ sAttr
	sAttrSel:( CNN,gAttr)→ sAttr

Cross-network access control mechanism for complex network environment

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 18

Related Articles 15

Metrics

Recommended 0

[1]	Wei JIN, Fenghua LI, Mingjie YU, Yunchuan GUO, Ziyan ZHOU, Liang FANG. HDFS-oriented cryptographic key resource control mechanism [J]. Journal on Communications, 2022, 43(9): 27-41.
[2]	Jiangtao DONG, Peiwen YAN, Ruizhong DU. Verifiable access control scheme based on unpaired CP-ABE in fog computing [J]. Journal on Communications, 2021, 42(8): 139-150.
[3]	Changgen PENG, Zongfeng PENG, Hongfa DING, Youliang TIAN, Rongfei LIU. Attribute-based revocable collaborative access control scheme [J]. Journal on Communications, 2021, 42(5): 75-86.
[4]	Zuobin YING, Yuanping SI, Jianfeng MA, Ximeng LIU. Blockchain-based distributed EHR fine-grained traceability scheme [J]. Journal on Communications, 2021, 42(5): 205-215.
[5]	Ruizhong DU, Peiwen YAN, Yan LIU. Fine-grained attribute update and outsourcing computing access control scheme in fog computing [J]. Journal on Communications, 2021, 42(3): 160-170.
[6]	Jiawei ZHANG, Jianfeng MA, Zhuo MA, Teng LI. Time-based and privacy protection revocable and traceable data sharing scheme in cloud computing [J]. Journal on Communications, 2021, 42(10): 81-94.
[7]	Tianyi ZHU,Fenghua LI,Wei JIN,Yunchuan GUO,Liang FANG,Lin CHENG. Cross-domain access control policy mapping mechanism for balancing interoperability and autonomy [J]. Journal on Communications, 2020, 41(9): 29-48.
[8]	Qinglei ZHOU,Shaohuan BAN,Yingjie HAN,Feng FENG. Mimic defense authentication method for physical access control [J]. Journal on Communications, 2020, 41(6): 80-87.
[9]	Chunfu JIA,Guanxiong HA,Ruiqi LI. Data access control policy of encrypted deduplication system [J]. Journal on Communications, 2020, 41(5): 72-83.
[10]	Yonggui FU,Jianming ZHU. Design for database access control mechanism based on blockchain [J]. Journal on Communications, 2020, 41(5): 130-140.
[11]	Zheng GUAN,Lei XIONG,Yao JIA,Min HE,Zhijun YANG. Research on scheduled WLAN MAC protocol with failure retries on RoF-DAS architecture [J]. Journal on Communications, 2020, 41(3): 102-111.
[12]	Rongna XIE,Hui LI,Guozhen SHI,Yunchuan GUO. Attribute-based lightweight reconfigurable access control policy [J]. Journal on Communications, 2020, 41(2): 112-122.
[13]	Aodi LIU, Xuehui DU, Na WANG, Rui QIAO. ABAC access control policy generation technique based on deep learning [J]. Journal on Communications, 2020, 41(12): 8-20.
[14]	Rongna XIE, Hui LI, Guozhen SHI, Yunchuan GUO, Ming ZHANG, Xiuze DONG. Blockchain-based access control mechanism for data traceability [J]. Journal on Communications, 2020, 41(12): 82-93.
[15]	Hongyan LI,Tao ZHANG,Jingqian ZHANG,Keyi SHI,Pengcheng ZENG. Time deterministic routing algorithm and protocol based on time-varying graph over the space-ground integrated network [J]. Journal on Communications, 2020, 41(10): 116-129.