Kuangyi ZENG,Jinxiang ZHANG,Jiahai YANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.11.050

2006-01-01

Abstract:A new model for policy refinement is presented at the application background of CERNET.Using the properties of access control list(ACL) in this model,the policies described in different specification languages are mapped into access control lists,which are distributed to different network devices to enforce.Thus,the complex transformation logic in traditional policy refinement fashion is simplified,especially,security and access control configuration management can be automated

Xuezeng Pan

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.08.005

2009-01-01

Abstract:To resolve the problem that the simple combination of BLP and Biba models will lead to poor availability,a confidentiality and integrity dynamic union model based on multi-level security(MLS) policy was presented.The two dimensions of secure model are composed of confidentiality and integrity,on which the security label is separated into write privilege range and read privilege range respectively,whereupon subject's access range is adjusted dynamically according to the security label of related objects and the history situation of the subject's access,improving the agility and practicability of the model.The formal definition of this model was given,and the security was also analyzed with proof.Finally,examples were illuminated to show the effectiveness and usability of this model.

ZENG Kuang-yi,YANG Jia-hai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.02.006

2007-01-01

Abstract:Policy refinement and policy conflict resolution are two of the toughest issues in implementing a policy-based network management (PBNM) system. Based on a brief review of general PBNM theories and specific access control technologies, the paper proposed a novel policy-based network management model, which adopts XML as the high level policy description language, and uses the generalized access control list(ACL) as an intermediate refining mechanism, focusing on network security and QoS management. Some critical issues and their solutions, including policy representation, policy refinement, and policy conflict policy detection, are discussed. A formula representation of the policy conflict issue is given with several important inferences. The effectiveness and efficiency of the model is verified by the implemented prototype.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Ying-hong WU,Hao HUANG,Qing-kai ZENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2014.03.001

2014-01-01

Computer Science

Abstract:Policy refinement is an important method to resolve the complexity of distribute access control policy configuration.This article analyzed the existing policy refinement techniques,including their system and policies hierarchical description,their methods to derive the lower levels coordination control policies,their ability of policy conflict analysis and dispel in policy refinement,and the associated attribute analysis methods about the completeness and consistency in policy refinement,the consistency among coordination control policies for defense in depth,the composing and mutual exclusion polices relationship of application.The analysis shows that the key problem that affects refinement ability is lack of policies associated attribute analysis ability.The article further analyzed policies associated attribute analysis of the existing policy conflict analysis techniques,usability of distributed application and calculation expansibility.Based on these analysis we pointed out some research problems which can improve policy refinement ability to adapt the service oriented distributed application.

Li Jing

Abstract:Through policy-based network security management research,this paper analyzed the existing network secu-rity policy conflict detection and resolution method shortcomings.Based on policy refinement of ideas and security policy conflicts classification technology,policy-based network management security-level model was established,with exten-ded XACML language description.According to the relationship between policy behavior,using knowledge reasoning,dynamic layered security corresponding level of policy refinement consistency automatic detection and timely conflict resolution were made,letting it has a good reusability and scalability,and is conducive to the improvement of manage-ment efficiency.Policy-based access control refinement application implementation was verified.Finally,some of the fu-ture research directions were discussed.

Computer Science

Chenghua Tang,Changzhen Hu

2006-01-01

Abstract:Based on analyzing the new characteristics of the access control requirement,the paper proposed the uniform extensible and transplantable rule,policy and decision,making algorithm to realize the access and control of the fine-grained network resources.

Zhikun ZHANG,Jianguo XIAO,Xiangning KONG

DOI: https://doi.org/10.4156/jnit.vol2.issue1.3

2011-01-01

Journal of Next Generation Information Technology

Abstract:With concern of the current research results as well as the features of the demands for access control of the Web-based application system,the authors propose a context constraint access control theory model on the level of standard reference model,from the perspective of flexibility,generality,and feasibility,and elaborate on the theory of this model and the architecture of access control system.Then the authors give the description and modeling of the access control policy and defines the entities and relations in the model by using a XML-based policy specification grammar called X-Grammar.Finally the overall function description and structure design is given,and an engineering method to elicit and define context constraints is raised.

Zhu Yiqun,Li Jianhua,Zhang Quanhai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.054

2008-01-01

Abstract:In accordance with the increasing customers and the various resource access policies in service-oriented environments,the limi- tation of the related research is anallyzed,and a multi-policy services-oriented attribute-based role-based access control(AB-RBAC) model is proposed.Based on the relationship between the resource attribute and the user attribute in multi-policies,different role groups are defined,and relevant rules are made.User-rde assignment is realized based on a finite set of rules,and the requirement of multiple access policies is satis- fied.The flexibility of access control is enhanced,and the efficiency of the system is improved.A case that uses the AB-RBAC model is de- scribed,and a detailed comparison among several models is made,which clearly shows the advantages of AB-RBAC.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

TANG Chenghua,HU Changzhen,CUI Zhongjie

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.09.048

2007-01-01

Abstract:Aiming at the security characters of large-scale network environment,a network security policy model based on domain is proposed.By applying domain and the security policy language criterion,the techniques and principles of policies'store,finding,implementation,conflicts detection and resolution are studied.The system which applies this model is a safe one with the peculiarity of auto-managing policy.

Tao Peng,Minghua Jiang,Ming Hu

DOI: https://doi.org/10.4028/www.scientific.net/amr.121-122.558

2010-01-01

Advanced Materials Research

Abstract:A multi-polices access control model is proposed, with the model, access control based on policy regulation and XML based policy description is given. At the same time, We use the XSD(XML Schema Definition) to describe the content and the structure of the xml documents, and check the validity of the xml documents. Based on the description of the access control, an application system is realized we construct the runtime platform and choose some access control polices to test our system. The result is well.

ZY Xia,YC Jiang,YP Zhong,SY Zhang

DOI: https://doi.org/10.1109/iscc.2004.1358432

2004-01-01

Abstract:Access control is the process of mediating every request to resource and data maintained by an active node system and determining whether the request should be granted or denied. In This work we present an access control policy called family tree policy. The family tree policy can correctly represent active network that cannot be correctly modeled by BLP and Chinese wall model. In the family tree policy, the subjects and objects of the system are classified as different Inheriting classes. A subject cannot access the object of the different inheriting class. In the same inheriting class, the subject and object abide by the BLP model. All different inheriting classes have the same ancestor. The ancestor can access any inheriting class and comply with BLP model.

Xinyu Fan,Faen Zhang,Jianfei Song,Jingming Guo,Fujie Gao

DOI: https://doi.org/10.48550/arXiv.2001.01945

2020-01-07

Abstract:A fine-grained provenance-based access control policy model is proposed in this paper, in order to improve the express performance of existing model. This method employs provenance as conditions to determine whether a piece of data can be accessed because historical operations performed on data could reveal clues about its sensitivity and vulnerability. Particularly, our proposed work provides a four-valued decision set which allows showing status to match a restriction particularly. This framework consists of target policy, access control policy, and policy algebras. With the complete definition and algebra system construction, a practical fine-grained access control policy model is developed.

Cryptography and Security

He Huang,Shuzhen Yao

2007-01-01

Abstract:In order to counteract the implicit information leakage problems caused by illegal information flows in internal network environment, a new access control model suitable for inside document protection was proposed, which introduced dynamic rules into traditional access control and authorization mechanisms. The implementation of the proposed model was based on XACML (extensible access control markup language) and its obligation condition, and thus the information leakage problem in multiple users environment can be addressed. The algorithm analysis and its scenario simulation show that the security capability of the traditional access control model is enhanced through the treatments.

LI Fenghua,CHEN Tianzhu,WANG Zhen,ZHANG Linjie,SHI Guozhen,GUO Yunchuan

DOI: https://doi.org/10.11959/j.issn.1000-436x.2018019

2018-01-01

Abstract:Complex network environments, such as space-ground integrated networks, internet of things and complex private networks, have some typical characteristics, e.g., integration of multi-network and information flow in cross-network. These characteristics bring access control for complex network environment the new requirement of coarse-grained control, sticky policies and inconsistent operation semantics. To satisfy these requirements, cross-network access control mechanism in complex network environments (CACCN) was designed by mapping the cy-berspace-oriented access control. First of all, the process of mapping was illustrated using the example of space-ground integrated networks. Next, a management model was proposed to manage the control elements in CACCN and a series of management functions were designed by using Z-notation. The analysis on practical example demonstrates that the mechanism can satisfy a series of access control requirements.

TANG Cheng-hua,HU Chang-zhen

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.10.046

2006-01-01

Abstract:By analyzing the features of traditional access control models and relative implementation mechanism,puts forward an XACML access control model based on AC and its realizing methods.The security of this model is also analyzed.

Wang, Y.,Liu, Z.Y.,Hu, C.Z.,Zhao, X.L.,JF Xue,LX Wei

DOI: https://doi.org/10.1049/cp.2013.2461

2013-01-01

Abstract:In view of existing access control mechanisms having coarse granularity and being lack of dynamic adaptability in cross-domain open environment with a lot of strange entities, an access control policy generation approach from reputation evaluation up to trust management is proposed. This approach can generate fine-grained authorization policies automatically and dynamically according to entities' behaviour features and context attributes, which is achieved by integrating reputation evaluation and trust management in an original data mining based way. Such integration makes the approach surpass the limitations of existing integration models, in which reputation evaluation is only subjectively taken as an extension to trust management without overcoming the pre-set policies' limited ability to adapt to dynamic environment. The reputation evaluation combines cloud model and Bayesian networks, which can represent and evaluate the uncertainty of trust more accurately and efficiently. Then the association relationships between entities' attributes and their reputation are extracted from reputation evaluation results. Finally, these relationships will be transformed into attribute based access control policies. Simulation results show that the entities' behaviour features can be automatically mapped into access control policies which can better adapt to cross-domain dynamic environment.

Hao Xia,Milind Dawande,Vijay Mookerjee

DOI: https://doi.org/10.1287/ijoc.2014.0603

IF: 3.288

2014-01-01

INFORMS Journal on Computing

Abstract:Access control mechanisms in software systems administer user privileges by granting users permission to perform certain operations while denying unauthorized access to others. Such mechanisms are essential to ensure that important business functions in an organization are conducted securely and smoothly. Currently, the dominant access control approach in most major software systems is role-based access control. In this approach, permissions are first assigned to roles, and users acquire permissions by becoming members of certain roles. However, given the dynamic nature of organizations, a fixed set of roles usually cannot meet the demands that users (existing or new) have to conduct business.The typical response to this problem is to myopically create new roles to meet immediate demand that cannot be satisfied by an existing set of roles. This ad hoc creation of roles invariably leads to a proliferation in the number of roles with the accompanying administrative overhead. Based on discussions with practitioners, we propose a role refinement scheme that reconstructs a system of roles to reduce the cost of role management. We first show that the role-refinement problem is strongly NP-hard and then provide two polynomial-time approximation algorithms (a greedy algorithm and a randomized rounding algorithm) and establish their performance guarantees. Finally, numerical experiments-based on a real data set from a firm's enterprise resource planning system-are conducted to demonstrate the applicability and performance of our refinement scheme.

ZHOU Jiagen,YE Chunxiao,LUO Juan

DOI: https://doi.org/10.3778/j.issn.1002-8331.1109-0593

2013-01-01

Abstract:To solve the semantic presentation and enforcement problems of ABAC policies in the open system environment, a method using ontology to define policies is proposed. This method is defined on the basis of a map from ABAC policy model to description logic definitions. Also, it uses SWRL rules to define relations in the system. Based on the policy ontology, a frame-work utilizing close world reasoning and individual realization reasoning service to generate decisions of access request is pro-posed. The correctness of policy enforcement method is proved through its soundness and completeness, and an experiment is showed to verify the feasibility of these methods in a real application.