Li Jing

Abstract:Through policy-based network security management research,this paper analyzed the existing network secu-rity policy conflict detection and resolution method shortcomings.Based on policy refinement of ideas and security policy conflicts classification technology,policy-based network management security-level model was established,with exten-ded XACML language description.According to the relationship between policy behavior,using knowledge reasoning,dynamic layered security corresponding level of policy refinement consistency automatic detection and timely conflict resolution were made,letting it has a good reusability and scalability,and is conducive to the improvement of manage-ment efficiency.Policy-based access control refinement application implementation was verified.Finally,some of the fu-ture research directions were discussed.

Computer Science

Kuangyi ZENG,Jinxiang ZHANG,Jiahai YANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.11.050

2006-01-01

Abstract:A new model for policy refinement is presented at the application background of CERNET.Using the properties of access control list(ACL) in this model,the policies described in different specification languages are mapped into access control lists,which are distributed to different network devices to enforce.Thus,the complex transformation logic in traditional policy refinement fashion is simplified,especially,security and access control configuration management can be automated

Bei-shui Liao,Ji Gao

DOI: https://doi.org/10.1007/11590354_23

2005-01-01

Abstract:Currently, the management of grid services is becoming increasingly complex. To resolve this complexity problem, autonomic computing and policy-based multi-agent technology have been proposed as promising methods. However, there are many challenges to be resolved. Among them, policy refinement is a great problem that hampers the development of policy-based system. To cope with this issue, this paper presents a policy refinement mechanism based on recipes. Recipes define possible refinement alternatives for each abstract policy. And the policy refinement engine automatically refines the policies by choosing the refinement branch in terms of the conditions of each branch.

Kuang Y. Zeng,Jinxiang Zhang,Jiahai Yang

2006-01-01

Abstract:A new model for policy refinement is presented at the application background of CERNET. Using the properties of access control list (ACL) in this model, the policies described in different specification languages are mapped into access control lists, which are distributed to different network devices to enforce. Thus, the complex transformation logic in traditional policy refinement fashion is simplified, especially, security and access control configuration management can be automated.

Donia El Kateb,Tejeddine Mouelhi,Yves Le Traon,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/2188286.2188346

2012-01-01

Abstract:ABSTRACTIn order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of real-life Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

Ting Wang,Songzheng Song,Jun Sun,Yang Liu,Jin Song Dong,Xinyu Wang,Shanping Li

DOI: https://doi.org/10.1007/978-3-642-34281-3_26

2012-01-01

Abstract:Refinement checking plays an important role in system verification. It establishes properties of an implementation by showing a refinement relationship between the implementation and a specification. Recently, it has been shown that anti-chain based approaches increase the efficiency of trace refinement checking significantly. In this work, we study the problem of adopting anti-chain for stable failures refinement checking, failures-divergence refinement checking and probabilistic refine checking (i.e., a probabilistic implementation against a non-probabilistic specification). We show that the first two problems can be significantly improved, because the state space of the product model may be reduced dramatically. Though applying anti-chain for probabilistic refinement checking is more complicated, we manage to show improvements in some cases. We have integrated these techniques into the PAT model checking framework. Experiments are conducted to demonstrate the efficiency of our approach.

ZENG Kuang-yi,YANG Jia-hai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.02.006

2007-01-01

Abstract:Policy refinement and policy conflict resolution are two of the toughest issues in implementing a policy-based network management (PBNM) system. Based on a brief review of general PBNM theories and specific access control technologies, the paper proposed a novel policy-based network management model, which adopts XML as the high level policy description language, and uses the generalized access control list(ACL) as an intermediate refining mechanism, focusing on network security and QoS management. Some critical issues and their solutions, including policy representation, policy refinement, and policy conflict policy detection, are discussed. A formula representation of the policy conflict issue is given with several important inferences. The effectiveness and efficiency of the model is verified by the implemented prototype.

Mingjie Yu,Fenghua Li,Nenghai Yu,Xiao Wang,Yunchuan Guo

DOI: https://doi.org/10.1016/j.dcan.2022.09.002

IF: 6.348

2022-10-01

Digital Communications and Networks

Abstract:Policy conflicts may cause substantial economic losses. Although a large amount of effort has been spent on detecting intra-domain policy conflict, it can not detect conflicts of heterogeneous policies. In this paper, considering background knowledge, we propose a conflict detection mechanism to search and locate conflicts of heterogeneous policies. First, we propose a general access control model to describe authorization mechanisms of cloud service and a translation scheme designed to translate a cloud service policy to an Extensible Access Control Markup Language (XACML) policy. Then the scheme based on Multi-terminal Multi-data-type Interval Decision Diagram (MTMIDD) and Extended MTMIDD (X-MTMIDD) is designed to represent XACML policy and search the conflict among heterogeneous policies. To reduce the rate of false positives, the description logic is used to represent XACML policy and eliminate false conflicts. Experimental results show the efficiency of our scheme.

telecommunications

Nguyen Minh Hoang,Ha Xuan Son

DOI: https://doi.org/10.1145/3309074.3309097

2019-01-01

Abstract:Access control is a security technique that specifies access rights to resources in a cloud computing environment. As information in cloud systems nowadays become more complex, it plays an important role in authenticating and authorizing users and preventing an attacker from targeting sensitive information. However, in recent years, with the popularity of the Internet as social network, IoTs which deploy in cloud platforms for sharing data in real-time, more and more challenges have been exposed. For example, the access control mechanism must be able to guarantee fine-grained access control, privacy protection, conflicts and redundancies handle between rules of the same policy or between different policies. In this paper, we proposed an access control model based on attribute that incorporates a policy model based on the combining algorithm and prioritization of functions to resolve conflicts at a fine-grained level called "Dynamic model for fine-grained policy conflict resolution". Experiments are carried out to illustrate the relationship between the processing time for the traditional approach (single policy, multi-policy without priority) and our approach (multi-policy with priority). Experimental results show that the evaluation performance satisfies the privacy requirements defined by the user.

ZD Li,XJ Ye

DOI: https://doi.org/10.1145/1121995.1122001

2006-01-01

Abstract:Dissemination control ( DCON ) is a security policy of controlling digital resource access before and after distribution. It is an extension of traditional access control within client-side domain, digital rights management by payment-free applications, and originator control on recipients' re-dissemination rights allowance. Different application domains may adopt dynamically different resource dissemination policies, but current DCON models cannot solve the multi-policy coexistence and compatibility problems. A dynamic multi-policy dissemination control model ( DMDCON ) is proposed to express the dynamic and multi-policy nature existing in reality, which are indispensable for well formed resource dissemination control application. The goal of this paper is to define and extend formally some basic concepts related with resource dissemination (such as dissemination policy, chain, tree, etc.) and further, propose a comprehensive DMDCON model to describe universal resource dissemination applications through specifying temporal dissemination features, restrictions, and policy revocation (cascade or non-cascade). Finally, we briefly discuss the importance of DCON within the usage control domain.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ebiss.2009.5138002

2009-01-01

Abstract:Access control becomes more and more essential for safe and security access to the system resources. Role based access control policy widely used in industry enterprise systems nowadays is a statement which specifies the rules about how to setup the process for granting or denying authorizations. It is extremely important to make sure that there is no inconsistency of an access control policy, since otherwise it may conceal the security danger or even break down the entire access control system. In this paper, we analyze the inconsistencies of role based access control policy, and give the formal definition for the inconsistency. We then propose an inconsistency checking algorithm to detect the inconsistencies of a role based access control policy.

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.

Peng Zhao,Lifa Wu,Zheng Hong,He Sun

DOI: https://doi.org/10.23919/jcc.2019.09.017

2019-01-01

China Communications

Abstract:Multicloud access control is important for resource sharing and security interoperability across different clouds, and heterogeneity of access control policy is an important challenge for cloud mashups. XACML is widely used in distributed environment as a declaratively fine-grained, attribute-based access control policy language, but the policy integration of XACML lacks formal description and theory foundation. Multicloud Access Control Policy Integration Framework (MACPIF) is proposed in the paper, which consists of Attribute-based Policy Evaluation Model (ABPEM), Four-value Logic with Completeness (FLC) and Four-value Logic based Policy Integration Operators (FLPIOs). ABPEM evaluates access control policy and extends XACML decision to four-value. According to policy decision set and policy integration characteristics, we construct FLC and define FLPIOs including Intersection, Union, Difference, Implication and Equivalence. We prove that MACPIF can achieve policy monotonicity, functional completeness, canonical suitability and canonical completeness. Analysis results show that this framework can meet the requirements of policy integration in Multicloud.

Fan Zhang,Ji Gao

2007-01-01

Abstract:Open distributed systems have provided a wonderful solution for enterprises to integrate their business systems, such as ERP and CRM. But the management of large-scale distributed system itself became the problem. To solve this problem, policy-driven mechanism is developed and it also acts as a core role in autonomic computing framework that announced by IBM. But many policy-driven solutions, such KAoS, Ponder and Rei, don't have enough ability of policy management, especially in the policy dynamic conflicts detection. This paper presents a policy-driven model and conflict detection method that is suitable in dynamic and static environment.

Chen-hua Ma,Guo-dong Lu,Jiong Qiu

DOI: https://doi.org/10.1631/jzus.a0820366

2009-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The specification of authorization policies in access control models proposed so far cannot satisfy the requirements in workflow management systems (WFMSs). Furthermore, existing approaches have not provided effective conflict detection and resolution methods to maintain the consistency of authorization polices in WFMSs. To address these concerns, we propose the definition of authorization policies in which context constraints are considered and the complicated requirements in WFMSs can be satisfied. Based on the definition, we put forward static and dynamic conflict detection methods for authorization policies. By defining two new concepts, the precedence establishment rule and the conflict resolution policy, we provide a flexible approach to resolving conflicts.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Peng Liu,Jian-bin Hu,Zhong Chen

DOI: https://doi.org/10.1109/WI.2005.2

2005-01-01

Abstract:Although several access control policies have been proposed for securing access to resources, they focused on security of distributed environments that were rather static. Nowadays distributed environment becomes open and dynamic. In this paper, we propose a formal language for access control policies in open and dynamic environment. The language is based on description logic program and generalized courteous logic program supporting classical negation, prioritized conflict handling and mutual exclusion constraints. The language allows the specification of positive and negative authorization, privilege delegation and revocation, prioritized conflict resolution and mutual authorization exclusions.

Ying Li,Yuanlei Lu,Yu Yu Yin,Shuiguang Deng

DOI: https://doi.org/10.1109/APSCC.2010.21

2010-01-01

Abstract:Dynamic reconfiguration can help SOA based applications to update, modify, add and remove their functions, improve their performance, enhance their reliabilities and robustness. However few works focus on the QoS-based dynamic reconfiguration of SOA-based applications. This paper presents an approach for QoS-based dynamic reconfiguration of SOA based applications. The proposed approach can reconfigure a SOA based application to comply with a new QoS constraint by replacing its individual or multiple component services. An important factor named global significance value is introduced to show the significance of each component service. The individual component services are attempted to replace according to the descending order relative to the value. If the attempts fail, multiple component services will be replaced together. In the case study, an example is given to show the approach is feasible to reconfigure a SOA based application to meet a new QoS constraint. The experiment shows the effectiveness and efficiency of our approach.

Bs Liao,J Gao,J Hu,Jj Chen

DOI: https://doi.org/10.1007/978-3-540-30483-8_42

2004-01-01

Abstract:The integration of web services and intelligent agents is promising for automated service discovery, negotiation, and cooperation. But due to the dynamic and heterogeneous nature of web services and agents, it is challenging to guide the behaviors of underlying agents to meet the high-level business (changeful) requirements. Traditional Policy-driven methods (Ponder, Rei, KAoS, etc) are not adaptable to direct the discovery, negotiation and cooperation of dynamic agents who may join in or leave out of a specific community or organization (virtual organization) at run time. The purpose of this paper is to model an ontology-based, policy-driven control framework that is suitable to supervise the dynamic agents according to high-level policies. On the basis of federated multi-agents infrastructure and ontologies of policies, domain concepts, and agent federations, a model of role-based policy specification framework is presented in this paper.