Authors: 罗霄峰 杨兴春[1] 胡勇 (LUO Xiaofeng; YANG Xingchun; HU Yong) (Department of Computer Science and Technology, Sichuan Police College, Luzhou, Sichuan 64600, China; Cyberspace Security College, Sichuan University, Chengdu, Sichuan 610065, China)
Affiliations: [1] Department of Computer Science and Technology, Sichuan Police College, Luzhou, Sichuan 646000; [2] Cyberspace Security College, Sichuan University, Chengdu 610065
Source: 《计算机应用》 (Journal of Computer Applications), 2019, No. 12, pp. 3569-3574 (6 pages)
Funding: Sichuan Provincial Department of Education educational research project (17ZB0262); Sichuan Province Science and Technology Support Program project (2019YFS0068)
Abstract: The Multi-data-type Interval Decision Diagram (MIDD) approach cannot correctly represent and process the critical marks of attributes, and it represents and processes obligations and advice ambiguously, which leads to inconsistent node representation and increased processing complexity. To address these problems, the MIDD approach was improved and extended. Firstly, the MIDD graph nodes, which take an entity attribute as the unit, were converted into nodes that take an element as the unit, so that the elements of an attribute-based access control policy can be represented precisely and the problem of handling critical marks is solved. Secondly, obligations and advice were treated as elements and represented by nodes. Finally, the rule and policy combining algorithm was added to the decision nodes, so that the Policy Decision Point (PDP) can use it when deciding on access requests. The analysis shows that the time and space complexity of the improved approach is comparable to that of the original approach. Comparative simulation of the two approaches shows that when each attribute has only one subsidiary attribute (the most common application situation), the difference in average decision time per access request between the two approaches is on the order of 0.01 μs, which confirms the correctness of the complexity analysis and indicates that the two approaches perform comparably. Simulation on the number of subsidiary attributes shows that even when one attribute has 10 subsidiary attributes (very rare in practical applications), the difference in average decision time between the two approaches remains at the same order of magnitude. The improved approach not only preserves the correctness, consistency and convenience of the original approach, but also extends its scope of application from eXtensible Access Control Markup Language (XACML) policies to general attribute-based access control policies.
Keywords: access control; attribute-based access control; information security; security policy; eXtensible Access Control Markup Language (XACML)