Authors: 沈卓炜 (SHEN Zhuowei), 范琳丽 (FAN Linli) [1,2], 华童 (HUA Tong), 王科翔 (WANG Kexiang)
Affiliations: [1] School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; [2] Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 211189, China; [3] Chinese Aeronautical Establishment, Beijing 100029, China
Source: 《信息网络安全》 (Netinfo Security), 2022, No. 11, pp. 7-16 (10 pages)
Funding: National Key Research and Development Program of China (2018YFB1800602).
Abstract: Role mining is a common method for building RBAC systems. However, current role mining schemes are designed without considering that the original system may contain abnormal permission configurations, so the mining result may include incorrect role-permission configurations, which bring great security risks to the system. To address this problem, this paper proposes a role mining scheme that tolerates abnormal permission configurations. First, Canopy pre-clustering is introduced into the user clustering stage; it extracts the overlapping data between subsets and reduces the computation of the subsequent spectral clustering. Then, the selection of initial values for spectral clustering is optimized using the pre-clustering results, and, because access control data is represented by Boolean values, the distances used in Canopy pre-clustering and spectral clustering are measured with a combination of Jaccard distance and Hamming distance, improving the user clustering result. Finally, the detection rules for abnormal permission configurations are refined, and the corrected user clustering results are used for role mining. Experimental results show that the scheme can effectively find abnormal permission configurations and improve the efficiency of role mining.
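Keywords: role mining; Canopy pre-clustering; spectral clustering; abnormal permission configuration detection
Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]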