XACML Policy Query Method Based on Attribute And/Or Matrix and Type Analysis (cited by: 1)

Abstract: The description and enforcement of access control policies is an important means of protecting information system resources, and it affects the operational running of the system. To address the low efficiency of policy evaluation, researchers have proposed evaluation methods based on attribute caching and reordering. These methods improve evaluation efficiency, but they do not solve the problem that policy evaluation has to traverse all relevant rules. To address this problem, and building on an analysis of the descriptive characteristics of XACML (eXtensible Access Control Markup Language), this paper proposes an XACML policy query method based on an attribute and/or matrix and type analysis, which reduces the number of rules matched during policy evaluation. The method modifies the processing flow of the existing Context Handler by adding a preprocessing phase for access control rule matching. In this phase, the discrimination of each rule attribute is calculated, and the discriminations together with the attribute and/or matrix are used to filter out rules that are irrelevant to the current access control request. Matching is then performed only on the filtered rule set, which improves the efficiency of policy evaluation. Experimental results verify the effectiveness of the proposed method.
Authors: HAN Dao-jun (韩道军); YUAN Wan-li (原万里); DUAN Xiao-yu (段晓宇); ZHANG Lei (张磊) (Institute of Data and Knowledge Engineering, Henan University, Kaifeng, Henan 475004, China; School of Computer and Information Engineering, Henan University, Kaifeng, Henan 475004, China)
Source: Computer Science (《计算机科学》), indexed in CSCD and the Peking University Core Journals list, 2018, Issue 9, pp. 224-229 (6 pages)
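Funding: National Natural Science Foundation of China (61272545, 61402149); Science and Technology Research Program of Henan Province (142102210390); Science and Technology Research Program of the Education Department of Henan Province (14A520026); Henan Province Postdoctoral Research Project (2015036)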
Keywords: XACML; attribute and/or matrix; discrimination; type analysis