Abstract
To address the policy generation problem that arises when migrating from other access control mechanisms to attribute-based access control, this paper proposes a policy generation method based on access control logs. Recursive attribute elimination driven by a machine learning classifier is used to select policy attributes. Based on information impurity, the attribute-permission relationships implied by the log records are extracted and combined with the result of entity attribute selection to build a policy structure tree, from which Attribute-Based Access Control (ABAC) policies are generated. In addition, an optimization algorithm based on binary search is designed to quickly compute the optimal policy generation result. The experimental results show that only 32.56% of the attribute information in the original entity attribute set is needed to cover 95% of the permissions in the log, and that the policy size is reduced to 33.33% of the original size. This confirms the effectiveness of the scheme, which can provide strong support for ABAC policy management.
Authors
LIU Aodi (刘敖迪)
DU Xuehui (杜学绘)
WANG Na (王娜)
SHAN Dibin (单棣斌)
ZHANG Liu (张柳)
Affiliations: Information Engineering University, Zhengzhou 450001, China; He'nan Province Key Laboratory of Information Security, Zhengzhou 450001, China
Source
Journal of Electronics & Information Technology (《电子与信息学报》)
Indexed in: EI; CSCD; Peking University Core Journals
2022, Issue 1, pp. 324-331 (8 pages)
Funding
National Key Research and Development Program of China (2018YFB0803603, 2016YFB0501901)
National Natural Science Foundation of China (61802436, 61902447)
Keywords
Access control
Attribute-Based Access Control (ABAC)
Policy generation
Attribute selection