Access Control Policy Refinement Technology Based on Open Logic R-Refutation Calculus

Funding: National High Technology Research and Development Program of China (863) (2011AA01A202)
    Abstract:

    Policy refinement is an important technique for reducing the configuration complexity of access control policies in distributed applications. Existing refinement methods describe policies in layers and refine them layer by layer, but they are weak at handling the relationships between policies. In this study, policies and the relationships between them are described with a policy refinement tree. Based on policy conflict detection at the leaf nodes, the R-refutation calculus of open logic is used to analyze the relationship properties of the policies in the refinement tree. The method resolves policy conflicts while keeping the mutual exclusion, combination, access path coordination, and refinement mapping relationships between policies correct. It can also resolve different types of policy conflicts in order and freely choose among conflicting policies. Experiments and performance analysis demonstrate that the method meets the need for dynamic adaptation of policy refinement for service-oriented application systems on SaaS platforms.

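Cite this article

Wu YH, Huang H, Lü QW, Zeng QK, Zhang DM. Access control policy refinement technology based on open logic R-refutation calculus. Journal of Software, 2015,26(6):1534-1556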

History
  • Received: 2013-03-21
  • Last revised: 2014-05-09
  • Published online: 2015-06-04