Research on Rule-Based and Ontology-Based Policy in Application Security

【Author】 于海波

【Advisor】 金淳兆

【Author information】 Jilin University, Computer Software and Theory, 2006, PhD

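【Summary】 Policies are increasingly becoming the security method for controlling the behavior of large application systems. Policies allow the behavior of a system to be adjusted without changing implementation code: high-level rules are defined to control and adjust low-level system behavior, which gives better flexibility and adaptability than other approaches. Existing policy methods, however, still have certain difficulties with large-scale application systems. This work mainly studies rule-based techniques and ontology-based methods for the definition of, and reasoning over, application security policies. The main work includes: (1) Around the authorization problem of large application security systems, access control models are summarized and analyzed, policy definition languages are surveyed, and description logic and ontologies are introduced. (2) Rule-based techniques are surveyed and analyzed, and the limitations of existing rule methods and the problems that should be addressed first are pointed out. (3) Description logic and Semantic Web languages are introduced, their relationship and the deficiencies of OWL in representing user-defined datatypes and predicates are analyzed, and OWL-E, a decidable extension of OWL DL, is introduced. (4) Based on OWL-E, a semantic policy definition framework combining rules and ontologies is defined; extensible domain entity and attribute ontologies are built to characterize environment knowledge; policy information such as authorization rules and constraints is expressed and semantically interpreted in pure OWL; and a fine-grained authorization rule representation based on object content is proposed. (5) Based on the reasoning capability provided by description logic, a fairly complete set of policy analysis and management methods is proposed for the policy definition framework, including an access control decision method, methods for determining and analyzing priority among policies, several conflict detection methods, and an automatic conflict resolution algorithm. (6) Related work is compared, and the characteristics of this work and further work are summarized. The research results enrich the study of applying ontology technology in the application security domain. The research in this thesis on knowledge representation in the application security domain, pure-ontology representation of rule knowledge, semantics-based policy representation, rule-based authorization techniques, access control decisions for policies, and conflict detection and resolution has a certain theoretical significance. The results have considerable application value for application security domains such as access control in the Internet environment, information system integration, e-commerce and e-government.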

【Abstract】 Policies are increasingly used to control the behavior of complex, large-scale application systems. Policies allow an administrator to regulate system behavior without changing source code: the administrator specifies high-level rules that control and regulate the low-level behavior of systems. A policy-based approach is much more flexible and adaptable than non-policy approaches, but it still has difficulty dealing with large-scale application systems that have large numbers of users and resources.

In recent years especially, with the scale-up of IT systems and the widening scope of users, effective user and privilege administration remains complex and challenging work, and it is a major issue in large enterprises and organizations. For service-providing enterprises that make their services available to users via the Internet, the number of users can be in the hundreds of thousands or millions, and a large number of objects and a relatively high number of processes can be found as well. The inherent complexity of application security challenges existing policy management approaches.

A model that automatically assigns permissions to users becomes a perfect solution in large-scale systems. Rule-based authorization approaches have been researched and preliminarily applied to support automatic user and permission management in the past few years. Although rule-based approaches have relatively high management efficiency, the dynamic nature of rules often makes it difficult to foresee the impact of a new rule or of a modification to an existing rule. It is difficult to obtain an administrative overview, which makes the rules difficult to maintain and audit. It is therefore difficult to specify and maintain authorization policies in an application system built on a rule-based system without other supporting mechanisms.

Semantically rich representations of policy allow both the structure and properties of the elements of an application system and the management operations themselves (e.g., policies) to be described at a high level of abstraction, thus enabling policy conflict detection and harmonization. Moreover, modeling policies at a high level of abstraction simplifies their description and improves the analyzability of the system. In fact, semantically rich representations ensure a common understanding between previously unknown entities, which allows heterogeneous systems to interoperate with understandable policies. Recent research in the area of the Semantic Web and the OWL ontology language provides a powerful base for semantically rich policy definition. Standard OWL is suitable for describing domain knowledge such as entities and attributes in the application security domain, but it still has limitations in describing the authorization rules of policies. The specification of semantically rich, context-based policies to regulate system behavior in application security environments is a complex task that requires appropriate representations to describe both the context information relevant to policy specification and the policies themselves. Current approaches to semantic context-based policy specification have outlined two main research directions: the rule-based approach and the ontology-based approach.

We study rule-based and ontology-based approaches to application security policy representation and reasoning, and propose a policy specification framework that integrates the rule and ontology approaches to support the specification and management of policies in large-scale applications. Under this framework, we concentrate on knowledge expression for the application security domain, rule-based semantically rich policy specification, constraint specification, fine-grained authorization rule specification and so on. Based on the inference tasks of description logic, we study access control reasoning, the determination of relationships among authorization rules, conflict detection methods and conflict resolution algorithms for the policy specification framework.

The principal contributions and research results of this dissertation are summarized as follows.

Firstly, against the background of the authorization problem in large-scale application security, we analyze most access control models and summarize the state of the art in policy specification languages. We concentrate on context-based and semantics-based policy approaches, and analyze and compare them in terms of specification methods and reasoning support. Description logic and ontology languages are surveyed as well. We point out that the rule-based approach and the ontology-based approach are the current research directions for context-based policy specification.

Secondly, an overview and analysis of the state of the art in rule-based authorization techniques is given. International research on rule-based automatic authorization is summarized, including BPD-ACS, RB-RBAC, provisioning-based RBAC and Kern's meta-model, in terms of concept, rule expression, rule function and features. The existing problems and the research that needs further emphasis are pointed out.

Thirdly, description logic and the Web ontology language are introduced. We introduce the description logic language family and the concrete domain extension used to integrate numerical and other domains into description logics in a schematic way. The W3C standard Web ontology language, OWL, is introduced in detail, and the correspondence between OWL and description logic is given. We also point out the limitations of OWL in datatype support, and therefore introduce OWL-E, a decidable extension of OWL DL, to overcome them. These introductions and analyses form the theoretical basis of the further research.

Fourthly, the representation of knowledge in application security domains is investigated. An OWL-E based description framework for domain knowledge is proposed to create extensible domain entities and attributes that abstract and define the context information of the application security domain. All domain entities are specified with a common entity-attribute structure, which makes it easy to divide the system into finer grains or to extend it with new entities and attributes, so as to adapt to the evolution of context and to changes in authorization requirements. The representation of the quasi-order of attribute values is studied, and an ontology class based representation is proposed.

Fifthly, the specification and representation of application security policies is studied. We propose a pure OWL style Policy Definition Framework. The Policy Definition Framework uses the subclass axiom of OWL to define the syntax of all kinds of authorization rules that describe implicit authorizations, so the semantics of authorization rules can be interpreted directly on the basis of OWL semantics. Authorization rules can thus be interpreted separately from the environment and from reasoning engines. A rule constraint schema is proposed to represent the comparison relations between subject attributes and object attributes in order to specify fine-grained, content-based access control. Representation methods for static separation of duty and number restriction constraints are illustrated as well.

Sixthly, the thesis studies description logic based reasoning about the policies of the Policy Definition Framework. Based on description logic inference services, important reasoning tasks such as access control decision, policy scope, relationships among rules and conflict detection are studied. Decision approaches for the seniority level and the overlap relation among rules are proposed. We propose several conflict detection methods: a conflict detection method for related policies, a conflict detection method for overlapping policies, a conflict detection method based on the unsatisfiable intersection of policies, and a conflict detection method for separation of duty constraints. We also give an automatic conflict resolution algorithm. Our work provides effective support and tooling for policy management and analysis.

Our work studies integrated rule-based and ontology-based policy representation and reasoning. A combined approach is proposed to handle policy management in highly dynamic, complex-context and heterogeneous system environments. Rule specification based on OWL axiom semantics enhances the expressive power of, and the common understanding of, automatic authorization rules. It can capture rich relationships among policies and is comprehensively supported by most description logic reasoners.

Our work enriches the research on ontology approaches applied in the application security area, especially in the following aspects: rule representation in a pure ontology language, semantically rich policy representation, rule-based authorization, ontology modeling in application security, access control decision reasoning, conflict detection methods and conflict resolution. The results of the policy representation and reasoning research can be of practical value for application security.

To sum up, the results of the thesis are of both theoretical and practical benefit to further research in rule-based and ontology-based policy management.

  • 【Online publication contributor】 Jilin University
  • 【Online publication year/issue】 2006, Issue 09