节点文献
访问控制技术与模型研究
The Research of Accesss Control Techniques and Methods
【作者】 罗鑫;
【导师】 胡正名;
【作者基本信息】 北京邮电大学 , 密码学, 2009, 博士
【摘要】 随着网络技术的发展和网上电子商务应用的增加,信息安全问题日益凸现,当今信息安全技术主要包括密码技术、身份认证、访问控制、入侵检测、风险分析与评估等诸多方面。访问控制是一个安全信息系统下不可或缺的安全措施。访问控制就是通过某种途径授权或限制对关键资源的访问,防止非法用户的侵入或合法用户的不慎操作所造成的破坏。论文的主要工作为:1.在对多种模型研究的基础上,结合已有的模型的优点,针对其局限性进行了一些元素的引入和扩充,讨论扩展了用面向对象方式描述的访问控制模型。2.讨论了多域的环境下RBAC模型的应用,并对其应用中产生的冲突进行了定义和分类,同时给出了冲突的检测算法。3.针对用户行为模型,分析了策略和行为的关系,将访问控制系统中的用户行为和管理行为分离。将这两种行为置于同一模式的策略组织之下。4.给出了扩展用户行为模型的建议规则,并根据建议规则的内容,讨论证明了系统关于策略的一致性、正确性及完备性。5.结合UCON模型及信任管理各自的优势,针对委派关系,描述了基于用户行为及信任度的信任管理(UTCDM-controllabledelegation model based on usage and trustworthiness),该框架实现了存取访问控制中客体、操作级别的多域的环境下的委托关系描述,通过对客体及操作级别的信任度阈值衰减计算对传播深度广度进行控制,并给出了包含信任关系全部要素的信任图的构造方式。介绍了基于委托内容用户行为的信任链查找,给出了在此基础上的信任图的查找发现算法。6.在开放网络环境中,运用用户行为及模糊理论对信任框架进行了建模。给出了信任的定义和信任的计算机制及相关算法。提出的信任的推导算法具有很好的对恶意节点的屏蔽能力,引入亲疏系数的概念,同时解决了恶意节点的定义方式以及信任网络刚建立时,各节点信任度初始化的问题。7.扩展了云模型对信任的形式化定义。讨论了云模型各参数对信任度计算的影响。通过引入时间衰减系数及行为影响系数,较好地解决了信任的模糊性随时间及行为变化的动态性的特点。本文从对象化访问控制模型,基于用户行为模型的策略研究,开放网络环境下的信任管理模型几个角度,多方位地对访问控制理论和方法进行了较为深入的研究。文中提出的访问控制模型针对原有模型的问题,提出了有益的改进,部分成果应用在实际的系统建设中,提高了访问控制系统的效率,减少了管理人员的工作量。对于其他类似系统的建设也具有一定的指导意义。
【Abstract】 Due to the popularity of the Internet and electronic commerce information security becomes more and more important. Generally speaking, information security includes intrusion detection, encryption, authentication, access control and auditing.Access control is the indispensable measure in a safety information system. Access control is the way to allow or restrict the access to resources. By using access control system the damage caused by the invalid login or the miss-operation can be avoided.The major contents in the paper are listed as follows:1. Analyze the shortcomings of the existed access control models, discuss the safety and the flexible, research the attributed-based model, the access control model is described by object-oriented technique.2. Discuss the application of RBAC model in multi-environment, group the violation of the application into the different clusters and definitions. Present the method how to solve the problem about conflict. 3. Present a new model based on the usage control model. The new extended model which is based on the formalization of the authorization, study class and application of the strategy, separate the administration from the usage.4. Present the suggestion rules of the extended usage control model. Based on the content of the rules, the coherence, correctness and the maturity can be proved easily.5. A controllable delegation model based on usage and trustworthiness (UTCDM) which is suitable for open environment is presented. An approach for controlling the depth of delegation focusing on the objects and the rights is discussed. The method of direct authorization for relationship of delegation is provided.6. In open network, the usage and fuzzy set theory have been used to model the issues of trust management. The definition of trust class and the algorithm of trust-computing are discussed. By presenting the affinities coefficient, the derivation algorithm of trust has a good ability of shielding on malicious nodes.7. The cloud model is extended to define the trust model information and the parameters are discussed in detail. By proving the time decay coefficient and usage effecting coefficient, the fuzziness and dynamic variation characters are considered and resolved.This paper discusses the object-oriented access control model; research the model which is based on usage control and the trust management in the open network. These models which are presented by this paper solve and improve the original model. The characteristics of the new models include flexibility, power expression ability, and strong usability.
【Key words】 access control; object oriented; usage trust; credential graph;