Computer Science, 2018, Vol. 45, Issue (9): 224-229. doi: 10.11896/j.issn.1002-137X.2018.09.037

• Software and Database Technology •

XACML Policy Query Method Based on Attribute And/Or Matrix and Type Analysis

HAN Dao-jun 1,2, YUAN Wan-li 2, DUAN Xiao-yu 2, ZHANG Lei 2

  1. Institute of Data and Knowledge Engineering, Henan University, Kaifeng, Henan 475004, China
  2. School of Computer and Information Engineering, Henan University, Kaifeng, Henan 475004, China
  • Received: 2017-08-08  Online: 2018-09-20  Published: 2018-10-10
  • Corresponding author: YUAN Wan-li (born 1993), male, master's student; main research interest: access control technology. E-mail: 2293978452@qq.com
  • About the authors: HAN Dao-jun (born 1979), male, Ph.D., associate professor; main research interests: formal concept analysis, spatial data processing, information security. DUAN Xiao-yu (born 1992), female, master's student; main research interest: image processing. ZHANG Lei (born 1981), male, Ph.D., lecturer; main research interests: spatial data processing, information security.
  • Funding: This work was supported by the National Natural Science Foundation of China (61272545, 61402149), the Science and Technology Research Program of Henan Province (142102210390), the Science and Technology Research Program of the Education Department of Henan Province (14A520026), and the Henan Postdoctoral Research Project (2015036).

Abstract: The description and enforcement of access control policy is an important means of protecting information system resources, and it directly affects the operation of the system's business functions. To address the low efficiency of policy evaluation, researchers have proposed evaluation methods based on attribute caching and rule reordering. These methods raise evaluation efficiency but still do not solve the problem that policy evaluation has to traverse every relevant rule. Focusing on this problem, and after analysing the characteristics of XACML (eXtensible Access Control Markup Language) policy descriptions, this paper proposes an XACML policy query method based on an attribute and/or matrix and type analysis, which reduces the number of rule matches performed during policy evaluation. The method modifies the processing of the existing Context Handler by adding a preprocessing phase for access control rule matching. In this phase, a discrimination degree is computed for each rule attribute; the discrimination degrees and the attribute and/or matrix are used to filter out the rules that are irrelevant to the current access control request, and only the filtered rule set is then matched, which improves the efficiency of policy evaluation. Finally, experiments verify the effectiveness of the proposed method.

Key words: Attribute and/or matrix, Discrimination, Type analysis, XACML
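As an added illustration (not the paper's code: its matrix encoding, discrimination measure and type analysis are not reproduced here), the following Python model shows the preprocessing step the abstract describes. Rule targets are indexed as a sparse attribute and/or matrix, an assumed discrimination score orders the attributes, and a prefilter discards rules that cannot match the request before any rule is evaluated; rule ids, attribute names and values are constructed.

```python
from collections import defaultdict
# Constructed sample rules (rule id, effect, target). A target maps attribute ->
# accepted values: AND across attributes, OR within one; absent = wildcard.
RULES = [
    ("r1", "Permit", {"role": {"doctor"}, "resource": {"record"}, "action": {"read"}}),
    ("r2", "Deny", {"role": {"intern"}, "resource": {"record"}}),
    ("r3", "Permit", {"role": {"nurse", "doctor"}, "resource": {"schedule"}}),
    ("r4", "Permit", {"role": {"admin"}}),
    ("r5", "Deny", {"action": {"delete"}}),
]

def build_matrix(rules):
    """Sparse and/or matrix: matrix[attr][value] = ids of rules accepting value ("*" = wildcard)."""
    matrix = {a: defaultdict(set) for a in {a for _, _, t in rules for a in t}}
    for rid, _, target in rules:
        for attr in matrix:
            for value in target.get(attr, {"*"}):
                matrix[attr][value].add(rid)
    return matrix

def discrimination(matrix, n_rules):
    """Assumed measure (ours, not the paper's): mean fraction of rules a concrete value rules out."""
    scores = {}
    for attr, col in matrix.items():
        wild = len(col.get("*", ()))
        values = [v for v in col if v != "*"]
        kept = sum(len(col[v]) + wild for v in values) / len(values) if values else n_rules
        scores[attr] = 1 - kept / n_rules
    return scores

def candidate_rules(matrix, scores, request):
    """Intersect, most discriminating attribute first, the rules accepting the request value or '*'."""
    cand = None
    for attr in sorted(matrix, key=lambda a: -scores[a]):
        col = matrix[attr]
        ok = col.get(request.get(attr), set()) | col.get("*", set())
        cand = ok if cand is None else cand & ok
        if not cand: break  # nothing can match any more; stop early
    return cand or set()

def matches(target, request):
    return all(request.get(a) in vs for a, vs in target.items())

def evaluate(rules, request, prefilter=True):
    """Deny-overrides over matching rules; returns (decision, number of rules that were matched)."""
    matrix = build_matrix(rules)
    cand = candidate_rules(matrix, discrimination(matrix, len(rules)), request)
    cand = cand if prefilter else {rid for rid, _, _ in rules}
    effects = [eff for rid, eff, t in rules if rid in cand and matches(t, request)]
    return ("Deny" if "Deny" in effects else "Permit" if effects else "NotApplicable"), len(cand)
```

The prefilter is sound because every rule that matches a request appears in each per-attribute candidate set, so the decision never changes; `evaluate(..., prefilter=False)` gives the reference decision to compare against, which is the check to keep when such an optimization is deployed in a PDP.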

CLC number: TP309