Computer Science ›› 2015, Vol. 42 ›› Issue (8): 138-144.

• Information Security •

Improved BLP Access Control Model Based on Conditional Random Fields

马萌 (MA Meng), 唐卓 (TANG Zhuo), 李仁发 (LI Ren-fa), 熊燎特 (XIONG Liao-te)

  1. College of Information Science and Engineering, Hunan University, Changsha 410081; Key Laboratory of Embedded and Network Computing of Hunan Province, Changsha 410081 (all authors); State Key Laboratory of Software Engineering, Wuhan University, Wuhan 430072 (second author)
  • Online: 2018-11-14 Published: 2018-11-14
  • Funding:
    Supported by the National Natural Science Foundation of China (61103047), the National High-tech R&D Program of China (863 Program) (2012AA01A301-01), and the Open Fund of the State Key Laboratory of Software Engineering, Wuhan University (SKLSE2012-09-18)

Improved BLP Model Based on CRFs

MA Meng, TANG Zhuo, LI Ren-fa and XIONG Liao-te   


Abstract (translated from the Chinese): To address the problem that most access control models lack the ability to dynamically perceive the system's security state and risks, this paper introduces a machine-learning method based on conditional random fields into the rule optimization of the BLP model and proposes a dynamic BLP model, CRFs-BLP. The model first preprocesses and tags historical access logs to extract feature values. It then uses the CRF++ toolkit to learn and train on these data, so that the model's rules can be adjusted dynamically according to the current security state and security events of the system, and the read-write scope of sensitive objects can also be restricted dynamically. Finally, experiments demonstrate the effectiveness and accuracy of the model in a real environment.

Keywords: Access control, Conditional random fields, Machine learning, BLP model

Abstract: As most access control models lack the ability to perceive the system's security state and risks dynamically, this paper introduces a machine-learning method, conditional random fields (CRFs), into the rule optimization of the BLP model and proposes a dynamic BLP model, CRFs-BLP. After preprocessing and tagging the historical access log, the model extracts the feature set; the CRF++ toolkit is then used to learn from and train on these datasets, so that the model's rules can be adjusted dynamically according to the current security state and events in the system, and the read-write scope of sensitive objects can be restricted dynamically. Finally, experiments show the availability and accuracy of the model in a real environment.

Key words: Access control, CRFs, Machine learning, BLP model
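The abstract describes three pieces: the classic BLP rules, a labelled access log turned into feature columns for CRF++, and a rule set that tightens access to sensitive objects when the system's security state worsens. The following Python is an added illustration of those pieces, not the paper's code: the log format, the feature columns, the risk score (a count of BLP-denied accesses by a subject) and the tightening rule (at elevated risk, objects at or above "secret" are reachable only by subjects at exactly the object's level) are all assumptions made for this example. What is not assumed is the CRF++ training-file layout (one token per line, whitespace-separated feature columns with the label last, blank line between sequences) and the two BLP properties themselves.

```python
from dataclasses import dataclass
from typing import Dict, List

# Linear order of sensitivity levels; enough for this illustration.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed sample of a pre-processed, labelled access log (assumed format):
# timestamp subject subject_level op object object_level label
SAMPLE_LOG = """\
2015-03-01T09:12:00 alice secret read payroll.xls secret normal
2015-03-01T09:13:10 alice secret read memo.txt confidential normal
2015-03-01T23:41:05 bob confidential read payroll.xls secret suspicious
2015-03-01T23:41:30 bob confidential read plan.doc top_secret suspicious
2015-03-02T10:02:00 carol top_secret write plan.doc top_secret normal
"""


@dataclass
class LogRecord:
    ts: str
    subject: str
    subject_level: str
    op: str
    obj: str
    object_level: str
    label: str  # tag assigned during preprocessing: "normal" or "suspicious"


def parse_log(text: str) -> List[LogRecord]:
    """Parse the constructed log format; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 7:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(LogRecord(*parts))
    return records


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Classic BLP: simple security property (no read up) and *-property (no write down)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation: {op}")


def features(r: LogRecord) -> List[str]:
    """Feature columns for one access (one CRF token). The BLP verdict and an
    off-hours flag are included so a sequence model can relate denied or
    odd-timed accesses to the label of neighbouring accesses."""
    hour = int(r.ts[11:13])
    return [
        r.subject_level,
        r.object_level,
        r.op,
        "allowed" if blp_allows(r.subject_level, r.object_level, r.op) else "denied",
        "offhours" if hour < 7 or hour >= 20 else "workhours",
    ]


def to_crfpp(records: List[LogRecord]) -> str:
    """Render records in CRF++ training format: one token per line, tab-separated
    feature columns with the label last, blank line between sequences.
    Sequence boundary here (assumption): one sequence per subject, in log order."""
    by_subject: Dict[str, List[LogRecord]] = {}
    for r in records:
        by_subject.setdefault(r.subject, []).append(r)
    blocks = []
    for subj in sorted(by_subject):
        rows = ["\t".join(features(r) + [r.label]) for r in by_subject[subj]]
        blocks.append("\n".join(rows))
    return "\n\n".join(blocks) + "\n"


def risk_level(records: List[LogRecord], subject: str) -> int:
    """Hypothetical security-state signal: number of BLP-denied accesses by a subject."""
    return sum(
        1 for r in records
        if r.subject == subject and not blp_allows(r.subject_level, r.object_level, r.op)
    )


def blp_allows_dynamic(subject_level: str, object_level: str, op: str,
                       risk: int, sensitive_floor: str = "secret") -> bool:
    """Hypothetical dynamic rule: BLP must hold, and once risk reaches 2 the
    read-write scope of sensitive objects (>= sensitive_floor) shrinks to
    subjects at exactly the object's level."""
    if not blp_allows(subject_level, object_level, op):
        return False
    if risk >= 2 and LEVELS[object_level] >= LEVELS[sensitive_floor]:
        return LEVELS[subject_level] == LEVELS[object_level]
    return True


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(to_crfpp(recs))
    print("bob risk:", risk_level(recs, "bob"))
    print("top_secret reads secret at bob's risk:",
          blp_allows_dynamic("top_secret", "secret", "read", risk_level(recs, "bob")))
```

The static check is the usual reference-monitor decision; the dynamic variant only ever removes permissions that static BLP would grant, so it stays conservative. In a real deployment the risk signal would come from the trained model's tags rather than from a raw denial count.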

