Computer Science ›› 2020, Vol. 47 ›› Issue (7): 56-65. doi: 10.11896/jsjkx.190700157
王静宇, 刘思睿
WANG Jing-yu, LIU Si-rui
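Abstract: Big data access control is one of the key technologies for ensuring data security and information sharing in big data. Because traditional access control policies cannot meet the real-time and dynamic requirements of accessing information in dynamic environments, risk assessment methods have been introduced into access control to coordinate access control policies and improve the applicability of access control in dynamic environments. In view of this, this paper systematically reviews and summarizes the main work in risk-based access control research in China and abroad, and analyzes the latest research results of recent years. First, it analyzes and summarizes risk-based access control that extends traditional access control models and access control models based on the XACML framework, together with its applications in different environments. Second, it summarizes and analyzes the techniques and methods of risk-based access control, and analyzes and studies Risk-Adaptable Access Control (RAdAC). Finally, it looks ahead to research on risk-based access control in future big data environments and raises several questions of research value. The paper holds that risk-based access control will remain an important research topic in future big data access control research.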
[1] 郭鹏军, 张泾周, 杨远帆, 阳申湘. Study on Wireless Communication Network Architecture and Access Control Algorithm in Aircraft. Computer Science, 2022, 49(9): 268-274. https://doi.org/10.11896/jsjkx.210700220
[2] 阳真, 黄松, 郑长友. Study on Crowdsourced Testing Intellectual Property Protection Technology Based on Blockchain and Improved CP-ABE. Computer Science, 2022, 49(5): 325-332. https://doi.org/10.11896/jsjkx.210900075
[3] 郭显, 王雨悦, 冯涛, 曹来成, 蒋泳波, 张迪. Blockchain-based Role-Delegation Access Control for Industrial Control System. Computer Science, 2021, 48(9): 306-316. https://doi.org/10.11896/jsjkx.210300235
[4] 程学林, 杨小虎, 卓崇魁. Research and Implementation of Data Authority Control Model Based on Organization. Computer Science, 2021, 48(6A): 558-562. https://doi.org/10.11896/jsjkx.200700127
[5] 潘瑞杰, 王高才, 黄珩逸. Attribute Access Control Based on Dynamic User Trust in Cloud Computing. Computer Science, 2021, 48(5): 313-319. https://doi.org/10.11896/jsjkx.200400013
[6] 曹萌, 于洋, 梁英, 史红周. Key Technologies and Development Trends of Big Data Trade Based on Blockchain. Computer Science, 2021, 48(11A): 184-190. https://doi.org/10.11896/jsjkx.210100163
[7] 何亨, 蒋俊君, 冯可, 李鹏, 徐芳芳. Efficient Multi-keyword Retrieval Scheme Based on Attribute Encryption in Multi-cloud Environment. Computer Science, 2021, 48(11A): 576-584. https://doi.org/10.11896/jsjkx.201000026
[8] 徐堃, 付印金, 陈卫卫, 张亚男. Research Progress on Blockchain-based Cloud Storage Security Mechanism. Computer Science, 2021, 48(11): 102-115. https://doi.org/10.11896/jsjkx.210600015
[9] 顾荣杰, 吴治平, 石焕. New Approach for Graded and Classified Cloud Data Access Control for Public Security Based on TFR Model. Computer Science, 2020, 47(6A): 400-403. https://doi.org/10.11896/JsJkx.191000066
[10] 潘恒, 李景峰, 马君虎. Role Dynamic Adjustment Algorithm for Resisting Insider Threat. Computer Science, 2020, 47(5): 313-318. https://doi.org/10.11896/jsjkx.190800051
[11] 王辉, 刘玉祥, 曹顺湘, 周明明. Medical Data Storage Mechanism Integrating Blockchain Technology. Computer Science, 2020, 47(4): 285-291. https://doi.org/10.11896/jsjkx.190400001
[12] 屠袁飞, 张成真. Secure and Efficient Electronic Health Records for Cloud. Computer Science, 2020, 47(2): 294-299. https://doi.org/10.11896/jsjkx.181202256
[13] 乔毛, 秦岭. AB-ACCS Scheme for Revocation of Efficient Attributes in Cloud Storage Services. Computer Science, 2019, 46(7): 96-101. https://doi.org/10.11896/j.issn.1002-137X.2019.07.015
[14] 黄美蓉, 欧博, 何思源. Access Control Method Based on Feature Extraction. Computer Science, 2019, 46(2): 109-114. https://doi.org/10.11896/j.issn.1002-137X.2019.02.017
[15] 赵鹏, 吴礼发, 洪征. Research on Broker Based Multicloud Access Control Model. Computer Science, 2019, 46(11): 123-129. https://doi.org/10.11896/jsjkx.190300112