期刊文献+

一种XACML规则冲突及冗余分析方法 被引量:33

A Conflict and Redundancy Analysis Method for XACML Rules
下载PDF
导出
摘要 基于属性的声明式策略语言XACML表达能力丰富,满足开放式环境下资源访问管理的复杂安全需求,但其自身缺乏对规则冲突检测、规则冗余分析的支持.文中利用规则状态思想描述分析了属性层次操作关联带来的多种冲突类型,在资源语义树策略索引基础上利用状态相关性给出规则冲突检测算法;利用状态覆盖思想分析造成规则冗余的原因,给出在不同规则评估合并算法下的冗余判定定理.仿真实验首先分析了冲突检测算法的运行效率;然后针对多种策略判定系统,验证了基于语义树的策略索引和冗余规则处理可以显著提高判定性能. XACML is a kind of declarative policy language which has flexible expressive functions based on attributes and satisfies complex security requirements of access management in the open environment, but it lacks the capabilities of detecting conflict rules and analyzing rule redundancy. This paper proposes rule state concept and applies it to analyze several categories of rule conflict caused by attribute hierarchy. In order to detecting and locating these conflicts, resource semantic tree and state relativity are utilized for depicting conflict detecting algorithms. Besides that, rule redundancy is the other issue in this paper. Employing state covering method, the mechanism of rule redundancy is explained, and redundancy judgment theorems are proven for various rules combining algorithms. The emulation tests in the last part of this paper firstly analyze the algorithm's efficiency, secondly indicate that evaluation performance can profit from resource semantic tree index and redundancy disposing.
出处 《计算机学报》 EI CSCD 北大核心 2009年第3期516-530,共15页 Chinese Journal of Computers
基金 国家"八六三"高技术研究发展计划项目基金(2006AA01Z454) 国家科技支撑计划项目基金(2006BAH02A02) 国家自然科学基金(60603017)资助~~
关键词 访问控制 规则状态 属性层次 规则冲突检测 规则冗余 XACML access control rule state attribute hierarchy rule conflict detecting rule redundancy XACML
  • 相关文献

参考文献20

  • 1Sloman M. Policy driven management for distributed systems. Journal of Network and Systems Management, 1994, 2(4) :333-360.
  • 2Moses T. eXtensible access control markup language (XACML) version 2.0. OASIS Standard, 2005.
  • 3Jajodia S, Samarati P, Subrahmanian V S et al. A unified framework for enforcing multiple access control policies// Proceedings of the ACM SIGMOD International Conference on Management of Data. Tucson, Arizona, USA, 1997, 26 (2) : 474-485.
  • 4Jajodia S, Samarati P, Subrahmanian V S. A logical language for expressing authorizations//Proeeedings of the 1997 IEEE Symposium on Security and Privacy. Los Alamitos, California, USA, 1997:31-42.
  • 5Lupu E, Sloman M. Conflicts in policy-based distributed systems management. IEEE Transactions on Software Engineering, 1999, 25(6): 852-869.
  • 6Cholvy L, Cuppens F. Analyzing consistency of security policies//Proceedings of the 1997 IEEE Symposium on Security and Privacy. Los Alamitos, California, USA, 1997:103-112.
  • 7Dunlop N, Indulska J, Raymond K. Dynamic conflict detection in policy-based management systems//Proceedings of the 6th International Enterprise Distributed Object ComputingConference (EDOC). Lausanne, Switzerland, 2002:15-26.
  • 8Guelev D P, Ryan M, Schobbens P Y. Modei-checking access control policies. Lecture Notes in Computer Science 3225. Berlin: Springer-Verlag, 2004.. 219-230.
  • 9Zhang N, Ryan M, Guelev D P. Synthesising verified access control systems in XACML//Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering. Washington,DC, USA, 2004:56-65.
  • 10Zhang N, Ryan M, Guelev D P. Evaluating access control policies through model checking//Proceedings of the 8th In- formation Security Conference (ISC). Lecture Notes in Computer Science 3650. Berlin: Springer-Verlag, 2005.. 446-460.

同被引文献336

引证文献33

二级引证文献266

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部