Research On Correlation Technologies Of Access Control Administration In Multi-level And Inter-domain Environments

Posted on: 2014-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: J Liu
GTID: 2268330401976749
Subject: Military communications science
Abstract/Summary:
Access control policy is the concentrated embodiment of an information system's security requirements. Access control administration technologies provide security and consistency for access control policies. Managing access control policies in a multi-level & inter-domain classified information system, which is distributed, dynamic and heterogeneous, is a new challenge. Research on how to ensure effective administration and consistent access control policy in multi-level & inter-domain environments is therefore a critical and urgently needed issue.

This paper explores in depth the technologies of access control administration for multi-level & inter-domain classified information systems. The main work is as follows:

1. A hierarchical and fine-grained multi-level & inter-domain access control administration model is constructed. Existing models suffer from complex assignment, limited scalability and a lack of effective support for cross-domain access management. To address these problems, this paper proposes a multi-level & inter-domain access control administrative model (ML-IDACAM) that combines the characteristics of multi-level & inter-domain systems with the need for fine-grained access control administration, and sets out the model's basic elements, element relationships, constraints and administration rules. The security of the proposed model is also proved. Compared with related work, the ML-IDACAM model has good extensibility and fine-grained operations, supports secure and centralized access control administration, and guarantees the consistency of policies in multi-level & inter-domain environments.

2. The policy conflicts in multi-level & inter-domain classified information systems are specified formally. Focusing on policy conflicts caused by interoperation between classified information systems, the mechanism and procedure by which policy conflicts arise are analyzed, and definitions of explicit and implicit policy conflict are given. A formal specification of policy conflict is then produced, which lays the foundation for designing effective policy conflict detection and resolution algorithms.

3. An explicit policy conflict detection algorithm based on policy attribute reduction and an explicit policy conflict resolution algorithm based on policy attribute significance are proposed. Existing policy conflict detection and resolution algorithms have difficulty detecting explicit policy conflicts effectively and resolving them legitimately. To address this, the concepts of policy attribute reduction and policy condition attribute significance, based on the idea of discretization, are introduced, and explicit policy conflict detection and resolution algorithms that are more fine-grained and effective are designed. Finally, the computational complexity and capability of the algorithms are analyzed.

4. An implicit policy conflict detection algorithm based on the information flow matrix and an implicit policy conflict resolution algorithm based on information flow subtraction are proposed. Existing policy conflict detection and resolution technologies do not consider implicit policy conflicts. To address this, this paper treats implicit policy conflict detection and resolution as analogous to the problem of obtaining the reachability matrix from the adjacency matrix, using the mature mathematical theory of directed graphs. Finally, the computational complexity and capability of the algorithms are analyzed.

The above work provides technical support for access control administration in multi-level & inter-domain environments and also provides a useful reference for the security construction of classified information systems.
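
The reduction in item 4, from implicit conflict detection to computing reachability from an adjacency matrix of information flows, can be sketched as follows. This is an added example, not the thesis's algorithm: the node names, the sample policies and the working definitions (explicit = a denied flow that is directly permitted, implicit = a denied flow reachable only through a chain of permitted flows) are assumptions made for illustration.

```python
# Added illustration; names, sample data and conflict definitions are assumptions.

def reachability(nodes, flows):
    """Warshall closure: reach[i][j] is True when some path i -> j exists."""
    idx = {name: i for i, name in enumerate(nodes)}
    n = len(nodes)
    reach = [[False] * n for _ in range(n)]
    for src, dst in flows:              # adjacency matrix of direct flows
        reach[idx[src]][idx[dst]] = True
    for k in range(n):                  # allow node k as an intermediate hop
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    reach[i][j] = reach[i][j] or reach[k][j]
    return idx, reach


def find_conflicts(nodes, permitted, denied):
    """Split denied flows into explicit (directly permitted) and
    implicit (reachable only through a chain of permitted flows)."""
    idx, reach = reachability(nodes, permitted)
    direct = set(permitted)
    explicit, implicit = [], []
    for src, dst in denied:
        if (src, dst) in direct:
            explicit.append((src, dst))
        elif reach[idx[src]][idx[dst]]:
            implicit.append((src, dst))
    return explicit, implicit


# Constructed sample: two domains, A and B, joined through gateways.
NODES = ["A.high", "A.gateway", "B.gateway", "B.low"]
PERMITTED = [
    ("A.high", "A.gateway"),     # domain A local policy
    ("A.gateway", "B.gateway"),  # inter-domain mapping
    ("B.gateway", "B.low"),      # domain B local policy
]
DENIED = [
    ("A.high", "B.low"),         # no direct permit, but a 3-hop path exists
    ("A.gateway", "B.gateway"),  # permitted and denied at once
    ("B.low", "A.high"),         # unreachable, so no conflict
]

if __name__ == "__main__":
    explicit, implicit = find_conflicts(NODES, PERMITTED, DENIED)
    print("explicit:", explicit)
    print("implicit:", implicit)
```

The implicit conflict is invisible to any single domain's administrator, because each permitted flow is acceptable on its own; it only appears once the closure is taken over the combined policy set.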
Keywords/Search Tags: Multi-level and Inter-domain, Access Control Administration, Policy Conflict, Conflict Detection, Conflict Resolution