
Research On Risk-based Access Control Framework And Correlation Technologies

Posted on: 2014-11-29 | Degree: Master | Type: Thesis
Country: China | Candidate: W C Jie | Full Text: PDF
GTID: 2268330401976783 | Subject: Military communications science
Abstract/Summary:

Access control is one of the supporting technologies of information security. Traditional access control makes decisions based on predefined static policies, so it cannot adapt to dynamic environments with a high demand for information sharing. To address this, researchers have made the risk factors implied in access control policy logic explicit, integrated them into the decision-making mechanism, and proposed risk-based access control. In recent years a great deal of research has been done and some results have been obtained. However, some problems remain. For example, separating operational need from security risk, so that it supports the access control decision-making mechanism together with security risk, is a current research hotspot and can provide further flexibility and adaptability for risk-based access control. But the existing risk-based access control framework cannot support implementing this mechanism while maintaining security.

To address this problem, this paper explores the correlation theory and technology in access control. The main achievements are as follows:

1. The risk-based access control framework is improved. In existing risk-based access control frameworks, information aggregation is not considered in the security risk assessment phase, and specific support for operational need assessment is missing in the decision-making phase. To solve these problems, this paper extends XACML appropriately, with reference to the existing framework. Information aggregation is added to the process of security risk assessment. Access purpose is introduced into the attributes of subject and object, to support solving the problems in information aggregation and to support operational need assessment.

2. An information aggregation judgment method based on access purpose is proposed. Existing research on information aggregation does not consider nesting of aggregation relations, and the aggregation of objects that are relevant but have no intersection is not fully studied. To solve these problems, this paper supports finding nested aggregation relations based on the hierarchy of access purpose, and proposes concepts such as the relevant object domain and the intersection object domain to combine these two types of objects based on access purpose. On this basis, an information aggregation judgment algorithm based on access purpose is proposed. The algorithm computes the relevant object domain's aggregation degree based on the inclusion-exclusion principle, compares it to a predefined aggregation threshold, and obtains a more accurate information value for the aggregated objects. This method can adapt to traditional access control. It can also be integrated into the framework proposed in this paper, which increases the accuracy of security risk assessment. According to the experiment, this method has a slight effect on the system processing performance.

3. An operational need quantification method based on access purpose and exponential smoothing is devised. First, because the existing method cannot adapt to multiple purpose-sets, this paper proposes the concept of a purpose forest, and on that basis proposes a static operational need quantification algorithm based on purpose forest traversal. Then, because the static operational need quantification result lacks flexibility and validity, a dynamic operational need quantification method based on exponential smoothing is proposed, which records access history and introduces exponential smoothing. Finally, by analyzing the relation between the two methods and combining them, an operational need quantification method based on access purpose and exponential smoothing is proposed. According to the experiments, this method has a slight effect on system processing performance and can provide a more accurate operational need value to further support the above risk-based access control decision-making.

The above work helps research on risk-based access control. In addition, it provides further support for the realization of secure and flexible risk-based access control.
Keywords/Search Tags: Risk-based Access Control, Operational Need, Access Purpose, Information Aggregation, Exponential Smoothing