
Research On Multi-domain Multilevel Security Access Control Policy Management

Posted on: 2016-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: S J Liu
GTID: 2308330461457488
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the development of network technology and society, cooperation among high-security fields such as banking, the military, medicine and government has steadily strengthened. In a multi-domain network, the coexistence of a variety of access control models, the surging number of access control policies and the complexity of the protected objects significantly increase the difficulty of access control management. How to carry out unified, global management of high-level security access control in a multi-domain environment, so that information systems can interoperate securely, has become an important research topic.

The core of access control management is access control policy management. This paper presents a policy management framework for multi-domain multilevel security access control, based on the multi-domain multilevel security access control model. To ensure that access control is enforced correctly, the framework adds detection of policy incompleteness, which makes up for a shortcoming of existing policy consistency detection. The XACML policy description language is used to describe the policies, and the paper gives policy templates for the different policies in the system.

The paper proposes a new method for policy consistency detection based on a unified directed acyclic graph (U-DAG). The method detects policy conflicts and policy incompleteness while the U-DAG model is being built. The paper studies how to build a U-DAG model and gives detailed algorithms for it, such as an equivalent vertex determination algorithm, a child vertex determination algorithm, a policy incompleteness detection algorithm and a loop conflict detection algorithm. Once the U-DAG has been built correctly, level information is added to the entities of the system according to the U-DAG hierarchy. The paper also proves the existence of the U-DAG.

Finally, the paper designs an access control policy management simulation system that implements policy editing, policy import and policy consistency detection. The system is tested with examples, and the test results verify that the algorithms proposed above are correct. A comparison of the U-DAG model with other DAG-based policy conflict detection methods shows the advantages of the U-DAG model.
Keywords/Search Tags:multi-domain multilevel security, policy management, policy consistency, conflicts detection, U-DAG