Research On Fusion And Optimization Of Access Control Policies In Distributed Environments

Posted on: 2017-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: X Yan
GTID: 2308330488994690
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of the Internet, distributed systems have become widely used. They have brought major changes to the way information is stored, transmitted, published and acquired, but also new threats such as loss of data integrity and unauthorized access. Access control is a core technology of information security, and distributed access control is essentially control over the acquisition of distributed resources. However, the access control policies of different distributed systems differ in their security models, policy description languages, logical expressions, data storage structures and so on. Combining these heterogeneous policies may lead to many types of security violation and expose the system to serious security risks. Traditional access control research analyzes safety at the level of the security model, which cannot fundamentally guarantee the security of the system. This paper focuses on the access control requirements of distributed systems and studies the integration and optimization of access control policies in distributed systems, a key issue in protecting the confidentiality and integrity of information in such systems. The main research work consists of the following three parts:

(1) During cross-domain interoperation, role mapping lacks flexibility and continuity when specifying access control policies, and it cannot meet the need for dynamic, continuous conversion. Starting from the perspective of attributes and attribute classification, we propose a dynamic attribute mapping mechanism that quickly creates flexible attribute policies. By building connections that increase the variability of subject attributes and target attributes, we dynamically map the attributes of an external request to local attributes and authorize users based on the local attributes.

(2) During cross-domain interoperation, access control policies from different autonomous domains may conflict with each other. When static separation of duty policies and availability policies hold at the same time, their mutually exclusive safety and availability requirements may lead to inconsistency conflicts among access control policies. We provide an optimized conflict resolution method: ① reducing the number of policies that need to be considered by static pruning; ② computing the minimum set covering the conflicts in order to reduce the size of the problem to be solved; ③ measuring the loss of security and availability caused by deleting each separation of duty policy and each availability policy, and evaluating the priority of the various conflict resolution schemes; ④ proposing a priority-based algorithm to maximize the consistency of the sub-group, and demonstrating the performance of the proposed algorithm by experiments.

(3) We optimize cross-domain user authorization within RBAC sessions in a distributed environment. When a user requests a set of permissions in the system, we need to find a suitable set of roles whose permissions satisfy the requested permission set. The paper proposes a comprehensive definition of the user authorization query (UAQ) problem by integrating the different constraints used to classify UAQ problems. For the different sub-scenarios of UAQ, we conduct experiments with genetic algorithm optimization and compare the DFS algorithm with the optimized algorithm to demonstrate the performance of the proposed algorithm.
Keywords/Search Tags:distributed environments, access control, attribute mapping, policy conflicts, authorization query
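
The user authorization query described in part (3), sketched as an exact depth-first search. This is an added example, not the thesis's own algorithm or its genetic optimization. It assumes one particular UAQ objective (cover the requested permissions with the fewest extra permissions, then the fewest roles) and one constraint type (role pairs that may not be active together); the role names, permissions and exclusion pair are constructed sample data.

```python
# Added illustration: exact DFS baseline for a user authorization query (UAQ).
# Role names, permissions and the exclusion pair are constructed sample data.
from itertools import combinations

ROLES = {
    "clerk":    {"read_order", "create_order"},
    "approver": {"read_order", "approve_order"},
    "auditor":  {"read_order", "read_log"},
    "admin":    {"read_order", "create_order", "approve_order", "read_log"},
}
# Assumed constraint: these role pairs may not be active in the same session.
EXCLUSIVE = {frozenset({"clerk", "approver"})}


def violates(active):
    """True if the candidate session activates a mutually exclusive pair."""
    return any(frozenset(p) in EXCLUSIVE for p in combinations(sorted(active), 2))


def uaq_dfs(requested, roles=ROLES):
    """Return (role_set, extra_perms) covering `requested` with the fewest
    extra permissions, ties broken by fewest roles; None if unsatisfiable."""
    names = sorted(roles)
    best = None  # (key, active roles, extra permissions)

    def dfs(i, active):
        nonlocal best
        granted = set().union(*(roles[r] for r in active))
        key = (len(granted - requested), len(active))
        if best is not None and key >= best[0]:
            return  # extras and role count only grow as roles are added
        if requested <= granted:
            best = (key, active, granted - requested)
            return  # any superset of this session is strictly worse
        for j in range(i, len(names)):
            cand = active | {names[j]}
            if not violates(cand):
                dfs(j + 1, cand)

    dfs(0, frozenset())
    return None if best is None else (set(best[1]), best[2])
```

The search is exponential in the number of roles in the worst case, which is why exact DFS serves as the comparison baseline for heuristic approaches on larger role sets.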