A Privacy-aware Access Control Policy Composition Research In Cloud Computing Environment

Posted on: 2017-06-25
Degree: Master
Type: Thesis
Country: China
Candidate: J Hu
Full Text: PDF
GTID: 2348330503492888
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of cloud computing and professional IT services, individual cloud services cannot meet users' diversified needs, so cloud service composition has received wide attention. Composing independent cloud services requires coordinating their access control policies; otherwise, conflicts among the access control policies of different cloud service providers can allow unauthorized access to the composite cloud service, causing serious data security and privacy issues. Composing consistent access control policies has therefore become an important prerequisite for successful cloud service composition. However, current research on access control policy composition mostly focuses on formalization and conflict detection in pervasive computing environments. Existing policy composition techniques are difficult to migrate directly to the cloud computing environment, because the cloud computing environment has cloud service modes and diversified multi-tenant privacy protection requirements. Several key problems need to be solved: inconsistent policy description, lack of consideration of privacy protection, and the low efficiency of policy conflict detection and resolution.

In this paper, by analyzing the features of cloud service composition and the requirements of policy composition, we propose a novel access control policy composition framework (Packet), which focuses on heterogeneous policy unification, policy similarity analysis, and policy conflict detection and resolution. The main results are as follows:

1. We propose a unified description method for heterogeneous policies that carry privacy protection attributes. First, we establish a privacy-protecting access control policy model that supports explicitly expressing privacy-aware attributes such as access purposes. Second, we design a heterogeneous policy unification algorithm that transforms heterogeneous policies into a unified attribute-based description. Finally, an example analysis demonstrates that the method can improve the accuracy of heterogeneous policy unification.

2. We propose a policy similarity analysis method based on attribute semantic analysis. First, we classify all attributes in access control policies with consistent resource attributes according to their semantics. Second, based on the classification result, we use different methods to calculate the similarity of all attributes. Then, using ratio analysis techniques, we calculate the weights of the different attributes. Third, we obtain the policy similarity by the weighted average principle, combining the weights and similarities of all kinds of attributes. Finally, an experimental comparison with the classic similarity analysis algorithm shows that the method is more precise and its analysis results are more effective.

3. We propose a policy conflict detection and resolution method that supports the hierarchical composition of cloud services. First, we establish a cloud service hierarchy structure and give different conflict detection and resolution rules based on resource attributes. Second, drawing on depth search techniques, we give a conflict detection and resolution algorithm for policies with consistent resource attributes. Then, using set operations, we give a conflict detection and resolution algorithm for policies with inconsistent resource attributes, which composes consistent policies for the hierarchical structure of cloud service composition. Finally, compared with the existing classical ACPCDM conflict detection algorithm, the method has better conflict detection capability.

4. We implement the Packet prototype. First, we give the design idea, system structure and execution process of the Packet prototype, based on all of the above research and the XACML framework. Second, we simulate the cloud service composition scenario on the OpenStack cloud platform and deploy the Packet prototype. Finally, the experimental results show that Packet performs better than the composition method in the XACML framework.
Keywords/Search Tags: cloud service, access control, privacy, policy composition