The attribute-based access control (ABAC) model has received extensive attention in industry because it provides fine-grained access control and addresses the dynamic, large-scale growth of users in scenarios such as distributed system architectures and open, shared network environments. At the same time, when the ABAC model is applied in a complex information system, the subject and object attributes are numerous, the policy set is large, and conflicts between security policies may occur frequently. A conflict arises when an access request matches multiple policies that yield diametrically opposite authorization decisions. Policy conflicts can prevent the system from authorizing access requests correctly and threaten the security of the system. Therefore, conflict detection and resolution in ABAC policies has long been one of the hot issues in related research.

Based on this background, this paper analyzes and summarizes in depth the mechanism of ABAC policy conflict and the characteristics of related conflict detection and resolution methods. We find that existing static conflict detection and resolution methods can detect conflicting policies before the system runs and resolve the conflicts in time, which is a definite advantage, but the static methods also have a small detection range and overly simple resolution methods, so conflicting policies are not detected and resolved well. Therefore, further study of static conflict detection and resolution methods is necessary. This paper proposes a new static conflict detection and resolution method, designs experiments to verify its feasibility, and illustrates its advantages by comparing experimental data.

The core work of this paper includes the following. Firstly, we studied and analyzed the ABAC policy model and the policy conflict mechanism, which form the basis of the research work in this paper. At the same time, through analysis of existing conflict detection and resolution methods, their advantages and disadvantages are summarized, and we propose using static methods to detect and resolve policy conflicts.

Secondly, this paper proposes a probability-based static conflict detection algorithm. Addressing the shortcomings of existing static conflict detection methods, after analyzing the attributes of ABAC rules we point out that attributes missing from some rules are the reason why some conflicting rules cannot be detected statically. Therefore, this paper uses a rule attribute completion method to convert dynamic conflict rules into static conflict rules, so that the static conflict detection method can be applied to conflict rules of any form. This paper also treats a policy conflict as a random event and proposes the concept of conflict probability, based on the distribution of attribute values in the system, to quantify how easily two rules conflict. The new conflict detection algorithm statically detects all possibly conflicting rules and calculates their conflict probability. At the same time, this paper designs a static conflict resolution method based on the scope of the rules. The final decision for a conflict domain is determined by the scope of the conflicting rules, which solves the problem of decision tendency in traditional conflict resolution methods, and the attribute used to resolve the conflict domain is selected by calculating the conflict frequency of each attribute, so that the static resolution method applies well to a policy set containing a large number of rules. In addition, this paper uses a specific conflict probability as the threshold for conflict resolution and, during resolution, resolves only the conflicting rules whose conflict probability exceeds the threshold, which realizes flexible control over the degree of conflict resolution.

Finally, the proposed static conflict detection and resolution method is implemented in a simulation experiment. The feasibility of the method in an access control system with a large-scale policy set is verified experimentally. Analysis of the experimental data shows that the proposed method can statically detect all possibly conflicting rules in the policy set and perform conflict resolution. In addition, compared with the traditional static method, the method in this paper extends the scope of static conflict detection and realizes different degrees of conflict resolution.

In summary, this paper proposes a new static conflict detection and resolution method for conflicts in ABAC policies, which can effectively detect and resolve conflicting policies. Compared with the traditional static method, the static conflict detection and resolution method of this paper has great advantages.
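As an added illustration (not code from the thesis), the following Python sketch shows the detection idea described above: attributes missing from a rule are completed to the full attribute domain, two rules with opposite decisions are flagged when every completed attribute constraint overlaps, and a conflict probability is estimated from the attribute value distribution so that a threshold can limit which conflicts are resolved. The rule format, the assumption that request attributes are independent, and the sample domain and policy set are my own assumptions.

```python
# Added example, not the thesis's implementation. Assumptions: a rule is a
# dict of attribute -> allowed value set plus an effect; an attribute absent
# from a rule is completed to its full domain; request attribute values are
# independent, so P(match both rules) is a product over attributes.
from itertools import combinations

# Constructed sample domain: each attribute's value distribution.
DOMAIN = {
    "role": {"admin": 0.1, "staff": 0.6, "guest": 0.3},
    "resource": {"report": 0.5, "config": 0.2, "log": 0.3},
    "action": {"read": 0.7, "write": 0.3},
}

def complete(cond, domain):
    """Attribute completion: a missing attribute becomes its full domain."""
    return {a: set(cond.get(a, domain[a].keys())) for a in domain}

def conflict_probability(r1, r2, domain):
    """Probability that a random request matches both rules (0 = no conflict)."""
    c1, c2 = complete(r1["cond"], domain), complete(r2["cond"], domain)
    p = 1.0
    for attr, dist in domain.items():
        overlap = c1[attr] & c2[attr]
        if not overlap:          # disjoint constraint: rules can never both match
            return 0.0
        p *= sum(dist[v] for v in overlap)
    return p

def detect_conflicts(rules, domain, threshold=0.0):
    """Return (i, j, probability) for pairs with opposite effects whose
    completed conditions overlap, keeping only probability > threshold."""
    found = []
    for (i, r1), (j, r2) in combinations(enumerate(rules), 2):
        if r1["effect"] == r2["effect"]:
            continue             # same decision: no conflict possible
        p = conflict_probability(r1, r2, domain)
        if p > threshold:
            found.append((i, j, round(p, 4)))
    return found

# Constructed sample policy set; rule 1 omits role and action (dynamic conflict
# in the thesis's terms until completion makes it statically detectable).
RULES = [
    {"cond": {"role": {"staff", "admin"}, "action": {"read"}}, "effect": "permit"},
    {"cond": {"resource": {"config"}}, "effect": "deny"},
    {"cond": {"role": {"guest"}}, "effect": "deny"},
    {"cond": {"role": {"admin"}, "resource": {"config"}, "action": {"write"}}, "effect": "permit"},
]

if __name__ == "__main__":
    print(detect_conflicts(RULES, DOMAIN))            # all static conflicts
    print(detect_conflicts(RULES, DOMAIN, threshold=0.05))  # only the likely one
```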