Research On Key Technologies Of Attribute-Based Access Control In Big Data Environment

Posted on: 2021-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: W C Wu
GTID: 2428330623482240
Subject: Computer Science and Technology

Abstract/Summary:
Ensuring that data is safely shared is a prerequisite for the wide application of big data. Attribute-based access control (ABAC) uses the attributes of entities and of the environment to make permission judgements, which lets it handle access control in a big data environment with a mass of entities and complex access control requirements. In a big data environment, however, attribute data is collected from many points of varying reputation and the attribute-privilege relation is highly complex. This makes it difficult to construct the attribute set and the authorization policy set used for permission judgement, and difficult to verify and update the authorization policy. To solve the key problems of attribute preprocessing, policy mining and policy refining in big data access control, the following work was accomplished:

1. An access control framework for big data based on ABAC was proposed. Because a big data environment has a mass of entities and complex access control requirements, the attribute-based access control model was chosen to support access control with varying granularity and strong dynamics. To address the problems of constructing the permission-judgement attribute set, constructing the authorization policy set, and verifying and refining the authorization policy, three extensions were added to the basic ABAC model: an attribute optimizing module, a policy mining module and a policy refining module. The tasks and functions of the modules in the framework were then explained, and the business processes of the framework were introduced.

2. A permission-clustering-based attribute value optimization method was proposed. Because attribute data in big data is collected from many points of varying reputation, the quality of the attributes is insufficient. To address this, the entities were clustered according to their associated permission information, providing a high-quality division of entities for attribute value reduction and correction based on rough set theory. Redundant attribute values with the same distribution were then merged, based on the distribution of the values with respect to the entity clustering result. The support of the attribute set for the entity clustering tag, as defined in rough set theory, was taken as the evaluation criterion for verifying whether a value whose occurrence frequency was lower than the average occurrence frequency of the values of the attribute could be modified to another value, completing the correction of attribute values. Finally, the method was verified on a public UCI dataset, showing that the algorithm improved the result of policy mining.

3. A log-based rich-semantic ABAC policy mining method was proposed. The large number of entities and the complex permission relation make it difficult to construct the policy set in a big data environment, so a log-based policy mining method was proposed. Each log entry was extended with the attribute constraints satisfied by the entities in that entry, and the set of candidate authorization rules was constructed by using a frequent item set mining algorithm to mine attribute constraints that frequently occurred together. The rule subset with high accuracy and low risk of over-authorization was then selected based on the accuracy quality metric. Next, it was filtered based on the semantic quality metric to obtain a rule subset with high semantic quality. Finally, the minimum rule set equivalent to the filtered rule subset was selected using a greedy method. The algorithm was verified on a public dataset and a handwritten dataset. The results showed that the proposed algorithm made a great improvement on evaluation criteria such as f1-score compared with the existing methods. The semantic improvement of the mining strategy was verified on the handwritten dataset.

4. An ABAC policy refining method based on incremental learning was proposed. The complex permission relation and variable access requirements in a big data environment make it difficult to verify and update the policy set, so the behavior details of each access were added to the log. The behavior details of the log entries corresponding to an authorization rule were input to an enhanced self-organizing incremental neural network to learn the behavior classes under that authorization rule. The log was then divided according to the learned behavior classes, and an association rule mining algorithm was used to mine the sub-rules of the original rule under each behavior class. The scopes of the behavior details covered by the sub-rules were then counted and added to the sub-rules as constraints on behavior details. In this way, the permissions specified by an authorization rule were further refined and would be constantly modified as access requirements changed, reducing the risk of over-authorization of the system and internal security threats.
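
A simplified sketch of the log-based mining pipeline in item 3, added here as an illustration and not the thesis's own algorithm or code: log entries are extended into attribute constraints, frequent constraint sets become candidate rules, a precision filter rejects over-authorizing rules, and a greedy pass picks a small covering rule set. The log format (including logged denials), the thresholds, the brute-force itemset enumeration and the precision metric are assumptions; the semantic quality filter is omitted because the abstract does not define it.

```python
from itertools import combinations

# Constructed sample log (user attrs, resource attrs, action, decision); not thesis data.
LOG = [
    ({"role": "doctor", "dept": "cardio"}, {"type": "record", "dept": "cardio"}, "read", "permit"),
    ({"role": "doctor", "dept": "neuro"}, {"type": "record", "dept": "neuro"}, "read", "permit"),
    ({"role": "doctor", "dept": "cardio"}, {"type": "record", "dept": "neuro"}, "read", "deny"),
    ({"role": "nurse", "dept": "cardio"}, {"type": "record", "dept": "cardio"}, "read", "deny"),
    ({"role": "admin", "dept": "it"}, {"type": "config", "dept": "it"}, "write", "permit"),
    ({"role": "admin", "dept": "it"}, {"type": "config", "dept": "cardio"}, "write", "permit"),
    ({"role": "nurse", "dept": "cardio"}, {"type": "config", "dept": "it"}, "write", "deny"),
]

def constraints(user, res, action):
    """Extend one log entry into the set of attribute constraints it satisfies."""
    items = {f"u.{k}={v}" for k, v in user.items()}
    items |= {f"r.{k}={v}" for k, v in res.items()}
    items.add(f"act={action}")
    # Relational constraint: user and resource agree on a shared attribute.
    items |= {f"u.{k}=r.{k}" for k in user.keys() & res.keys() if user[k] == res[k]}
    return frozenset(items)

def mine_policy(log, min_support=2, max_len=3, min_precision=1.0):
    entries = [(constraints(u, r, a), d == "permit") for u, r, a, d in log]
    # 1. Candidate rules: constraint sets that occur in permitted entries.
    candidates = set()
    for items, permitted in entries:
        if permitted:
            for n in range(1, max_len + 1):
                candidates.update(frozenset(c) for c in combinations(sorted(items), n))
    # 2. Accuracy filter: enough permitted support, and few denied entries matched
    #    (a rule that matches denied requests would over-authorize).
    scored = {}
    for rule in candidates:
        covered = [i for i, (items, _) in enumerate(entries) if rule <= items]
        hits = frozenset(i for i in covered if entries[i][1])
        if len(hits) >= min_support and len(hits) / len(covered) >= min_precision:
            scored[rule] = hits
    # 3. Greedy cover: most uncovered permits first, then the shortest rule;
    #    the final sorted() key only makes tie-breaking deterministic.
    policy, uncovered = [], set().union(*scored.values())
    while uncovered:
        best = max(scored, key=lambda r: (len(scored[r] & uncovered), -len(r), sorted(r)))
        policy.append(best)
        uncovered -= scored[best]
    return [sorted(rule) for rule in policy]

if __name__ == "__main__":
    for rule in mine_policy(LOG):
        print("PERMIT if", " AND ".join(rule))
```

Lowering `min_precision` lets the broad rule `u.dept=r.dept` into the policy even though it also matches a denied nurse request, which is the over-authorization risk the accuracy metric is meant to limit.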
Keywords/Search Tags:big data, access control, attribute preprocessing, ABAC policy mining, ABAC policy refining