Research On Anomaly Detection Method Of ABAC Security Policy

Posted on: 2022-01-17
Degree: Master
Type: Thesis
Country: China
Candidate: W X Pei
GTID: 2518306605467764
Subject: Computer Science and Technology

Abstract/Summary:
With the development of computer technology, "electronic, automated and distributed" technology has been continuously realized in all fields. It is very important to guarantee the security of information resources during this rapid technological development. Access control is one of the security functions of an information system. Attribute-based access control, with its advantages of flexible and fine-grained access, has been widely used in distributed systems with a large number of resources and users, such as the Industrial Internet of Things and industrial information integrated systems. Attribute-based security policies are highly flexible and expressive, but conflicts frequently occur in large-scale security policy sets in complex access control systems. Therefore, anomaly detection for attribute-based security policies has always been a research direction in the field of access control. Existing detection methods are mainly implemented by decision trees and sequential comparison. However, as access control systems grow more complex, the number of rules in security policy sets keeps increasing, so existing detection methods often need a lot of time to detect anomalies. At the same time, no relevant research has proposed a quantitative evaluation method for anomalies in the overall security policy set. Therefore, this thesis analyzes the characteristics of security policy sets and the substantive causes of anomalies, and focuses on efficiency and evaluation. The main research contents are as follows:

(1) An attribute-based security policy anomaly detection method based on rule classification is proposed for complex access control systems. First, by analyzing the subject, object, environment, operation and decision of security rules, it is concluded that an anomaly occurs in the access control system when the constraints in an access request fall within the intersection of the constraints of two security rules at the same time. Therefore, by supplementing the default attributes in the implicit rules, any two rules can share attributes. The system is then divided into different system states by the environment attributes, and the security policy set is divided into several security policy subsets, so as to reduce the time consumed by anomaly detection and improve detection efficiency. In the experiment, the practicability and advantages of the proposed method are demonstrated by comparison with existing static detection methods.

(2) A method to evaluate the whole security policy set is presented. Based on the substantive reason for the occurrence of anomalies in an access control system, the probability of a conflict anomaly between two security rules is calculated according to the proportion of the intersection of values in attributes. On this basis, the "average number of conflict rules" and the "average conflict probability" are defined, which provide a quantitative reference for anomaly detection work. Finally, a simulation experiment is designed by changing the complexity of security rules and the size of the security policy set. Experimental results show that the number of implicit conflicting rules far exceeds the number of explicit conflicting rules in the security policy set. In addition, increasing the complexity of rules significantly decreases the overall conflict level of the security policy set. Based on this, security administrators can make more robust and efficient security policies to improve the security and availability of the system.
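The detection idea in item (1), sketched as an added example that is not code from the thesis: omitted attributes are filled with their full domain, the policy set is split by environment value, and two rules are flagged when they decide differently and their constraints intersect on every attribute. The attribute names, domains, rule ids and the single environment attribute `shift` are all assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed attribute domains (assumption: finite, set-valued attributes).
DOMAINS = {
    "role": {"engineer", "operator", "auditor"},
    "resource": {"plc_config", "sensor_log"},
    "action": {"read", "write"},
    "shift": {"day", "night"},  # the environment attribute
}
ENV_ATTR = "shift"

# Constructed rules; an attribute a rule omits is treated as "any value".
RULES = [
    {"id": "r1", "decision": "permit", "role": {"engineer"},
     "resource": {"plc_config"}, "action": {"write"}, "shift": {"day"}},
    {"id": "r2", "decision": "deny",
     "resource": {"plc_config"}, "action": {"write"}},
    {"id": "r3", "decision": "deny", "role": {"operator"},
     "action": {"write"}, "shift": {"night"}},
    {"id": "r4", "decision": "permit", "role": {"operator", "auditor"},
     "resource": {"sensor_log"}, "action": {"read"}},
]

def complete(rule):
    """Fill omitted attributes with the full domain so any two rules share attributes."""
    full = dict(rule)
    for attr, domain in DOMAINS.items():
        full.setdefault(attr, set(domain))
    return full

def conflicts(a, b):
    """Different decisions and a non-empty intersection on every attribute."""
    return a["decision"] != b["decision"] and all(a[k] & b[k] for k in DOMAINS)

def partition_by_env(rules):
    """One policy subset per environment value (system state)."""
    return {v: [r for r in rules if v in r[ENV_ATTR]]
            for v in sorted(DOMAINS[ENV_ATTR])}

def detect(rules):
    """Compare rules only inside each subset; return {state: [(id, id), ...]}."""
    completed = [complete(r) for r in rules]
    return {state: [(a["id"], b["id"])
                    for a, b in combinations(subset, 2) if conflicts(a, b)]
            for state, subset in partition_by_env(completed).items()}

if __name__ == "__main__":
    # r1 and r2 overlap only once r2's omitted role and shift are filled in.
    print(detect(RULES))
```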
Keywords/Search Tags: Attribute-based Access Control Model, Access Control, Rule Classification, Anomaly Detection, Policy Set Evaluation