A novel conflict detection method for ABAC security policies
Journal of Industrial Information Integration (IF 10.4). Pub Date: 2021-01-20, DOI: 10.1016/j.jii.2021.100200
Gang Liu, Wenxian Pei, Yumin Tian, Chen Liu, Shancang Li

Attribute-based access control (ABAC) is widely used in systems with large numbers of resources and users, such as the Industrial Internet of Things (IIoT) and industrial information integration systems. Attribute-based security policies are highly flexible and expressive, but conflicts between policies occur frequently, affecting the security and availability of the system. Based on an analysis of ABAC security policies represented in the eXtensible Access Control Markup Language (XACML), this study proposes formal definitions of explicit conflicting rules, probable-conflicting rules, and never-conflicting rules. We also found that conflicts occur in a pair of rules whose attribute expressions have overlapping values and that are applied to the same request. A new conflict detection method is proposed in which implicit conflicting rules are converted to explicit conflicting rules by completing the absent attribute expressions, and all rules are then compared in pairs to detect every probable conflicting rule in a rule set. In this way, the conflicting probability of each pair of policy rules can be analyzed. Furthermore, we define two metrics to evaluate the conflict level of a rule set. Experimental results show that implicit conflicting rules are more numerous than explicit conflicting rules in the policy set. Also, as the number of attribute expressions in each rule increases, the conflict level of the rule set is significantly reduced, which provides a reference for policy making. With this method, administrators can formulate more robust and efficient security policies, improving the security and availability of systems.
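The detection idea in the abstract, as an added illustration that is not the paper's own code or data: rules are modelled as a decision plus per-attribute value sets, an absent attribute expression is completed with the full attribute domain (implicit to explicit), and every pair is then checked for overlapping values under opposite decisions. The attribute domains, the five rules and the explicit/probable/never labelling are constructed assumptions for the example; the paper's exact definitions and its two conflict-level metrics are not reproduced here, only a simple pair-ratio metric.

```python
from itertools import combinations

# Constructed attribute domains (assumption: finite, known value sets).
DOMAINS = {
    "role": {"operator", "engineer", "admin"},
    "resource": {"plc", "hmi", "historian"},
    "action": {"read", "write"},
}

# Constructed rule set. A missing attribute is an absent attribute
# expression: the rule places no constraint on it.
RULES = {
    "r1": {"effect": "permit", "role": {"operator"}, "resource": {"plc"}, "action": {"read"}},
    "r2": {"effect": "deny", "role": {"operator"}, "resource": {"plc"}, "action": {"read", "write"}},
    "r3": {"effect": "deny", "resource": {"hmi"}},
    "r4": {"effect": "permit", "role": {"engineer"}, "action": {"write"}},
    "r5": {"effect": "permit", "role": {"admin"}},
}

def complete(rule):
    """Fill absent attribute expressions with the full domain (implicit -> explicit)."""
    return {a: set(rule.get(a, DOMAINS[a])) for a in DOMAINS}

def matches(rule, request):
    """True if a concrete request satisfies every (completed) attribute expression."""
    return all(request[a] in vals for a, vals in complete(rule).items())

def classify(r_a, r_b):
    """Label a pair 'explicit', 'probable' or 'never' conflicting (assumed labelling)."""
    if r_a["effect"] == r_b["effect"]:
        return "never"  # same decision: no conflict possible
    ca, cb = complete(r_a), complete(r_b)
    if any(ca[a].isdisjoint(cb[a]) for a in DOMAINS):
        return "never"  # no request can match both rules
    absent = [a for a in DOMAINS if a not in r_a or a not in r_b]
    return "probable" if absent else "explicit"

def detect(rules):
    """Pairwise scan; returns {(id_a, id_b): label} for every conflicting pair."""
    out = {}
    for (ia, ra), (ib, rb) in combinations(sorted(rules.items()), 2):
        label = classify(ra, rb)
        if label != "never":
            out[(ia, ib)] = label
    return out

def conflict_level(rules):
    """Simple metric: fraction of rule pairs that are explicit or probable conflicts."""
    n = len(rules)
    pairs = n * (n - 1) // 2
    return len(detect(rules)) / pairs if pairs else 0.0
```

On this rule set the scan reports r1/r2 as an explicit conflict and r3/r4 and r3/r5 as probable conflicts that only become visible after completion, which is the effect the abstract describes.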




Updated: 2021-02-21