CN106067885A - An improved network access control method and device - Google Patents

An improved network access control method and device

Info

Publication number: CN106067885A
Application number: CN201610508925.6A
Authority: CN (China)
Prior art keywords: strategy, main body, user, relation, access control
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 马莉, 钟勇, 霍颖瑜
Current assignee: Foshan University
Original assignee: Foshan University
Application filed by Foshan University
Publication of CN106067885A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract

The invention discloses an improved network access control method and device. The method comprises: verifying one or more of the subject policy, the object policy and the content filtering policy of an access to the network, where the subject policy is determined by at least one of the subject's attributes, the subject authorization policy, the subject filtering policy and the conflict resolution policy; the object policy comprises at least one of the object attributes and the object authorization policy; and the content filtering policy comprises at least one of the subject filtering policy and the object filtering policy; and generating the access operation permission of the network access according to the verification result. The network access control method and device of the embodiments combine the relations between users, between users and objects and between objects with attribute-based access control, and so offer stronger flexibility and are more feasible to implement.

Description

An improved network access control method and device
Technical field
The present invention relates to the Internet field, and in particular to an improved network access control method and device.
Background technology
The high distribution, dynamism and fine granularity of authorization in social network access control require a social network access model with strong expressive power. Existing research applies conventional models, which are largely confined to static access control patterns and struggle to meet the expressiveness and dynamism that social network access control demands. The access control model proposed by Wilfred uses the trust level between users to decide whether a requester may access data, and its expressiveness is limited. The rule-based model proposed by Carminati et al. authorizes access according to the type, depth and trust level of the user relationship; authorizations are expressed as rules, but their expressiveness is still limited to these three kinds of relation between users, and the model is also inefficient and hard to enforce in social networks with large numbers of users. The access control model of Zhao et al. is built on a finer subdivision of user relationship types. The model of Simpson et al. adds user attributes to access control and uses the formal specification language Z to express authorizations, which extends the expressiveness considerably. All of the above models build access control on relations between users and do not take into account the effect on access control of relations between users and resources or between resources. The model of Mohaned et al. determines access authorization from the relations between users, between users and resources and between resources, and introduces regular expressions into the expression of permissions; this model has strong expressiveness, but its authorizations are still based on relationship types and do not consider the effect of user and resource attributes on access control, the model is fairly complex and not very feasible, and it also fails to build users, resources and their attributes into a unified formal social network model.
Given the massive volume of social network data and the unique architecture of social networks, the inventors found while implementing social network access control that existing access control models are hard to apply to social networks, mainly because:
1) The permission management mechanism of a social network is distributed, unlike traditional centralized access control models built around a reference monitor; the high distribution of social networks makes centralized access control models hard to enforce.
2) Social network data is diverse (pictures, videos and so on) and the requirements are complex, so access control needs sufficient expressiveness and flexibility.
3) The permission management of a social network should be autonomous: users manage their own private data and confidential information and set the corresponding access control policies.
4) A social network access control model should be dynamic, allowing access control policies to change in real time to match the highly dynamic nature of social networks.
5) Because of the volume and diversity of personal information in social networks, social network access control management should be fine-grained in order to meet the various needs of personal privacy protection.
Summary of the invention
The main object of the present invention is to provide an improved network access control method and device that solve the technical deficiency of existing network access control methods, namely their poor adaptability to social networks.
To solve the above technical problem, the technical solution adopted by the invention is:
An improved network access control method, where the network comprises subjects and objects, comprising:
verifying one or more of the subject policy, the object policy and the content filtering policy of an access to the network, where the subject policy is determined by at least one of the subject's attributes, the subject authorization policy, the subject filtering policy and the conflict resolution policy; the object policy comprises at least one of the object attributes and the object authorization policy; and the content filtering policy comprises at least one of the subject filtering policy and the object filtering policy;
generating the access operation permission of the network access according to the verification result.
Preferably, the subject comprises one or more of the system group, the users and the user groups of the network system.
Preferably, the users and user groups are members of the system group.
Preferably, the subject comprises a system and users; the subject policy of the system comprises system attributes and a system authorization policy; the subject policy of a user comprises user attributes, a user authorization policy and a user filtering policy.
Preferably, the object comprises spaces and content, and the content belongs to a space.
Preferably, a space may also contain subspaces, and content may be located in a subspace.
Preferably, the subject's attributes comprise subject relationship attributes, and the relationship attributes comprise relations between subjects and relations between subjects and objects.
Preferably, the relations between subjects and objects comprise one or more of the ownership relation, the tagging relation and the sharing relation.
To solve the above technical problem, another technical solution adopted by the invention is to provide an improved network access control device, where the network comprises subjects and objects, comprising:
a verification module, for verifying one or more of the subject policy, the object policy and the content filtering policy of an access to the network, where the subject policy is determined by at least one of the subject's attributes, the subject authorization policy, the subject filtering policy and the conflict resolution policy; the object policy comprises at least one of the object attributes and the object authorization policy; and the content filtering policy comprises at least one of the subject filtering policy and the object filtering policy;
a generation module, for generating the access operation permission of the network access according to the verification result.
Preferably, the subject comprises a system and users; the subject policy of the system comprises system attributes and a system authorization policy; the subject policy of a user comprises user attributes, a user authorization policy and a user filtering policy.
The beneficial effect of the invention is that the improved network access control method and device provided by the embodiments combine the relations between users, between users and objects and between objects with attribute-based access control, giving stronger flexibility and feasibility of implementation.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the improved network access control method of the invention;
Fig. 2 is a schematic diagram of the access control model in the improved network access control method of the invention;
Fig. 3 is a schematic diagram of the subject hierarchy in an embodiment of the improved network access control method of the invention;
Fig. 4 is a schematic diagram of the content hierarchy in an embodiment of the improved network access control method of the invention;
Fig. 5 is a schematic diagram of the space hierarchy in an embodiment of the improved network access control method of the invention;
Fig. 6 is a schematic diagram of the relations between subjects and objects in an embodiment of the improved network access control method of the invention;
Fig. 7 is a schematic diagram of social network relations in an embodiment of the improved network access control method of the invention;
Fig. 8 is a structural diagram of an embodiment of the improved network access control device of the invention.
Detailed description of the invention
Access control refers to the means by which a system restricts a user's ability to use data resources according to the user's identity and the predefined policy group the user belongs to. It is generally used by system administrators to control user access to network resources such as servers, directories and files. Access control is an important foundation of system confidentiality, integrity, availability and legitimate use, one of the key strategies of network security and resource protection, and is also the differentiated authorization of access by subjects to objects themselves or to their resources on the basis of some control policy or permission.
A social network comprises multiple subjects and multiple objects in the network. Network access control involves three elements: subjects, objects and control policies.
(1) Subject S (Subject): the entity that issues a concrete request to access a resource. It is the initiator of an operation, though not necessarily the executor of the action; it may be a user, or a process, service or device started by a user.
(2) Object O (Object): the entity that is the accessed resource. Any information, resource or object that can be operated on may be an object. An object may be an aggregate such as information, a file or a record, or a hardware facility or a terminal in wireless communication on the network, and may even contain another object.
(3) Control policy A (Attribution): the set of access rules relating subjects to objects, i.e. the attribute set. An access policy embodies an authorization behaviour and is also the object's default for certain operation behaviours of the subject.
As shown in Fig. 1, the flow chart of the improved network access control method of the invention, the embodiment of the network access control method comprises steps S10 and S12:
S10: verifying one or more of the subject policy, the object policy and the content filtering policy of an access to the network, where the subject policy is determined by at least one of the subject's attributes, the subject authorization policy, the subject filtering policy and the conflict resolution policy; the object policy comprises at least one of the object attributes and the object authorization policy; and the content filtering policy comprises at least one of the subject filtering policy and the object filtering policy;
S12: generating the access operation permission of the network access according to the verification result.
In this embodiment, the social network access control model RuleSN is configured around the subjects of network access control. The model consists of six parts: subjects, objects, relations, operations, attribute sets and authorization policy sets.
Both subjects and objects are hierarchical. There are two classes of relation: relations between users (such as friendship) and relations between subjects and objects (such as ownership, tagging and sharing). Attributes are the characteristics an entity has; subjects, objects and relation entities all have attributes, and the attributes of a single entity form its attribute set. An authorization policy is the access control policy by which a subject operates on an entity. It consists of a set of access control rules; the access control rule set of a single entity forms that entity's authorization policy set, which comprises an authorization rule set and a filtering rule set.
Refer to Fig. 2, the schematic diagram of the access control model in the improved network access control method of the invention, which shows the main component structure of one embodiment of the RuleSN model. In the embodiments of this application, subjects, objects and relations are all called entities of the model. The subjects shown in Fig. 2 are the system (System), user A (UserA) and user B (UserB); the object is Object; the relations are relation U (Ru_u) and relation S (Rs_o). System is the subject system group, comprising the system attributes SYSattr, the system access control policy ACPSys and the system conflict resolution policy CRPSys. UserA and UserB are subject users, each comprising subject attributes Sattr, a subject access control policy ACPsub, a subject filtering policy FPsub and a subject conflict resolution policy CRPsub. Object is an object comprising object attributes Oattr and an object authorization policy Pobj. Relations Ru_u and Rs_o are respectively the relation between users and the relation between subject and object, each comprising relation attributes Rattr and a relation authorization policy Prel.
Refer to Fig. 3, the schematic diagram of the subject hierarchy in an embodiment of the improved network access control method of the invention. In the embodiment of Fig. 3 the subjects comprise users, user groups (a colleague group and a classmate group are shown) and the system group. A user may join a user group and become a member of it; thus user C and user D are members of the colleague group. In one embodiment of this model the social network itself is regarded as a system group, all users and user groups are by default members of the system group, and there is no containment relation between user groups.
Refer to Fig. 4, the schematic diagram of the content hierarchy in an embodiment of the improved network access control method of the invention. Objects comprise content and spaces. Content is an independently existing object: links, articles, blogs, comments, annotations and all kinds of pictures, videos and audio are content objects. In the embodiment of Fig. 4, content forms the content hierarchy of Fig. 4 through subordination relations: a comment on article A is directly subordinate to article A, and a reply to that comment is directly subordinate to the comment.
Refer to Fig. 5, the schematic diagram of the space structure in an embodiment of the improved network access control method of the invention. Spaces hold content; the content in a space is owned by that space, and all content must belong to some space. A space may contain subspaces. Since all content is stored in spaces, connecting the top element of a content hierarchy to the space that stores it forms the object hierarchy.
Refer to Fig. 6, the schematic diagram of the relations between subjects and objects in an embodiment of the improved network access control method of the invention. Relations are divided into two classes: relations between users, such as friendship; and relations between subjects and objects, such as ownership, tagging and sharing.
The model specifies authorizations and verification policy sets and proposes the RuleSN authorization model, which differs from existing network access control models in that:
(1) it combines the relations between users, between users and resources and between resources with attribute-based access control; no existing model has all of these features.
(2) it can use a logic authorization language based on Datalog rules, which fully expresses the relations between users, between users and resources and between resources, as well as the attributes of users and resources, and so has strong flexibility and feasibility of implementation.
Through the above embodiments, the relations between users, between users and resources and between resources, and the attributes of users and resources, can be fully expressed, giving strong authorization expressiveness and flexibility.
The RuleSN model involved in some embodiments of this application is described in detail below.
In some embodiments, a hierarchy (Hierarchy) of the social network control model RuleSN is a four-tuple (Mi, Ma, M, ≤), where:
(1) Mi, Ma and M are pairwise disjoint sets;
(2) ≤ is a partial order on the set Mi ∪ Ma ∪ M; every m ∈ Mi is minimal in Mi ∪ Ma ∪ M, i.e. m ∈ Mi if and only if the hierarchy contains no element smaller than m, and every m ∈ Ma is maximal in Mi ∪ Ma ∪ M, i.e. m ∈ Ma if and only if the hierarchy contains no element larger than m.
In some embodiments, the subject hierarchy UGH of the social network control model RuleSN is the hierarchy four-tuple (U, Gsys, Guser, ≤UG), where U is the set of user identifiers, Gsys the set of system group identifiers, Guser the set of user group identifiers and ≤UG a partial order, such that:
(1) for any u ∈ U, g ∈ Guser: u ≤UG g if and only if user u is a member of user group g;
(2) for any v ∈ U ∪ Guser, sys ∈ Gsys: v ≤UG sys.
In some embodiments, the object hierarchy CSH of the social network control model RuleSN is the hierarchy (C ∪ SP, ≤CS), where C is the content set, SP the space set and ≤CS a partial order, such that:
(1) for any sp ∈ SP, sp' ∈ SP: sp ≤CS sp' if and only if sp is a subspace of sp';
(2) for any c ∈ C, c' ∈ C: c ≤CS c' if and only if c is directly subordinate content of c';
(3) for any c ∈ C, sp ∈ SP: c ≤CS sp if and only if content c is stored in space sp and c is the top element of its content hierarchy.
In some embodiments, the relation graph R_Graph of the social network control model RuleSN is a four-tuple (V, E, Σ, R), where:
(1) V = S ∪ O is the finite set of vertices of the relation graph, S and O being the subject set and the object set respectively;
(2) Σ = Σu_u ∪ Σs_o = {t1, t2, t3, ..., tn} is the set of relation types in the relation graph, each ti ∈ Σ (1 ≤ i ≤ n) being a relation type. Relation types fall into two classes, U_U and S_O: U_U are the relation types between users and S_O the relation types between subjects and objects, where
U_U relations: U × Σu_u × U;
S_O relations: S × Σs_o × O.
(3) E = Eu_u ∪ Es_o is the edge set of the relation graph, Eu_u being the user-to-user edges and Es_o the subject-to-object edges;
(4) R is the set of relation entities: for any edge e = (s, v, t) in the relation graph, with e ∈ E, s ∈ S, v ∈ S ∪ O and t ∈ Σ, there is a unique r ∈ R whose start point is s, whose end point is v and whose type is t, i.e. start(r) = s ∧ end(r) = v ∧ type(r) = t.
As in Definition 5 below, functions are used here to denote the current value of a single attribute of an entity; type(r) = t means that the current value of the type attribute of relation entity r is t. Moreover, since an edge determines a unique relation entity, the relation entity corresponding to edge (s, v, t) is also written r(s, v, t).
In some embodiments, the authorization attribute set of the social network control model RuleSN is defined as follows. Let EN and EV denote the predefined attribute name set and the value range set of entity E respectively; an attribute is a pair (EN, EV). The set of current attribute values of entity E is called the authorization attribute set of the entity and is written ΔE.
For convenience, this application may also write the current value of a single attribute as a function, for example:
age(u) = 19;
date(sys) = "01-23-2014";
type(r) = "friend".
In some embodiments, the social network system SNS of the social network control model RuleSN is the six-tuple (UGH, CSH, R_Graph, P, Δ, Pol), where:
(1) UGH = (U, Gsys, Guser, ≤UG) is the subject hierarchy;
(2) CSH = (C ∪ SP, ≤CS) is the object hierarchy;
(3) R_Graph is the relation graph, i.e. the set of relations between users and between subjects and objects;
(4) P is the set of operations of subjects on entities;
(5) Δ is the entity authorization attribute set;
(6) Pol is the entity authorization policy set.
In some embodiments, an authorization in the social network control model RuleSN is a triple (u, e, (sign)p), where u ∈ U, e ∈ S ∪ O ∪ R, sign ∈ {+, -} and p ∈ P. For example, the triple (u, o, +p) allows user u to perform operation p on object o; (u, r, +create) allows user u to create relation r; (u, g, -create) forbids user u to create group g.
In some embodiments, permission verification in the social network control model RuleSN is defined as follows: if the authorization triple (u, e, (sign)p) can be derived from the authorization attribute set Δ and the authorization policy set pol of subject s, the triple is said to pass the permission verification of subject s, written:
Δ, pol ⊨ (u, e, (sign)p)
In some embodiments, a verification path in the social network control model RuleSN is defined as follows: for an entity sequence Seq = <e1, e2, ..., en> (n ≥ 1), u ∈ U, sign ∈ {+, -} and p ∈ P, if for every ei ∈ Seq (1 ≤ i ≤ n) we have Δi, poli ⊨ (u, ei, (sign)p), then the authorization triple (u, e1, (sign)p) is said to be verified by the entity sequence Seq; the sequence is called a verification path of e1, written:
Seq ~> (u, e1, (sign)p)
For an entity e and a verification path Seq of it: if Seq = <e> contains only the entity itself, it is a single verification path and the verification is called single permission verification. If e is an object, csh is the object hierarchy containing e and Seq is the directed path from the root node of csh to e, then the path is called the full verification path of object e on the object hierarchy csh and the verification is called full permission verification. For brevity, the symbol ↑ denotes the direct superior of object e; for example the path <e1, ↑> verifies e1 and its direct superior.
In some embodiments, a verification conflict in the social network control model RuleSN is defined as follows: for an entity e and two of its verification paths Seq1 and Seq2, if Seq1 ~> (u, e, +p) and Seq2 ~> (u, e, -p), then the verification paths Seq1 and Seq2 are said to have a verification conflict for the authorization (u, e, p).
Similarly to traditional conflict resolution mechanisms [17], verification conflicts can be resolved by strategies such as denial takes precedence or permission takes precedence.
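The definitions of verification path, single versus full permission verification and verification conflict above can be exercised on a small object hierarchy. The following is an added example, not code from the patent or its authors. It assumes a constructed CSH (a root space with two albums and a photo in one album) and, for each entity, a policy function that returns the set of signs ("+" and/or "-") derivable for (user, operation) from that entity's own attribute set and rules, i.e. the judgement Δi, poli ⊨ (u, ei, (sign)p) for that entity. Two further assumptions that the text leaves open: an authorization that no path verifies is denied (closed world), and a conflict is resolved by a named strategy.

```python
"""Single vs. full permission verification and conflict resolution (added example)."""
from typing import Callable, Dict, List, Optional, Set

# Constructed CSH as child -> direct superior (the ↑ of the text); None marks the root.
PARENT: Dict[str, Optional[str]] = {
    "tom_space": None,
    "work_album": "tom_space",
    "family_album": "tom_space",
    "photo1": "family_album",
}
# Constructed subject attributes: Tom's friends, Tom's blacklist, system-group members.
FRIENDS_OF_TOM: Set[str] = {"alice", "bob", "carol"}
TOM_BLACKLIST: Set[str] = {"bob"}
SYSTEM_GROUP: Set[str] = {"alice", "bob", "eve"}     # carol is not a member

Policy = Callable[[str, str], Set[str]]   # (user, op) -> derivable signs for that entity


def album_policy(user: str, op: str) -> Set[str]:
    """Albums and photos: Tom's friends may read; blacklisted users are denied."""
    signs: Set[str] = set()
    if op == "read" and user in FRIENDS_OF_TOM:
        signs.add("+")
    if user in TOM_BLACKLIST:
        signs.add("-")
    return signs


def space_policy(user: str, op: str) -> Set[str]:
    """The root space: only system-group members may read; the blacklist still denies."""
    signs: Set[str] = set()
    if op == "read" and user in SYSTEM_GROUP:
        signs.add("+")
    if user in TOM_BLACKLIST:
        signs.add("-")
    return signs


POLICIES: Dict[str, Policy] = {
    "tom_space": space_policy,
    "work_album": album_policy,
    "family_album": album_policy,
    "photo1": album_policy,
}


def single_path(entity: str) -> List[str]:
    """Seq = <e>: the entity alone (single permission verification)."""
    return [entity]


def full_path(entity: str) -> List[str]:
    """Seq = <e, ↑, ↑↑, ...>: the entity and every superior up to the CSH root
    (full permission verification; the order of the path does not matter)."""
    seq: List[str] = []
    cur: Optional[str] = entity
    while cur is not None:
        seq.append(cur)
        cur = PARENT[cur]
    return seq


def path_verifies(seq: List[str], user: str, sign: str, op: str) -> bool:
    """Seq ~> (u, e1, (sign)p): every entity on the path derives that sign."""
    return all(sign in POLICIES[e](user, op) for e in seq)


def has_conflict(paths: List[List[str]], user: str, op: str) -> bool:
    """Seq1 ~> (u, e, +p) and Seq2 ~> (u, e, -p) for some paths (possibly the same one)."""
    return (any(path_verifies(s, user, "+", op) for s in paths)
            and any(path_verifies(s, user, "-", op) for s in paths))


def decide(paths: List[List[str]], user: str, op: str,
           strategy: str = "deny-precedence") -> str:
    """Return "+" or "-" for (u, e1, p) over the given verification paths,
    applying the conflict resolution strategy when both signs are verified."""
    permits = any(path_verifies(s, user, "+", op) for s in paths)
    denies = any(path_verifies(s, user, "-", op) for s in paths)
    if permits and denies:
        return "-" if strategy == "deny-precedence" else "+"
    return "+" if permits else "-"     # nothing derivable: deny (assumption)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "eve"):
        print(u, "single:", decide([single_path("photo1")], u, "read"),
              "full:", decide([full_path("photo1")], u, "read"))
```

Carol shows why the full path matters: the photo alone permits her as a friend, but the root space derives nothing for a non-member, so full permission verification yields no permission. Bob is a friend and blacklisted, so both signs are verified on every path and the outcome is decided entirely by the strategy.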
In some embodiments, the authorization rule language of the social network access control model RuleSN is based on Datalog logic programs and uses some features of constraint logic programs (CLP). The structure of RuleSN authorization rules is as follows:
(1) Domains
Subject set S, user set U, user group set G, system group SYS, S = U ∪ G ∪ SYS;
Object set O, content set C, space set SP, O = C ∪ SP;
Relation set R, user relation set RU, subject-object relation set RO, R = RU ∪ RO;
Entity set E = S ∪ O ∪ R, entity attribute set ATTR;
Operation set P, authorization type set SIGN = {+, -};
Integer set Z, natural number set N.
(2) Predicate types
Predicates comprise the extensional predicate set and the intensional predicate set.
1) Extensional predicates, written Pext, are predicates over entity attributes. An attribute predicate has the form attr(e, v), where attr is the attribute name, e an entity and v the attribute value; within an entity's own policy the attribute value may also be written attr(v). For example the attribute predicate age(u, 20), or age(20) inside the policy of u, states that the age of user u is 20.
2) Intensional predicates, written Pint, mainly comprise the following classes:
- Authorization predicates and derived authorization predicates, written Pauth. The authorization operation predicates are:
A. subject verification predicate AuthS
B. object verification predicate AuthO
C. object path verification predicate RoadAuthO
D. authorization predicate Auth
E. information filtering predicate Filter
F. entity operation predicate Do
- Combined predicates: intermediate predicates used to combine rules and attributes. For example:
relation(u1, u2, "friend") ← type(r, "friend"), start(r, u1), end(r, u2)   (1)
relation(u1, u2, "friend") ← relation(u1, u3, "friend"), relation(u3, u2, "friend")   (2)
Rule (1) states that if there is a relation entity r of type friend with start point u1 and end point u2, then u1 and u2 are friends. Rule (2) states that if u1 and u3 are friends and u3 and u2 are friends, then u1 and u2 are also friends.
(3) Atomic formulas and literals
1) An individual constant is a term.
2) An individual variable is a term.
Let p(x1, ..., xn) be any predicate symbol, with x1, ..., xn terms from the corresponding domains; p(x1, ..., xn) is called an atomic formula (atom for short), and p(x1, ..., xn) or its negation is called a literal.
(4) Authorization rules and authorization policies
An authorization rule is a Datalog rule of the form P ← L1, ..., Ln,
where P is an intensional predicate atom and L1, ..., Ln are arbitrary literals.
An entity authorization policy is Pol = EDB ∪ IDB, where the extensional database EDB consists of the basic facts expressing entity attributes and state, and IDB is the authorization rule set.
Authorization rules are required to be safe. Safety means that every variable occurring in the rule body must also occur in some non-negated subgoal predicate; its purpose is to prevent unrestricted variables from producing rules or fact sets that are not controlled by the input database. Authorization rules therefore require that for any variable ranging over an unrestricted domain, the rule body contains a non-negated atom Li containing that variable, while every other variable takes its values from a discrete finite set bounded by its domain.
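A policy engine that accepts user-written rules has to enforce the safety condition before evaluating anything, otherwise a negated or comparison literal over an unbound variable ranges over the whole domain. The following is an added example, not code from the patent: a checker for the safety condition stated above, applied to Alice's AuthS rule from this description and to a constructed unsafe variant. It assumes a simple encoding of rules as tuples and the convention that variable names start with an uppercase letter and everything else is a constant.

```python
"""Safety check for Datalog authorization rules of the form P <- L1, ..., Ln (added example)."""
from typing import List, Set, Tuple

# A literal is ("pos", predicate, args), ("neg", predicate, args) or ("cmp", operator, args).
Literal = Tuple[str, str, Tuple[str, ...]]
Atom = Tuple[str, Tuple[str, ...]]
Rule = Tuple[Atom, List[Literal]]


def is_var(term: str) -> bool:
    """Convention assumed here: variables start with an uppercase letter."""
    return term[:1].isupper()


def unsafe_variables(rule: Rule) -> Set[str]:
    """Variables that occur in the head, in a negated literal or in a comparison
    without also occurring in a non-negated predicate atom of the body."""
    head, body = rule
    bound: Set[str] = set()
    for kind, _, args in body:
        if kind == "pos":
            bound |= {a for a in args if is_var(a)}
    used: Set[str] = {a for a in head[1] if is_var(a)}
    for kind, _, args in body:
        if kind in ("neg", "cmp"):
            used |= {a for a in args if is_var(a)}
    return used - bound


def is_safe(rule: Rule) -> bool:
    return not unsafe_variables(rule)


# Alice's AuthS rule from the text: every variable is bound by a positive atom.
ALICE_RULE: Rule = (
    ("AuthS", ("U", "O", "+read")),
    [("pos", "own", ("alice", "O")),
     ("pos", "relation", ("U", "alice", "friend")),
     ("pos", "depth", ("U", "alice", "friend", "M")), ("cmp", "<=", ("M", "2")),
     ("pos", "trust", ("U", "alice", "friend", "N")), ("cmp", ">=", ("N", "0.5")),
     ("pos", "age", ("U", "K")), ("cmp", ">=", ("K", "20"))],
)

# Constructed unsafe variant: O occurs only in the head and in a negated atom,
# so the rule would grant read on every object not explicitly blacklisted.
UNSAFE_RULE: Rule = (
    ("AuthS", ("U", "O", "+read")),
    [("pos", "age", ("U", "K")), ("cmp", ">=", ("K", "20")),
     ("neg", "blacklisted", ("U", "O"))],
)

if __name__ == "__main__":
    print("alice rule safe:", is_safe(ALICE_RULE))
    print("unsafe variables:", unsafe_variables(UNSAFE_RULE))
```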
In some embodiments, the subject verification rules (AuthS rules) of the RuleSN authorization method are as follows.
An AuthS rule is a rule of the form: AuthS(s, e, <sign>p) ← L1, ..., Ln
where s ∈ S, e ∈ S ∪ O ∪ R, sign ∈ SIGN, p ∈ P, and each Li (1 ≤ i ≤ n) is a literal expressing attributes or state of the subject side.
For example, the following rule states that a visitor of an object owned by Alice must be a friend or a friend of a friend of Alice, must be at least 20 years old, and the trust of the friendship must be at least 0.5:
AuthS(u, o, +read) ← own("Alice", o), relation(u, "Alice", "friend"), depth(u, "Alice", "friend", m), m ≤ 2, trust(u, "Alice", "friend", n), n ≥ 0.5, age(u, k), k ≥ 20
where own, relation, depth and trust are all combined predicates. The following rule states that if s owns object o1, then s owns every object below o1 in the object hierarchy:
own(s, o) ← own(s, o1), in(o, o1, CSH)
In some embodiments, (AuthO advises the object proof rule of social networks Controlling model RuleSN authorization method Then)
AuthO rule be the rule of following form: AuthO (s, o,<sign>p) ← L1,…,Ln
Wherein s ∈ S, o ∈ O, sign ∈ SIGN, p ∈ P, Li(1≤i≤n) is any literary composition representing Subjective and Objective both sides' attribute Word.
In some embodiments, the object path verification rule (RoadAuthO rule) of the RuleSN authorization method of the social network access control model is defined as follows.
For a verification path Seq = <e1, e2, …, en> (n ≥ 1) starting at entity e1, RoadAuthO is a rule of the form:
RoadAuthO(s, e1, <sign>p) ← AuthO(s, e1, <sign>p), RoadAuthO(s, e2, <sign>p), …, RoadAuthO(s, en, <sign>p), where s ∈ S, ei ∈ E, sign ∈ SIGN, p ∈ P. That is, the object e1 passes path verification only if its own AuthO rule holds and every entity further along the path passes as well.
In some embodiments, the subject authorization rule (Auth rule) of the RuleSN authorization method of the social network access control model is defined as follows.
An Auth rule is a rule of the form:
Auth(s, o, <sign>p) ← AuthS(s, o, <sign>p), RoadAuthO(s, o, <sign>p), Over(s, o, <sign>p)
where s ∈ S, o ∈ O, sign ∈ SIGN, p ∈ P. The subject authorization rule states that a subject obtains an authorization after passing subject verification and object path verification, with any conflicting decisions settled according to the conflict resolution strategy (Over).
In some embodiments, the information filtering rule (Filter rule) of the RuleSN authorization method of the social network access control model is defined as follows.
A Filter rule is a rule of the form: Filter(o1, o2, <sign>p) ← L1, …, Ln, where o1 ∈ O, o2 ∈ O, sign ∈ SIGN, p ∈ P, and each Li (1 ≤ i ≤ n) is any literal representing an attribute or state of a subject.
A filtering rule is set by a subject for itself, or for other subjects that stand in a certain relation to it. For example, the following filtering rule filters out the content owned by subjects in the blacklist blist. Because the Do rule below requires Filter to hold before an operation proceeds, Filter holding means that the content passes the filter, so the membership test is negated:
Filter(o, o, <sign>p) ← own(s, o), blacklist(blist), s ∉ blist
In some embodiments, the entity operation rule (Do rule) of the RuleSN authorization method of the social network access control model is defined as follows.
A Do rule is a rule of the form:
Do(o1, o2, <sign>p) ← Auth(Self, o2, <sign>p), filter(o2, o1, <sign>p), L1, …, Ln, where the constant Self ∈ S denotes the subject that owns the rule (the requester), o1 ∈ O, o2 ∈ O, sign ∈ SIGN, p ∈ P.
The flow of an embodiment of the improved network access control method of the present invention is introduced below with reference to Fig. 7, which is a schematic diagram of the social network relations in an embodiment of the network access control method. In the embodiment shown in Fig. 7, the subjects are the system, Terry, Tom and Alice. Terry and Tom are in a guardianship relation, and Tom and Alice are friends. Tom has a user space; the user space stores a work album and a family album, and the family album contains photo 1.
First, the network access control model is configured.
1. System authorization policy
1) System attributes
{date ≡ 2014/7/4; time ≡ 8:00:25; version ≡ 2.0.1}
2) System authorization policy
(1) A user u who has been registered for more than one year, has created fewer than 2 groups and has a user level higher than 2 may create a group:
AuthS(u, g, +creatgroup) ← regdays(u, d), d ≥ 365, userlevel(u, l), l ≥ 2, groupnum(u, n), n < 2
(2) The number of members of any group may not exceed 200:
AuthS(u, g, +adduser) ← num(g, n), n < 200
(3) Only users who are friends of each other may send files to each other:
AuthS(u1, u2, +sendfile) ← relation(u1, u2, "friend"), relation(u2, u1, "friend")
AuthS(u2, u1, +sendfile) ← AuthS(u1, u2, +sendfile)
(4) The system conflict resolution strategy is deny-takes-precedence:
Oversys(s, e, -p) ← AuthO(s, e, +p), AuthO(s, e, -p)
2. Subject authorization policy of Terry
1) Terry's attributes
{name ≡ "Terry"; age ≡ 12; regdays ≡ 150; userlevel ≡ 2; classtime ≡ ([1/1/00, 1/1/08], week + {2, …, 6}.day + {9, 15}.hour 4.hour) [19]; whitelist ≡ {"Terry", "Alice"}}
2) Terry's subject authorization policy
Only friends may access Terry's space:
AuthS(u, o, +read) ← own(Self, o), relation(Self, u, "friend")
where the constant Self refers to the subject that owns and sets the rule.
3) Filtering policy
Only content of users in the whitelist may be accessed, and no content may be accessed during class time. Since Filter holding is what lets the Do rule proceed, the rule requires the owner to be in the whitelist and the current time to lie outside the class period:
Filter(o, o, +read) ← own(s, o), whitelist(Self, list), s ∈ list, time(t), classtime(ct), t ∉ ct
3. Subject authorization policy of Tom
1) Tom's attributes
{name ≡ "Tom"; age ≡ 25; regdays ≡ 700; userlevel ≡ 4}
2) Tom's subject authorization policy
(1) Only users with trust not lower than 0.5 who are friends, friends of friends, or colleagues may access Tom's space:
AuthS(u, o, +read) ← own(Self, o), relation(Self, u, "friend"), depth(Self, u, "friend", m), m ≤ 2, trust(Self, u, "friend", n), n ≥ 0.5
AuthS(u, o, +read) ← own(Self, o), relation(Self, u, "colleague"), trust(Self, u, "friend", n), n ≥ 0.5
(2) Tom's subject conflict resolution strategy is permit-takes-precedence, and when the subject and system resolution strategies disagree, the subject strategy takes precedence:
Oversub(s, e, +p) ← AuthO(s, e, +p), AuthO(s, e, -p)
Over(s, e, -p) ← Oversys(s, e, +p), Oversub(s, e, -p)
Over(s, e, +p) ← Oversys(s, e, -p), Oversub(s, e, +p)
4. Subject authorization policy of Alice
1) Alice's attributes
{name ≡ "Alice"; age ≡ 35; regdays ≡ 350; userlevel ≡ 3; blacklist ≡ {"Irene", "Jenny"}}
2) Alice's subject authorization policy
Friends may access Alice's space:
AuthS(u, o, +read) ← own(Self, o), relation(Self, u, "friend")
3) Filtering policy
Filter out the content of users in the blacklist (Filter holds, and the content passes, only when the owner is not blacklisted):
Filter(o, o, +read) ← own(s, o), blacklist(Self, list), s ∉ list
5. Object authorization policy of Tom
1) Family album authorization policy
Only Tom's friends may access Tom's family album; verification path <family album, ↑>:
AuthO(u, family album, +read) ← own(Self, family album), relation(Self, u, "friend")
RoadAuthO(u, family album, +read) ← AuthO(u, family album, +read), RoadAuthO(u, e2, <sign>p)
where e2 is the next entity on the upward path, here the user space.
2) Work album authorization policy
Only Tom's colleagues may access Tom's work album; verification path <work album, ↑>:
AuthO(u, work album, +read) ← own(Self, work album), relation(Self, u, "colleague")
RoadAuthO(u, work album, +read) ← AuthO(u, work album, +read), RoadAuthO(u, e2, <sign>p)
3) Photo 1 authorization policy
Only users older than 18 may access photo 1; verification path <photo 1, ↑>:
AuthO(u, photo 1, +read) ← own(Self, photo 1), relation(Self, u, "friend"), age(u, n), n ≥ 18
RoadAuthO(u, photo 1, +read) ← AuthO(u, photo 1, +read), RoadAuthO(u, family album, +read)
(photo 1 lies in the family album, so its upward path continues with the family album rule).
4) Entity operation policy
Do(o1, o2, <sign>p) ← Auth(Self, o2, <sign>p), filter(o2, o1, <sign>p)
6. Authorization policy of the relation RTom-Alice between Tom and Alice
1) Attributes
{start ≡ Tom; end ≡ Alice; type ≡ friend; trust ≡ 0.7}
2) Relation authorization policy Prel
The following policy allows the other end of the relation, namely Alice, to change the relation's attributes (here self denotes the relation itself):
AuthS(s, self, +changeattr) ← end(self, s)
7. Authorization policy of the relation RTom-Terry between Tom and Terry
1) Attributes
{start ≡ Tom; end ≡ Terry; type ≡ guardian; trust ≡ 1}
2) Relation authorization policy Prel
The following policy forbids the ward in a guardianship relation from modifying the relation's attributes:
AuthS(s, self, -changeattr) ← end(self, s)
Next, taking Alice's access to Tom's photo 1 as an example, the network access authorization process is described as follows:
(1) Subject verification by Tom
According to the system authorization policy and Tom's subject authorization policy, Tom allows friends and friends of friends with trust not lower than 0.5 to access his space. Alice is a friend of Tom with trust 0.7 and satisfies this rule, and there is no conflict between the system and subject policies, so Alice passes Tom's subject verification, i.e. AuthS(Alice, photo 1, +read) holds.
(2) Object verification by Tom
Step 1: the photo 1 authorization policy requires a user older than 18 to access photo 1. Alice passes this check, and verification continues one level up along the verification path <photo 1, ↑>.
Step 2: the family album authorization policy requires a friend of Tom to access Tom's family album. Alice passes this check, and verification continues one level up along the verification path <family album, ↑>.
Step 3: the user space has no authorization policy, so Alice passes this check.
Alice thus passes Tom's object verification, i.e. AuthO(Alice, photo 1, +read) holds, and with it RoadAuthO(Alice, photo 1, +read).
(3) Information filtering
The filtering policy set by Alice filters out content of users in her blacklist. Tom is not in Alice's blacklist, so filter(photo 1, photo 1, +read) holds.
(4) Final authorization (entity operation)
According to Tom's entity operation policy, do(photo 1, photo 1, +read) finally holds, i.e. Alice obtains the right to perform the read operation on photo 1.
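The rule chain defined above (AuthS, AuthO along the verification path, the Over conflict resolution, Filter and Do) evaluated on the Fig. 7 scenario, as an added example that is not code from the patent. The policies are written as Python predicates rather than Datalog rules; the facts are a constructed encoding of the scenario. Assumptions beyond the page: trust along a friend-of-friend chain is the product of the edge trusts (the page defines trust only for direct relations); objects without an AuthO rule pass the object check, as the user space does in step 3 above; Filter holding means the content passes, as in the worked example; and a subject Irene with a post `irene_post` and an "anyone may read" policy is added so that Alice's blacklist filter can be seen denying an otherwise authorized read.

```python
"""Evaluation of the RuleSN chain AuthS -> RoadAuthO -> Over -> Filter -> Do on
the Fig. 7 scenario (Tom, Alice, Terry).  Added example, not code from the
patent: policies are Python predicates rather than Datalog rules, and the facts
are a constructed encoding of the scenario (Irene and her post are added to
show the blacklist filter denying an otherwise authorized read)."""

AGE = {"Tom": 25, "Alice": 35, "Terry": 12, "Irene": 30}
# relation(start, end, type) -> trust; the Tom-Alice friendship is symmetric
RELATION = {("Tom", "Alice", "friend"): 0.7, ("Alice", "Tom", "friend"): 0.7,
            ("Tom", "Terry", "guardian"): 1.0}
# containment hierarchy CSH: object -> parent (the user space is the root)
PARENT = {"work_album": "tom_space", "family_album": "tom_space",
          "photo1": "family_album"}
OWNER = {"tom_space": "Tom", "irene_post": "Irene"}   # directly owned objects
BLACKLIST = {"Alice": {"Irene", "Jenny"}}


def owner_of(o):
    """Owner reached by walking up the CSH from o."""
    while o is not None and o not in OWNER:
        o = PARENT.get(o)
    return OWNER.get(o)


def own(s, o):
    """own(s, o) <- own(s, o1), in(o, o1, CSH): ownership is inherited downwards."""
    return owner_of(o) == s


def friend_path(a, b, limit=2):
    """(depth, trust) of the shortest friend chain from a to b within `limit`
    hops, or None.  Chain trust = product of edge trusts (assumption: the page
    defines trust only for direct relations)."""
    frontier, seen = {a: 1.0}, {a}
    for depth in range(1, limit + 1):
        nxt = {}
        for (s, e, t), tr in RELATION.items():
            if t == "friend" and s in frontier and e not in seen:
                nxt[e] = max(nxt.get(e, 0.0), frontier[s] * tr)
        if b in nxt:
            return depth, nxt[b]
        frontier, seen = nxt, seen | set(nxt)
    return None


def auth_s_tom(u, o):
    """Tom's AuthS: friends up to depth 2, or colleagues, with trust >= 0.5."""
    if not own("Tom", o):
        return False
    path = friend_path("Tom", u)
    colleague = RELATION.get(("Tom", u, "colleague"), 0.0)
    return (path is not None and path[1] >= 0.5) or colleague >= 0.5


def auth_s_irene(u, o):
    """Constructed AuthS for Irene: anyone may read what she owns."""
    return own("Irene", o)


SUBJECT_POLICY = {"Tom": auth_s_tom, "Irene": auth_s_irene}

# AuthO rules per object as (sign, predicate over the requester); objects
# without rules (tom_space, irene_post) pass the object check
OBJECT_POLICY = {
    "family_album": [("+", lambda u: ("Tom", u, "friend") in RELATION)],
    "work_album": [("+", lambda u: ("Tom", u, "colleague") in RELATION)],
    "photo1": [("+", lambda u: ("Tom", u, "friend") in RELATION
                         and AGE.get(u, 0) >= 18)],
}


def deny_overrides(signs):      # Oversys: deny takes precedence
    return "-" if "-" in signs else "+"


def permit_overrides(signs):    # Tom's Oversub: permit takes precedence
    return "+" if "+" in signs else "-"


SUBJECT_RESOLUTION = {"Tom": permit_overrides}


def over(signs, owner):
    """Final sign for the set of derived AuthO signs.  Per the Over rules the
    subject's resolution wins when it disagrees with the system's; an owner
    without a strategy of their own falls back to the system's."""
    if not signs:
        return "-"
    if signs == {"+", "-"}:
        return SUBJECT_RESOLUTION.get(owner, deny_overrides)(signs)
    return next(iter(signs))


def road_auth_o(u, o):
    """RoadAuthO over <o, ↑>: every object from o up to the CSH root must
    yield +read after conflict resolution."""
    owner = owner_of(o)
    while o is not None:
        rules = OBJECT_POLICY.get(o)
        if rules is not None:
            signs = {sign for sign, pred in rules if pred(u)}
            if over(signs, owner) != "+":
                return False
        o = PARENT.get(o)
    return True


def filter_ok(requester, o):
    """Filter(o, o, +read) for the requester: owner of o not on the blacklist."""
    return owner_of(o) not in BLACKLIST.get(requester, set())


def explain(requester, o):
    """Step-by-step result of the chain for one read request."""
    steps = {"AuthS": SUBJECT_POLICY[owner_of(o)](requester, o),
             "RoadAuthO": road_auth_o(requester, o),
             "Filter": filter_ok(requester, o)}
    steps["Auth"] = steps["AuthS"] and steps["RoadAuthO"]   # Auth rule
    steps["Do"] = steps["Auth"] and steps["Filter"]          # Do rule
    return steps
```

`explain("Alice", "photo1")` reproduces the four steps above with every entry True. `explain("Terry", "photo1")` fails already at AuthS (a ward, not a friend) and again at the photo 1 and family album rules, and `explain("Alice", "irene_post")` is authorized by Irene's policy but stops at Alice's own Filter, which is the case the blacklist rule exists for.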
As the above embodiment shows, the RuleSN model is a social network access control model based on a logic authorization language. It can fully express the relations between users, between users and resources, and between resources, as well as the attributes of users and resources, and therefore has strong expressiveness and flexibility for authorization.
Reference is now made to Fig. 8, a schematic structural diagram of an embodiment of the improved network access control device of the present invention. In the embodiment shown in Fig. 8, the network comprises subjects and objects, and the network access control device further comprises:
a verification module, for verifying one or more of the subject policy, the object policy and the content filtering policy of an access to the network, wherein the subject policy comprises at least one or more of the attributes of the subject, a subject authorization policy, a subject filtering policy and a conflict resolution policy; the object policy comprises at least one or more of an object attribute and an object authorization policy; and the content filtering policy comprises at least one or more of a subject filtering policy and an object filtering policy;
a generation module, for generating, according to the verification result, the access operation right of the network access.
In some embodiments, the subject comprises a system and users; the subject policy of the system comprises system attributes and a system authorization policy, and the subject policy of a user comprises user attributes, a user authorization policy and a user filtering policy. This embodiment may be combined with any embodiment of the network access control method of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in actual implementation, so that several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, or in whole or in part, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (a personal computer, a server, a network device or the like) or a processor to perform all or some of the steps of the method described in each embodiment of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a portable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is only an embodiment of the present invention and does not limit its scope of patent protection; any equivalent structure or equivalent process transformation made using the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. An improved network access control method, the network comprising subjects and objects, characterised in that the method comprises:
verifying one or more of a subject policy, an object policy and a content filtering policy of an access to the network, wherein the subject policy comprises at least one or more of an attribute of the subject, a subject authorization policy, a subject filtering policy and a conflict resolution policy; the object policy comprises at least one or more of an object attribute and an object authorization policy; and the content filtering policy comprises at least one or more of a subject filtering policy and an object filtering policy; and
generating, according to the verification result, an access operation right of the network access.
2. The improved network access control method of claim 1, characterised in that the subject comprises one or more of a system group, a user and a user group of the network system.
3. The network access control method of claim 2, characterised in that the user and the user group are members of the system group.
4. The improved network access control method of claim 3, characterised in that the subject comprises a system and a user; the subject policy of the system comprises a system attribute and a system authorization policy; and the subject policy of the user comprises a user attribute, a user authorization policy and a user filtering policy.
5. The improved network access control method of claim 1, characterised in that the object comprises a number of spaces and contents, the contents belonging to the spaces.
6. The improved network access control method of claim 4, characterised in that the space further comprises a number of subspaces, the content being located in the subspaces.
7. The improved network access control method of claim 1, characterised in that the attribute of the subject comprises a subject relation attribute, the relation attribute comprising relations between subjects and relations between subjects and objects.
8. The improved network access control method of claim 7, characterised in that the relation between a subject and an object comprises one of an ownership relation, a tagging relation and a sharing relation.
9. An improved network access control device, the network comprising subjects and objects, characterised in that the device comprises:
a verification module, for verifying one or more of a subject policy, an object policy and a content filtering policy of an access to the network, wherein the subject policy comprises at least one or more of an attribute of the subject, a subject authorization policy, a subject filtering policy and a conflict resolution policy; the object policy comprises at least one or more of an object attribute and an object authorization policy; and the content filtering policy comprises at least one or more of a subject filtering policy and an object filtering policy; and
a generation module, for generating, according to the verification result, an access operation right of the network access.
10. The improved network access control device of claim 9, characterised in that the subject comprises a system and a user; the subject policy of the system comprises a system attribute and a system authorization policy; and the subject policy of the user comprises a user attribute, a user authorization policy and a user filtering policy.
CN201610508925.6A, priority date 2016-01-22, filing date 2016-06-29: An improved network access control method and device, CN106067885A (en), pending.

Applications claiming priority (2): CN2016100464382 (priority 2016-01-22); CN201610046438 (priority 2016-01-22)

Publications (1): CN106067885A, published 2016-11-02

Family ID: 57420641

Family applications (1): CN201610508925.6A, priority date 2016-01-22, filing date 2016-06-29, pending: An improved network access control method and device (CN106067885A)

Country status (1): CN, CN106067885A (en)

Citations (4) (* cited by examiner, † cited by third party)
CN103312722A *, priority 2013-07-04, published 2013-09-18, 河北科技大学: Control design method for fine-grained mandatory access
CN103905468A *, priority 2014-04-23, published 2014-07-02, 西安电子科技大学: XACML frame extension system and method for network access control system
CN104683362A *, priority 2015-03-27, published 2015-06-03, 合肥工业大学: Access control system and access control method of fine-grained privacy security
CN104683348A *, priority 2015-03-13, published 2015-06-03, 河南理工大学: Access control strategy composition method based on attribute

Non-patent citations (2) (* cited by examiner, † cited by third party)
Li Ma et al.: "RuleSN: Research and Application of Social Network Access Control Model", 2016 IEEE International Conference on Intelligent Data and Security *
Huo Yingyu et al.: "A multi-party authorization model for social networks" (面向社交网络的多方授权模型), Computer Science (计算机科学) *

Cited by (4) (* cited by examiner, † cited by third party)
CN109815654A *, priority 2019-01-23, published 2019-05-28, 山东浪潮通软信息科技有限公司: A data access control method and device
CN109815654B *, priority 2019-01-23, published 2023-04-07, 浪潮通用软件有限公司: Data access control method and device
CN117834298A *, priority 2024-03-04, published 2024-04-05, 北京中关村实验室: Method and device for judging route source information conflict based on partial order relation
CN117834298B *, priority 2024-03-04, published 2024-04-30, 北京中关村实验室: Method and device for judging route source information conflict based on partial order relation

Legal events
C06 / PB01: Publication (application publication date 2016-11-02)
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
RJ01: Rejection of invention patent application after publication