CN107623684B - Method for controlling access of network service combination by using ABAC model - Google Patents


Info

Publication number
CN107623684B
Authority
CN (China)
Prior art keywords
attribute, network service, rule table, access rule, access
Legal status
Active
Application number
CN201710805909.8A
Other languages
Chinese (zh)
Other versions
CN107623684A (en)
Inventors
刘刚, 柳佳雨, 王义峰, 张润南, 纪少敏, 崔娟, 王荣
Current assignee
Xidian University
Original assignee
Xidian University
Priority date
2017-09-08
Filing date
2017-09-08
Publication date
2018-01-23 (CN107623684A), 2020-02-21 (CN107623684B)


Abstract

The invention discloses a method for controlling access to a network service combination using the attribute-based access control model ABAC, aiming at protecting sensitive information in the network service combination from being leaked and preventing illegal access in a time-saving and resource-saving manner. The method comprises the following specific steps: 1. extracting attribute constraints from the policy library to realize distributed storage of the attribute constraints; 2. an access control mechanism is proposed that computes subject attribute constraints and environment attribute constraints separately. The invention avoids the influence of irrelevant policies in the policy library on the search time in the access control process, solves the problem of resource waste in the network service combination calling process, and greatly reduces the average calling time of the network service combination.

Description

Method for controlling access of network service combination by using ABAC model
Technical Field
The invention belongs to the technical field of computers, and further relates to a method for controlling network service access by using an improved attribute-based access control model ABAC (Attribute-Based Access Control) in the technical field of computer network security. The invention can be used to control access to a network service and to a network service combination, so as to protect the sensitive information of the system and avoid illegal access to the network service combination.
Background
A network service encapsulates a set of interrelated operations that together complete certain functions and exposes an interface; a network service visitor accesses the service by calling that interface. In this manner, the web service provides services to the visitor. In a distributed environment with highly flexible, highly dynamic and cross-domain network services, sensitive information leakage and illegal access to resources are easily caused. The attribute-based access control model ABAC can control the access process of a network service: the access control policies stored in the policy library are evaluated using the attributes of the network service visitor, the network service attributes and the environment attributes, so that fine-grained authorization is realized and the leakage of sensitive information and the illegal access of resources are avoided. The existing methods for controlling the access process of a network service by using the attribute-based access control model ABAC are as follows:
E. Yuan and J. Tong, in their published paper "Attributed Based Access Control (ABAC) for Web Services" (IEEE International Conference on Web Services, 2005: 561-), describe the following method. The method comprises the following specific steps: firstly, the Simple Object Access Protocol (SOAP) client acquires the attributes of the web service visitor through the subject attribute authority, puts the acquired attribute information of the web service visitor into the SOAP message header, and sends a SOAP request message to the SOAP message processor. Secondly, after the SOAP message processor receives the SOAP request message, it forwards the message to the policy decision point PDP (Policy Decision Point); the PDP evaluates the policy rules using the acquired resource attributes, the environment attributes and the visitor attributes carried in the SOAP request message to obtain a decision result (permit or deny), and sends the decision result to the SOAP message processor. Thirdly, if the decision result is permit, the SOAP message processor transmits the original SOAP request to the network service endpoint, which provides the service to the network service visitor. Otherwise, the SOAP message processor denies the access request of the network service visitor. The method has the following defects: on one hand, the policy search time is increased because the policy library of the attribute-based access control model is huge; on the other hand, when accessing a combination of network services, the access procedures of the individual network services in the combination are independent of each other and each access procedure incurs a time delay, so when the method is used to control access to a combination of network services, resources and time are wasted.
H. Shen and F. Hong, in their paper "Shen H, Hong F. An Attribute-based Access Control Model for Web Services" (International Conference on Parallel and Distributed Computing, Applications and Technologies, IEEE, 2006: 74-79), proposed the WS-ABAC model, which protects the sensitive attribute information of users through an automatic trust negotiation mechanism. The method comprises the following specific steps: first, the web service visitor sends a SOAP request message to the WS-ABAC module. Secondly, after obtaining the request message of the network service visitor, WS-ABAC obtains the network service parameters, the environment attributes and the attributes of the network service visitor from the Resource Authorities, the Environment Authorities and the Attribute Authorities respectively, and then calculates the decision result according to the policy rules in the policy library. Thirdly, if the decision result is permit, the WS-ABAC module sends the SOAP request message to the corresponding web service. Otherwise, the WS-ABAC module denies the access request of the network service visitor. In this method, the attributes of the network service visitor are acquired directly by the context processor in WS-ABAC, so the forwarding of attribute information is omitted and the probability of attribute errors is reduced. The method has the following defects: on one hand, the context processor in WS-ABAC obtains only the network service parameters as object attributes of the ABAC model, and these object attributes are too few in kind to carry out fine-grained control of the access of network service visitors.
On the other hand, when accessing the combination of network services, the access procedures of the network services in the combination of network services are independent from each other and there is a time delay in the access procedure of the network service, so when the method is used to control the access of the combination of network services, resources and time are wasted.
In summary, in the prior art, the obtained attributes of the network service visitor, the attributes of the requested network service and the environment attributes are used to calculate a decision result according to the policy rules in the policy library, and the network service visitor is then authorized according to that decision result. At present, however, this approach is only applicable to the situation where a single network service provides the service to the network service visitor. In the network service request process, if no single network service meeting the user's requirement is found in the service discovery phase, the service composition phase is entered: a plurality of network services are automatically combined and together provide the service to the user. If the prior art is used to control access to the network service combination, then when one service in the combination refuses to serve the user because the subject attributes, object attributes or environment attributes do not satisfy its policy rules, the network services already invoked are wasted entirely. This results in a large waste of time and resources.
Disclosure of Invention
In view of the above deficiencies of the prior art, the present invention aims to provide a method for controlling access to a network service by using the attribute-based access control model ABAC, which protects sensitive information in the network service from being leaked and from being illegally accessed in a more time-saving and resource-saving manner.
The idea for realizing the purpose of the invention is to improve the attribute-based access control model ABAC by putting forward a new policy representation method and storing the access control policies in a distributed way, so as to save policy retrieval time. In addition, in order to reduce the waste of time and resources in the network service access process, a new policy decision mechanism is provided in which the access control decision for the network service is carried out in two steps.
The method comprises the following steps:
(1) obtaining an access rule table chain of a network service combination to be controlled:
(1a) extracting subject attribute constraints and environment attribute constraints in all network service attribute constraint definitions in a network service combination to be accessed from an attribute-based access control model ABAC policy library;
(1b) respectively storing the subject attribute constraint and the environment attribute constraint in an access rule table of each network service in the network service combination to be accessed;
(1c) putting the access rule tables of all the network services into an access rule table chain, wherein the access rule table chain represents a set of access rule tables corresponding to all the network services in the network service combination;
(2) selecting an access rule table:
selecting an access rule table from the access rule table chain according to the access rule table chain sequence;
(3) calculating the subject attribute constraint factor in the selected access rule table according to the following formula:
Figure GDA0002259625070000031
where C denotes the subject attribute constraint factor in the selected access rule table, the calculation result of the subject attribute constraint factor is 0 or 1, n denotes the total number of subject attribute constraints in the selected access rule table, ∪ denotes an OR operation, and S_j represents the jth subject attribute constraint in the selected access rule table;
(4) judging whether the main body attribute constraint factor in the selected access rule table is 0, if so, rejecting the access request of the network service visitor, and executing the step (13); otherwise, executing the step (5);
(5) acquiring an environment attribute constraint factor in the selected access rule table:
and combining the environment attribute constraints corresponding to the main attribute constraint factors of which each calculation result is 1 in the selected access rule table according to the following formula:
Figure GDA0002259625070000041
wherein G represents the environment attribute constraint factor of the access rule table, the calculation result of the environment attribute constraint factor is 0 or 1, m represents the total number of environment attribute constraints corresponding to subject attribute constraints whose value is 1 in the access rule table, and E_i represents the ith environment attribute constraint corresponding to a subject attribute constraint whose value is 1 in the access rule table;
(6) judging whether the selected access rule table is the last one in the access rule table chain, if so, executing the step (7); otherwise, executing the step (2);
(7) putting all the environment attribute constraint factors into an environment attribute constraint chain, wherein the environment attribute constraint chain represents a set of the environment attribute constraint factors of all the access rule tables;
(8) selecting a network service from the network service combination according to the network service arrangement sequence;
(9) extracting a constraint factor of the environment attribute corresponding to the selected network service from the set of environment attribute constraint factors;
(10) judging whether the environmental attribute constraint factor is 0, if so, rejecting the access request of the network service visitor, and executing the step (13); otherwise, executing step (11);
(11) accessing the selected network service;
(12) judging whether the selected network service is the last one in the network service combination, if so, executing the step (13); otherwise, executing step (8);
(13) the whole access process is ended.
Compared with the prior art, the invention has the following advantages:
Firstly, the invention uses the attribute-based access control model ABAC to control access to a network service combination. It overcomes the defect of the prior art that time and resources are easily wasted because the accesses to the individual network services in a combination are independent of one another and each incurs a delay; it is suitable for controlling the access process of a network service combination, solves the problem of resource waste in the network service combination environment, greatly reduces the average access time of the network service combination, and greatly improves performance.
Secondly, the invention stores the subject attribute constraints and the environment attribute constraints respectively in the access rule table of each network service in the network service combination to be accessed. This overcomes the defect of the prior art that policy search time is wasted because the policy library of the attribute-based access control model ABAC is huge; it realizes distributed storage of the access control policies, avoids the influence of irrelevant policies in the policy library on the policy search time during access control, and greatly reduces the effect of policy library growth on the policy search time.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention is further described below with reference to fig. 1.
Step 1, obtaining the access rule table chain of the network service combination to be accessed.
Extract the subject attribute constraints and environment attribute constraints in all network service attribute constraint definitions of the network service combination to be accessed from the attribute-based access control model ABAC policy library.
The attribute constraints are defined as follows:
D=<AT><OP><VALUE>
Figure GDA0002259625070000051
Figure GDA0002259625070000052
wherein D represents a constraint condition, < AT > represents an attribute type, < OP > represents one logical operator from the set {≤, ≥, =, <, >, ≠}, to which the user can add custom logical operators, < VALUE > represents an attribute value, F represents an attribute constraint subformula, x represents the total number of constraint conditions, D_p represents the pth constraint condition, ∩ denotes an AND operation, T represents the attribute constraint, the result of the attribute constraint being 0 or 1, y represents the total number of attribute constraint subformulas, and F_q represents the qth attribute constraint subformula.
If the attribute types in the attribute constraint are all subject attribute types, the attribute constraint is called a subject attribute constraint, and if the attribute types in the attribute constraint are all environment attribute types, the attribute constraint is called an environment attribute constraint.
Store the subject attribute constraints and the environment attribute constraints respectively in the access rule table of each network service in the network service combination to be accessed.
The access rule table is as follows:
No.   Subject attribute constraint   Environment attribute constraint
1     S_1                            E_1
2     S_2                            E_2
3     S_3                            E_3
……    ……                             ……
n     S_n                            E_n
S_1, S_2, S_3, ……, S_n in the table respectively represent the 1st, 2nd, 3rd, ……, nth subject attribute constraints in the access rule table, and E_1, E_2, E_3, ……, E_n respectively represent the 1st, 2nd, 3rd, ……, nth environment attribute constraints in the access rule table. Each row in the access rule table represents an access control policy. When both the subject attribute constraint and the environment attribute constraint are 1, the network service visitor can access the network service corresponding to the access rule table.
Putting the access rule tables of all the network services into an access rule table chain, wherein the access rule table chain represents a set of access rule tables corresponding to all the network services in the network service combination, and the access rule table chain is represented according to the following formula:
L = [A_1, A_2, ..., A_t]
wherein L represents the access rule table chain, and A_1, A_2, ..., A_t respectively represent the access rule tables corresponding to the 1st, 2nd, ……, tth network services in the network service combination.
Step 2, selecting an access rule table.
Select an access rule table from the access rule table chain according to the order of the access rule table chain.
Step 3, calculating the subject attribute constraint factor in the selected access rule table according to the following formula:
Figure GDA0002259625070000061
wherein C represents the subject attribute constraint factor in the selected access rule table, the calculation result of the subject attribute constraint factor is 0 or 1, n represents the total number of subject attribute constraints in the selected access rule table, and S_j represents the jth subject attribute constraint in the selected access rule table.
Step 4, judging whether the main body attribute constraint factor in the selected access rule table is 0, if so, rejecting the access request of the network service visitor, and executing step 13; otherwise, step 5 is executed.
Step 5, acquiring the environment attribute constraint factor in the selected access rule table.
Combine the environment attribute constraints corresponding to the subject attribute constraints whose value is 1 in the selected access rule table according to the following formula:
Figure GDA0002259625070000071
wherein G represents the environment attribute constraint factor of the access rule table, the calculation result of the environment attribute constraint factor is 0 or 1, m represents the total number of environment attribute constraints in the access rule table, and E_i represents the ith environment attribute constraint in the access rule table.
Step 6, judging whether the selected access rule table is the last one in the access rule table chain, if so, executing step 7; otherwise, step 2 is executed.
Step 7, putting all environment attribute constraint factors into an environment attribute constraint chain, wherein the environment attribute constraint chain represents the set of the environment attribute constraint factors of all access rule tables and is represented according to the following formula:
R = [G_1, G_2, ..., G_w]
wherein R represents the environment attribute constraint chain, and G_1, G_2, ..., G_w respectively represent the environment attribute constraint factors of the access rule tables corresponding to the 1st, 2nd, ……, wth network services in the network service combination.
Step 8, selecting a network service from the network service combination according to the arrangement order of the network services.
Step 9, extracting the environment attribute constraint factor corresponding to the selected network service from the set of environment attribute constraint factors.
Step 10, judging whether the environment attribute constraint factor is 0, if so, rejecting the access request of the network service visitor, and executing step 13; otherwise, step 11 is performed.
Step 11, accessing the selected network service.
Step 12, judging whether the selected network service is the last one in the network service combination, if so, executing step 13; otherwise, step 8 is performed.
Step 13, ending the whole access process.
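As an added worked example (not code from the patent or its authors), the Python below implements the attribute-constraint definition of step 1 and the two-phase decision procedure of steps 2 to 13 over a constructed two-service composition, so that a subject-constraint failure anywhere in the chain is detected before any service is invoked. The formulas themselves are only image placeholders on this page, so two combinations are assumptions: T is taken as the OR of its subformulas F_q (the page states only that F is the AND of its D_p), and G is taken as the OR of the E_i of the rows whose S_j is 1, matching the row semantics of the access rule table; the service names and attribute values are invented sample data.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# <OP> set of the constraint definition D = <AT><OP><VALUE>; custom
# operators can be added here, as the definition allows.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "!=": lambda a, b: a != b,
}

Constraint = Tuple[str, str, Any]  # D = (attribute type, operator, value)
SubFormula = List[Constraint]      # F = D_1 AND ... AND D_x (AND per the page)
AttrConstraint = List[SubFormula]  # T = F_1 OR ... OR F_y (OR is an assumption)


def eval_constraint(d: Constraint, attrs: Dict[str, Any]) -> int:
    """D is 1 only if the attribute is present and the comparison holds."""
    at, op, value = d
    if at not in attrs:
        return 0  # missing attribute fails closed
    return int(OPS[op](attrs[at], value))


def eval_attr_constraint(t: AttrConstraint, attrs: Dict[str, Any]) -> int:
    """T = 1 iff some non-empty subformula F_q has every D_p satisfied."""
    return int(any(f and all(eval_constraint(d, attrs) for d in f) for f in t))


@dataclass
class AccessRuleTable:
    """Access rule table A of one service: each row (S_j, E_j) is one policy."""
    service: str
    rows: List[Tuple[AttrConstraint, AttrConstraint]]


def subject_factor(table: AccessRuleTable,
                   subject_attrs: Dict[str, Any]) -> Tuple[int, List[int]]:
    """Step 3: C = S_1 OR ... OR S_n; the per-row S_j are kept for step 5."""
    s_vals = [eval_attr_constraint(s, subject_attrs) for s, _ in table.rows]
    return int(any(s_vals)), s_vals


def environment_factor(table: AccessRuleTable, s_vals: List[int],
                       env_attrs: Dict[str, Any]) -> int:
    """Step 5: G over the m rows whose S_j is 1 (OR is an assumption)."""
    e_vals = [eval_attr_constraint(e, env_attrs)
              for (_, e), s in zip(table.rows, s_vals) if s == 1]
    return int(any(e_vals))


def control_access(chain: List[AccessRuleTable], subject_attrs: Dict[str, Any],
                   env_attrs: Dict[str, Any],
                   invoke: Callable[[str], None]) -> Tuple[bool, List[str]]:
    """Steps 2-13 over L = [A_1, ..., A_t]; returns (granted, services invoked)."""
    # Phase 1 (steps 2-7): every table is evaluated before any service runs,
    # so a subject-constraint failure anywhere in the chain costs no calls.
    env_chain: List[int] = []  # R = [G_1, ..., G_w]
    for table in chain:
        c, s_vals = subject_factor(table, subject_attrs)
        if c == 0:
            return False, []  # step 4: reject
        env_chain.append(environment_factor(table, s_vals, env_attrs))
    # Phase 2 (steps 8-12): invoke in composition order, each gated by its G.
    invoked: List[str] = []
    for table, g in zip(chain, env_chain):
        if g == 0:
            return False, invoked  # step 10: reject
        invoke(table.service)  # step 11
        invoked.append(table.service)
    return True, invoked  # step 13


# Constructed sample: a two-service composition and its rule table chain L.
BUSINESS_HOURS: SubFormula = [("hour", ">=", 9), ("hour", "<=", 18)]
CHAIN: List[AccessRuleTable] = [
    AccessRuleTable("order-lookup", [
        ([[("role", "=", "support")]], [BUSINESS_HOURS]),
        ([[("role", "=", "admin")]], [[("network", "=", "corp")]]),
    ]),
    AccessRuleTable("payment-refund", [
        ([[("role", "=", "support"), ("clearance", ">=", 2)]],
         [[("network", "=", "corp")]]),
        ([[("role", "=", "admin")]], [[("network", "=", "corp")], BUSINESS_HOURS]),
    ]),
]

if __name__ == "__main__":
    calls: List[str] = []
    # A support user with clearance 1 would pass order-lookup alone, but the
    # payment-refund table rejects them, so phase 1 refuses before any call.
    granted, used = control_access(CHAIN, {"role": "support", "clearance": 1},
                                   {"hour": 14, "network": "corp"}, calls.append)
    print(granted, used, calls)  # False [] []
```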

Claims (2)

1. A method for controlling the access of a network service combination by using an attribute-based access control model ABAC is characterized by comprising the following steps:
(1) acquiring an access rule table chain of a network service combination to be accessed:
(1a) extracting subject attribute constraints and environment attribute constraints in all network service attribute constraint definitions in a network service combination to be accessed from an attribute-based access control model ABAC policy library;
(1b) respectively storing the subject attribute constraint and the environment attribute constraint in an access rule table of each network service in the network service combination to be accessed;
(1c) putting the access rule tables of all the network services into an access rule table chain, wherein the access rule table chain represents a set of access rule tables corresponding to all the network services in the network service combination;
(2) selecting an access rule table:
selecting an access rule table from the access rule table chain according to the access rule table chain sequence;
(3) calculating the subject attribute constraint factor in the selected access rule table according to the following formula:
Figure FDA0002259625060000011
where C denotes the subject attribute constraint factor in the selected access rule table, the calculation result of the subject attribute constraint factor is 0 or 1, n denotes the total number of subject attribute constraints in the selected access rule table, ∪ denotes an OR operation, and S_j represents the jth subject attribute constraint in the selected access rule table;
(4) judging whether the main body attribute constraint factor in the selected access rule table is 0, if so, rejecting the access request of the network service visitor, and executing the step (13); otherwise, executing the step (5);
(5) acquiring an environment attribute constraint factor in the selected access rule table:
and combining the environment attribute constraints corresponding to the main attribute constraint factors of which each calculation result is 1 in the selected access rule table according to the following formula:
Figure FDA0002259625060000012
wherein G represents the environment attribute constraint factor of the access rule table, the calculation result of the environment attribute constraint factor is 0 or 1, m represents the total number of environment attribute constraints corresponding to subject attribute constraints whose value is 1 in the access rule table, and E_i represents the ith environment attribute constraint corresponding to a subject attribute constraint whose value is 1 in the access rule table;
(6) judging whether the selected access rule table is the last one in the access rule table chain, if so, executing the step (7); otherwise, executing the step (2);
(7) putting all the environment attribute constraint factors into an environment attribute constraint chain, wherein the environment attribute constraint chain represents a set of the environment attribute constraint factors of all the access rule tables;
(8) selecting a network service from the network service combination according to the network service arrangement sequence;
(9) extracting a constraint factor of the environment attribute corresponding to the selected network service from the set of environment attribute constraint factors;
(10) judging whether the environmental attribute constraint factor is 0, if so, rejecting the access request of the network service visitor, and executing the step (13); otherwise, executing step (11);
(11) accessing the selected network service;
(12) judging whether the selected network service is the last one in the network service combination, if so, executing the step (13); otherwise, executing step (8);
(13) the whole access process is ended.
2. The method for controlling access to a combination of web services based on the attribute access control model ABAC according to claim 1, wherein the attribute constraint of step (1a) is defined as follows:
D=<AT><OP><VALUE>
Figure FDA0002259625060000021
Figure FDA0002259625060000022
wherein D represents a constraint condition, < AT > represents an attribute type, < OP > represents one logical operator from the set {≤, ≥, =, <, >, ≠}, to which the user can add custom logical operators, < VALUE > represents an attribute value, F represents an attribute constraint subformula, x represents the total number of constraint conditions, D_p represents the pth constraint condition, ∩ denotes an AND operation, T represents the attribute constraint, the result of the attribute constraint being 0 or 1, y represents the total number of attribute constraint subformulas, and F_q represents the qth attribute constraint subformula.
CN201710805909.8A 2017-09-08 2017-09-08 Method for controlling access of network service combination by using ABAC model Active CN107623684B (en)


Publications (2)

Publication Number Publication Date
CN107623684A CN107623684A (en) 2018-01-23
CN107623684B true CN107623684B (en) 2020-02-21


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108712369B (en) * 2018-03-29 2022-01-07 中国工程物理研究院计算机应用研究所 Multi-attribute constraint access control decision system and method for industrial control network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2631841A2 (en) * 2012-02-27 2013-08-28 Axiomatics AB Provisioning authorization claims using attribute-based access-control policies
CN103795688A (en) * 2012-10-31 2014-05-14 中国航天科工集团第二研究院七○六所 Attribute-based fuzzy access control calculation method
CN104683362A (en) * 2015-03-27 2015-06-03 合肥工业大学 Access control system and access control method of fine-grained privacy security
CN104735055A (en) * 2015-02-12 2015-06-24 河南理工大学 Cross-domain security access control method based on credibility

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9396343B2 (en) * 2014-10-20 2016-07-19 International Business Machines Corporation Policy access control lists attached to resources



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant