CN104780159A - Access control method based on dynamic trust thresholds - Google Patents

Publication number: CN104780159A
Authority: CN (China)
Prior art keywords: authority, trust, access, trust threshold, main body
Legal status: Pending
Application number: CN201510126508.0A
Other languages: Chinese (zh)
Inventors: 马书南, 林东岱
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201510126508.0A
Landscapes: Storage Device Security

Abstract

The present invention discloses an access control method based on dynamic trust thresholds. The method comprises: 1) merging permissions having identical trust value requirements for an access subject into the same permission set, wherein an object has a plurality of permissions and a trust threshold is set for each permission; 2) creating a permission distribution record table for each permission set; 3) when a subject sends an access request to the object, inspecting whether the trust value of the subject satisfies the requirements or not; if so, allowing the access request and recording the access into the permission distribution record table of the corresponding permission set; if not, refusing to perform; and 4) adjusting the trust threshold of the permission corresponding to the object: after the access is fed back and evaluated as fraud and the set number of times is exceeded, performing increasing adjustment on the trust threshold and updating the permission distribution record table; and if the access is fed back and evaluated as no fraud behavior, performing decreasing adjustment on the trust threshold and updating the permission distribution record table. The access control method of the present invention can flexibly realize access control on resources.

Description

An access control method based on dynamic trust thresholds
Technical field
The invention belongs to the field of computer network security and specifically relates to an access control method based on dynamic trust thresholds. It addresses the problem of how to assign permissions to an entity according to its trust value when the entity accesses resources in an open network, and enables fine-grained management of access permissions.
Background
With the rapid development and widespread use of computer networking technology, networks have evolved from early closed networks into open networks serving large numbers of external users. In an open network, the behavior and state of entities are highly autonomous and uncertain. An entity can join a network at any time and from anywhere to obtain resources and services, can break its connection to that network at any time, and can even rejoin other networks after changing its identity. In addition, in an open network the same entity can be both a provider of resources or services and a user of resources; there is no central authoritative node to rely on, and an entity cannot obtain complete information about another entity.
Because open networks are dynamic and heterogeneous, traditional identity-based or role-based access control cannot fully meet the security needs of open dynamic networks. Trust management offers a new approach to the access control problem in open dynamic networks. Given the security requirements of access to resources and services in open networks, using a trust mechanism to provide secure access control for open dynamic networks is significant.
In an open network environment, access permissions cannot be assigned according to an entity's identity, but they can be assigned according to the entity's trust value. When an entity's trust value changes, the permissions assigned to it change accordingly. How to assign suitable access permissions to an entity according to its trust value is therefore a problem in urgent need of a solution.
Summary of the invention
The purpose of the invention is to provide an access control method based on dynamic trust thresholds. To account for the dynamic nature of trust and the variability of access behavior, the method uses the trust thresholds of permissions to manage access control permissions at a fine granularity, and assigns an entity the corresponding access permissions according to its trust value each time it accesses a resource. The method is well suited to open network environments and allows flexible access control over resources.
The invention adopts the following technical scheme.
I. Trust threshold of a permission
In the invention, the party requesting access is called the subject and the party being accessed is called the object. Suppose the object has N different permissions that it can assign to subjects. Given a permission r, if a subject with trust value $T_m$ holds permission r, then a subject whose trust value satisfies $T \ge T_m$ should also hold r, whereas a subject whose trust value satisfies $T < T_m$ does not necessarily hold r. To solve the problem of performing access control according to the subject's trust value, the concept of the trust threshold of a permission is introduced: a subject can hold a permission if and only if its trust value is not less than the trust threshold of that permission.
Definition 1 (trust threshold of a permission): Given an access permission r, when the object decides from the trust value whether a subject holds this permission, it determines, from experience or by summarizing and analyzing historical access records, the minimum trust value $\varepsilon$ that the permission requires. The object grants the permission to the subject if and only if the subject's trust value satisfies $T \ge \varepsilon$; $\varepsilon$ is called the trust threshold of permission r.
Definition 2 (trust threshold of a permission set): Given access permissions $r_{i-1}$, $i = 1, 2, 3, \ldots$, that share the same trust threshold $\varepsilon$, form the permission set $R = \{r_0, r_1, \ldots, r_{i-1}\}$, $i = 1, 2, 3, \ldots$, with the permissions $r_{i-1}$ as its elements; the trust threshold of the permission set R is then $\varepsilon$.
From these definitions, the trust threshold of a permission is both deterministic and dynamic. It is deterministic in that the object assigns a definite minimum trust value to each access permission. It is dynamic in that the object sets the threshold from experience or by summarizing and analyzing historical access records; as the object's authorization experience grows, or as the information in the historical access records is mined more fully, the trust threshold of a permission can be adjusted dynamically so that its control over access permissions becomes more reasonable. Every permission has a definite trust threshold, so fine-grained management of access permissions only requires comparing the subject's trust value with the trust threshold of the permission.
II. Access control method based on dynamic trust thresholds
The invention proposes an access control method based on dynamic trust thresholds. The basic idea is as follows. First, according to the rules of the specific application, initialize the trust threshold of each permission set, denoting the values by $\varepsilon_0, \varepsilon_1, \varepsilon_2, \ldots, \varepsilon_{n-1}$, and sort them: $\varepsilon_0 < \varepsilon_1 < \varepsilon_2 < \ldots < \varepsilon_{n-1}$, where $\varepsilon_i$ corresponds to permission set $R_i$. Given a subject's trust value T, if a search finds $\varepsilon_{i-1} \le T < \varepsilon_i$, where $i = 1, 2, 3, \ldots$, then the set of permissions the subject holds is $R = R_0 \cup R_1 \cup \ldots \cup R_{i-1}$, and for any access permission $r \in R$ the subject holds permission r. Otherwise the set of permissions the subject holds is empty, i.e. access is denied.
Definition 3 (access feedback evaluation): After authorization, the object makes a qualitative evaluation of the credibility of the subject's access, based on the result produced by the subject's access behavior.
In general, the object's access feedback evaluations of a subject fall into four classes: fraud, non-fraud, dishonest and honest.
The object builds a permission distribution record table for each permission set and records in detail how permissions are distributed according to the trust threshold. A permission distribution record table mainly contains: subject identifier, subject trust value, access permission, access feedback evaluation, and so on. Each table records the authorizations made for its permission set, and each object has as many tables as it has permission sets. For each table, if two access feedbacks of the same subject are fraud, the trust threshold of that permission set is adjusted upward and the table is updated. If, after a certain number of consecutive accesses, none of the access feedbacks shows fraud, a downward adjustment of the permission set's trust threshold is attempted so that more subjects can obtain access permissions. When the amount of an upward or downward adjustment is less than $10^{-6}$, the current trust threshold is taken as the final trust threshold of the permission set.
The iterative calculation for upward and downward adjustment of the trust threshold is as follows:
Given the n sorted permission sets, take any permission set $r_i$ among them, with trust threshold $\varepsilon_i \in [a, b]$. If $i = 0$, i.e. $r_i$ is the permission set with the smallest trust threshold, then $a = 0$, $b = \varepsilon_1$. If $i = n-1$, i.e. $r_i$ is the permission set with the largest trust threshold, then $a = \varepsilon_{n-2}$, $b = 1$. If $i = 1, 2, \ldots, n-2$, then $a = \varepsilon_{i-1}$ and $b = \varepsilon_{i+1}$.
When $\varepsilon_i \in [a, b]$ needs an upward adjustment, take the maximum trust value T of the subject whose access feedback was fraud twice, with $\varepsilon_i \le T < b$; then $\varepsilon_i = T + \frac{b - T}{2}$.
When $\varepsilon_i \in [a, b]$ needs a downward adjustment, take the minimum trust value T of the subjects that have accessed since the last adjustment, with $\varepsilon_i \le T < b$; then $\varepsilon_i = a + \frac{T - a}{2}$.
As this iterative calculation shows, each adjustment of a permission set's trust threshold first reads the trust thresholds of the adjacent permission sets, which determines $\varepsilon_i \in [a, b]$; the iteration then changes the upper or lower bound of $[a, b]$ and approaches the optimal trust threshold step by step. After each adjustment of a trust threshold, the record table of the former trust threshold is reinitialized and serves as the record table for the adjusted trust threshold.
The access control method based on dynamic trust thresholds is shown in the figure; its main steps are as follows:
(1) The object classifies all of its permissions according to the level of trust required of the subject, and initializes the trust threshold of each permission set;
(2) A corresponding permission distribution record table is built for the trust threshold of each new permission set;
(3) According to the subject's trust value T, search the sorted trust thresholds of the permission sets, $\varepsilon_0 < \varepsilon_1 < \varepsilon_2 < \ldots < \varepsilon_{n-1}$. If $\varepsilon_{i-1} \le T < \varepsilon_i$ holds for some $i = 1, 2, 3, \ldots$, the subject holds all access permissions in the permission sets whose trust thresholds are $\varepsilon_{j-1}$, $j = 1, 2, 3, \ldots, i$; otherwise, access is denied;
(4) If the trust threshold $\varepsilon_{i-1}$ of the permission set is already the final adjusted threshold, go to step (3);
(5) Save the subject's trust value, the permission set distributed, and the access feedback evaluation in the permission distribution record table;
(6) Based on the updated records in the permission distribution record table, judge whether an adjustment of the trust threshold $\varepsilon_{i-1}$ of the permission set is triggered; if it is, adjust the threshold of the permission set;
(7) When the adjustment amount of the trust threshold is less than $10^{-6}$, the current trust threshold is taken as the final trust threshold of the permission set, and the method goes to step (3); otherwise the adjusted trust threshold replaces the former threshold, the record table of the former trust threshold is deleted, and the method goes to step (2).
Compared with the prior art, the invention has the following advantages:
The invention provides an access control method based on dynamic trust thresholds that adapts and responds sensitively to changes in entity behavior. It uses the trust thresholds of permissions to manage access control permissions at a fine granularity; while assigning suitable access permissions to subjects, it ensures the security of resource access and can meet the demand for dynamic access control in open network environments.
Brief description of the drawing
The accompanying drawing is a flow chart of the invention.
Embodiment
The invention is described in detail below by way of an embodiment.
Specific application example:
(1) The permissions of a file File that can be assigned to subjects are Read, Write, Modify, Print and Copy. Their trust thresholds are, respectively: $\varepsilon_{read} = 0.4$, $\varepsilon_{write} = 0.7$, $\varepsilon_{modify} = 0.9$, $\varepsilon_{print} = 0.5$, $\varepsilon_{copy} = 0.7$.
(2) The permission sets of File are: $R_0 = \{Read\}$, $R_1 = \{Print\}$, $R_2 = \{Write, Copy\}$, $R_3 = \{Modify\}$. Their trust thresholds are, respectively: $\varepsilon_0 = 0.4$, $\varepsilon_1 = 0.5$, $\varepsilon_2 = 0.7$, $\varepsilon_3 = 0.9$.
(3) File has a distribution record table for each permission set, i.e. 4 permission distribution record tables. The structure of each table is: subject identifier, subject trust value, access permission, access feedback evaluation. Each record in a table stores the details of one access to File.
(4) Suppose the trust value of a subject Subject is $T = 0.8$. Since $\varepsilon_2 < T < \varepsilon_3$, Subject holds the set of access permissions to File $R = R_0 \cup R_1 \cup R_2 = \{Read, Print, Write, Copy\}$.
(5) Suppose that in File's distribution record table for $R_2 = \{Write, Copy\}$, two access records of the same subject Subject have a feedback evaluation of fraud. This triggers an upward adjustment of the trust threshold $\varepsilon_2 = 0.7$ of $R_2$. Searching the permission distribution record table shows that the maximum trust value during the two frauds is $T = 0.8$. By the iterative calculation for threshold adjustment, $a = \varepsilon_2 = 0.7$, $b = \varepsilon_3 = 0.9$, and the upward adjustment amount is $\Delta t = 0.15 > 10^{-6}$, so the trust threshold of $R_2$ is adjusted to $\varepsilon_2 = 0.85$, the access record table of $R_2$ is cleared, and new permission distribution records are recorded from scratch.
After this adjustment, the trust thresholds of File's permission sets are: $\varepsilon_0 = 0.4$, $\varepsilon_1 = 0.5$, $\varepsilon_2 = 0.85$, $\varepsilon_3 = 0.9$.
(6) Suppose that in File's access record table for $R_1 = \{Print\}$, the number of consecutive records with a feedback evaluation of honest reaches M ($M > 0$; the rule for choosing M depends on the system). This triggers a downward adjustment of the trust threshold $\varepsilon_1 = 0.5$ of $R_1$. Querying the M consecutive honest access records shows that the minimum trust value is $T = 0.55$. By the iterative calculation for threshold adjustment, $a = \varepsilon_0 = 0.4$, $b = \varepsilon_2 = 0.85$, and the adjustment amount is $\Delta t = 0.025 > 10^{-6}$, so the trust threshold of $R_1$ is adjusted to $\varepsilon_1 = 0.475$, the access record table of $R_1$ is cleared, and a new permission distribution record table is recorded from scratch.
After this adjustment, the trust thresholds of File's permission sets are: $\varepsilon_0 = 0.4$, $\varepsilon_1 = 0.475$, $\varepsilon_2 = 0.85$, $\varepsilon_3 = 0.9$.
The method uses trust thresholds to manage access control permissions at a fine granularity and assigns an entity the corresponding access permissions according to its trust value each time it accesses a resource, which ensures the security of resource access. In addition, the upper and lower bound parameters used when adjusting trust thresholds can be set according to the application environment.
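The lookup and threshold-adjustment procedure described above, run on the File embodiment as an added Python example (it is not part of the patent text). The class name ProtectedObject, the value M = 3 for honest_run, passing the feedback together with the request, and the guard that skips a downward candidate which would actually raise the threshold are assumptions of this example.

```python
from dataclasses import dataclass, field

DELTA_MIN = 1e-6  # below this adjustment amount the threshold is treated as final

@dataclass
class PermissionSet:
    perms: frozenset
    threshold: float
    final: bool = False
    records: list = field(default_factory=list)  # (subject, trust, permission, feedback)

class ProtectedObject:  # hypothetical name for the patent's "object"
    def __init__(self, thresholds, honest_run=3):
        # Merge permissions with equal thresholds into one set, sorted ascending.
        grouped = {}
        for perm, eps in thresholds.items():
            grouped.setdefault(eps, set()).add(perm)
        self.sets = [PermissionSet(frozenset(p), e) for e, p in sorted(grouped.items())]
        self.honest_run = honest_run  # the patent's M; the value 3 is an assumption

    def thresholds(self):
        return [s.threshold for s in self.sets]

    def granted(self, trust):
        # Union of every permission set whose threshold the trust value reaches.
        return set().union(*(s.perms for s in self.sets if trust >= s.threshold))

    def access(self, subject, trust, perm, feedback):
        # Feedback is supplied with the request here for brevity; in practice it
        # arrives after the access has been evaluated.
        if perm not in self.granted(trust):
            return False
        i = next(k for k, s in enumerate(self.sets) if perm in s.perms)
        self.sets[i].records.append((subject, trust, perm, feedback))
        if not self.sets[i].final:
            self._adjust(i)
        return True

    def _adjust(self, i):
        s = self.sets[i]
        a = self.sets[i - 1].threshold if i > 0 else 0.0
        b = self.sets[i + 1].threshold if i + 1 < len(self.sets) else 1.0
        fraud = {}
        for subj, t, _, fb in s.records:
            if fb == "fraud":
                fraud.setdefault(subj, []).append(t)
        repeat = [max(ts) for ts in fraud.values() if len(ts) >= 2]
        recent = s.records[-self.honest_run:]
        new = None
        if repeat:  # same subject judged fraudulent twice: raise toward b
            T = max(repeat)
            if s.threshold <= T < b:
                new = T + (b - T) / 2
        elif len(recent) == self.honest_run and all(r[3] != "fraud" for r in recent):
            T = min(r[1] for r in recent)  # lowest trust among the clean run
            cand = a + (T - a) / 2
            # Guard added in this example: the formula only lowers the threshold
            # when T < 2*eps - a, so skip candidates that would raise it.
            if cand < s.threshold:
                new = cand
        if new is None:
            return
        if abs(new - s.threshold) < DELTA_MIN:
            s.final = True  # converged: stop adjusting this set
        else:
            s.threshold = new
            s.records.clear()  # start a fresh record table for the new threshold

def run_embodiment():
    f = ProtectedObject({"Read": 0.4, "Write": 0.7, "Modify": 0.9, "Print": 0.5, "Copy": 0.7})
    before = f.granted(0.8)
    f.access("Subject", 0.8, "Write", "fraud")
    f.access("Subject", 0.8, "Copy", "fraud")       # second fraud: eps_2 0.7 -> 0.85
    after = f.granted(0.8)
    for name, trust in [("A", 0.6), ("B", 0.55), ("C", 0.7)]:  # constructed honest subjects
        f.access(name, trust, "Print", "honest")    # third clean access: eps_1 0.5 -> 0.475
    return before, after, f.thresholds()

if __name__ == "__main__":
    print(run_embodiment())
```

After the upward adjustment, the subject with trust value 0.8 no longer reaches the threshold of R_2 and keeps only Read and Print.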

Claims (6)

1. An access control method based on dynamic trust thresholds, comprising the steps of:
1) classifying all permissions of an object, and merging the permissions that place the same trust value requirement on the accessing subject into the same permission set, to obtain several permission sets; wherein the object has multiple permissions, and each permission is provided with a trust threshold;
2) creating a permission distribution record table for each permission set; wherein the permission distribution record table comprises: subject identifier, subject trust value, access permission, and access feedback evaluation;
3) when a subject sends an access request to the object, checking whether the current trust value of the subject meets the trust threshold of the permission corresponding to the access request; if it does, allowing the subject to perform the access request and recording the access in the permission distribution record table of the corresponding permission set; if it does not, refusing to perform the access request;
4) adjusting the trust threshold of the corresponding permission of the object according to the permission distribution record table: when the access feedback of a subject is fraud and the set number of times is exceeded, adjusting the trust threshold of the corresponding permission set upward and updating the corresponding permission distribution record table; when the access feedback of subjects shows no fraud and the set number of times is exceeded, adjusting the trust threshold of the corresponding permission set downward and updating the corresponding permission distribution record table.
2. The method of claim 1, characterized in that the permission sets are obtained as follows: first determine the trust thresholds $\varepsilon_0, \varepsilon_1, \varepsilon_2, \ldots, \varepsilon_{n-1}$ of the permissions of the object, and sort the trust thresholds: $\varepsilon_0 < \varepsilon_1 < \varepsilon_2 < \ldots < \varepsilon_{n-1}$, where n is the total number of permission sets and the i-th trust threshold $\varepsilon_i$ corresponds to the i-th permission $r_i$.
3. The method of claim 1, characterized in that the trust threshold of the corresponding permission of the object is adjusted according to the permission distribution record table as follows: when the trust threshold $\varepsilon_i \in [a, b]$ of the i-th permission set needs an upward adjustment, first extract the trust thresholds of the adjacent permission sets, i.e. $a = \varepsilon_{i-1}$, $b = \varepsilon_{i+1}$; then take from the corresponding permission distribution record table the maximum trust value T of the subject whose access feedback was fraud twice, with $\varepsilon_i \le T < b$; then set $a = \varepsilon_i$, and when the trust threshold $\varepsilon_i \in [a, b]$ of the i-th permission set needs a downward adjustment, first extract the trust thresholds of the adjacent permission sets, i.e. $a = \varepsilon_{i-1}$, $b = \varepsilon_{i+1}$; then take the minimum trust value T of the subjects in the corresponding permission distribution record table, with $\varepsilon_i \le T < b$; then set $b = \varepsilon_i$, and
4. The method of claim 3, characterized in that when the access feedback of the same subject in the permission distribution record table is fraud more than 2 times, the trust threshold of the permission set corresponding to that permission distribution record table is adjusted.
5. The method of claim 3, characterized in that the initial value of a is 0, the maximum value of b is 1, and T ranges from 0 to 1.
6. The method of claim 1, characterized in that the access feedback evaluation comprises: fraud, non-fraud, dishonest and honest.
CN201510126508.0A 2015-03-23 2015-03-23 Access control method based on dynamic trust thresholds Pending CN104780159A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510126508.0A CN104780159A (en) 2015-03-23 2015-03-23 Access control method based on dynamic trust thresholds

Publications (1)

Publication Number Publication Date
CN104780159A true CN104780159A (en) 2015-07-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150715