CN106953843A - A coverage detection method for access control rules based on NuSMV - Google Patents
- Publication number: CN106953843A
- Application number: CN201710080002.XA
- Authority: CN (China)
- Prior art keywords: access control, control rule, nusmv, coverage, rule
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H04L63/101—Access control lists [ACL]
Abstract
The invention discloses a coverage detection method for access control rules based on NuSMV, belonging to the field of information security technology. It comprises the following steps: standardizing the access control rules; standardizing the properties that the access control system should satisfy; standardizing the negation of the access control rules; constructing the model and the mutant model; and calling NuSMV to perform coverage detection. The invention can analyze the correctness of access control rules and thereby further ensure the security of the system.
Description
Technical field
The invention belongs to the field of information security technology and relates to techniques for verifying the correctness of access control rules.
Background
After an access control model has been devised and implemented, it must be tested intensively before it is put into use, to ensure that access control is enforced correctly. This requires simulating various requests (legal and illegal) against the system to ensure that the system runs stably, and the cost of doing so is considerable. NuSMV is a system that overcomes this cost well.
Model checking is a class of techniques that models a system in a dedicated language and, with supporting tools, uses a computer to analyze automatically whether the model satisfies a property. It was proposed jointly in 1981 by the well-known scholars Clarke, Emerson, Queille and Sifakis. Model checking uses two methods, state search and fixed-point computation, to verify automatically the properties of finite-state systems described by modal logic formulas. The idea of model checking can be described as an algorithm and executed by a computer, so its degree of automation is quite high. Moreover, when the model does not satisfy a property, the analysis yields a path that indicates why the model fails. These two characteristics have earned the technique high regard in industry.
NuSMV (New Symbolic Model Verifier) is a symbolic model checker. Its syntax helps model finite-state systems quickly, and the model can be checked directly against formulas of linear temporal logic LTL (or computation tree logic CTL).
Given the efficiency of NuSMV in verification, analyzing access control rules with NuSMV is a feasible approach.
Summary of the invention
The object of the invention is to provide a coverage detection method for access control rules, so as to improve the correctness of access control systems.
To solve the above technical problem, the invention adopts the following technical solution:
A coverage detection method for access control rules based on NuSMV, characterized by comprising the following steps:
Step 1, standardize the access control rules, i.e. describe them in a formal language;
Step 2, standardize the properties that the access control system should satisfy;
Step 3, standardize the negation of the access control rules;
Step 4, construct the original model and the mutant model;
Step 5, call NuSMV to perform coverage detection on the access control rules.
An access control rule is standardized as if c then d, i.e. d is executed if c holds; c is the constraint in access control on entities such as subject, object and operation, and d is the decision result under constraint c.
A property that the access control system should satisfy is standardized as p: b → e, i.e. rule p must satisfy condition e if b holds; b is the constraint in access control on the subject, e is the property that the rule satisfies, and p is the rule.
The negation of an access control rule is standardized as if c then ¬d, i.e. d is not executed if c holds.
The set formed by all standardized access control rules is the original model; negating one rule in the original model yields the mutant model corresponding to that rule.
The invention has the following beneficial effects. The configuration of access control rules is a key technique for ensuring system security. The invention proposes a coverage detection technique for access control rules which, by mutating the original model, ensures the correctness of the access control rules and thereby the security of the system.
Embodiment
The technical solution is described in further detail below with reference to a specific embodiment.
A company's sales operations have expanded across the country in recent years. So that its sales staff can promptly handle business in each region, the company has set up sales branches in Beijing, Shanghai and Jiangsu and assigned a line manager to each branch. Each line manager has full control over the department's sales records within his or her jurisdiction and otherwise has no right of access. To improve efficiency, each department has recruited its own sales staff. The sales staff are numerous and are responsible for all sales operations in their region. Because each region is very large, one salesperson cannot cover every place in it, so the sales staff are divided into several groups, each headed by a sales manager. Sales staff report to a sales manager, and sales managers report to the line manager. Permissions decrease in the order line manager, sales manager, salesperson; the specific permissions are shown in Table 1:
Table 1: Permission assignment
Position | Resource | Operation |
---|---|---|
Line manager | Sales record | Read, write, modify, delete |
Sales manager | Sales record | Read, write |
Salesperson | Sales record | Write |
The permissions corresponding to each role are shown in Table 2.
Table 2: Role permissions
The roles of each branch may mainly operate on the sales records of the region that their own branch administers, so a region attribute, area, must be added to the role, and the area attribute is likewise added to the sales record. The complete role description is shown in Table 3.
Table 3: Complete role description
The permission assignment should satisfy rule p: the Shanghai line manager reads and writes Shanghai sales records.
After standardization, p is:
if (role=DivisionManager & res=SaleNote & role.area=res.area & op=read) then permit
The property that the rule should satisfy is that the Shanghai line manager is allowed to modify the sales records of the Shanghai department. After standardization, this property is:
p: AG (role=DivisionManager & res=SaleNote & role.area=res.area & op=edit & role.op_inherit=true → AF decision=permit)
The model is:
{ if (role=DivisionManager & res=SaleNote & role.area=res.area & op=read) then permit }
The mutant model corresponding to rule p is:
{ if (role=DivisionManager & res=SaleNote & role.area=res.area & op=read) then ¬permit }
Whether the model satisfies the property set is verified with the model checking tool NuSMV. The result shows that the model we designed satisfies the property set; in other words, the model meets the actual requirements.
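The five steps applied to this embodiment, as an added example that is not part of the patent. Rule p comes from the text; rule q, the property, the deny-by-default decision, reading ¬permit as deny, and the exhaustive enumeration that stands in for the NuSMV call are assumptions made for illustration. A rule is treated as covered when a property that holds on the original model fails on that rule's mutant, which is the usual mutation-coverage criterion.

```python
from itertools import product

# Constructed finite request space: roles and operations follow Table 1, areas are the
# three branches. The resource is always SaleNote here, so it is left out of the space.
DOMAIN = {
    "role": ("DivisionManager", "SalesManager", "Salesperson"),
    "role_area": ("Beijing", "Shanghai", "Jiangsu"),
    "res_area": ("Beijing", "Shanghai", "Jiangsu"),
    "op": ("read", "write", "edit", "delete"),
}
REQUESTS = [dict(zip(DOMAIN, values)) for values in product(*DOMAIN.values())]

def cond(role, op):
    """Constraint c: role=<role> & res=SaleNote & role.area=res.area & op=<op>."""
    return lambda r: r["role"] == role and r["role_area"] == r["res_area"] and r["op"] == op

# Step 1: standardized rules "if c then d" as (name, c, d).
RULES = [
    ("p", cond("DivisionManager", "read"), "permit"),  # rule p from the text
    ("q", cond("SalesManager", "read"), "permit"),     # constructed second rule (Table 1)
]
# Step 2: properties "b -> e"; this one is constructed to match rule p's condition.
PROPERTIES = [("manager_reads_own_area", cond("DivisionManager", "read"), "permit")]

def decide(rules, request):
    """First applicable rule decides; deny by default (assumption, the page names none)."""
    for _, c, d in rules:
        if c(request):
            return d
    return "deny"

def holds(rules, prop):
    """Check b -> e on every request. This enumeration stands in for the NuSMV run."""
    _, b, e = prop
    return all(decide(rules, r) == e for r in REQUESTS if b(r))

def mutant(rules, name):
    """Steps 3 and 4: the mutant model negates the decision of exactly one rule."""
    flip = {"permit": "deny", "deny": "permit"}
    return [(n, c, flip[d] if n == name else d) for n, c, d in rules]

def coverage(rules, props):
    """Step 5: a rule is covered if some property fails once that rule is negated."""
    if not all(holds(rules, p) for p in props):
        raise ValueError("the original model must satisfy every property first")
    return {n: any(not holds(mutant(rules, n), p) for p in props) for n, _, _ in rules}

if __name__ == "__main__":
    print(coverage(RULES, PROPERTIES))
```

Rule q comes back uncovered: no property notices when it is negated, so the property set needs a requirement about sales managers before it can vouch for that rule.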
Claims (5)
1. A coverage detection method for access control rules based on NuSMV, characterized by comprising the following steps:
Step 1, standardize the access control rules, i.e. describe them in a formal language;
Step 2, standardize the properties that the access control system should satisfy;
Step 3, standardize the negation of the access control rules;
Step 4, construct the original model and the mutant model;
Step 5, call NuSMV to perform coverage detection on the access control rules.
2. The coverage detection method for access control rules based on NuSMV according to claim 1, characterized in that an access control rule is standardized as if c then d, i.e. d is executed if c holds; c is the constraint in access control on entities such as subject, object and operation, and d is the decision result under constraint c.
3. The coverage detection method for access control rules based on NuSMV according to claim 1, characterized in that a property that the access control system should satisfy is standardized as p: b → e, i.e. rule p must satisfy condition e if b holds; b is the constraint in access control on the subject, e is the property that the rule satisfies, and p is the rule.
4. The coverage detection method for access control rules based on NuSMV according to claim 1, characterized in that the negation of an access control rule is standardized as if c then ¬d, i.e. d is not executed if c holds.
5. The coverage detection method for access control rules based on NuSMV according to claim 2, characterized in that the set formed by all standardized access control rules is the original model, and negating one rule in the original model yields the mutant model corresponding to that rule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710080002.XA CN106953843A (en) | 2017-02-15 | 2017-02-15 | A coverage detection method for access control rules based on NuSMV |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106953843A (en) | 2017-07-14 |
Family ID: 59466430
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170714 |