CN108366068A - Cloud network resource management control system based on policy language under software defined network - Google Patents
- Publication number: CN108366068A (application number CN201810159706.0A)
- Authority: CN (China)
- Prior art keywords: policy, user, network, execution engine, strategy
- Prior art date: 2018-02-26
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
- G06F40/253: Grammatical analysis; style critique (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F40/00: Handling natural language data; G06F40/20: Natural language analysis)
- H04L63/0227: Filtering policies (H04L63/02: Network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0263: Rule management (under H04L63/0227, filtering policies)
- H04L63/20: Network security for managing network security; network security policies in general
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; General Engineering & Computer Science; Signal Processing; Computer Networks & Wireless Communication; Computing Systems; Computer Hardware Design; Theoretical Computer Science; Computational Linguistics; General Physics & Mathematics; Physics & Mathematics; General Health & Medical Sciences; Health & Medical Sciences; Audiology, Speech & Language Pathology; Artificial Intelligence; Business, Economics & Management; General Business, Economics & Management; Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The invention discloses a cloud network resource management control system based on a policy language under software defined networking (SDN). The system comprises a policy language interpreter, a policy database, a policy execution engine and an access filter, and it can isolate both misconfiguration of cloud network resources and unauthorized access to them. The policy language is a fine-grained access control language for cloud network resources: it lets the network administrator of a cloud service provider express access control intentions for those resources, and it can describe different access control rules for different cloud users, user groups, network resources and their attributes. To realize the cloud network resource access control system under SDN, the invention gives the required implementation details, including how the system is inserted into the SDN controller and the design of the language interpreter and of the policy execution engine.
Description
Technical field
The invention belongs to the field of network communication technology, and in particular relates to a cloud network resource management control system based on a policy language under software defined networking.
Background
Software defined networking (SDN) is a new network architecture. Compared with the traditional seven-layer network architecture, the core design of SDN is to separate the control plane from the forwarding plane: the network is divided, from top to bottom, into an application layer, a control layer and a forwarding layer; all configuration and management of the network is concentrated in the controller, and the forwarding devices are responsible only for forwarding traffic efficiently. The centralized control of the network in SDN greatly simplifies the work of the network administrator, and its flexible programmability gives wide scope to the development of upper-layer applications.
Cloud computing has already been widely researched and applied in academia and industry, and a cloud built on SDN is a new and bold combination. In an SDN-based cloud, SDN provides the basic network services and network management for the cloud above it, so that the cloud combines its own elasticity and scalability with the centralized management and flexible programmability of SDN, giving a flexible, efficient and convenient way of controlling network resources and network services.
The world's leading cloud service providers (Microsoft Azure, IBM, Google Cloud) all apply SDN in their network architectures. A survey by Synergy Research Group shows that global cloud infrastructure service revenue in the third quarter of 2017 was 12 billion US dollars. With such large economic interests at stake, any small vulnerability or attack may cause great economic loss; in particular, the information leakage and data tampering caused by unauthorized (beyond-permission) access can further threaten the security of the whole network.
In traditional networks, access control of resources is mainly concerned with reachability between network segments; for example, the access control list (ACL) of a firewall is configured with the corresponding forwarding rules to control how network traffic is forwarded. For the management of cloud network resources in SDN (such as network state and flow tables), however, no corresponding control mechanism exists. Network resource management and control can be divided into two stages, the network configuration stage and the network access stage: correct network configuration ensures that a tenant operates within a legitimate network space, and effective control manages the permissions of tenants and protects the controller and the network resources.
Academia has done some research on resource management and control in traditional networks and in SDN, but none of it solves the above problem well. PayLess provides a REST API through which upper-layer applications collect flow statistics from network devices in order to monitor the SDN network, but it can only monitor properties such as network connectivity from flow information; it cannot control network configuration or network access. SDNShield makes certain modifications to the plug-ins inside the controller in order to control application access and solve the problem of applications exceeding their permissions, but because this method has to change the code of each plug-in its applicability and portability are poor, and it cannot solve the problem of controlling network configuration. Although existing cloud environments have techniques for isolating tenants from one another, the granularity of the resources accessible within a tenant is not well controlled.
It can be seen that the problems remaining in the prior art are: the controller lacks fine-grained behaviour and permission control over the access requests of upper-layer applications; users may abuse the underlying services through applications; malicious user operations can steal from or damage the network; and controller resources are wasted, since the controller processes many requests that it should not have to process. Specifically there are problems in two respects. (1) In network configuration there may be configuration errors: when a network is created, the requested resources may conflict with existing ones (the administrator may have forgotten something or made an input error); without control this leads to configuration failure or conflicts, which are only discovered after the configuration has been deployed to the devices and a problem actually occurs, which is very costly and also consumes controller resources. (2) In network access there may be unauthorized access. Consider a user A and two resources R1 and R2. Unauthorized access between resources: A may access R1 but not R2, yet learns the access address of R2 from its URL and so obtains the information of R2. Unauthorized operation within a resource: A may create R1 but may not delete it, yet, if uncontrolled, can request a delete operation on R1 through REST.
In summary, the SDN-based cloud environment lacks a mechanism for controlling cloud network resources that runs through both network configuration and network access. Traditional access control techniques can only control reachability between networks from the viewpoint of paths (such as the ACL function of a firewall) and cannot control the resources being requested. Access control techniques in the SDN field can identify access requests that exceed permissions, but because each plug-in inside the controller has to be modified they are not general enough to control all access requests, and illegal access requests still occupy additional controller resources, wasting valuable computing resources.
Summary of the invention
In view of the above, the invention provides a cloud network resource management control system based on a policy language under software defined networking, to realize access control of network resources across the whole process of network configuration and network access.
The cloud network resource management control system based on a policy language under software defined networking comprises a policy language interpreter, a policy database, a policy execution engine and an access filter, wherein:
the policy language interpreter uses the parser generator ANTLR (ANother Tool for Language Recognition) to convert the semantic policy formulated by the network administrator into a tree-structured policy that the system can recognize and process, and stores it in the policy database; the semantic policy is the set of rules by which the network administrator specifies the operation behaviour and permissions of users;
the access filter intercepts the operation requests of users and sends them to the policy execution engine;
the policy execution engine reads the tree-structured policy from the policy database, examines the permissions of the user's operation request against it, and returns the examination result to the access filter. If the result is Reject, the access filter refuses the user's operation request and returns the result to the user; if the result is Accept, the access filter passes the user's operation request to the system controller for subsequent processing.
Further, the semantic policy consists of two parts, global policies and local policies. The request of every user is first examined by the global policies: if the request violates any rule of the global policies, the policy execution engine returns Reject to the user through the access filter; if the request passes all rules of the global policies, it is examined further by the local policies. According to the user's attributes, the policy execution engine extracts from the policy database the local policies that match the user's role and user name; if the request violates any rule of those local policies, the engine returns Reject to the user through the access filter, and if it passes all of them the engine returns Accept through the access filter, which then passes the user's request to the system controller for subsequent processing.
The above technical scheme gives a control and management architecture for cloud network resources under software defined networking that can isolate misconfiguration of, and unauthorized access to, cloud network resources. The policy language is a fine-grained access control language for cloud network resources: it lets the network administrator of a cloud service provider express access control intentions for those resources, and it can describe different access control rules for different cloud users, user groups, network resources and their attributes. To realize the cloud network resource access control system under software defined networking, the invention gives the required implementation details, including how the system is inserted into the software defined network controller and the design of the language interpreter and of the policy execution engine. Compared with the prior art, the invention therefore has the following advantageous effects:
1. A fine-grained policy language is designed. The invention gives the network administrator an attribute-based policy language for describing the security policy of the network. It can precisely express the intended security control, taking the attributes of the access requester, of the requested resource and of the system itself as the basis for decisions, which strongly supports precise control of network resources.
2. Both network configuration errors and illegal unauthorized access are identified and isolated. Based on the policies formulated by the network administrator, when a network configuration request or a network access request that violates policy appears, the invention accurately identifies the erroneous configuration request or the illegal unauthorized access request and isolates it outside the controller.
3. Dynamic policy configuration is supported. Security requirements change during actual use; the invention supports configuring security policies dynamically while the system is running, and the new policies take effect without shutting down or recompiling. This greatly improves the flexibility and applicability of the invention in practice.
4. Flexibility and convenience. Unlike the prior art, the invention does not need to modify the plug-ins in the controller or the upper-layer applications; it runs only as a filter on the northbound side of the controller to intercept and filter illegal requests, which are kept outside the controller, so that the risk is isolated outside it and valuable controller resources are saved for handling legitimate requests.
Description of the drawings
Fig. 1 is a structural schematic diagram of the cloud network resource management control system of the invention.
Fig. 2 is a structural schematic diagram of the policy semantic tree of the invention.
Detailed description
In order to describe the invention more specifically, the technical scheme of the invention is described in detail below with reference to the drawings and a specific embodiment.
S1: System structure and workflow
The cloud network resource management control system based on a policy language under software defined networking is shown in Fig. 1. The cloud service provider 101 provides tenants 102 with functional modules in the cloud such as compute 103, network 104 and storage 105; the network resources of the cloud are controlled by the software defined network controller 201. When a tenant accesses and uses the network resources provided by a controller plug-in 203, the network module of the cloud (such as Neutron in OpenStack) sends REST requests 403 to the controller through the controller's northbound interface (NBI); the REST request service component 202 in the controller receives and parses these requests and dispatches them to the corresponding controller plug-in 203 for processing.
The core components of the invention are the policy language interpreter 301, the policy execution engine 302, the access filter 303 and the policy database 304. The access filter is inserted into the REST component 202 of the controller, so that every REST request 403 sent to the controller is processed by the access filter. The policy database directly uses the unified data storage service provided by the controller kernel 204.
The general execution steps of the invention are:
1. The network administrator 401 of the cloud service provider writes the access management rules for network resources as a policy 402 in the language designed by the invention.
2. The policy file is sent to the language interpreter module 301 of the invention.
3. The language interpreter module 301 converts the policy written by the administrator into a format that the computer can understand and store, and stores it in the policy database 304 in the controller kernel 204.
4. When a cloud tenant 102 wants to use network resources, a REST request 403 is sent through the cloud network component 104 to the REST component 202 of the controller.
5. Every REST request sent to the REST component 202 is processed by the access filter 303 that the invention inserts into the REST component. The access filter hands the REST request to the policy execution engine 302 to decide whether its execution is approved.
6. The policy execution engine 302 compares the REST request to be judged with the policy rules in the policy database 304 and makes an ACCEPT or REJECT decision. An approved REST request is dispatched by the REST component for execution; a rejected REST request is not processed, and the controller directly returns a "request rejected" indication to the tenant.
S2: Policy language design
S2-1: REST requests
Cloud tenants use network resources by sending REST requests to the northbound interface of the software defined network controller. A typical REST request consists of the following four parts:
1. Request method (Method): the method indicates the operation that the REST request wants to perform on the network resource. There are generally four request types: GET to query, POST to create, PUT to update or replace, and DELETE to delete a network resource.
2. Uniform resource identifier (URI): the URI identifies the requested network resource; each network resource has a unique URI within the controller.
3. Request headers (Headers): the headers carry the information needed to transport the HTTP message. For example, the content format (Content-Type) shows that the REST request uses the JSON format (application/json), and the authentication information (Authorization) carries the information of the tenant sending the request; the authentication information usually uses one of several encryption schemes.
4. Body: the body of the REST request contains the concrete attribute values of the requested network resource; the policy language designed by the invention can identify each attribute value in the body at fine granularity.
When a tenant accesses network resources it can reach the resources in the controller through the REST API, and the controller then configures the underlying devices. The basic operations are create, delete, update and query of a resource. The abstract resources at the upper layer are networks, subnets, routers, firewalls, load balancers and so on, while in the concrete controller implementation they become flow entries written to the devices to realize the forwarding of traffic. The system designed by the invention can exercise fine-grained access control over these resources.
S2-2: Policy language grammar
The system decides whether to approve or reject a REST request by means of policies. The grammar of the access control policy language is as follows.
The invention abstracts a policy P as a combination of subject S, object O and environment E:
P(S, O, E) := (ATTR(S) op ATTR(O) op ATTR(E))
1. Subject S: the tenant and its related information, such as the user name in the Header part and the role corresponding to that user.
2. Object O: the network resource requested by the tenant and its attributes, such as the URI and Body parts.
3. Environment E: the environment in which the REST request occurs, such as the tenant that owns the cloud resource and whether the lease has expired, which is key information for deciding whether the user may access the resource.
The invention predefines a data structure for obtaining the above information from a REST request; its definition is as follows.
predefined: 'subject.' ('role' | 'user')
| 'action.' ('uri' | 'query' | 'method')
| 'environment.' ('date' | 'time' | 'week')
For example, subject.role and subject.user give the role and the user name of the tenant that sent the REST request; action.uri gives the URI of the REST request; and environment gives the environment-related information. In addition, using the request specification for the JSON data format, '$' string ('.' string)*, the detailed attributes of the object in the body of the REST request can be obtained; for example "$.network.type" gives the type attribute of the requested network.
Each policy makes true/false judgments through a series of assertion statements and finally returns an ACCEPT or REJECT decision; the details of the formal definition are as described above. The following example is a policy designed according to the grammar of the policy language of the invention, named Bob_can_post_vlan. By the first judgment statement, REST requests from user Bob are matched by this policy; by the second judgment statement, when Bob creates (POST) a network whose type is Vlan, the request is approved.
A policy file consists of a group of policies, divided into global policies (global policy) and local policies (local policy). Global policies apply to all requests: every request is examined by the global policies to decide whether it is rejected. A local policy contains a role attribute and may contain a user attribute; the request of a tenant is processed only by the local policies that have the same role and user name. The following is an example of a policy file containing one global policy and two local policies. User Alice belongs to the role user, so her REST requests are processed by the three policies system_update, user_can_get_on_mondy and alice_cannot_delete_firewall, whereas for another user Bob of the same role, his REST requests are processed only by the two policies system_update and user_can_get_on_mondy. The details of the formal definition of the policy file are as described above.
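As an added example, not the patent's code (its ANTLR grammar is not reproduced on this page), the following Python implements the language described in this section together with the tree evaluation of S3 and the decision rule of S4: the predefined attribute paths and the '$'-paths into the JSON body are resolved against a request, each assertion is parsed into a semantic tree whose leaves are attributes or values and whose inner nodes are comparison or logical operators, and global and local policies are combined into ACCEPT or REJECT, with the first REJECT terminating evaluation and a request that no policy accepts being rejected. The concrete assertion syntax (double-quoted literals; ==, != and in; and, or), the bodies given to system_update, user_can_get_on_mondy and alice_cannot_delete_firewall, the URIs and the request dicts are assumptions; the page supplies only the policy names and the description of Bob_can_post_vlan.

```python
"""Attribute-based policy language for northbound REST requests: assertions are
parsed into a semantic tree, evaluated against a request, and global and local
policies combined into ACCEPT/REJECT. Added example, not the patent's code; the
syntax (quoted literals; ==, !=, in; and, or), policy bodies and requests are assumptions."""
import re

ATTRS = {"subject": ("role", "user"), "action": ("uri", "query", "method"), "environment": ("date", "time", "week")}

def resolve(path, req):
    """Value of a predefined path, or of a '$.'-path into the JSON body of `req` (a dict)."""
    root, _, attr = path.partition(".")
    node = {"$": req["body"], "subject": req["headers"], "action": req,
            "environment": req["environment"]}.get(root)
    if node is None or (root != "$" and attr not in ATTRS[root]):
        raise ValueError(f"unknown attribute path {path!r}")
    for key in attr.split("."):                          # '$' string ('.' string)*
        if not isinstance(node, dict) or key not in node:
            return None                                  # absent attribute, not an error
        node = node[key]
    return node

TOKEN_RE = re.compile(r'"([^"]*)"|(==|!=|\band\b|\bor\b|\bin\b)|([A-Za-z_$][\w$.]*)|(\S)')
PREC = {"or": 1, "and": 2, "==": 3, "!=": 3, "in": 3}

def tokenize(text):
    """('lit', s), ('op', s) or ('attr', path) tokens; whitespace is skipped."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind = ("lit", "op", "attr", "bad")[m.lastindex - 1]
        if kind == "bad":
            raise SyntaxError(f"bad character {m.group()!r}")
        tokens.append((kind, m.group(m.lastindex)))
    return tokens

def parse(text):
    """Precedence climbing; leaves are ('attr', path) / ('lit', s), inner nodes (op, l, r)."""
    toks, pos = tokenize(text) + [("end", None)], 0
    def expr(min_prec):
        nonlocal pos
        kind, val = toks[pos]
        if kind not in ("attr", "lit"):
            raise SyntaxError(f"unexpected {val!r}")
        pos, node = pos + 1, (kind, val)
        while toks[pos][0] == "op" and PREC.get(toks[pos][1], 0) >= min_prec:
            op, pos = toks[pos][1], pos + 1
            node = (op, node, expr(PREC[op] + 1))
        return node
    tree = expr(1)
    if toks[pos][0] != "end":
        raise SyntaxError(f"trailing {toks[pos][1]!r}")
    return tree

def evaluate(node, req):
    """Traverse the subtree: leaves yield values, inner nodes combine their children."""
    op, *args = node
    if op in ("attr", "lit"):
        return resolve(args[0], req) if op == "attr" else args[0]
    lhs = evaluate(args[0], req)
    if op == "and":
        return bool(lhs) and bool(evaluate(args[1], req))
    if op == "or":
        return bool(lhs) or bool(evaluate(args[1], req))
    rhs = evaluate(args[1], req)
    if op == "in":                                       # substring or membership test
        return rhs is not None and lhs in rhs
    return lhs == rhs if op == "==" else lhs != rhs

def policy(name, effect, *assertions, role=None, user=None):
    """effect ACCEPT/REJECT when all assertions hold; role None = global, else local."""
    return {"name": name, "effect": effect, "role": role, "user": user,
            "assertions": [parse(a) for a in assertions]}

def decide(pol, req):
    """This policy's verdict, or None if it is not consulted or does not match."""
    headers = req["headers"]
    if pol["role"] is not None and (headers.get("role") != pol["role"]
                                    or pol["user"] not in (None, headers.get("user"))):
        return None
    return pol["effect"] if all(evaluate(a, req) for a in pol["assertions"]) else None

def execute(policies, req):
    """Globals first, then this role's locals; first REJECT wins; no ACCEPT = fail closed."""
    accepted = False
    for pol in sorted(policies, key=lambda p: p["role"] is not None):
        verdict = decide(pol, req)
        if verdict == "REJECT":
            return "REJECT", pol["name"]
        accepted = accepted or verdict == "ACCEPT"
    return ("ACCEPT", None) if accepted else ("REJECT", None)

# Constructed policy file (assumption): names follow the description, the bodies of
# the first three are invented here, and Bob_can_post_vlan is merged into the same file.
POLICIES = [
    policy("system_update", "REJECT", 'action.uri == "/system/config" and subject.role != "admin"'),
    policy("user_can_get_on_mondy", "ACCEPT", 'action.method == "GET"',
           'environment.week == "Monday"', role="user"),
    policy("alice_cannot_delete_firewall", "REJECT",
           'action.method == "DELETE" and "/fw/firewalls/" in action.uri', role="user", user="Alice"),
    policy("Bob_can_post_vlan", "ACCEPT", 'subject.user == "Bob"',
           'action.method == "POST" and $.network.type == "vlan"', role="user", user="Bob"),
]
```

Two properties of the combining rule are worth checking against the description: a global REJECT is returned even when a local policy would accept the same request (Alice reading /system/config on a Monday), and a request that no policy matches, such as a DELETE from a role that has no local policies, is rejected rather than silently allowed.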
S3: Policy language interpreter
The policy language interpreter translates the policy written in a human-readable language into a tree-shaped data structure that the computer can understand and store. Fig. 2 shows the semantic tree of an example global policy, which states that the administrator role has permission to access all resources. In a policy semantic tree each leaf node represents an attribute or a value, and the other nodes represent comparison or logical operators. Each expression is therefore a subtree of the semantic tree, and the result of the policy is obtained by traversing the left and right subtrees of a node.
In the implementation, entering the command sloth:reload in the Karaf console converts the policies formulated by the administrator; all policies are finally stored as tree structures in the controller's database for the permission examination of subsequent requests. During conversion, the parser generator ANTLR is used to read and parse the policies into tree structures.
S4: Policy execution engine
When a REST request arrives, the policy execution engine processes it with the global policies and with the local policies corresponding to the tenant that sent the request. If any policy returns a REJECT decision, the policy execution engine terminates immediately and rejects the REST request; if no policy matched and returned an ACCEPT decision, the policy execution engine also rejects the REST request; otherwise it approves the request according to the returned ACCEPT.
In actual use REST requests are typically concurrent. So that the policy execution engine handles them quickly and accurately, the invention uses Akka to create multiple Actors that process requests in parallel, and designs a request queue and a response queue to buffer pending requests and the examination results of processed requests respectively; this design effectively relieves request congestion. A policy database monitor perceives dynamic changes of the policies: after a policy is updated, the policy dynamic monitor updates the policy database accordingly, the new policy takes effect, and subsequent requests are examined against the newest policies. The command sloth:cache can likewise be executed in the Karaf console to inspect the policies currently in the database in real time.
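The following Python is an added example, not the patent's implementation (the page names Akka actors and the Karaf console, neither of which is used here). It shows the shape of the execution engine described above: worker threads take requests from a request queue, evaluate each one against a snapshot of the policy set and put the verdict on a response queue, while a policy store lets the policy set be replaced at run time in the way sloth:reload does. The point a practitioner should check in such a design is that the reload is atomic: the version and the policy tuple are swapped together, so every request is judged against either the complete old set or the complete new one, never a mixture. The policies, the request dicts and the simplified combining rule are assumptions.

```python
"""Policy execution engine with a request queue, a response queue, a pool of
worker threads and a policy store that can be swapped while the engine runs.
Added example, not the patent's Akka/Karaf code; policies are plain callables
and the requests are constructed dicts, both assumptions."""
import itertools
import queue
import threading

ACCEPT, REJECT = "ACCEPT", "REJECT"


class PolicyStore:
    """Policy database plus its change monitor, reduced to one attribute. The
    (version, policies) pair is replaced as a whole, so a worker that has taken a
    snapshot evaluates one complete policy set, never a half-updated one."""
    def __init__(self, policies):
        self._state = (1, tuple(policies))
        self._lock = threading.Lock()            # serialises concurrent reloads

    def snapshot(self):
        return self._state                       # a single atomic reference read

    def reload(self, policies):
        with self._lock:
            version, _ = self._state
            self._state = (version + 1, tuple(policies))


def combine(policies, request):
    """Any REJECT wins; otherwise at least one ACCEPT is required (fail closed)."""
    verdicts = [p(request) for p in policies]
    if REJECT in verdicts:
        return REJECT
    return ACCEPT if ACCEPT in verdicts else REJECT


class ExecutionEngine:
    _STOP = object()

    def __init__(self, store, workers=4):
        self.store = store
        self.requests = queue.Queue()            # pending requests
        self.responses = queue.Queue()           # (request id, verdict, policy version)
        self._ids = itertools.count(1)
        self._workers = [threading.Thread(target=self._run, daemon=True)
                         for _ in range(workers)]
        for t in self._workers:
            t.start()

    def _run(self):
        while True:
            item = self.requests.get()
            if item is self._STOP:
                return
            request_id, request = item
            version, policies = self.store.snapshot()   # one consistent view per request
            self.responses.put((request_id, combine(policies, request), version))
            self.requests.task_done()

    def check(self, requests):
        """Access-filter side: enqueue a batch, wait for every verdict and return
        (verdict, policy version) pairs in submission order."""
        ids = [next(self._ids) for _ in requests]
        for request_id, request in zip(ids, requests):
            self.requests.put((request_id, request))
        self.requests.join()
        results = {}
        while len(results) < len(ids):
            request_id, verdict, version = self.responses.get()
            results[request_id] = (verdict, version)
        return [results[i] for i in ids]

    def shutdown(self):
        for _ in self._workers:
            self.requests.put(self._STOP)
        for t in self._workers:
            t.join()


# Constructed policies (assumptions): each returns ACCEPT, REJECT or None (does not apply).
def allow_get(req):
    return ACCEPT if req["method"] == "GET" else None

def allow_post_network(req):
    return ACCEPT if req["method"] == "POST" and req["uri"].startswith("/v2.0/networks") else None

def deny_firewall_delete(req):
    return REJECT if req["method"] == "DELETE" and "/fw/firewalls/" in req["uri"] else None


def demo():
    """Run a batch, reload the policies without stopping the engine, run it again."""
    store = PolicyStore([allow_get, deny_firewall_delete])
    engine = ExecutionEngine(store, workers=4)
    batch = [{"method": "GET", "uri": "/v2.0/networks"},
             {"method": "POST", "uri": "/v2.0/networks"},
             {"method": "DELETE", "uri": "/v2.0/fw/firewalls/fw1"}]
    before = engine.check(batch)
    store.reload([allow_get, allow_post_network, deny_firewall_delete])   # run-time reload
    after = engine.check(batch)
    engine.shutdown()
    return before, after
```

In demo() the POST is rejected under policy version 1 because nothing accepts it, and accepted under version 2 after the reload; the version returned with each verdict is what an audit log would need to show which policy set judged a request.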
The above description of the embodiment is intended to help those skilled in the art understand and apply the invention. Those skilled in the art can obviously make various modifications to the above embodiment and apply the general principles described herein to other embodiments without creative effort. The invention is therefore not limited to the above embodiment, and improvements and modifications made to the invention by those skilled in the art according to its disclosure all fall within the scope of protection of the invention.
Claims (2)
1. A cloud network resource management control system based on a policy language under software defined networking, characterized in that it comprises a policy language interpreter, a policy database, a policy execution engine and an access filter, wherein:
the policy language interpreter uses the parser generator ANTLR to convert the semantic policy formulated by the network administrator into a tree-structured policy that the system can recognize and process, and stores it in the policy database, the semantic policy being the set of rules by which the network administrator specifies the operation behaviour and permissions of users;
the access filter intercepts the operation requests of users and sends them to the policy execution engine;
the policy execution engine reads the tree-structured policy from the policy database, examines the permissions of the user's operation request according to the tree-structured policy, and returns the examination result to the access filter; if the examination result is Reject, the access filter refuses the user's operation request and returns the examination result to the user; if the examination result is Accept, the access filter passes the user's operation request to the system controller for subsequent processing.
2. The cloud network resource management control system according to claim 1, characterized in that the semantic policy comprises two parts, global policies and local policies; the request of every user is first examined by the global policies, and if the request violates any rule of the global policies the policy execution engine returns Reject to the user through the access filter, whereas if the request passes all rules of the global policies it is examined further by the local policies; according to the user's attributes the policy execution engine extracts from the policy database the local policies that match the user's role and user name, and if the request violates any rule of those local policies the policy execution engine returns Reject to the user through the access filter, whereas if the request passes all rules of the local policies the policy execution engine returns Accept to the user through the access filter and the access filter passes the user's request to the system controller for subsequent processing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810159706.0A CN108366068B (en) | 2018-02-26 | 2018-02-26 | Policy language-based cloud network resource management control system in software defined network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108366068A true CN108366068A (en) | 2018-08-03 |
CN108366068B CN108366068B (en) | 2020-10-13 |
Family
ID=63002538
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810159706.0A Active CN108366068B (en) | 2018-02-26 | 2018-02-26 | Policy language-based cloud network resource management control system in software defined network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108366068B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN113381969A (en) * | 2020-03-09 | 2021-09-10 | 北京达佳互联信息技术有限公司 | Resource access control method, device and equipment and storage medium
CN113381969B (en) * | 2020-03-09 | 2023-06-27 | 北京达佳互联信息技术有限公司 | Resource access control method, device and equipment and storage medium
CN113141341A (en) * | 2020-11-19 | 2021-07-20 | 北京航空航天大学 | Programmable software-defined network security policy system
CN115333832A (en) * | 2022-08-12 | 2022-11-11 | 格尔软件股份有限公司 | Access right judging method and device, computer equipment and storage medium
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106453332A (en) * | 2016-10-18 | 2017-02-22 | 上海斐讯数据通信技术有限公司 | SDN-based dynamic user permission control method, device and system |
CN106572120A (en) * | 2016-11-11 | 2017-04-19 | 中国南方电网有限责任公司 | Access control method and system based on mixed cloud |
CN106790219A (en) * | 2017-01-10 | 2017-05-31 | 中国科学院信息工程研究所 | Access control method and system for an SDN controller |
CN106790147A (en) * | 2016-12-28 | 2017-05-31 | 北京神州绿盟信息安全科技股份有限公司 | Access control method and device |
CN106992877A (en) * | 2017-03-08 | 2017-07-28 | 中国人民解放军国防科学技术大学 | Network fault detection and repair method based on SDN architecture |
US20180026987A1 (en) * | 2016-07-21 | 2018-01-25 | At&T Intellectual Property I, L.P. | Systems and methods for providing software defined network based dynamic access control in a cloud |
- 2018-02-26 CN CN201810159706.0A patent/CN108366068B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180026987A1 (en) * | 2016-07-21 | 2018-01-25 | At&T Intellectual Property I, L.P. | Systems and methods for providing software defined network based dynamic access control in a cloud |
CN106453332A (en) * | 2016-10-18 | 2017-02-22 | 上海斐讯数据通信技术有限公司 | SDN-based dynamic user permission control method, device and system |
CN106572120A (en) * | 2016-11-11 | 2017-04-19 | 中国南方电网有限责任公司 | Access control method and system based on mixed cloud |
CN106790147A (en) * | 2016-12-28 | 2017-05-31 | 北京神州绿盟信息安全科技股份有限公司 | Access control method and device |
CN106790219A (en) * | 2017-01-10 | 2017-05-31 | 中国科学院信息工程研究所 | Access control method and system for an SDN controller |
CN106992877A (en) * | 2017-03-08 | 2017-07-28 | 中国人民解放军国防科学技术大学 | Network fault detection and repair method based on SDN architecture |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113381969A (en) * | 2020-03-09 | 2021-09-10 | 北京达佳互联信息技术有限公司 | Resource access control method, device and equipment and storage medium |
CN113381969B (en) * | 2020-03-09 | 2023-06-27 | 北京达佳互联信息技术有限公司 | Resource access control method, device and equipment and storage medium |
CN113141341A (en) * | 2020-11-19 | 2021-07-20 | 北京航空航天大学 | Programmable software-defined network security policy system |
CN115333832A (en) * | 2022-08-12 | 2022-11-11 | 格尔软件股份有限公司 | Access right judging method and device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108366068B (en) | 2020-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111488595B (en) | | Method for realizing authority control and related equipment |
Han et al. | | A survey on policy languages in network and security management |
CN111726353A (en) | | Sensitive data grading protection method and grading protection system based on numerical control system |
EP2370928B1 (en) | | Access control |
CN109302310B (en) | | Network operation and maintenance vulnerability analysis method |
CN111818059B (en) | | Automatic construction system and method for access control strategy of high-level information system |
CN108366068A (en) | | Policy language-based cloud network resource management control system in a software defined network |
Alkhresheh et al. | | DACIoT: Dynamic access control framework for IoT deployments |
Pérez et al. | | Semantic-based authorization architecture for grid |
Mohamed et al. | | Extended authorization policy for graph-structured data |
Stojanov et al. | | Linked data authorization platform |
Liu et al. | | DACAS: integration of attribute-based access control for northbound interface security in SDN |
Iqbal et al. | | Corda Security Ontology: Example of Post-Trade Matching and Confirmation |
Fernandez et al. | | Using patterns to understand and compare web services security products and standards |
US20220141256A1 (en) | | Method and system for performing security management automation in cloud-based security services |
Khalil et al. | | IoT-MAAC: Multiple attribute access control for IoT environments |
Bruno et al. | | Enforcing access controls in IoT networks |
Hebig et al. | | A web service architecture for decentralised identity- and attribute-based access control |
Hernandez et al. | | TIKD: A Trusted Integrated Knowledge Dataspace for Sensitive Data Sharing and Collaboration |
Nabil et al. | | ABAC conceptual graph model for composite web services |
Allison et al. | | A privacy manager for collaborative working environments |
Karafili et al. | | Automatic firewalls' configuration using argumentation reasoning |
JP2004110806A (en) | | Information filtering device, information filtering method, method execution program and program storage medium |
Zaborovsky et al. | | Dynamic firewall configuration: Security system architecture and algebra of the filtering rules |
Ward et al. | | Analysis of Identity Access Management Controls in IoT Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |