CN108366068A - Cloud network resource management control system based on policy language under a software defined network - Google Patents

Info

Publication number
CN108366068A
Application number
CN201810159706.0A
Authority
CN (China)
Prior art keywords
policy, user, network, execution engine, strategy
Legal status
Granted
Other languages
Chinese (zh)
Other versions
CN108366068B (en)
Inventor
冷雪
陈焰
侯开宇
卜凯
李星
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date
2018-02-26
Filing date
2018-02-26
Publication date
2018-08-03
Events
Application filed by Zhejiang University ZJU
Priority to CN201810159706.0A
Publication of CN108366068A
Application granted
Publication of CN108366068B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/253 Grammatical analysis; Style critique

Abstract

The invention discloses a cloud network resource management control system based on a policy language under a software defined network, comprising a policy language interpreter, a policy database, a policy execution engine and an access filter. The system can isolate misconfigurations and unauthorized access to cloud network resources. Through a fine-grained access control language for cloud network resources, the invention lets the network administrator of the cloud service provider express access control intentions for cloud network resources, and the language can describe different access control rules for different cloud users, user groups, network resources and their attributes. To realize the cloud network resource access control system under a software defined network, the invention gives the required implementation details, including the method of inserting the system into the software defined network controller and the design of the language interpreter and the policy execution engine.

Description

Cloud network resource management control system based on policy language under a software defined network
Technical field
The invention belongs to the field of network communication technology, and in particular relates to a cloud network resource management control system based on a policy language under a software defined network.
Background technology
Software defined networking (SDN) is a novel network architecture. Compared with the traditional seven-layer network architecture, the core design of SDN is to separate the control plane from the forwarding plane: the network is divided, from top to bottom, into an application layer, a control layer and a forwarding layer. All configuration and management of the network is concentrated in the controller, and the forwarding devices are only responsible for forwarding traffic efficiently. The centralized control of the network in SDN greatly simplifies the work of the network administrator, and its flexible programmability provides a broad space for the development of upper-layer applications.
Cloud computing has been widely researched and applied in academia and industry, and the SDN-based cloud is a new and bold combination of the two. In an SDN-based cloud, SDN provides the underlying network services and network management for the cloud above it; while retaining the elasticity and scalability of the cloud, it also gains the good characteristics of SDN such as centralized management and flexible programmability, and provides a flexible, efficient and convenient means of control for network resources and network services.
The world's leading cloud service providers (Microsoft Azure, IBM, Google Cloud) all apply SDN in their network architectures. A survey by Synergy Research Group shows that global cloud infrastructure service revenue in the third quarter of 2017 was 12 billion dollars. With such huge economic interests at stake, any tiny vulnerability or attack may bring large economic losses; in particular, the information leakage and data tampering caused by unauthorized-access attacks can further threaten the security of the whole network.
Traditional access control for network resources mainly focuses on reachability between network segments, for example using the access control list (ACL) in a firewall to configure corresponding forwarding rules and thereby control the forwarding of network traffic. For the management of cloud network resources in SDN (such as network state and flow tables), however, there is no corresponding control mechanism. Network resource management and control can be divided into two stages: the network configuration stage and the network access stage. Correct network configuration ensures that a tenant operates within a legitimate network space, and effective management and control can manage the tenant's permissions and protect the controller and the network resources.
Academia has done some research on resource management and control in traditional networks and in SDN, but none of it solves the above problems well. PayLess provides a REST API for upper-layer applications to collect flow statistics from network devices in order to monitor the SDN network, but it can only monitor network connectivity and the like from flow information, and cannot manage or control network configuration and access. SDNShield makes certain modifications to the plug-ins inside the controller in order to control access and solve the problem of applications exceeding their authority, but because such a method must change the code of every plug-in, its applicability and portability are poor, and it cannot solve the problem of network configuration control. Although existing cloud environments have techniques for isolating tenants from each other, there is no good control over the granularity of the resources accessible within a tenant.
It can be seen that the problems still present in the prior art are: the controller lacks fine-grained behaviour and permission control over the access requests of upper-layer applications; there is a risk that users abuse underlying services through applications; malicious user operations can steal from or damage the network; and controller resources are wasted, that is, the controller processes many requests that should not have been processed.
Specifically, there are problems in the following two respects. (1) In network configuration, there may be configuration errors: when a network is created, the requested resources may conflict with existing ones (the administrator may have forgotten something or entered it incorrectly); without control this leads to configuration failures or conflicts, which can only be discovered when the problem actually occurs after deployment to the devices, at great cost and with a waste of controller resources. (2) In network access, there may be unauthorized access, which can be described as follows: user A has resources R1 and R2 respectively. Unauthorized access across resources within a user: A may access resource R1 but is not allowed to access resource R2, yet A learns the access address of resource R2 from its URL and thereby obtains the information of R2. Unauthorized operation within a resource: A may create resource R1 but may not delete it; if uncontrolled, A can request a delete operation on R1 through REST.
In summary, the SDN-based cloud environment lacks a control mechanism for cloud network resources that spans network configuration and network access. Traditional access control techniques can only control reachability between networks from the viewpoint of the path (such as the access control list function in a firewall) and cannot control access to the requested resource. Related access control techniques in the SDN field can identify unauthorized access requests, but because each plug-in inside the controller must be modified, they cannot achieve generality in controlling access requests, and illegal access requests still occupy additional controller resources, wasting valuable computing resources.
Invention content
In view of the above, the invention provides a cloud network resource management control system based on a policy language under a software defined network, so as to realize network resource access control throughout the whole process of network configuration and network access.
The cloud network resource management control system based on a policy language under a software defined network comprises a policy language interpreter, a policy database, a policy execution engine and an access filter, wherein:
The policy language interpreter uses the parser generator ANTLR (ANother Tool for Language Recognition) to convert the semantic policy formulated by the network administrator into a tree-structured policy that the system can recognize and process, and stores it in the policy database; the semantic policy is the set of rules with which the network administrator specifies the behaviour and permissions of user operations.
The access filter is used to intercept the operation requests of users and send them to the policy execution engine.
The policy execution engine is used to read the tree-structured policy from the policy database, then examine the permissions of the user's operation request according to the tree-structured policy, and return the examination result to the access filter. If the examination result is Reject, the access filter refuses the user's operation request and returns the examination result to the user; if the examination result is Accept, the access filter hands the user's operation request to the system controller for subsequent processing.
Further, the semantic policy comprises two parts, global policies and local policies. The requests of all users are first examined by the global policies: if a request violates any rule in the global policies, the policy execution engine returns Reject to the user through the access filter; if the request passes all rules in the global policies, it is further examined by the local policies. The policy execution engine extracts from the policy database, according to the user's attributes, the local policies matching the user's role and user name; if the request violates any rule in the local policies, the policy execution engine returns Reject to the user through the access filter, and if the request passes all rules in the local policies, the policy execution engine returns Accept to the user through the access filter, and the access filter hands the user's request to the system controller for subsequent processing.
The above technical scheme gives the control and management architecture of cloud network resources under a software defined network, which can isolate misconfigurations and unauthorized access to cloud network resources. Through a fine-grained access control language for cloud network resources, the invention lets the network administrator of the cloud service provider express access control intentions for cloud network resources, and the language can describe different access control rules for different cloud users, user groups, network resources and their attributes. To realize the cloud network resource access control system under a software defined network, the invention gives the required implementation details, including the method of inserting the system into the software defined network controller and the design of the language interpreter and the policy execution engine. Therefore, compared with the prior art, the invention has the following advantageous effects:
1. A fine-grained policy language. The invention designs an attribute-based policy language for the network administrator to describe the security policy of the network. It can accurately describe the intended security control, taking each attribute of the access requester, the requested resource and the system itself as the basis for decisions, and provides strong support for precise control of network resources.
2. Network configuration errors and illegal unauthorized access can be identified and isolated. Based on the policy formulated by the network administrator, when a network configuration request or network access request that violates the policy occurs, the invention can accurately identify the erroneous network configuration request and the illegal unauthorized access request and isolate them outside the controller.
3. Dynamic policy configuration is supported. Security requirements may change during actual use; the invention supports configuring security policies dynamically while the system is running and bringing them into effect without shutdown or recompilation, which greatly improves the flexibility and applicability of the invention in practice.
4. Flexibility and convenience. Unlike the prior art, the invention does not need to modify the plug-ins in the controller or the upper-layer applications; it runs only as a filter on the northbound side of the controller to intercept and filter illegal requests. Illegal requests are isolated outside the controller, so the risk is kept outside, and valuable controller resources are saved for handling legitimate requests.
Description of the drawings
Fig. 1 is a structural schematic diagram of the cloud network resource management control system of the invention.
Fig. 2 is a structural schematic diagram of the policy semantic tree of the invention.
Specific implementation mode
In order to describe the invention more specifically, the technical scheme of the invention is described in detail below with reference to the accompanying drawings and specific embodiments.
S1: System structure and workflow
The cloud network resource management control system based on a policy language under a software defined network according to the invention is shown in Fig. 1. The cloud service provider 101 provides tenants 102 with modules such as computing 103, network 104 and storage 105 in the cloud, and the cloud network resources are controlled by the software defined network controller 201. When a tenant accesses and uses the network resources provided by the controller plug-ins 203, the cloud network module (such as Neutron in OpenStack) sends REST requests 403 to the controller through the controller's northbound interface (North-Bound Interface, NBI); the REST request service component 202 in the controller receives and parses these requests and dispatches them to the corresponding controller plug-ins 203 for processing.
The core components of the invention comprise the policy language interpreter 301, the policy execution engine 302, the access filter 303 and the policy database 304. The access filter is inserted into the REST component 202 of the controller, so that all REST requests 403 sent to the controller are processed by the access filter. The policy database directly uses the unified data storage service provided by the controller kernel 204.
The general execution steps of the invention are:
1. The network administrator 401 of the cloud service provider writes the access management rules for the network resources as a policy 402, using the language designed by the invention.
2. The policy file is issued to the language parser module 301 of the invention.
3. The language interpreter module 301 converts the policy written by the administrator into a format that the computer can understand and store, and stores it in the policy database 304 of the controller kernel 204.
4. When a cloud tenant 102 wants to use network resources, a REST request 403 is issued through the cloud network component 104 to the REST component 202 of the controller.
5. All REST requests sent to the REST component 202 are processed by the access filter 303 that the invention inserts into the REST component. The access filter hands the REST request to the policy execution engine 302 to decide whether its execution is approved.
6. The policy execution engine 302 compares the REST request to be judged against the policy rules in the policy database 304 and makes a decision of approval (ACCEPT) or refusal (REJECT). An approved REST request is dispatched by the REST component for execution; a refused REST request is not processed, and the controller directly returns a "request rejected" indication to the tenant.
S2: Policy language design
S2-1: REST requests
Cloud tenants use network resources by sending REST requests to the northbound interface of the software defined network controller. A typical REST request comprises the following four essential parts:
1. Request method (Method): the request method indicates the operation that the REST request wishes to perform on the network resource, and generally comprises four request types: query (GET), create (POST), update or replace (PUT), and delete (DELETE) a network resource.
2. Uniform resource identifier (URI): the URI identifies the requested network resource; each network resource has a unique URI in the controller.
3. Request headers (Headers): the headers generally carry the information needed to transmit the HTTP message, such as the content format (Content-Type), which shows that the REST request uses the JSON format (application/json), and the authentication information (Authorization), which contains the information of the tenant sending the REST request; the authentication information usually has many encryption schemes.
4. Body: the body of the REST request contains the specific attribute values of the requested network resource; the policy language designed by the invention can identify each attribute value in the body at fine granularity.
When a tenant accesses network resources, it can access the resources in the controller through the REST API, and the controller then configures the underlying devices. The basic operations are create, delete, update and query of resources; the abstract resources at the upper layer are networks, subnets, routers, firewalls, load balancers and so on, while in the concrete controller implementation they become flow tables written to the devices to realize the forwarding of traffic. The system designed by the invention can perform fine-grained resource access control.
S2-2: Policy language grammar
The system of the invention uses policies to decide whether to approve or refuse a REST request. The grammar of the access control policy language is detailed as follows:
The invention abstracts a policy P as a combination of subject S, object O and environment E:
P(S,O,E) := (ATTR(S) op ATTR(O) op ATTR(E))
1. Subject S: the tenant and its related information, such as the user name in the Header part and the role corresponding to that user.
2. Object O: the network resource requested by the tenant and its attributes, such as the URI and Body parts.
3. Environment E: the environment in which the REST request occurs, such as which tenant the cloud resource belongs to and whether its lease has expired, which are key information for determining whether the user can access the resource.
The invention predefines a data structure to obtain the above information from the REST request; the details of the predefined data structure are as follows.
predefined : 'subject.' ('role' | 'user')
           | 'action.' ('uri' | 'query' | 'method')
           | 'environment.' ('date' | 'time' | 'week')
For example, subject.role and subject.user obtain the role and user name of the tenant sending the REST request; action.uri obtains the URI in the REST request; and environment obtains the environment-related information. Meanwhile, following the request specification of the JSON data format, the path '$' string ('.' string)* obtains the detailed attributes of the object in the REST request body; for example, "$.network.type" obtains the type attribute of the requested network.
Each policy (policy) makes true-or-false judgements through a series of assertion statements and finally returns a decision of ACCEPT or REJECT; the formal definition follows the description above. The following example is a policy designed according to the grammar of the policy language of the invention; its name is Bob_can_post_vlan. By the first judgement statement, REST requests from user Bob are matched by this policy; by the second judgement statement, when Bob creates (POST) a network whose network type is Vlan, the request is approved.
A policy file consists of a group of policies, divided into global policies (global policy) and local policies (local policy). Global policies apply to all requests: every request is examined by the global policies to decide whether it is rejected. A local policy contains a role (role) attribute and may also contain a user (user) attribute; a tenant's request is processed only by the local policies with the same role and user name. Below is an example policy file containing one global policy and two local policies. User Alice belongs to the user role, so her REST requests are processed by the three policies system_update, user_can_get_on_mondy and alice_cannot_delete_firewall, whereas for another user Bob of the user role, his REST requests are processed only by the two policies system_update and user_can_get_on_mondy. The formal definition of the policy file follows the description above.
S3: Policy language interpreter
The policy language interpreter translates the policy written in human language into a tree data structure that the computer can understand and store. Fig. 2 shows an example semantic tree of a global policy; the policy in this semantic tree states that the administrator role has permission to access all resources. In the policy semantic tree, each leaf node represents an attribute or a value, and the other nodes represent comparison or logical operators. Therefore, each expression is a subtree of the semantic tree, and by traversing the left subtree and the right subtree of a node, the return result of the policy can be determined.
In the implementation, entering the sloth:Reload command in the Karaf console converts the policy formulated by the administrator; finally, all policies are stored in tree structure in the controller's database for the permission checking of subsequent requests. When converting a policy, the parser generator ANTLR is used to read and parse the policy into a tree structure.
S4: Policy execution engine
When a REST request arrives, the policy execution engine processes the request with the global policies and with the local policies corresponding to the tenant sending the request. If any policy returns a REJECT decision, the policy execution engine terminates immediately and refuses the REST request; if no policy matches and returns an ACCEPT decision, the policy execution engine refuses the REST request; otherwise the policy execution engine approves the request according to the returned ACCEPT.
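The attribute grammar of S2-2, the semantic tree of S3 and the decision flow of S4 as one added worked example in Python (not the patent's own code, which runs inside the Karaf-based controller): policies are trees whose leaves are attributes or values and whose inner nodes are operators, and the engine applies the global policies first, then the tenant's local policies, refusing on the first REJECT and refusing by default when no policy ACCEPTs. The split of each policy into a match predicate and a decision condition, the rule bodies behind the page's policy names, and the request format are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# The page's predefined attribute names; "$.a.b" paths address the JSON body.
PREDEFINED = {"subject": ("role", "user"), "action": ("uri", "query", "method"),
              "environment": ("date", "time", "week")}

def resolve(path: str, req: Dict[str, Any]) -> Any:
    """Look up one attribute of the request; a missing body attribute yields None."""
    if path.startswith("$."):
        node: Any = req.get("body", {})
        for key in path[2:].split("."):
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        return node
    scope, _, name = path.partition(".")
    if name not in PREDEFINED.get(scope, ()):
        raise ValueError(f"unknown attribute {path!r}")
    return req.get(scope, {}).get(name)

# Semantic tree (S3): leaves carry an attribute path or a literal value; inner
# nodes carry a comparison ("==", "contains") or the logical operator "and".
@dataclass
class Node:
    op: Optional[str] = None
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    attr: Optional[str] = None
    value: Any = None

def A(path: str) -> Node: return Node(attr=path)                  # attribute leaf
def V(value: Any) -> Node: return Node(value=value)               # literal leaf
def eq(path: str, value: Any) -> Node: return Node("==", A(path), V(value))
def both(a: Node, b: Node) -> Node: return Node("and", a, b)

def evaluate(node: Node, req: Dict[str, Any]) -> Any:
    """Evaluate a subtree: resolve the leaves, then apply the node's operator."""
    if node.op is None:
        return resolve(node.attr, req) if node.attr is not None else node.value
    l = evaluate(node.left, req)
    if node.op == "and":                       # short-circuit on a false left subtree
        return bool(l) and bool(evaluate(node.right, req))
    r = evaluate(node.right, req)
    if node.op == "==":
        return l == r
    if node.op == "contains":
        return isinstance(l, str) and isinstance(r, str) and r in l
    raise ValueError(f"unknown operator {node.op!r}")

@dataclass
class Policy:
    """Assumed policy shape: match selects requests, condition yields the decision."""
    name: str
    match: Node
    condition: Node
    decision: str                 # "ACCEPT" or "REJECT", returned when condition holds
    role: Optional[str] = None    # role/user are None for a global policy
    user: Optional[str] = None

    def apply(self, req: Dict[str, Any]) -> Optional[str]:
        if not evaluate(self.match, req):
            return None           # the policy says nothing about this request
        return self.decision if evaluate(self.condition, req) else None

def decide(req: Dict[str, Any], policies: List[Policy]) -> Tuple[str, str]:
    """S4 flow: global, then local policies; first REJECT wins; no ACCEPT means REJECT."""
    subj = req.get("subject", {})
    global_ps = [p for p in policies if p.role is None]
    local_ps = [p for p in policies if p.role is not None and p.role == subj.get("role")
                and (p.user is None or p.user == subj.get("user"))]
    accepted_by = None
    for p in global_ps + local_ps:
        verdict = p.apply(req)
        if verdict == "REJECT":
            return "REJECT", p.name
        if verdict == "ACCEPT":
            accepted_by = accepted_by or p.name
    return ("ACCEPT", accepted_by) if accepted_by else ("REJECT", "no matching ACCEPT")

# Constructed policy file using the page's policy names; the rule bodies are assumed
# (system_update is given Fig. 2's "administrator may access every resource" rule).
POLICIES = [
    Policy("system_update", V(True), eq("subject.role", "admin"), "ACCEPT"),
    Policy("user_can_get_on_mondy", V(True),
           both(eq("action.method", "GET"), eq("environment.week", "Monday")),
           "ACCEPT", role="user"),
    Policy("alice_cannot_delete_firewall", eq("subject.user", "Alice"),
           both(eq("action.method", "DELETE"),
                Node("contains", A("action.uri"), V("firewall"))),
           "REJECT", role="user", user="Alice"),
    Policy("Bob_can_post_vlan", eq("subject.user", "Bob"),
           both(eq("action.method", "POST"), eq("$.network.type", "vlan")),
           "ACCEPT", role="user", user="Bob"),
]

def request(user, role, method, uri, body=None, week="Monday") -> Dict[str, Any]:
    """Constructed REST request, as the access filter would hand it to the engine."""
    return {"subject": {"user": user, "role": role},
            "action": {"uri": uri, "query": "", "method": method},
            "environment": {"date": "2018-02-26", "time": "09:00", "week": week},
            "body": body or {}}
```

Bob's DELETE on a network he created is refused because no policy returns ACCEPT for it, which is the in-resource unauthorized operation the background section describes.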
In actual use, REST requests are usually concurrent. To let the policy execution engine handle these requests promptly and accurately, the invention uses Akka to create multiple Actors for parallel processing of requests, and designs a request queue and a response queue to buffer pending requests and the check results of processed requests respectively; this design effectively alleviates request congestion. A policy database monitor is used to perceive dynamic changes of the policies: after a policy is updated, the policy dynamic monitor updates the policy database accordingly, the new policy takes effect, and subsequent requests are examined according to the latest policy. The sloth:cache command can likewise be executed in the Karaf console to inspect the policies currently in the database in real time.
The above description of the embodiments is intended to help those skilled in the art understand and apply the invention. Those skilled in the art can obviously make various modifications to the above embodiments and apply the general principles described herein to other embodiments without creative effort. Therefore, the invention is not limited to the above embodiments; improvements and modifications made to the invention by those skilled in the art according to the disclosure of the invention should all fall within the protection scope of the invention.

Claims (2)

1. A cloud network resource management control system based on a policy language under a software defined network, characterized in that it comprises a policy language interpreter, a policy database, a policy execution engine and an access filter, wherein:
the policy language interpreter uses the parser generator ANTLR to convert the semantic policy formulated by the network administrator into a tree-structured policy that the system can recognize and process, and stores it in the policy database; the semantic policy is the set of rules with which the network administrator specifies the behaviour and permissions of user operations;
the access filter is used to intercept the operation requests of users and send them to the policy execution engine;
the policy execution engine is used to read the tree-structured policy from the policy database, examine the permissions of the user's operation request according to the tree-structured policy, and return the examination result to the access filter; if the examination result is Reject, the access filter refuses the user's operation request and returns the examination result to the user; if the examination result is Accept, the access filter hands the user's operation request to the system controller for subsequent processing.
2. The cloud network resource management control system according to claim 1, characterized in that the semantic policy comprises two parts, global policies and local policies; the requests of all users are first examined by the global policies; if a request violates any rule in the global policies, the policy execution engine returns Reject to the user through the access filter, and if the request passes all rules in the global policies, it is further examined by the local policies; the policy execution engine extracts from the policy database, according to the user's attributes, the local policies matching the user's role and user name; if the request violates any rule in the local policies, the policy execution engine returns Reject to the user through the access filter, and if the request passes all rules in the local policies, the policy execution engine returns Accept to the user through the access filter and the access filter hands the user's request to the system controller for subsequent processing.
CN201810159706.0A 2018-02-26 2018-02-26 Policy language-based cloud network resource management control system in software defined network Active CN108366068B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810159706.0A CN108366068B (en) 2018-02-26 2018-02-26 Policy language-based cloud network resource management control system in software defined network

Publications (2)

CN108366068A (en), published 2018-08-03 (this publication)
CN108366068B (en), published 2020-10-13

Family

ID=63002538

Country Status (1)

CN: CN108366068B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113141341A (en) * 2020-11-19 2021-07-20 北京航空航天大学 Programmable software-defined network security policy system
CN113381969A (en) * 2020-03-09 2021-09-10 北京达佳互联信息技术有限公司 Resource access control method, device and equipment and storage medium
CN115333832A (en) * 2022-08-12 2022-11-11 格尔软件股份有限公司 Access right judging method and device, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453332A (en) * 2016-10-18 2017-02-22 上海斐讯数据通信技术有限公司 SDN-based dynamic user permission control method, device and system
CN106572120A (en) * 2016-11-11 2017-04-19 中国南方电网有限责任公司 Access control method and system based on mixed cloud
CN106790219A (en) * 2017-01-10 2017-05-31 中国科学院信息工程研究所 The access control method and system of a kind of SDN controllers
CN106790147A (en) * 2016-12-28 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of access control method and its device
CN106992877A (en) * 2017-03-08 2017-07-28 中国人民解放军国防科学技术大学 Network Fault Detection and restorative procedure based on SDN frameworks
US20180026987A1 (en) * 2016-07-21 2018-01-25 At&T Intellectual Property I, L.P. Systems and methods for providing software defined network based dynamic access control in a cloud

Also Published As

Publication number Publication date
CN108366068B (en) 2020-10-13

Similar Documents

Publication Publication Date Title
CN111488595B (en) Method for realizing authority control and related equipment
Han et al. A survey on policy languages in network and security management
CN111726353A (en) Sensitive data grading protection method and grading protection system based on numerical control system
EP2370928B1 (en) Access control
CN109302310B (en) Network operation and maintenance vulnerability analysis method
CN111818059B (en) Automatic construction system and method for access control strategy of high-level information system
CN108366068A (en) Cloud network resource management control system based on policy language under a kind of software defined network
Alkhresheh et al. DACIoT: Dynamic access control framework for IoT deployments
Pérez et al. Semantic-based authorization architecture for grid
Mohamed et al. Extended authorization policy for graph-structured data
Stojanov et al. Linked data authorization platform
Liu et al. DACAS: integration of attribute-based access control for northbound interface security in SDN
Iqbal et al. Corda Security Ontology: Example of Post-Trade Matching and Confirmation.
Fernandez et al. Using patterns to understand and compare web services security products and standards
US20220141256A1 (en) Method and system for performing security management automation in cloud-based security services
Khalil et al. IoT-MAAC: Multiple attribute access control for IoT environments
Bruno et al. Enforcing access controls in IoT networks
Hebig et al. A web service architecture for decentralised identity-and attribute-based access control
Hernandez et al. TIKD: A Trusted Integrated Knowledge Dataspace for Sensitive Data Sharing and Collaboration
Nabil et al. ABAC conceptual graph model for composite web services
Allison et al. A privacy manager for collaborative working environments
Karafili et al. Automatic firewalls’ configuration using argumentation reasoning
JP2004110806A (en) Information filtering device, information filtering method, method execution program and program storage medium
Zaborovsky et al. Dynamic firewall configuration: Security system architecture and algebra of the filtering rules
Ward et al. Analysis of Identity Access Management Controls in IoT Systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant