CN111818059A - Automatic construction system and method for access control strategy of high-level information system - Google Patents


Publication number: CN111818059A
Authority: CN (China)
Prior art keywords: access control, module, information, access, subject
Legal status: Granted
Application number: CN202010659138.8A
Other languages: Chinese (zh)
Other versions: CN111818059B (en)
Inventors: 陶源, 李末岩, 胡巍
Current Assignee: Third Research Institute of the Ministry of Public Security
Original Assignee: Third Research Institute of the Ministry of Public Security
Application filed by: Third Research Institute of the Ministry of Public Security
Events: priority to CN202010659138.8A; publication of CN111818059A; application granted; publication of CN111818059B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a system and a method for automatically constructing the access control strategy of a high-level information system. The scheme is built on an information resource acquisition module, an access control mechanism hierarchical division module, a subject and object relationship combing module, a high-level demand gradual essence module and an automatic strategy generation module. The information resource acquisition module acquires information resources of software and hardware products across the whole network system; the access control mechanism hierarchical division module divides the access control mechanisms into levels; the subject and object relationship combing module sorts out the subjects, the objects and their relationship structure by analyzing the whole network system; the high-level demand gradual essence module refines, step by step, the service access requirements and the operation and maintenance management access requirements; and the automatic strategy generation module generates the access control strategy for each access control mechanism level. The scheme ensures that, whatever level a user enters at when accessing resources, that user's access is accurately controlled.

Description

Automatic construction system and method for access control strategy of high-level information system
Technical Field
The invention relates to a network security level protection technology, in particular to an access control technology of a network system.
Background
At present, the access control points in a network system are each administered separately and are unrelated to one another, so access control over a user's access to resources shows 'no relevance, no integrity and no consistency'. This appears mainly in the following two ways:
1) Omissions in access control
That is, the user is denied access at a higher level but allowed access at a lower level, so the access control placed on the resource can be bypassed. For example, in an FTP-based application system a user is not given the ability to "write" a file. When the user logs in through an FTP client, the "write" is refused, but when the user logs in to the operating system directly, the user can "write" the file, which is an omission in access control.
2) Conflicts in access control
That is, the user is allowed access at a higher level but denied at a lower level, so the user's access to the resource fails. For example, in an office system a rule gives a certain user the ability to "approve" a certain document, and the access control policy of the office application system assigns that ability to the user. At the operating system level the "approve" operation may be translated into several operations on operating system resources; if one of those operations is prohibited, the "approve" operation fails and an access control conflict occurs.
As systems grow more complex and access control technologies multiply, these phenomena become more and more frequent, and solving them effectively in the access control scheme of a network system is an urgent problem in the field.
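The two failure modes above can be detected mechanically once the application-level grants, the operating-system grants, and the translation between them are written down. The following is an added example, not code from the patent; the users, object names, file paths and the `EXPANSION` table are constructed for illustration and mirror the FTP and office "approve" cases.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names and paths, not from the patent).
# Application-layer grants: (subject, application object, operation).
APP_POLICY = {
    ("alice", "report.doc", "read"),       # FTP user: read only, no "write"
    ("bob", "contract-17", "approve"),     # office user: may "approve"
}
# Operating-system grants: (subject, OS resource, operation).
OS_POLICY = {
    ("alice", "/srv/ftp/report.doc", "read"),
    ("alice", "/srv/ftp/report.doc", "write"),    # broader than the FTP grant
    ("bob", "/data/oa/contract-17.doc", "read"),
    ("bob", "/data/oa/contract-17.meta", "write"),
    # bob lacks "append" on the audit log, which "approve" needs
}
# How each application operation is carried out at the OS level.
EXPANSION = {
    ("report.doc", "read"): frozenset({("/srv/ftp/report.doc", "read")}),
    ("report.doc", "write"): frozenset({("/srv/ftp/report.doc", "write")}),
    ("contract-17", "approve"): frozenset({
        ("/data/oa/contract-17.doc", "read"),
        ("/data/oa/contract-17.meta", "write"),
        ("/data/oa/audit.log", "append"),
    }),
}


def os_rights_by_subject(os_policy):
    """Index OS grants as subject -> set of (resource, operation)."""
    rights = defaultdict(set)
    for subject, resource, op in os_policy:
        rights[subject].add((resource, op))
    return rights


def find_conflicts(app_policy, os_policy, expansion):
    """Granted above, blocked below: list the OS operations that are missing."""
    rights = os_rights_by_subject(os_policy)
    conflicts = []
    for subject, obj, op in sorted(app_policy):
        required = expansion.get((obj, op), frozenset())
        missing = required - rights.get(subject, set())
        if missing:
            conflicts.append((subject, obj, op, sorted(missing)))
    return conflicts


def find_omissions(app_policy, os_policy, expansion):
    """Denied above, possible below: the OS grants cover an ungranted app op."""
    rights = os_rights_by_subject(os_policy)
    subjects = {s for s, _, _ in app_policy} | set(rights)
    omissions = []
    for subject in sorted(subjects):
        held = rights.get(subject, set())
        for (obj, op), required in sorted(expansion.items(), key=lambda kv: kv[0]):
            if (subject, obj, op) in app_policy or not required:
                continue
            if required <= held:
                omissions.append((subject, obj, op))
    return omissions


if __name__ == "__main__":
    for s, o, op in find_omissions(APP_POLICY, OS_POLICY, EXPANSION):
        print(f"omission: {s} can {op} {o} by going to the OS directly")
    for s, o, op, missing in find_conflicts(APP_POLICY, OS_POLICY, EXPANSION):
        print(f"conflict: {s} {op} {o} fails, OS denies {missing}")
```

Removing the surplus OS grant and adding the missing one makes both lists empty, which is the consistent state the scheme aims to generate rather than repair after the fact.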
Disclosure of Invention
In view of the problems of the access control technology in the existing network system, a new network system access control strategy is needed.
Therefore, the invention aims to provide an automatic construction system for the access control strategy of a high-level information system, together with an automatic construction method based on that system. With this scheme, a user's access is accurately controlled no matter which level the user enters at while accessing resources.
The high-level information system in the invention refers to an information system with a network security protection level of third level and above.
In order to achieve the above object, the present invention provides an automatic construction system for access control policy of high-level information system, comprising:
an information resource acquisition module, which acquires information resources of software and hardware products in areas such as the internet boundary, area boundaries, business applications and hosts across the whole network system;
an access control mechanism hierarchical division module, which divides the access control mechanisms into levels by analyzing the information resources acquired by the information resource acquisition module;
a subject and object relationship combing module, which sorts out the subjects, the objects and their relationship structure by analyzing the whole network system;
a high-level demand gradual essence module, which, based on the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, analyzes the service flow access control points in the whole network system and refines, step by step, the service access requirements and the operation and maintenance management access requirements;
and an automatic strategy generation module, which generates the access control strategy of each access control mechanism level from the levels divided by the access control mechanism hierarchical division module, the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, and the access requirements refined by the high-level demand gradual essence module.
Furthermore, the information resource acquisition module combines with trusted computing, and adopts a white list mechanism to provide a standardized security control model to perform trusted measurement on the security component and the security policy of the information system.
Further, the information resource acquisition module acquires hardware information of each safety protection device in the information system in an automatic discovery and manual input mode, and establishes and maintains credibility measurement of safety components and safety strategies of the information system.
Further, the information resource acquisition module analyzes the acquired information resources and draws an information resource map.
Furthermore, the access control mechanism hierarchical division module makes subject security marks for natural persons, security protection equipment, key processes and modules in the information system, and generates security strategies such as user login, file resource access control, system equipment service start control and process resource use according to the security requirements of the information system.
Furthermore, the access control mechanism hierarchical division module authorizes the user login authority according to the safety requirement of the information system, and adopts a role-based user authentication and management mode.
Further, the subject and object relationship combing module divides information system resources into subjects and objects according to the nature of the entities in the system, where a subject is an active entity and an object is a passive entity that contains or receives information.
Furthermore, on the premise that a trusted subject must obey the least privilege principle, the subject and object relationship combing module uses the confidentiality identifier and the credibility identifier together to form the access identifier of the subject, and makes corresponding security marks for the subjects and objects of the information system in order to handle general access: when the integrity level of the subject is lower than that of the object, the subject can read the object; when the integrity level of the subject is higher than that of the object, the subject may write to the object.
Furthermore, for access that violates the confidentiality policy and the integrity policy, the subject and object relationship combing module introduces a subject with credibility checking capability, and dynamically adjusts the object by checking the subject so that the levels of the subject and the object meet the requirements of general access.
Further, the high-level demand gradual essence module realizes an effective fine-grained mandatory access control security policy by dividing a plurality of domains and types, allocating a subject in the system to different domains, allocating different objects to different types, and defining access rights of different domains to different types and rules for converting the subject in different domains.
Further, the automatic policy generation module generates security policies for user login, file resource access control, system device service start control, process resource usage, and the like of the system according to the security requirements of the information system.
In order to achieve the above object, the method for automatically constructing an access control policy of a high-level information system provided by the present invention comprises:
acquiring information resources of software and hardware products in areas such as internet boundaries, area boundaries, service applications, hosts and the like in the whole network system;
analyzing the acquired information resources, and performing hierarchical division on the access control mechanism according to the analysis result;
sorting out the subjects, the objects and their relationship structure by analyzing the whole network system;
analyzing, according to the sorted-out subjects, objects and relationship structure, the service flow access control points in the whole network system, and refining, step by step, the service access requirements and the operation and maintenance management access requirements;
and generating the access control strategy of each access control mechanism level according to the divided access control mechanism levels, the sorted-out subjects, objects and relationship structure, and the refined access requirements.
Further, the method analyzes the acquired information resources and draws an information resource map.
With the automatic construction scheme for the access control strategy of a high-level information system, problems such as omissions and conflicts in access control are solved through acquisition of information resources, division of access control mechanism levels, sorting out of subjects, objects and their relationship structure, step-by-step refinement of high-level requirements, and formulation of the security access control strategy, so that a user's access is accurately controlled no matter which level the user enters at while accessing resources.
Compared with the existing situation, in which the security policies of application systems and of the underlying operating system are each administered separately, the scheme provided by the invention can coordinate all access control marks and policies across the network, the operating system and the application system, establish a genuinely globally consistent access control system, and realize a globally consistent security policy across operating systems and application services for high-level information system security protection.
Drawings
The invention is further described below in conjunction with the appended drawings and the detailed description.
FIG. 1 is a schematic block diagram of a high level information system access control policy automation building system in an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating an exemplary information resource collection method according to an embodiment of the present invention;
FIG. 3 is a diagram showing an example of the relationship structure between the combed subjects in an embodiment of the present invention;
FIG. 4 is a diagram showing an example of a structure of a relationship between objects combed in an embodiment of the present invention.
Detailed Description
In order to make the technical means, the creation characteristics, the achievement purposes and the effects of the invention easy to understand, the invention is further explained below by combining the specific drawings.
Existing access control systems are incomplete and cannot provide relevance, integrity and consistency of access control. To address this, this embodiment constructs a high-level information system access control policy automation construction platform (that is, a system) that effectively solves problems such as omissions and conflicts in access control.
Referring to fig. 1, there is shown an example of the construction of the high-level information system access control policy automation build platform given in this example.
As can be seen from the figure, the high-level information system access control policy automation construction platform 100 is mainly formed by an information resource acquisition module 110, an access control mechanism hierarchical division module 120, a subject and object relationship combing module 130, a high-level demand gradual essence module 140, and a policy automation generation module 150, which cooperate with each other.
The information resource collection module 110 in the present platform mainly adopts SNMP scanning tool, agent installation and other modes to collect information resources (such as brand, type, basic policy information) of software and hardware products in the area of internet boundary, area boundary, service application, host and the like in the whole network system. Meanwhile, the module analyzes the acquired information resources and draws an information resource map (as shown in fig. 2).
By drawing the information resource map, corresponding subject and object security marks can be made for natural persons, security protection equipment, key processes, modules and the like in the system.
Specifically, the information resource acquisition module combines trusted computing, and provides a standardized security control model by adopting a white list mechanism to perform trusted measurement on a security component and a security policy of an information system.
The information resource acquisition module acquires hardware information of each safety protection device in the information system in an automatic discovery and manual input mode, and establishes and maintains credibility measurement of safety components and safety strategies of the information system. The hardware information includes type, model, IP address, common port, deployment position, requirement strategy template, responsible person and so on.
The information resource acquisition module 100 thus constructed analyzes the acquired information resources and draws an information resource map.
The information resource collection module 100 may first obtain hardware information (including types, models, IP addresses, common ports, deployment locations, and other contents) of each safety protection device in the information system through an automatic discovery technique; on the basis, the corresponding content such as a requirement strategy template, a responsible person and the like is determined in a manual input mode.
The access control mechanism hierarchical division module 120 in the present platform analyzes the information resources collected by the information resource collection module, for example the access control attributes and access control capabilities of equipment and systems such as firewalls and security gateways, and divides the access control mechanisms into levels.
Specifically, the access control mechanism hierarchical division module 120 formulates subject security labels for natural persons, security protection devices, and key processes and modules in the information system, and generates security policies such as user login, file resource access control, system device service start control and process resource use according to the security requirements of the information system.
For example, when the access control mechanism hierarchical division module is implemented specifically, the access control mechanism hierarchical division module authorizes user login permission according to the security requirement of an information system, and adopts a role-based user authentication and management mode, so that one user can belong to multiple roles, one role can be allocated with multiple resource permissions, and the user and the resource permissions are connected through roles.
The subject and object relationship combing module 130 in the platform analyzes the whole service access flow in the network system, from the network to the host, then to the operating system, and finally to the service application system. It considers factors such as the subjects and objects of service access and their access relationships, and the subjects and objects of system operation and maintenance management access and their access relationships, and from these sorts out the subjects, the objects and their relationship structure.
For example, fig. 3 shows an example of the relationship structure between subjects combed by the subject and object relationship combing module 130; fig. 4 shows an example of the relationship structure between the subject and the object combed by the subject and object relationship combing module 130.
Specifically, the subject and object relationship combing module 130 divides the information system resources into subjects and objects according to the nature of the entities in the system. A subject, i.e. an active entity, is a user, process or the like that causes information to flow in the system or changes the state of the system. An object is a passive entity, such as a file or a block of memory, that contains or receives information.
Thus, on the premise that a trusted subject must comply with the least privilege principle, the subject and object relationship combing module 130 uses the confidentiality identifier and the credibility identifier together to form the access identifier of the subject, and makes corresponding security labels for the users (i.e. the subjects) and the data (i.e. the objects) of the information system in order to handle general access: when the integrity level of the subject is lower than that of the object, the subject can read the object; when the integrity level of the subject is higher than that of the object, the subject may write to the object. For access that violates the confidentiality policy and the integrity policy, a subject with credibility checking capability is introduced, and the object is dynamically adjusted by checking the subject so that the levels of the subject and the object meet the requirements of general access.
The high-level demand gradual essence module 140 in the platform analyzes the service flow access control points in the whole network system according to the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, and refines, step by step, the service access requirements and the operation and maintenance management access requirements.
Specifically, the high-level demand gradual essence module realizes an effective fine-grained mandatory access control security policy by dividing a plurality of domains and types, allocating the subjects (users/processes) in the system to different domains, allocating different objects to different types, and defining the access rights of different domains to different types and the rules by which subjects move between domains.
Through strict isolation, unauthorized access by a subject to an object is prevented both inside and outside a security domain, realizing security protection mechanisms such as confidentiality, integrity and least privilege.
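The domain and type scheme described above can be sketched as a default-deny lookup plus a transition table. The following is an added example, not code from the patent; the domain names, type names, paths and the `DtePolicy` class are hypothetical, and the sample policy is constructed so that the data files of the FTP case in the Background are reachable only from the FTP domain, never from the user's login domain.

```python
from dataclasses import dataclass


@dataclass
class DtePolicy:
    domain_of: dict    # subject (user/process) -> domain
    type_of: dict      # object -> type
    allow: dict        # (domain, type) -> frozenset of permitted operations
    transitions: dict  # (domain, entry-point type) -> new domain

    def permitted(self, subject, obj, op):
        """Default deny: unlabeled subjects or objects get no access."""
        domain = self.domain_of.get(subject)
        obj_type = self.type_of.get(obj)
        if domain is None or obj_type is None:
            return False
        return op in self.allow.get((domain, obj_type), frozenset())

    def execute(self, subject, program):
        """Run a program; move the subject to a new domain if a rule says so."""
        if not self.permitted(subject, program, "execute"):
            raise PermissionError(f"{subject} may not execute {program}")
        key = (self.domain_of[subject], self.type_of[program])
        # No transition rule means the subject stays in its current domain.
        self.domain_of[subject] = self.transitions.get(key, key[0])
        return self.domain_of[subject]


def sample_policy():
    """Constructed policy: all labels below are illustrative assumptions."""
    return DtePolicy(
        domain_of={"alice": "user_d", "ops-admin": "admin_d"},
        type_of={
            "/usr/bin/ftp": "ftp_exec_t",
            "/srv/ftp/report.doc": "ftp_data_t",
            "/usr/sbin/useradd": "admin_exec_t",
        },
        allow={
            ("user_d", "ftp_exec_t"): frozenset({"execute"}),
            ("ftp_d", "ftp_data_t"): frozenset({"read"}),
            ("admin_d", "admin_exec_t"): frozenset({"execute"}),
            ("admin_d", "ftp_data_t"): frozenset({"read", "write"}),
        },
        transitions={("user_d", "ftp_exec_t"): "ftp_d"},
    )


if __name__ == "__main__":
    policy = sample_policy()
    target = "/srv/ftp/report.doc"
    print("direct write from login domain:", policy.permitted("alice", target, "write"))
    print("domain after running ftp:", policy.execute("alice", "/usr/bin/ftp"))
    print("read via ftp domain:", policy.permitted("alice", target, "read"))
    print("write via ftp domain:", policy.permitted("alice", target, "write"))
```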
The strategy automatic generation module 150 in the platform generates the access control strategy of each access control mechanism level from the access control mechanism levels divided by the access control mechanism hierarchical division module, the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, the access requirements refined by the high-level demand gradual essence module, and the like.
Specifically, the policy automatic generation module 150 generates security policies such as user login, file resource access control, system device service start control, process resource usage, and the like of the information system according to the security marks and requirements of the information system.
For example, according to the subject and object information of the natural persons, security protection devices, key processes and modules in the system, combined with user roles and resource permissions, security policies such as user login, file resource access control, system device service start control and process resource use are automatically generated.
For example, when generating the access control policy of each access control mechanism level, the policy automatic generation module 150 may break down the access control statement "allow the user A to access the network address C through the program B" and automatically generate a series of related access control policies, such as the corresponding compute node file access control/execution policy, network access control policy, region boundary filtering policy and firewall rules.
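The decomposition of one statement into per-level rules can be sketched as follows. This is an added example, not the patent's generator; the four level names follow the policies named in the paragraph above, while the rule tuple formats, the role model (users reach permissions through roles, as in the role-based mode described earlier), and all users, addresses and zone names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical values).
USER_ROLES = {"userA": {"finance"}, "userD": {"guest"}}
USER_HOST = {"userA": "10.1.0.15", "userD": "10.1.0.16"}
ZONES = {"office": "10.1.0.0/24", "servers": "10.9.0.0/24"}
# "Allow role finance to access network address C through program B."
REQUIREMENT = {"role": "finance", "program": "erp-client",
               "dest": "10.9.0.20", "port": 443}


def zone_of(ip, zones):
    """Return the name of the zone containing ip, or None if unknown."""
    for name, cidr in zones.items():
        if ip_address(ip) in ip_network(cidr):
            return name
    return None


def generate(req, user_roles, user_host, zones):
    """Expand one high-level requirement into rules for every level."""
    layers = {"node_exec": set(), "node_net": set(),
              "boundary": set(), "firewall": set()}
    for user, roles in sorted(user_roles.items()):
        if req["role"] not in roles:
            continue
        host = user_host[user]
        # Compute node: who may execute the program.
        layers["node_exec"].add((user, req["program"]))
        # Compute node: which program, run by whom, may open the connection.
        layers["node_net"].add((user, req["program"], req["dest"], req["port"]))
        # Region boundary: coarse filter, source zone to destination address.
        layers["boundary"].add((zone_of(host, zones), req["dest"]))
        # Firewall: source host to destination address and port.
        layers["firewall"].add((host, req["dest"], req["port"]))
    return layers


def evaluate(layers, zones, user, program, src, dest, port):
    """Decide a request at each level; access needs every level to permit."""
    verdict = {
        "node_exec": (user, program) in layers["node_exec"],
        "node_net": (user, program, dest, port) in layers["node_net"],
        "boundary": (zone_of(src, zones), dest) in layers["boundary"],
        "firewall": (src, dest, port) in layers["firewall"],
    }
    verdict["allowed"] = all(verdict.values())
    return verdict


if __name__ == "__main__":
    rules = generate(REQUIREMENT, USER_ROLES, USER_HOST, ZONES)
    for case in [("userA", "erp-client", "10.1.0.15"),
                 ("userA", "curl", "10.1.0.15"),
                 ("userD", "erp-client", "10.1.0.16")]:
        print(case, evaluate(rules, ZONES, case[0], case[1], case[2],
                             "10.9.0.20", 443))
```

The second and third cases show why every level has to be generated from the same statement: the network levels cannot see which program is running, and the boundary filter cannot tell two hosts in one zone apart, so each level covers what the others cannot.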
When the automatic construction platform formed as described above runs together with the corresponding network system, it ensures that a user's access is accurately controlled no matter which level the user enters at while accessing resources.
By way of example, implementing the automated construction platform makes it possible to coordinate all access control marks and policies across the network, the operating system and the application system, to build a genuinely globally consistent access control system, and to realize a globally consistent security policy across operating systems and application services for high-level information system security protection, which resolves the situation in which the security policies of the application system and of the underlying operating system are each administered separately.
As can be seen from the above example, the scheme starts from access control of the whole network system, that is, from the composition of the access control architecture and the interrelationships among its parts. Along a whole service access flow in the network system, from the network to the host, then to the operating system, and finally to the business application system, it analyzes the subjects and objects of service access and their access relationships, and the subjects and objects of system operation and maintenance management access and their access relationships. Problems such as omissions and conflicts in access control are then solved through acquisition of information resources, division of access control mechanism levels, sorting out of subjects, objects and their relationship structure, step-by-step refinement of high-level requirements, and formulation of the security access control strategy, so that a user's access is accurately controlled no matter which level the user enters at while accessing resources.
The method of the present invention, or the specific system unit or some of the units thereof, is a pure software architecture, and can be distributed on a physical medium such as a hard disk, an optical disk, or any electronic device (e.g., a smart phone, a computer readable storage medium) through a program code, and when the program code is loaded and executed by a machine (e.g., loaded and executed by a smart phone), the machine becomes an apparatus for implementing the present invention. The methods and apparatus of the present invention may also be embodied in the form of program code transmitted over some transmission medium, such as electrical cable, fiber optics, or via any other form of transmission, wherein, when the program code is received and loaded into and executed by a machine, such as a smart phone, the machine becomes an apparatus for practicing the invention.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (13)

1. An automatic construction system for the access control strategy of a high-level information system, characterized by comprising:
an information resource acquisition module, which acquires information resources of software and hardware products in areas such as the internet boundary, area boundaries, business applications and hosts across the whole network system;
an access control mechanism hierarchical division module, which divides the access control mechanisms into levels by analyzing the information resources acquired by the information resource acquisition module;
a subject and object relationship combing module, which sorts out the subjects, the objects and their relationship structure by analyzing the whole network system;
a high-level demand gradual essence module, which, based on the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, analyzes the service flow access control points in the whole network system and refines, step by step, the service access requirements and the operation and maintenance management access requirements;
and an automatic strategy generation module, which generates the access control strategy of each access control mechanism level from the levels divided by the access control mechanism hierarchical division module, the subjects, objects and relationship structure sorted out by the subject and object relationship combing module, and the access requirements refined by the high-level demand gradual essence module.
2. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the information resource acquisition module employs a whitelist mechanism, in combination with trusted computing, to provide a normalized security control model and to perform trusted measurement on the security components and security policies of the information system.
3. The automated construction system of access control policies of a high-level information system according to claim 2, wherein the information resource acquisition module obtains hardware information of each security protection device in the information system by means of automatic discovery and manual input, and establishes and maintains trusted measurements of the security components and security policies of the information system.
4. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the information resource acquisition module analyzes the acquired information resources and draws them into an information resource map.
5. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the access control mechanism hierarchical division module creates subject security labels for natural persons, security protection devices, and key processes and modules in the information system, and generates security policies for user login, file resource access control, system device service start control, process resource usage, and the like of the system according to the security requirements of the information system.
6. The automated construction system of access control policies of a high-level information system according to claim 5, wherein the access control mechanism hierarchical division module authorizes user login rights according to the security requirements of the information system, and employs a role-based user authentication and management mode.
7. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the subject and object relationship combing module can divide the information system resources into subjects and objects according to the nature of the entities in the system, wherein a subject is an active entity and an object is a passive entity that contains or receives information.
8. The automated construction system of access control policies of a high-level information system according to claim 7, wherein, on the premise that a trusted subject must comply with the least privilege principle, the subject and object relationship combing module uses the confidentiality flag and the credibility flag to jointly form the access flag of the subject, and creates corresponding security flags for the subjects and objects of the information system to handle general access: when the integrity level of the subject is lower than the integrity level of the object, the subject can read the object; when the integrity level of the subject is higher than the integrity level of the object, the subject can write to the object.
9. The automated construction system of access control policies of a high-level information system according to claim 8, wherein, for access that violates the security policies and integrity policies, the subject and object relationship combing module introduces a subject with a reliability checking capability, and, by means of this checking subject, the object is dynamically adjusted so that the level of the subject meets the requirements of general access.
10. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the high-level demand gradual essence module implements an effective fine-grained mandatory access control security policy by dividing a plurality of domains and types, assigning the subjects in the system to different domains, assigning different objects to different types, and defining the access rights of different domains to different types and the rules for subjects to transition between domains.
11. The automated construction system of access control policies of a high-level information system according to claim 1, wherein the automatic strategy generation module generates security policies for user login, file resource access control, system device service start control, process resource usage, etc. of the system according to the security requirements of the information system.
12. An automatic construction method for access control policies of a high-level information system, characterized by comprising the following steps:
acquiring information resources of software and hardware products in areas such as internet boundaries, area boundaries, service applications, hosts and the like in the whole network system;
analyzing the acquired information resources, and performing hierarchical division on the access control mechanism according to the analysis result;
combing the subjects, the objects and their relationship structure by analyzing the whole network system;
analyzing the service flow access control points in the whole network system according to the combed subjects, objects and their relationship structure, and gradually refining the service access requirements and the operation and maintenance management access requirements;
and generating the access control strategy of each access control mechanism level according to the divided access control mechanism levels, the combed subjects, objects and their relationship structure, and the refined access requirements.
13. The automated construction method of access control policies of a high-level information system according to claim 12, characterized in that the method analyzes the acquired information resources and draws them into an information resource map.
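The following sketch is an added illustration, not part of the patent text: it combines the integrity rule of claim 8 with the domain and type assignment of claim 10 to generate a default-deny whitelist of permitted accesses. The class names, sample subjects, objects and rule table are constructed, and denying access when the two integrity levels are equal is an assumption, because the claim does not address that case.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Subject:
    name: str
    domain: str      # claim 10: subjects are assigned to domains
    integrity: int   # claim 8: integrity level of the subject

@dataclass(frozen=True)
class Obj:
    name: str
    obj_type: str    # claim 10: objects are assigned to types
    integrity: int   # claim 8: integrity level of the object

def integrity_ops(s, o):
    """Operations the integrity rule of claim 8 permits for subject s on object o."""
    if s.integrity < o.integrity:
        return {"read"}
    if s.integrity > o.integrity:
        return {"write"}
    return set()  # equal levels: not covered by the claim, denied here (assumption)

def generate_policy(subjects, objects, domain_type_rules):
    """Return a default-deny whitelist of (subject, object, operation) triples."""
    policy = set()
    for s, o in product(subjects, objects):
        # Rights the subject's domain holds over the object's type (none if unlisted).
        granted = domain_type_rules.get((s.domain, o.obj_type), set())
        # Keep only the operations that the integrity levels also permit.
        policy |= {(s.name, o.name, op) for op in granted & integrity_ops(s, o)}
    return policy

# Constructed sample inventory and domain-to-type rule table (all names hypothetical).
SUBJECTS = [Subject("web_app", "business_d", 1), Subject("ops_admin", "ops_d", 3)]
OBJECTS = [Obj("app_config", "config_t", 2), Obj("audit_log", "log_t", 2)]
RULES = {
    ("business_d", "config_t"): {"read"},
    ("ops_d", "config_t"): {"read", "write"},
    ("ops_d", "log_t"): {"read"},
}
POLICY = generate_policy(SUBJECTS, OBJECTS, RULES)

if __name__ == "__main__":
    for entry in sorted(POLICY):
        print(entry)
```

In the sample data, ops_admin holds a domain-level read right on log_t but gets no entry for audit_log, because its integrity level is higher than the object's and the integrity rule then permits only writing.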
CN202010659138.8A 2020-07-09 2020-07-09 Automatic construction system and method for access control strategy of high-level information system Active CN111818059B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010659138.8A CN111818059B (en) 2020-07-09 2020-07-09 Automatic construction system and method for access control strategy of high-level information system

Publications (2)

Publication Number Publication Date
CN111818059A (en) 2020-10-23
CN111818059B (en) 2022-07-12

Family

ID=72842129

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant