CN113590742B - Cloud platform access control method - Google Patents

Info

Publication number: CN113590742B
Application number: CN202110671457.5A
Authority: CN (China)
Prior art keywords: rule, rules, conflict, authorization, attribute
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113590742A (en)
Inventors: 马达, 孙月月
Current assignee: Beijing Chinasoft International Information Technology Co ltd
Original assignee: Beijing Chinasoft International Information Technology Co ltd
Events: application filed by Beijing Chinasoft International Information Technology Co ltd; priority to CN202110671457.5A; published as CN113590742A; application granted and published as CN113590742B; legal status Active.

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING, with the following groups:
    • G06F16/33 Querying (under G06F16/30 Information retrieval; database structures therefor; file system structures therefor, of unstructured textual data; G06F16/00)
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri (under G06F16/30)
    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F40/289 Phrasal analysis, e.g. finite state techniques or chunking (under G06F40/279 Recognition of textual entities; G06F40/20 Natural language analysis; G06F40/00 Handling natural language data)
    • G06F40/295 Named entity recognition (under G06F40/279)
    • G06F40/30 Semantic analysis (under G06F40/00)


Abstract

The invention relates to a cloud platform access control method comprising the following steps: based on a constructed knowledge base model, knowledge is extracted from structured data and stored in a knowledge base; inference rules are established, and compound rules are reduced by logic transformation so that every rule in the rule base is an atomic rule expressible as an SWRL rule; rule reasoning is performed with custom rules, and dynamic authorization is realized by dynamically connecting triples; conflict detection and redundancy detection are performed; and hierarchy-based automatic resolution of rule conflicts is applied to each pair of rules that conflict, while hierarchy-based automatic resolution of rule redundancy is applied to each pair of rules that are redundant. According to the invention, a knowledge base is formed from structured data, dynamic authority grants are realized by ontology- and rule-based reasoning, and hierarchy-based detection and automatic resolution of rule conflicts and redundancy yield an access control mechanism with expandability, dynamic behaviour and optimized management that suits the cloud platform.

Description

Cloud platform access control method
Technical Field
The invention relates to the technical field of communication, in particular to a cloud platform access control method.
Background
Cloud computing, with characteristics such as on-demand service and virtualized resources, has become an indispensable foundation for academia and for enterprise informatization. As cloud computing continues to develop it still faces problems such as unauthorized users illegally accessing resources, and access control is a method for solving them. Traditional access control models such as RBAC, DAC and MAC play a significant role on traditional platforms and can ensure system security. However, the cloud platform has the following characteristics: resource attributes, user attributes, environment attributes and the like change dynamically at any time, which affects users' access to and use of data, so a dynamic access control mechanism is required; the access policies contain many attribute atomic items with complex implicit semantics, and the cost of manual control and management is very high, so an extensible access control mechanism is required; the cloud platform has more levels of subjects, objects and authorized operations, more attribute value types, and a high rule management cost caused by detecting policy rule conflicts at run time, so the policy rules need optimized management.
Given these characteristics, an access control mechanism applicable to the cloud platform needs to be proposed.
Disclosure of Invention
The invention aims to provide a cloud platform access control method that realizes an extensible, dynamic and optimally managed access control mechanism suited to a cloud platform through ontology- and rule-based dynamic authorization reasoning, hierarchy-based rule conflict detection and redundancy resolution, and related processing.
The invention provides a cloud platform access control method comprising the following steps:
1) Knowledge extraction
Based on the constructed knowledge base model, knowledge is extracted from the structured data and stored in a knowledge base;
2) Rule preprocessing
Inference rules are established, and compound rules are reduced by logic transformation so that the rules in the rule base conform to atomic rules expressible as SWRL rules;
3) Rule-based dynamic authorization reasoning
Rule reasoning is realized with custom rules, and dynamic authorization is realized by dynamic connection of triples;
4) Rule optimization management
A conflict analysis method based on hierarchy inheritance is applied to the custom rules of step 3) to obtain a conflict detection result;
a redundancy analysis method based on hierarchy inheritance is applied to the custom rules of step 3) to obtain a redundancy detection result;
if the detection results mark two rules as a redundancy pair or a conflict pair, attribute-atom-based similarity is calculated; according to the similarity result, hierarchy-based automatic resolution of rule conflicts is applied to the two rules of a conflict pair, and hierarchy-based automatic resolution of rule redundancy to the two rules of a redundancy pair.
Further, the method for constructing the knowledge base model in step 1) includes:
constructing the knowledge base top-down: performing access control concept analysis, defining the access control model classes and establishing a class hierarchy, completing the attribute definitions of the classes and establishing an attribute hierarchy according to the characteristic analysis of the defined classes, and filling in entities according to the defined classes and attributes; the attributes include data attributes and object attributes.
Further, step 1) includes:
storing the relations between entities in a TDB database in the form of triples;
and forming an access control entity relation network from the extracted knowledge, obtaining the implicit semantic relations among multiple entities through the connectivity of knowledge nodes.
Further, the rule reduction formula in step 2) is $A \land B \land \lnot C \to F \;\equiv\; A \land B \land (C_1 \cup C_2) \to F \;\equiv\; (A \land B \land C_1 \to F) \land (A \land B \land C_2 \to F)$, where the union of $C_1$ and $C_2$ is the complement of $C$.
Further, step 3) includes:
dynamically adding triples to increase the node connectivity between the subject and its dynamic attributes, and querying and traversing the knowledge base with the SPARQL query language, thereby realizing rule-based dynamic authorization reasoning.
Further, the hierarchy-inheritance-based conflict analysis in step 4) covers role hierarchy conflicts, object hierarchy conflicts and authorized operation hierarchy conflicts; wherein,
a role level conflict is defined as: role A2 inherits from role A1, and both positive and negative authorization are inherited by forward inheritance; if role A1 obtains positive authorization when performing operation C on object B while role A2 obtains negative authorization when performing operation C on object B, or role A1 obtains negative authorization while role A2 obtains positive authorization for operation C on object B, the two rules conflict because of role inheritance;
an object level conflict is defined as: object B2 is a sub-level of object B1; positive authorization is inherited in the reverse direction and negative authorization in the forward direction; if role A obtains negative authorization when performing operation C on object B1 and positive authorization when performing operation C on object B2, the two rules conflict because of the object hierarchy;
an authorized operation level conflict is defined as: authorized operation C2 is a subordinate operation of authorized operation C1 that processes the object more deeply; positive authorization is inherited in the reverse direction and negative authorization in the forward direction; if role A obtains negative authorization when performing operation C1 on object B and positive authorization when performing operation C2 on object B, the two rules conflict because of the operation hierarchy;
by analysing the conflicts generated at these three levels, the conflict pair < A, B, C > and < A1, B1, C1 > is obtained.
Further, the rule redundancy detection and general redundancy detection in step 4) include:
the hierarchy-based positive authorized redundancy pair: given rule 1, role A1 has positive authorization when operating C1 on object B1; if rule 2 exists in which role A2 has positive authorization when operating C2 on object B2, then < A, B, C > and < A1, B1, C1 > are a positive authorized redundancy pair if and only if role A2 is a lower role of role A1, B2 is an upper object of B1 and C2 is an upper operation of C1;
the hierarchy-based negative authorized redundancy pair: given rule 1, role A1 has negative authorization when operating C1 on object B1; if rule 2 exists in which role A2 has negative authorization when operating C2 on object B2, then < A, B, C > and < A1, B1, C1 > are a negative authorized redundancy pair if and only if role A2 is a lower role of role A1, B2 is a lower object of B1 and C2 is a lower operation of C1; when the roles, objects and authorized operations of both rules are the same, the pair is defined as general redundancy.
Further, the attribute-atom-based similarity calculation in step 4) includes:
computing the similarity between the attribute atoms of the two rules one by one, using the Jaccard coefficient as the formula and coefficient, so that the similarity quantifies the size of the intersecting region of attribute atom values between the two rules.
Further, the automatic resolution of rule conflicts in step 4) includes:
for two rules < A, B, C >, < A1, B1, C1 > that form a conflict pair, calculating the attribute-atom-based similarity value between them; the two rules conflict if and only if their roles, objects and authorized operations form a conflict pair and the similarity value is not 0; for two conflicting rules, the resolution principle is to resolve the rule with the larger conflict probability; the conflict probability is quantified as the similarity between the rule and the full conflict rule; the full conflict rule is the rule that applies under all conditions, i.e. the value of each attribute atom item is the whole value domain.
Further, the automatic resolution of rule redundancy in step 4) includes:
for the two rules < A, B, C >, < A1, B1, C1 > of a redundancy pair, when the attribute atom items of the former rule are a subset of the attribute atom items of the latter rule and, for each attribute atom item, the constraint range of the latter rule is a subset of that of the former rule, resolving the latter rule;
and if the two rules meet the general redundancy condition, analysing their attribute atom items; if the attribute atom items are the same and the similarity of their constraint ranges is not 0, merging the constraint ranges of the attribute atom items whose similarity is not 0 across the two rules.
By means of this scheme, the cloud platform access control method forms a knowledge base from structured data, achieves dynamic authority grants through ontology- and rule-based reasoning, and, through hierarchy-based detection and automatic resolution of rule conflicts and redundancy, achieves an extensible, dynamic and optimally managed access control mechanism applicable to the cloud platform.
The foregoing is only an overview of the present invention and is intended to provide a better understanding of it, as embodied in the following description with reference to the preferred embodiments and the accompanying drawings.
Drawings
FIG. 1 is a schematic diagram of the present invention;
FIG. 2 is a knowledge base modeling model of the present invention.
Detailed Description
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. The following examples are illustrative of the invention and are not intended to limit the scope of the invention.
Referring to fig. 1, this embodiment provides a cloud platform access control method (mechanism), including:
1) Knowledge extraction
Based on the constructed knowledge base model, knowledge is extracted from the structured data and stored in a knowledge base;
2) Rule preprocessing
Inference rules are established, and compound rules are reduced by logic transformation so that the rules in the rule base conform to atomic rules expressible as SWRL rules;
3) Rule-based dynamic authorization reasoning
Rule reasoning is realized with custom rules, and dynamic authorization is realized by dynamic connection of triples;
4) Rule optimization management
A conflict analysis method based on hierarchy inheritance is applied to the custom rules of step 3) to obtain a conflict detection result (whether a conflict exists);
a redundancy analysis method based on hierarchy inheritance is applied to the custom rules of step 3), covering rule redundancy detection and general redundancy detection, to obtain a redundancy detection result (whether redundancy exists);
if the detection results mark two rules as a redundancy pair or a conflict pair, attribute-atom-based similarity is calculated; according to the similarity result, hierarchy-based automatic resolution of rule conflicts is applied to the two rules of a conflict pair, and hierarchy-based automatic resolution of rule redundancy to the two rules of a redundancy pair.
In this access control mechanism, a knowledge base is formed from structured data, dynamic authority grants are realized by ontology- and rule-based reasoning, and hierarchy-based conflict and redundancy detection and automatic resolution produce an extensible, dynamic and optimally managed access control mechanism suited to a cloud platform.
In this embodiment, the knowledge base is, in knowledge engineering terms, a structured, highly summarized, easy-to-describe, easy-to-use and extensible group of knowledge nodes: a set of interrelated knowledge pieces stored, organized, managed and used in computer memory with one (or several) knowledge representation methods to solve problems in one (or several) domains. Here it is the set of prior knowledge about access control.
In this embodiment, dynamic authority grant performs ontology- and rule-based inference over the knowledge: the data in the knowledge base is the prior knowledge, the ontology and rules are the basis of reasoning, and the output is the dynamic operation authority of a subject on an object.
In this embodiment, automatic conflict and redundancy detection is: the compound rules in the rule base are reduced, the positive and negative inheritance directions between hierarchy levels are taken as prior facts, the similarity of attribute atoms between rules is the quantization criterion, and whether the rules conflict or are redundant is output.
In this embodiment, automatic conflict and redundancy resolution is: for two rules that conflict or are redundant, the similarity of the rules' attribute atoms is the quantization criterion, the set relation between the constraint conditions of the rules' attribute atoms is the processing basis, and the output is the rules with the conflict or redundancy resolved.
The present invention will be described in further detail below.
The mechanism comprises: constructing an ontology model, realizing dynamic permission grant by a knowledge reasoning method, and realizing rule conflict detection and redundancy resolution by policy optimization management. It thereby extends the access control policy to the characteristics a cloud platform requires, such as dynamically changing attributes, multi-attribute rules, multi-level elements and implicit rule semantics, and removes the limitations of traditional access control models in resource authorization management and control.
As shown in fig. 1, the method comprises the steps of:
(1) Knowledge base modeling. The knowledge base is constructed top-down: access control concept analysis is completed, the access control model classes are defined and a class hierarchy is established, then the attributes of the classes are defined and an attribute hierarchy is established according to the characteristic analysis of the defined classes (the attributes comprise data attributes and object attributes), and finally entities are filled in according to the defined classes and attributes. In the access control ontology model of this patent, subject, role, tenant, object and dynamic attribute are classes; subject name, role name, tenant name, subject age, object name, geographic location, IP address, system state, object level and the like are data attributes, and those with dynamically changing characteristics, such as geographic location, IP address, system state and object level, are defined as data attributes of the dynamic attribute class. In addition, the relationships between subjects and subjects, subjects and roles, roles and tenants, tenants and objects, objects and objects, etc. are defined as object attributes, and specific subjects, roles, tenants, etc. are modeled as instances.
(2) Knowledge extraction. This step extracts the knowledge contained in the data source to form a knowledge element base and stores it. To reduce the cost for most enterprises of migrating to the access control mechanism of this patent, the knowledge sources are structured data, and the acquired data is converted into a triple knowledge element base according to ontology semantic mapping rules. To improve storage speed, operability, concurrency and similar characteristics, the mechanism uses TDB as the knowledge storage database. An access control entity relation network is formed from the extracted knowledge, and the implicit semantic relations among multiple entities are obtained through the connectivity of knowledge nodes.
(3) Compound rule reduction based on logical transformation. A compound rule contains several complex logical combinations, such as AND, OR and NOT, which make rule reasoning, rule conflict detection and rule redundancy detection harder and more costly. The access control mechanism in this patent therefore reduces compound rules by logical transformation. The reduction formula is $A \land B \land \lnot C \to F \;\equiv\; A \land B \land (C_1 \cup C_2) \to F \;\equiv\; (A \land B \land C_1 \to F) \land (A \land B \land C_2 \to F)$, where the union of $C_1$ and $C_2$ is the complement of $C$.
(4) Rule-based dynamic authorization reasoning. Step (2) stored the relations between entities in the TDB database as triples. For rule-based dynamic authorization reasoning over the knowledge base, rule reasoning uses custom rules and dynamic authorization uses dynamic connection of triples. The access control mechanism contains elements such as subject, role, tenant and object, and the dynamic attributes of the whole authorization system are summarized as attribute elements. Because the data attributes and object attributes among subjects, roles, tenants and objects are not dynamic, when an authorization request occurs only a dynamic attribute element instance is generated for the request, its data attributes are filled in, and the subject-attribute triples are connected dynamically. In addition, access control rules must be customized; for example, if the tenant domain of the subject is still within its lease time and the role assigned to the subject is student, the subject may have the authority to read resources at two times per week, excluding 22:00-8:00. Because the knowledge base holds the dynamic attribute data of the place where the request occurred and the triples between the subject and its attributes, the connectivity between the subject node and the resource node can be deduced from the custom rule, realizing rule-based dynamic authorization reasoning and judgement.
(5) Hierarchy-based rule conflict detection. This step performs conflict detection on the custom rules of step (4) to optimize access control policy management, using conflict pair analysis based on hierarchical inheritance. After the rules have been reduced in step (3) the attributes of each rule are atomic items, so hierarchy-based conflict pair analysis can be carried out; the access control mechanism of this patent studies conflicts caused by three hierarchies: role level conflicts, object level conflicts and authorized operation level conflicts. A role level conflict is defined as follows: role A2 inherits from role A1, and both positive and negative authorization are inherited by forward inheritance. If role A1 obtains positive authorization when performing operation C on object B while role A2 obtains negative authorization when performing operation C on object B, or role A1 obtains negative authorization while role A2 obtains positive authorization for operation C on object B, the two rules conflict because of role inheritance. An object level conflict is defined as follows: object B2 is a sub-hierarchy of object B1 and requires finer-grained access control; positive authorization is inherited in the reverse direction and negative authorization in the forward direction. If role A obtains negative authorization when performing operation C on object B1 and positive authorization when performing operation C on object B2, the two rules conflict because of the object hierarchy. An authorized operation level conflict is defined as follows: authorized operation C2 is a subordinate operation of authorized operation C1 and processes the object more deeply; positive authorization is inherited in the reverse direction and negative authorization in the forward direction. If role A obtains negative authorization when performing operation C1 on object B and positive authorization when performing operation C2 on object B, the two rules conflict because of the operation hierarchy. Only conflicts caused by single-level inheritance are analysed above; multi-level inheritance conflicts can be deduced from single-level inheritance conflicts. By studying the conflicts generated at these three levels, the conflict pair < A, B, C > and < A1, B1, C1 > is obtained.
(6) Hierarchy-based rule redundancy detection and general redundancy detection. This step performs redundancy detection on the custom rules of step (4) to optimize access control policy management, using redundancy pair analysis based on hierarchical inheritance. As in the hierarchy-inheritance-based conflict analysis of step (5), redundancy pair analysis is performed along the three dimensions of role, object and authorized operation, whose inheritance directions were stated in step (5) and are not repeated here. The hierarchy-based positive authorized redundancy pair is defined as: given rule 1, role A1 has positive authorization when operating C1 on object B1; if rule 2 exists in which role A2 has positive authorization when operating C2 on object B2, then < A, B, C > and < A1, B1, C1 > are a positive authorized redundancy pair if and only if role A2 is a lower role of role A1, B2 is an upper object of B1 and C2 is an upper operation of C1. The hierarchy-based negative authorized redundancy pair is defined as: given rule 1, role A1 has negative authorization when operating C1 on object B1; if rule 2 exists in which role A2 has negative authorization when operating C2 on object B2, then < A, B, C > and < A1, B1, C1 > are a negative authorized redundancy pair if and only if role A2 is a lower role of role A1, B2 is a lower object of B1 and C2 is a lower operation of C1. In the special case where the roles, objects and authorized operations of both rules are the same, the pair is defined as general redundancy. Once the above analysis has found a redundancy pair of two rules, attribute-atom-based similarity calculation is still required.
(7) Attribute-atom-based similarity calculation. The similarity between the attribute atoms of the two rules is computed one by one, using the Jaccard coefficient as the formula and coefficient, and the similarity quantifies the size of the intersecting region of attribute atom values between the two rules.
(8) Hierarchy-based automatic rule conflict resolution. For the two rules of a conflict pair < A, B, C >, < A1, B1, C1 >, the attribute-atom-based similarity value between them is calculated. The two rules conflict if and only if their roles, objects and authorized operations form a conflict pair and the similarity value is not 0. For two conflicting rules, the resolution principle is to resolve the rule with the larger conflict probability. The conflict probability is quantified as the similarity between the rule and the full conflict rule, where the full conflict rule is the rule that applies in all cases, i.e. the value of each attribute atom item is the whole value domain.
(9) Hierarchy-based automatic rule redundancy resolution. In this step, based on the attribute-atom similarity, it is determined for the two rules of a redundancy pair < A, B, C >, < A1, B1, C1 > whether the attribute atom items of the former rule are a subset of the attribute atom items of the latter rule and, for each attribute atom item, the constraint range of the latter rule is a subset of that of the former rule; if so, the latter rule is resolved. If the two rules meet the general redundancy condition, their attribute atom items are analysed; if the attribute atom items are the same and the similarity of their constraint ranges is not 0, the constraint ranges of the attribute atom items whose similarity is not 0 are merged across the two rules.
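The hierarchy-based conflict pair and redundancy pair definitions and the Jaccard-based conflict resolution described above (in both the summary and the detailed description), as an added Python example that is not part of the patent: the hierarchies, attribute domains, sample rules and the product aggregation of per-atom Jaccard values are constructed assumptions, and "lower" means further from the root of the child-to-parent maps.

```python
from dataclasses import dataclass, field

# Constructed hierarchies for this example, stored child -> parent; "lower" and
# "subordinate" below mean further from the root of these maps.
ROLE_PARENT = {"student": "member", "member": "user"}
OBJECT_PARENT = {"report.pdf": "reports", "reports": "course"}
OP_PARENT = {"download": "read"}   # download processes the object more deeply than read

# Full value domain of each attribute atom (constructed): day of week, system status.
DOMAIN = {"sysWeek": set(range(1, 8)), "sysStatus": {"normal", "degraded", "maintenance"}}


@dataclass(frozen=True)
class Rule:
    role: str
    obj: str
    op: str
    positive: bool                       # True = positive, False = negative authorization
    attrs: dict = field(default_factory=dict, hash=False, compare=False)

    def constraint(self, atom):
        """Constraint range of an attribute atom; an absent atom means the full domain."""
        return self.attrs.get(atom, DOMAIN[atom])


def is_below(node, ancestor, parent):
    """True if node lies strictly below ancestor, across any number of levels."""
    while node in parent:
        node = parent[node]
        if node == ancestor:
            return True
    return False


def is_conflict_pair(r1, r2):
    """Hierarchy-based conflict pair: opposite signs plus one of the three hierarchies."""
    if r1.positive == r2.positive:
        return False
    neg, pos = (r1, r2) if not r1.positive else (r2, r1)
    # role level: same object and operation, roles related by inheritance either way
    if r1.obj == r2.obj and r1.op == r2.op and (
            is_below(r1.role, r2.role, ROLE_PARENT) or is_below(r2.role, r1.role, ROLE_PARENT)):
        return True
    # object level: negative on the upper object, positive on a lower object
    if r1.role == r2.role and r1.op == r2.op and is_below(pos.obj, neg.obj, OBJECT_PARENT):
        return True
    # operation level: negative on the upper operation, positive on a subordinate one
    return r1.role == r2.role and r1.obj == r2.obj and is_below(pos.op, neg.op, OP_PARENT)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0


def similarity(r1, r2):
    """Per-atom Jaccard coefficients aggregated by product (an assumption: the patent
    does not state how the per-atom values combine), so one disjoint atom yields 0."""
    sim = 1.0
    for atom in DOMAIN:
        sim *= jaccard(r1.constraint(atom), r2.constraint(atom))
    return sim


FULL_CONFLICT = Rule("*", "*", "*", True)   # every attribute atom spans its whole domain


def resolve_conflict(r1, r2):
    """Return (kept, resolved), or None when the pair does not truly conflict. A real
    conflict needs a hierarchy conflict pair AND non-zero similarity; the rule more similar
    to the full conflict rule has the larger conflict probability and is the one resolved."""
    if not is_conflict_pair(r1, r2) or similarity(r1, r2) == 0:
        return None
    if similarity(r1, FULL_CONFLICT) > similarity(r2, FULL_CONFLICT):
        return r2, r1
    return r1, r2


def is_redundancy_pair(r1, r2):
    """Is r2 redundant with r1? Same sign and a lower role; a positive pair needs an upper
    object and upper operation, a negative pair a lower object and lower operation.
    Identical (role, object, operation) is the general redundancy case."""
    if r1.positive != r2.positive:
        return False
    if (r1.role, r1.obj, r1.op) == (r2.role, r2.obj, r2.op):
        return True
    if not is_below(r2.role, r1.role, ROLE_PARENT):
        return False
    if r1.positive:
        return is_below(r1.obj, r2.obj, OBJECT_PARENT) and is_below(r1.op, r2.op, OP_PARENT)
    return is_below(r2.obj, r1.obj, OBJECT_PARENT) and is_below(r2.op, r1.op, OP_PARENT)


# Constructed sample rules: members may not read reports at the weekend, students may
# read reports, members may read report.pdf on weekdays, plus two negative rules.
WEEKEND_DENY = Rule("member", "reports", "read", False, {"sysWeek": {6, 7}})
STUDENT_READ = Rule("student", "reports", "read", True)
WEEKDAY_PDF = Rule("member", "report.pdf", "read", True, {"sysWeek": {1, 2, 3, 4, 5}})
USER_DENY = Rule("user", "course", "read", False)
MEMBER_DENY_DL = Rule("member", "reports", "download", False)
```

`WEEKEND_DENY` and `WEEKDAY_PDF` form an object-level conflict pair but never apply to the same request (similarity 0), so the resolver leaves both in place, which is the "similarity not 0" test the patent imposes before resolving.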
The overall structure of the access control mechanism for the cloud platform comprises four parts:
(1) Knowledge extraction layer: responsible for collecting various data, analyzing the collected data, extracting knowledge according to the established knowledge ontology model and storing the knowledge in a knowledge base.
(2) Rule preprocessing layer: responsible for establishing inference rules and reducing compound rules, ensuring that the rules in the rule base are atomic rules that can be expressed as SWRL rules.
(3) Inference layer: uses the SWRL rules in the rule base to infer the authorized operation between a subject and an object.
(4) Rule optimization management layer: responsible for optimizing the rules in the rule base, including conflict detection and redundancy detection, and for resolving or merging the detected results. This layer uses the similarity of attribute atoms as its quantitative index.
In this example implementation, the process data flow is as follows:
Step one: The knowledge base model is constructed with OWL, which makes the knowledge base convenient to reason over. Knowledge base modeling is performed for the subject, role, tenant, object, dynamic attribute and authorized operation. The subject has the object attributes userHasRole and userHasAttr, which link it to its allocated role and to its dynamic attributes, respectively. The role has the object attribute roleHasTenant, which refers to the tenant domain the role belongs to, and the object attributes rolePrior and roleNext, which represent the upper-level and lower-level role, respectively. The tenant has the object attribute tenantTenRes, which refers to the objects rented by the current tenant domain, and the data attribute tenantTime, the time for which the tenant domain rents an object. The object has the object attributes resPrior and resNext, representing the upper-level and lower-level object, and the data attributes resName and resType, indicating the object name and the object class. The dynamic attribute has the data attributes poi_long, poi_lati, sysStatus, userAge, sysTime and sysWeek, representing geographical longitude, geographical latitude, system status, user age, system time and day of the week. The authorized operation has the data attribute actionName, the name of the authorized operation, and the object attributes actPrior and actNext, representing the upper-level and lower-level authorized operation.
Step two: Knowledge is extracted from the structured data. The structured data takes the form of database tables: User, Role, Tenant, Resource, Attribute and Action tables are created to define and store the structures of the subject, role, tenant, object, dynamic attribute and authorized operation, respectively. A user_to_role table stores the links between subjects and roles; a role_to_tent table stores the links between roles and tenant domains; a tenant_to_res table stores the links between tenants and objects; a user_to_attr table stores the relation between subjects and dynamic attributes. The last table is empty and only defines the structure: connectivity between subject nodes and dynamic attribute nodes is realized by dynamically connecting and releasing triples. Each table is populated, and the three databases are converted into RDF data with conversion tools.
Step three: Inference rules are constructed and compound rules are reduced by logic conversion; the reduced rules are described in SWRL, for example 1:user (. For example 2, a rule states that a principal that already holds the lease right for a resource and is a student may write to the private ciphertext resource every Tuesday at any time other than 10:00-12:00. Logic conversion yields two reduced rules: (1) a principal that already holds the lease right for the resource and is a student may write to the private ciphertext resource at 0:00-10:00 every Tuesday; (2) a principal that already holds the lease right for the resource and is a student may write to the private ciphertext resource at 12:00-24:00 every Tuesday. The SWRL rules are:
Rule 3-1:
User(?u)^userHasRole(?u,?r)^roleName(?r,‘Student’)^userHasTenResource(?u,?re)^resName(?re,‘PrivateFile’)^userHasAttr(?u,?attr)^sysTime(?attr,?systime)^swrlb:lessThan(?systime,?1000)^swrlb:greaterThan(?systime,?0000)^week(?attr,‘Tuesday’)^Action(?act)^actionName(?act,‘WRITE’)->permit(?u,?re)
Rule 3-2:
User(?u)^userHasRole(?u,?r)^roleName(?r,‘Student’)^userHasTenResource(?u,?re)^resName(?re,‘PrivateFile’)^userHasAttr(?u,?attr)^sysTime(?attr,?systime)^swrlb:lessThan(?systime,?2400)^swrlb:greaterThan(?systime,?1200)^week(?attr,‘Tuesday’)^Action(?act)^actionName(?act,‘WRITE’)->permit(?u,?re)
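As an added example, not code from the patent, the compound rule reduction of example 2 in Python: the excluded time window is replaced by its complement windows, each reduced rule is rendered in the SWRL notation of rules 3-1 and 3-2, and the equivalence of claim 4 is checked over the whole value range. It generalizes to several excluded windows; the body atoms are copied from rule 3-1 and the time literals are written without the leading `?` used on the page.

```python
"""Compound rule reduction by logic conversion (step three, claim 4):
A ∧ B ∧ ¬C → F becomes A ∧ B ∧ C1 → F and A ∧ B ∧ C2 → F, where C1 ∪ C2
is the complement of C.  Added example, not the patent's code."""

SYS_TIME_RANGE = (0, 2400)  # HHMM value range of the sysTime atom (step eight)

# Body atoms of rule 3-1 before and after the two time constraints.
PREFIX = ["User(?u)", "userHasRole(?u,?r)", "roleName(?r,'Student')",
          "userHasTenResource(?u,?re)", "resName(?re,'PrivateFile')",
          "userHasAttr(?u,?attr)", "sysTime(?attr,?systime)"]
SUFFIX = ["week(?attr,'Tuesday')", "Action(?act)", "actionName(?act,'WRITE')"]


def complement_windows(excluded, domain=SYS_TIME_RANGE):
    """Windows of `domain` lying outside the excluded (start, end) windows.
    Generalizes the page's single NOT(10:00-12:00) to several exclusions."""
    lo, hi = domain
    parts, cursor = [], lo
    for start, end in sorted(excluded):
        if start > cursor:
            parts.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < hi:
        parts.append((cursor, hi))
    return parts


def render_swrl(window, head="permit(?u,?re)"):
    """One atomic SWRL rule whose sysTime lies inside `window`."""
    lo, hi = window
    time_atoms = [f"swrlb:lessThan(?systime,{hi:04d})",
                  f"swrlb:greaterThan(?systime,{lo:04d})"]
    return "^".join(PREFIX + time_atoms + SUFFIX) + "->" + head


def reduce_rule(excluded):
    """Reduce 'body ∧ NOT(excluded) -> head' to one atomic rule per window."""
    return [render_swrl(w) for w in complement_windows(excluded)]


def covered(windows, t):
    """Does some reduced rule's window fire for the value t (half-open)?"""
    return any(lo <= t < hi for lo, hi in windows)


def equivalent(excluded, domain=SYS_TIME_RANGE):
    """Claim 4 checked on every value of the range: the reduced rules fire
    exactly when the compound rule does.  Half-open windows are used; the
    page's SWRL uses strict lessThan/greaterThan on both ends, which leaves
    the boundary values themselves outside every window."""
    windows = complement_windows(excluded, domain)
    for t in range(domain[0], domain[1]):
        in_excluded = any(s <= t < e for s, e in excluded)
        if in_excluded == covered(windows, t):
            return False
    return True


if __name__ == "__main__":
    for rule in reduce_rule([(1000, 1200)]):
        print(rule)
    print("equivalent:", equivalent([(1000, 1200)]))
```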
Step four: Node connectivity between the subject and its dynamic attributes is increased dynamically by adding triples, and the knowledge base is queried and traversed with the SPARQL query language, which realizes rule-based dynamic authorization reasoning. For example, with the dynamically added triples <:/user/1 :userHasAttr :/attr/1>, <:/attr/1 :sysTime 0900>, <:/attr/1 :week 'Tuesday'>, authorization reasoning can be performed from the knowledge base and the rules; the reasoning satisfies rule 3-2 and the write to the resource is allowed.
Step five: To optimize the management of the rule base, conflict detection must be performed on the rules in the rule base. Three rules are given here, illustrating conflicts along the three dimensions of roles, objects and authorized operations, respectively:
Rule 5-1:
user (. This rule states that a principal that already holds the lease of the resource and is an undergraduate is denied when it requests to write the private ciphertext resource at 1:00-10:00 every Tuesday. Since Undergraduate is a subordinate role of Student and the role hierarchy has positive authorization inheritance, this rule and rule 3-1 produce an authorization conflict due to the role hierarchy. The conflict pair is < Student, private file, WRITE >, < Undergraduate, private file, WRITE >.
Rule 5-2:
user (. This rule states that a principal that already holds the lease right for the resource and is a student is denied when it requests to write to a common file resource at 0:00-10:00 every Tuesday. Because the common file is an upper-level object of the private file and the object hierarchy has negative-positive authorization inheritance, this rule and rule 3-1 produce an authorization conflict due to the object hierarchy. The conflict pair is < Student, private file, WRITE >, < Student, normal file, WRITE >.
Rule 5-3:
user (. This rule states that a principal that already holds the lease right for the resource and is a student is denied when it requests to read the private ciphertext resource at 0:00-10:00 every Tuesday. Since the read request is the upper-level authorized operation of the write request and the authorized operation hierarchy has negative-positive authorization inheritance, this rule and rule 3-1 produce an authorization conflict due to the authorized operation hierarchy. The conflict pair is < Student, private file, WRITE >, < Student, private file, READ >.
Step six: Rule redundancy detection
To optimize the management of the rule base, redundancy detection must also be performed on the rules in the rule base. Three rules are given here, illustrating redundancy along the three dimensions of roles, objects and authorized operations, respectively, followed by an example of general redundancy:
Rule 6-1:
user (. This rule states that a principal that already holds the lease of the resource and is an undergraduate is denied when it requests to write the private ciphertext resource at 1:00-10:00 every Tuesday. Since Undergraduate is a subordinate role of Student and the role hierarchy has positive authorization inheritance, this rule and rule 3-1 produce authorization redundancy due to the role hierarchy. The redundant pair is < Student, private file, WRITE >, < Undergraduate, private file, WRITE >.
Rule 6-2:
user (. This rule states that a principal that already holds the lease right for the resource and is a student is denied when it requests to write to a common file resource at 0:00-10:00 every Tuesday. Because the common file is an upper-level object of the private file and the object hierarchy has negative-positive authorization inheritance, this rule and rule 3-1 produce authorization redundancy due to the object hierarchy. The redundant pair is < Student, private file, WRITE >, < Student, normal file, WRITE >.
Rule 6-3:
user (. This rule states that a principal that already holds the lease right for the resource and is a student is denied when it requests to read the file resource at 0:00-10:00 every Tuesday. Since the read request is the upper-level authorized operation of the write request and the authorized operation hierarchy has negative-positive authorization inheritance, this rule and rule 3-1 produce authorization redundancy due to the authorized operation hierarchy. The redundant pair is < Student, private file, WRITE >, < Student, private file, READ >.
Rule 6-4:
user (. This rule has the same role, object and authorized operation as rule 3-1 and therefore meets the general redundancy condition.
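As an added example (not the patent's code) of the hierarchy-based conflict detection of step five and the redundancy detection of step six, the following Python encodes the definitions of claim 1 over constructed rule triples. The hierarchies (Undergraduate below Student, private file below normal file, WRITE below READ) and the rules' permit/deny effects are assumptions taken from the page's examples, and the redundancy relations are read reflexively so that pairs differing in a single dimension qualify.

```python
"""Hierarchy-based conflict and redundancy detection for rule triples
<role, object, operation> with a permit/deny effect (steps five and six,
claim 1).  Added example, not the patent's code; hierarchies constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    role: str
    obj: str
    op: str
    permit: bool  # True = positive authorization, False = negative

# child -> parent maps (constructed from the page's examples)
ROLE_PARENT = {"Undergraduate": "Student"}
OBJECT_PARENT = {"PrivateFile": "NormalFile"}
OP_PARENT = {"WRITE": "READ"}

def is_subordinate(child, parent, parent_map):
    """True when `child` lies strictly below `parent` in the hierarchy."""
    node = parent_map.get(child)
    while node is not None:
        if node == parent:
            return True
        node = parent_map.get(node)
    return False

def at_or_below(x, y, parent_map):
    return x == y or is_subordinate(x, y, parent_map)

def conflict_dimension(r1, r2):
    """'role', 'object', 'operation' or None (claim 1): opposite effects on
    the same object/operation across a role edge, or a denial on the upper
    object/operation with a permission on the lower one."""
    if r1.permit == r2.permit:
        return None
    neg, pos = (r2, r1) if r1.permit else (r1, r2)
    if r1.obj == r2.obj and r1.op == r2.op and (
            is_subordinate(r1.role, r2.role, ROLE_PARENT)
            or is_subordinate(r2.role, r1.role, ROLE_PARENT)):
        return "role"
    if neg.role == pos.role and neg.op == pos.op and is_subordinate(
            pos.obj, neg.obj, OBJECT_PARENT):
        return "object"
    if neg.role == pos.role and neg.obj == pos.obj and is_subordinate(
            pos.op, neg.op, OP_PARENT):
        return "operation"
    return None

def redundancy_kind(r1, r2):
    """'general' when triples and effects coincide; 'positive'/'negative'
    hierarchical redundancy per claim 1, the relations read reflexively so
    that a pair differing in one dimension only qualifies."""
    if r1.permit != r2.permit:
        return None
    if (r1.role, r1.obj, r1.op) == (r2.role, r2.obj, r2.op):
        return "general"
    if not at_or_below(r2.role, r1.role, ROLE_PARENT):
        return None
    if r1.permit:  # positive: r2's object and operation at or above r1's
        if (at_or_below(r1.obj, r2.obj, OBJECT_PARENT)
                and at_or_below(r1.op, r2.op, OP_PARENT)):
            return "positive"
    elif (at_or_below(r2.obj, r1.obj, OBJECT_PARENT)  # negative: at or below
          and at_or_below(r2.op, r1.op, OP_PARENT)):
        return "negative"
    return None

def detect(rules):
    """Pairwise scan; conflicts are symmetric, redundancy is tried both ways."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            dim = conflict_dimension(a, b)
            if dim:
                found.append(("conflict", dim, a.name, b.name))
            kind = redundancy_kind(a, b) or redundancy_kind(b, a)
            if kind:
                found.append(("redundancy", kind, a.name, b.name))
    return found

# Constructed triples for the page's rules 3-1, 5-1, 5-2, 5-3 and 6-4.
RULE_3_1 = Rule("3-1", "Student", "PrivateFile", "WRITE", True)
RULE_5_1 = Rule("5-1", "Undergraduate", "PrivateFile", "WRITE", False)
RULE_5_2 = Rule("5-2", "Student", "NormalFile", "WRITE", False)
RULE_5_3 = Rule("5-3", "Student", "PrivateFile", "READ", False)
RULE_6_4 = Rule("6-4", "Student", "PrivateFile", "WRITE", True)
```

Running `detect([RULE_3_1, RULE_5_1, RULE_5_2, RULE_5_3, RULE_6_4])` reports the three conflict pairs of step five, each tagged with its dimension, and the general redundancy of rule 6-4 with rule 3-1.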
Step seven: similarity calculation based on attribute atoms
If two rules form a redundancy pair or a conflict pair, the attribute-atom similarity calculation can be performed. This step is quantified with rule 3-1 and rule 5-1 as the example. Rules 3-1 and 5-1 form a conflict pair due to the role hierarchy; in this step the attributes of the two rules are split into atomic items for the similarity calculation. The split yields the atoms sysTime and week, whose similarities are calculated separately with the following formula:
Step eight: Automatic resolution of rule conflicts based on hierarchy
For two conflicting rules, such as rule 3-1 and rule 5-1, the conflict is resolved automatically; the processing principle is that the rule with the larger conflict probability is resolved. For both rules, the value ranges of the attribute atom items in the full conflict rule are {0000-2400} and {'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'}. The similarity between rule 3-1 and the full conflict rule is 0.059, and the similarity between rule 5-1 and the full conflict rule is 0.053, so rule 3-1 is resolved.
Step nine: automatic resolution of rule redundancy based on hierarchy
For two rules in hierarchical redundancy, such as rule 3-1 and rule 6-1, automatic resolution is performed. The sysTime atom constraint of the former is 0000-1000 and that of the latter is 0100-1000; the week atom constraint of both is 'Tuesday'. The latter rule can therefore be resolved. For two rules in general redundancy, such as rule 3-1 and rule 6-1, automatic merging is performed. The sysTime atom constraint of the former is 0000-1000 and that of the latter is 0100-1100; the week atom constraint of both is 'Tuesday'. The two sysTime constraints can then be merged into 0000-1100.
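An added example (not the patent's code) carrying steps seven to nine through in Python for rules 3-1, 5-1 and 6-4: per-atom Jaccard similarity, similarity to the full conflict rule, the choice of which conflicting rule to resolve, and the subset test and merge for redundancy. Assumed here: sysTime windows are measured in minutes, a rule's similarity is the product of its atoms' Jaccard coefficients (which reproduces the page's 0.059 and 0.053 when truncated to three decimals), and a rule without a given atom is unconstrained on it.

```python
"""Attribute-atom Jaccard similarity with the hierarchy-based conflict and
redundancy resolution of steps seven to nine.  Added example, not the
patent's code.  Assumed: sysTime atoms are half-open HHMM windows measured
in minutes; a rule's similarity is the product of its per-atom Jaccard
coefficients (this reproduces the page's 0.059 and 0.053); an atom absent
from a rule is unconstrained (full value range)."""

ALL_DAYS = frozenset(["Monday", "Tuesday", "Wednesday", "Thursday",
                      "Friday", "Saturday", "Sunday"])
DAY_MINUTES = 24 * 60

def hhmm(t):
    """'0900' -> 540 minutes since midnight; '2400' -> 1440."""
    return int(t[:2]) * 60 + int(t[2:])

# Full conflict rule: every attribute atom spans its whole value range.
FULL_CONFLICT_RULE = {"sysTime": (0, DAY_MINUTES), "week": ALL_DAYS}

def jaccard(a, b):
    """|a ∩ b| / |a ∪ b| for an interval atom (start, end) or a set atom."""
    if isinstance(a, tuple):
        inter = max(0, min(a[1], b[1]) - max(a[0], b[0]))
        union = (a[1] - a[0]) + (b[1] - b[0]) - inter
    else:
        inter, union = len(a & b), len(a | b)
    return inter / union if union else 1.0

def rule_similarity(r1, r2):
    """Per-atom Jaccard coefficients of the two rules, multiplied."""
    sim = 1.0
    for name in set(r1) | set(r2):
        full = FULL_CONFLICT_RULE[name]
        sim *= jaccard(r1.get(name, full), r2.get(name, full))
    return sim

def is_conflicting(r1, r2):
    """Rules whose triples form a conflict pair conflict only when their
    attribute atoms overlap, i.e. the similarity is not 0."""
    return rule_similarity(r1, r2) != 0

def resolve_conflict(name1, r1, name2, r2):
    """Name of the rule to resolve (eliminate): the one more similar to the
    full conflict rule.  A tie goes to the first rule (the page defines none)."""
    s1 = rule_similarity(r1, FULL_CONFLICT_RULE)
    s2 = rule_similarity(r2, FULL_CONFLICT_RULE)
    return name1 if s1 >= s2 else name2

def contains(outer, inner):
    if isinstance(outer, tuple):
        return outer[0] <= inner[0] and inner[1] <= outer[1]
    return inner <= outer

def latter_is_redundant(former, latter):
    """Hierarchical redundancy pair: every atom of the former rule is also
    constrained in the latter, and each of the latter's ranges is a subset
    of the former's, so the latter rule can be resolved."""
    return all(name in latter and contains(former[name], latter[name])
               for name in former)

def merge_general_redundancy(r1, r2):
    """General redundancy (same role, object and operation): merge the
    ranges of shared atoms whose similarity is not 0.  Returns None when a
    shared atom is disjoint, since one rule cannot cover both windows (the
    page leaves that case unspecified).  An atom constrained in only one
    rule is unconstrained in the union and is dropped."""
    merged = {}
    for name in set(r1) & set(r2):
        a, b = r1[name], r2[name]
        if jaccard(a, b) == 0:
            return None
        merged[name] = ((min(a[0], b[0]), max(a[1], b[1]))
                        if isinstance(a, tuple) else a | b)
    return merged

# Constructed from the step seven to nine figures (times in minutes).
TUESDAY = frozenset({"Tuesday"})
RULE_3_1 = {"sysTime": (hhmm("0000"), hhmm("1000")), "week": TUESDAY}
RULE_5_1 = {"sysTime": (hhmm("0100"), hhmm("1000")), "week": TUESDAY}  # also 6-1
RULE_6_4 = {"sysTime": (hhmm("0100"), hhmm("1100")), "week": TUESDAY}

if __name__ == "__main__":
    for name, rule in (("3-1", RULE_3_1), ("5-1", RULE_5_1)):
        print(name, "vs full conflict rule:",
              round(rule_similarity(rule, FULL_CONFLICT_RULE), 4))
    print("resolve:", resolve_conflict("3-1", RULE_3_1, "5-1", RULE_5_1))
    print("latter redundant:", latter_is_redundant(RULE_3_1, RULE_5_1))
    print("merged:", merge_general_redundancy(RULE_3_1, RULE_6_4))
```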
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and it should be noted that it is possible for those skilled in the art to make several improvements and modifications without departing from the technical principle of the present invention, and these improvements and modifications should also be regarded as the protection scope of the present invention.

Claims (4)

1. The cloud platform access control method is characterized by comprising the following steps of:
1) Knowledge extraction
Based on the constructed knowledge base model, extracting knowledge according to the structured data, and storing the knowledge into a knowledge base;
2) Rule preprocessing
Establishing an inference rule, and carrying out compound rule reduction based on logic conversion to enable rules in a rule base to accord with atomic rules expressed by SWRL rules;
3) Rule-based dynamic authorization reasoning
Rule reasoning is realized with custom rules and dynamic authorization with dynamic connection of triples, namely: node connectivity between the subject and its dynamic attributes is increased dynamically by adding triples, and the knowledge base is queried and traversed with the SPARQL query language, which realizes rule-based dynamic authorization reasoning;
4) Rule optimization management
Adopting a conflict analysis method based on hierarchy inheritance to carry out conflict detection on the custom rule in the step 3) to obtain a conflict detection result;
adopting a redundancy analysis method based on hierarchy inheritance to carry out redundancy detection on the custom rule in the step 3) to obtain a redundancy detection result;
if two rules in the detection result form a redundancy pair or a conflict pair, similarity calculation based on attribute atoms is performed; according to the similarity calculation result, hierarchy-based automatic resolution of the rule conflict is performed for two rules that form a conflict pair, and hierarchy-based automatic resolution of the rule redundancy is performed for two rules that form a redundancy pair;
the conflict analysis based on hierarchy inheritance comprises role hierarchy conflict, object hierarchy conflict and authorized operation hierarchy conflict analysis; wherein,
a role-level conflict is defined as follows: role A2 inherits from role A1, and positive and negative authorization inheritance are realized by forward inheritance; if role A1 obtains positive authorization for operation C on object B while role A2 obtains negative authorization for operation C on object B, or role A1 obtains negative authorization for operation C on object B while role A2 obtains positive authorization for operation C on object B, the two rules conflict due to role inheritance;
an object-level conflict is defined as follows: object B2 is a sub-level of object B1, realizing negative-positive and positive-negative authorization inheritance; if role A obtains negative authorization for operation C on object B1 while role A obtains positive authorization for operation C on object B2, the two rules conflict due to the object level;
an authorized operation-level conflict is defined as follows: authorized operation C2 is a subordinate operation of authorized operation C1, operation C2 being a deeper processing of the object, realizing negative-positive and positive-negative authorization inheritance; if role A obtains negative authorization for operation C1 on object B while role A obtains positive authorization for operation C2 on object B, the two rules conflict due to the operation level;
by analyzing the conflicts generated by the three levels, the conflict pairs of < A, B, C > and < A1, B1, C1> are obtained;
the rule redundancy detection and the general redundancy detection comprise:
hierarchy-based definition of a positive authorization redundancy pair: given rule 1, in which role A1 has positive authorization for operation C1 on object B1, and rule 2, in which role A2 has positive authorization for operation C2 on object B2, < A, B, C > and < A1, B1, C1 > are a positive authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a superordinate object of B1 and C2 is a superordinate operation of C1;
hierarchy-based definition of a negative authorization redundancy pair: given rule 1, in which role A1 has negative authorization for operation C1 on object B1, and rule 2, in which role A2 has negative authorization for operation C2 on object B2, < A, B, C > and < A1, B1, C1 > are a negative authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a subordinate object of B1 and C2 is a subordinate operation of C1; two rules whose roles, objects and authorized operations are the same are defined as general redundancy;
the attribute atom-based similarity calculation includes:
carrying out similarity calculation on attribute atoms in the two rules one by one, adopting Jaccard coefficients as a calculation formula and coefficients, and quantifying the size of an intersecting region of attribute atomic values between the two rules through the similarity;
the automatic resolution of rule conflict comprises:
calculating the attribute-atom similarity value between the two rules of a conflict pair < A, B, C >, < A1, B1, C1 >; the two rules conflict if and only if their roles, objects and authorized operations form a conflict pair and the similarity value is not 0; for two conflicting rules, the resolution principle is that the rule with the larger conflict probability is resolved; the conflict probability is quantified as the similarity between the rule and the full conflict rule; the full conflict rule is the rule applicable under all conditions, namely the value of each attribute atom item is the full set of its value range;
the rule redundancy automatic resolution includes:
when, for the two rules of a redundancy pair < A, B, C >, < A1, B1, C1 >, the attribute atom items of the former rule are a subset of the attribute atom items of the latter rule and the constraint range of each attribute atom item of the latter rule is a subset of that of the former rule, resolving the latter rule;
and if the two rules meet the general redundancy condition, analyzing the attribute atomic items of the two rules, and if the attribute atomic items are the same and the similarity of the constraint range of the attribute atomic items is not 0, merging the constraint ranges of the attribute atomic items with the similarity of not 0 in the two rules.
2. The cloud platform access control method according to claim 1, wherein the method for constructing the knowledge base model in step 1) includes:
constructing a knowledge base in a top-down mode, performing access control conceptual analysis, defining an access control model class and establishing a class hierarchy system, completing attribute definition of the class and establishing the attribute hierarchy system according to the characteristic analysis of the defined class, and filling entities according to the defined class and the attribute; wherein the attributes include data attributes and object attributes.
3. The cloud platform access control method according to claim 2, wherein the step 1) includes:
storing the relation between the entities in a TDB database in the form of triples;
and forming an access control entity relation network by using the extracted knowledge, and acquiring the implicit semantic relation among multiple entities through the connectivity of knowledge nodes.
4. The cloud platform access control method according to claim 3, wherein the rule reduction formula in step 2) is A ∧ B ∧ ¬C → F, which is equivalent to A ∧ B ∧ (C1 ∨ C2) → F, which is equivalent to the set of rules {A ∧ B ∧ C1 → F, A ∧ B ∧ C2 → F}; wherein the union of C1 and C2 is the complement of C.
Publications (2)

Publication Number Publication Date
CN113590742A CN113590742A (en) 2021-11-02
CN113590742B true CN113590742B (en) 2023-12-26