CN115189906B - Multi-domain security management method for network management system - Google Patents

Multi-domain security management method for network management system

Info

Publication number: CN115189906B (granted publication; earlier publication CN115189906A)
Application number: CN202210566388.6A
Authority: CN (China)
Prior art keywords: security, domain, role, request, policy
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Language: Chinese (zh)
Inventors: 李运佳, 肖新祥, 陈知新, 张智勇
Current assignee: Hunan Normal University
Original assignee: Hunan Normal University
Priority and filing date: 2022-05-24
Publication dates: 2022-10-14 (CN115189906A), 2023-07-07 (CN115189906B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a multi-domain security management method for a network management system, comprising the following steps: a user in the requesting security domain generates a service request; the system administrator extracts the security attributes of the access service request and searches the security policy library of the requesting security domain for a related access service policy; if a related access service policy exists in that security policy library, the access request carries the inter-domain access control policy and is sent to the target security domain; the administrator of the target security domain receives and parses the role-mapping request information and performs security policy authentication on the request. The access decision is executed directly through the role mapping relation: an exact permission search finds the target roles corresponding to the permissions of the access request, and the access control decision is executed through that role mapping. This satisfies the multi-level access requirements and the security assurance between security domains, and improves the security and efficiency of security collaboration among the components of the multi-domain system.

Description

Multi-domain security management method for network management system
Technical Field
The invention relates to the technical field of network management, in particular to a multi-domain security management method of a network management system.
Background
In recent years, as transmission networks have grown continuously in size, the transmission network of a telecom operator has come to contain equipment from multiple vendors and multiple transmission technologies. The transmission network management system centrally manages equipment of many types and vendors, monitors alarms and performance in real time, and configures network connections and services of all kinds. Because management is centralized and the management scope and the functions realized keep growing, the security requirements on network management grow accordingly, and customers expect flexible authority control that grants one or more operation authorities to designated users.
The network management system manages equipment of many types and vendors distributed across different physical areas, and customers expect different management authorities for different areas. Existing user authority allocation is cumbersome: it cannot satisfy the multi-level access requirements and the security assurance between security domains, and it cannot guarantee the security and efficiency of security collaboration among the components of the multi-domain system.
Disclosure of Invention
Based on the technical problems described in the background, the invention provides a multi-domain security management method for a network management system.
The multi-domain security management method for a network management system provided by the invention comprises the following steps:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access service request and searches the security policy library of the requesting security domain for a related access service policy;
S3, if a related access service policy exists in the security policy library of the requesting security domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the administrator of the target security domain receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access service policy exists in the security policy library of the requesting security domain, an inter-domain authorized search request is sent to the target security domain; the inter-domain authorized search process finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies the permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
Preferably, the access policy library stores the policy of the requesting security domain and part of the policies of the target security domain, and mainly comprises: PA, PH and the inter-domain role mapping.
Preferably, the static policy combination of step S6 mainly completes the role mapping between the different role systems and constructs the global role hierarchy.
Preferably, the inter-domain authorized search process of step S5 is divided into two steps:
Role finding: searching the role system of the target security domain, according to a given search principle, for a matching role set that satisfies the permission set of the service request;
Role activation check: performing an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
Preferably, the hierarchical relationships among roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
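The three hierarchy relationships named above decide what a single session actually yields, which is what the role activation check has to reason about. The following Python is an added illustration, not code from the patent: the role hierarchy and permission assignment are constructed sample data, and the mode names `permission`, `activation` and `both` are assumptions standing for permission inheritance, role activation inheritance and their combination.

```python
"""Session permissions under the three role-hierarchy semantics:
permission inheritance, role activation inheritance, and both.
Added illustration with constructed sample data; not the patent's code."""

# senior role -> direct junior roles (constructed sample data)
HIERARCHY = {"noc_operator": {"alarm_viewer", "perf_viewer"},
             "alarm_viewer": set(), "perf_viewer": set()}
# role -> directly assigned permissions (constructed sample data)
PA = {"noc_operator": {"service.configure"},
      "alarm_viewer": {"alarm.read"}, "perf_viewer": {"perf.read"}}


def juniors(role):
    """All roles at or below `role` in the hierarchy (transitive closure)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(HIERARCHY.get(r, ()))
    return seen


def session_permissions(assigned, activate, mode):
    """Permissions available in one session in which a user assigned the roles
    `assigned` activates the roles `activate`, under hierarchy semantics `mode`:
      'permission': an active role also yields its juniors' permissions, but
                    only roles the user is assigned can be activated;
      'activation': any junior of an assigned role may be activated, but an
                    active role yields only its own permissions;
      'both':       both rules apply.
    Returns None when the requested activation is not allowed."""
    if mode not in ("permission", "activation", "both"):
        raise ValueError(f"unknown hierarchy mode {mode!r}")
    activatable = set(assigned)
    if mode in ("activation", "both"):
        activatable = set().union(*(juniors(r) for r in assigned))
    if not set(activate) <= activatable:
        return None
    effective = set(activate)
    if mode in ("permission", "both"):
        effective = set().union(*(juniors(r) for r in activate))
    return set().union(*(PA[r] for r in effective))


if __name__ == "__main__":
    for mode in ("permission", "activation", "both"):
        for active in ({"noc_operator"}, {"alarm_viewer"}):
            print(mode, sorted(active), "->",
                  session_permissions({"noc_operator"}, active, mode))
```

The practical difference is least privilege within a session: under pure permission inheritance a user holding `noc_operator` can only open a session that carries every inherited permission, whereas activation inheritance lets the same user open a read-only `alarm_viewer` session, and the combined mode allows either.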
Preferably, the role finding of step S5 finds a set of roles satisfying the permissions of the access request within the current security domain.
Preferably, the role finding of step S5 follows these principles:
the algorithm complexity satisfies the polynomial-time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matched to the permission set is minimal.
In the multi-domain security management method for a network management system, multi-domain access control is divided into a static mode and a dynamic mode. Static multi-domain access control searches the policy library of the system for the security policies related to the requested service. Dynamic multi-domain access control uses the multi-domain authorized search method to find, in the target security domain, a role set satisfying the permissions of the access request, returns that role set to the requesting security domain, and then performs static policy combination in the requesting security domain to obtain a global security policy, thereby realizing multi-domain access control.
The invention executes the access decision directly through the role mapping relation: an exact permission search finds the target roles corresponding to the permissions of the access request, and the access control decision is executed through that role mapping. This satisfies the multi-level access requirements and the security assurance between security domains, and improves the security and efficiency of security collaboration among the components of the multi-domain system.
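The static and dynamic modes just described, together with steps S2 to S6 (repeated below in the Detailed Description and in claim 1) and the role-finding principles, can be exercised end to end with the following Python. It is an added illustration, not the patent's own code: the two regional domains, their roles, permissions and the separation-of-duty pair are constructed sample data, the policy library is modelled as a dictionary of inter-domain role mappings, and all names (`Domain`, `role_finding`, `activation_check`, `access`) are assumptions. Role finding is implemented as the greedy role-adding search the principles call for, restricted to roles whose effective permissions lie inside the request so that the mapping never grants more than was asked for.

```python
"""Multi-domain access control in the static and dynamic modes described above
(steps S2 to S6). Added illustration, not the patent's own code: the domains,
roles, permissions and separation-of-duty pairs are constructed sample data,
and every function name here is an assumption."""
from itertools import combinations


class Domain:
    """One security domain: role hierarchy, permission assignment (PA) and the
    role pairs that must never be active together in one session."""

    def __init__(self, name, hierarchy, pa, dsod=()):
        self.name = name
        self.hierarchy = hierarchy        # senior role -> set of direct junior roles
        self.pa = pa                      # role -> permissions assigned directly
        self.dsod = {frozenset(p) for p in dsod}
        # This domain's access policy library: inter-domain role mappings,
        # keyed by (target domain, requested permission set).
        self.role_mapping = {}

    def roles(self):
        return sorted(set(self.hierarchy) | set(self.pa))

    def effective_perms(self, role):
        """Permissions of `role` plus everything inherited from its juniors."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                perms |= self.pa.get(r, set())
                stack.extend(self.hierarchy.get(r, ()))
        return perms


def role_finding(target, requested):
    """Greedy role-adding search (step S5): keep adding the role that covers the
    most still-uncovered permissions. Only roles whose effective permissions lie
    inside the request are candidates, so the mapping never grants more than was
    asked for. Runs in polynomial time; returns None when the target domain
    cannot satisfy the request exactly."""
    requested = frozenset(requested)
    candidates = {r: target.effective_perms(r) for r in target.roles()}
    candidates = {r: p for r, p in candidates.items() if p and p <= requested}
    chosen, uncovered = set(), set(requested)
    while uncovered:
        gain = {r: len(p & uncovered) for r, p in candidates.items()}
        best = max(gain, key=gain.get, default=None)
        if best is None or gain[best] == 0:
            return None
        chosen.add(best)
        uncovered -= candidates[best]
    return frozenset(chosen)


def activation_check(target, roles):
    """Role activation check: the role set must be activatable in a single
    session, i.e. it must not contain a dynamically separated pair."""
    return all(frozenset(p) not in target.dsod for p in combinations(roles, 2))


def access(requesting, target, requested):
    """Steps S2 to S6 for one request from `requesting` to `target`. Returns
    (mode, roles): 'static' when the requesting domain's policy library already
    held a mapping, 'dynamic' when an inter-domain authorized search was run,
    'denied' otherwise."""
    key = (target.name, frozenset(requested))
    roles = requesting.role_mapping.get(key)
    if roles is not None:                                    # S3: static mode
        # S4: the target domain re-validates the carried policy before serving.
        ok = roles <= set(target.roles()) and activation_check(target, roles)
        return ("static", roles) if ok else ("denied", None)
    roles = role_finding(target, requested)                  # S5: dynamic mode
    if roles is None or not activation_check(target, roles):
        return "denied", None
    requesting.role_mapping[key] = roles                     # S6: policy combination
    return "dynamic", roles


def make_domains():
    """Constructed sample data: two regional NMS security domains."""
    region_a = Domain("region-A", {"operator": set()}, {"operator": {"alarm.read"}})
    region_b = Domain(
        "region-B",
        hierarchy={"noc_operator": {"alarm_viewer", "perf_viewer"}, "alarm_viewer": set(),
                   "perf_viewer": set(), "auditor": set(), "config_admin": set()},
        pa={"noc_operator": {"service.configure"}, "alarm_viewer": {"alarm.read"},
            "perf_viewer": {"perf.read"}, "auditor": {"alarm.read", "log.read"},
            "config_admin": {"service.configure", "device.configure"}},
        dsod=[("auditor", "config_admin")],
    )
    return region_a, region_b


if __name__ == "__main__":
    a, b = make_domains()
    for perms in ({"alarm.read", "perf.read", "service.configure"},
                  {"alarm.read", "perf.read", "service.configure"},   # second time: static
                  {"alarm.read", "log.read", "service.configure", "device.configure"},
                  {"alarm.read", "device.configure"}):
        print(sorted(perms), "->", access(a, b, perms))
```

Two outcomes are worth noting. A request for alarm, performance and service-configuration rights maps to the single senior role `noc_operator` rather than three junior roles, which is the minimal-role-count principle; the same request a second time is served from the requesting domain's policy library, i.e. in static mode. A request whose only covering roles are `auditor` and `config_admin` passes role finding but fails the activation check because those two are dynamically separated, and a request that could only be met by over-granting (`device.configure` comes bundled with `service.configure`) is refused outright instead of being approximated.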
Drawings
Fig. 1 is a flow chart of a multi-domain security management method of a network management system according to the present invention.
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings; evidently, the embodiments described are only some, and not all, of the embodiments of the invention.
Referring to fig. 1, the multi-domain security management method of a network management system includes the steps of:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access service request and searches the security policy library of the requesting security domain for a related access service policy;
S3, if a related access service policy exists in the security policy library of the requesting security domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the administrator of the target security domain receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access service policy exists in the security policy library of the requesting security domain, an inter-domain authorized search request is sent to the target security domain; the inter-domain authorized search process finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies the permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
In the invention, the access policy library stores the policy of the requesting security domain and part of the policies of the target security domain, and mainly comprises: PA, PH and the inter-domain role mapping.
In the invention, the static policy combination of step S6 mainly completes the role mapping between the different role systems and constructs the global role hierarchy.
In the invention, the inter-domain authorized search process of step S5 is divided into two steps:
Role finding: searching the role system of the target security domain, according to a given search principle, for a matching role set that satisfies the permission set of the service request;
Role activation check: performing an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
In the invention, the hierarchical relationships among roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
In the invention, the role finding of step S5 finds the set of roles satisfying the permissions of the access request within the current security domain.
In the invention, the role finding of step S5 follows these principles:
the algorithm complexity satisfies the polynomial-time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matched to the permission set is minimal.
In summary, the invention comprises the following steps: a user in the requesting security domain generates a service request; the system administrator extracts the security attributes of the access service request and searches the security policy library of the requesting security domain for a related access service policy; if a related access service policy exists in that security policy library, the access request carries the inter-domain access control policy and is sent to the target security domain; the administrator of the target security domain receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains; if no related access service policy exists in the security policy library of the requesting security domain, an inter-domain authorized search request is sent to the target security domain, and the inter-domain authorized search process finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies the permission requirements and returns it to the requesting security domain in the form of a service output policy; finally, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is added to the security policy of the requesting security domain.
The foregoing is only a preferred embodiment of the invention, and the scope of the invention is not limited thereto: equivalent substitutions or modifications that any person skilled in the art makes according to the technical scheme of the invention and its inventive concept fall within the scope of the invention.

Claims (7)

1. A multi-domain security management method for a network management system, characterized by comprising the following steps:
S1, a user in the requesting security domain generates a service request;
S2, the system administrator extracts the security attributes of the access service request and searches the security policy library of the requesting security domain for a related access service policy;
S3, if a related access service policy exists in the security policy library of the requesting security domain, the access request carries the inter-domain access control policy and is sent to the target security domain;
S4, the administrator of the target security domain receives and parses the role-mapping request information, performs security policy authentication on the request, and then returns the corresponding service resources to the requesting user according to the service attributes of the request, realizing secure interaction between the domains;
S5, if no related access service policy exists in the security policy library of the requesting security domain, an inter-domain authorized search request is sent to the target security domain; the inter-domain authorized search process finds, according to the permissions of the service request, the optimal role set in the target security domain that satisfies the permission requirements, and returns it to the requesting security domain in the form of a service output policy;
S6, the returned service output policy is statically combined with the security policy of the requesting security domain, and the combined policy is finally added to the security policy of the requesting security domain.
2. The multi-domain security management method for a network management system according to claim 1, wherein the access policy library stores the policy of the requesting security domain and part of the policies of the target security domain, and mainly comprises: PA, PH and the inter-domain role mapping.
3. The multi-domain security management method for a network management system according to claim 1, wherein the static policy combination of step S6 mainly completes the role mapping between the different role systems and constructs the global role hierarchy.
4. The multi-domain security management method for a network management system according to claim 1, wherein the inter-domain authorized search of step S5 is divided into two steps:
Role finding: searching the role system of the target security domain, according to a given search principle, for a matching role set that satisfies the permission set of the service request;
Role activation check: performing an activation constraint check on the role set obtained by role finding, to determine whether that role set can be activated in a single session of the user.
5. The multi-domain security management method for a network management system according to claim 1, wherein the hierarchical relationships among roles are: permission inheritance, role activation inheritance, and the combination of permission inheritance and role activation inheritance.
6. The multi-domain security management method for a network management system according to claim 1, wherein the role finding of step S5 finds a set of roles satisfying the permissions of the access request within the current security domain.
7. The multi-domain security management method for a network management system according to claim 1, wherein the role finding of step S5 follows these principles:
the algorithm complexity satisfies the polynomial-time requirement;
a role-adding method is used so that the system satisfies the permissions of the access request to the greatest extent;
the integrity and security of the role hierarchy are guaranteed, and the number of roles in the role set matched to the permission set is minimal.

Priority Application (1)

Application Number: CN202210566388.6A, priority date 2022-05-24, filing date 2022-05-24, title "Multi-domain security management method for network management system", status Active

Publications (2)

Publication Number Publication Date
CN115189906A (en) 2022-10-14
CN115189906B (en) 2023-07-07

Family ID: 83513721

Country Status (1)

Country Link
CN (1) CN115189906B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103378987A * 2012-04-24 2013-10-30 国际商业机器公司 Policy management method and system of multiple security domains
CN103338194A * 2013-03-06 2013-10-02 中国电力科学研究院 Credibility based cross-security domain access control system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100997802B1 * 2008-10-20 2010-12-01 한국전자통신연구원 Apparatus and method for security managing of information terminal
US20120291089A1 * 2011-05-13 2012-11-15 Raytheon Company Method and system for cross-domain data security
US10721237B2 * 2016-08-05 2020-07-21 Oracle International Corporation Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant