Journal of Zhejiang University (Engineering Science)  2017, Vol. 51 Issue (12): 2332-2340    DOI: 10.3785/j.issn.1008-973X.2017.12.004
Computer and Communication Technology
Access control mechanism for cloud composite service with policy attribute negotiation
LIU Ao-di, WANG Na, LIU Ming-cong
Information Engineering University, State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Abstract:

An access control mechanism based on policy attribute negotiation (APoAN) was proposed for cloud composite services. In APoAN, the authorization relation between service components is described at the attribute level, which suits the dynamic, flexible, point-to-point interaction characteristics of the cloud environment. The mechanism uses policy attribute negotiation to carry out the interactive part of access control, which reduces the disclosure of security information inside a service and effectively protects user privacy. It also ensures that the policies of the different service components are presented consistently to the outside at the level of the global composite service. A policy negotiation algorithm based on historical information was designed: the negotiation process is optimized and its efficiency improved by synchronizing high-frequency negotiation policies, storing the history of past negotiations and calculating the cost of attribute disclosure. Finally, simulation results show the feasibility and efficiency of the proposed mechanism.
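To make the abstract's three ingredients concrete (attribute-level policies between components, choosing what to disclose by its cost, and reusing stored negotiation history), here is a small Python model. It is an added illustration, not the paper's APoAN algorithm or code; the policy format (a list of alternative attribute sets), the per-attribute cost table, the sample policy and the history cache are all constructed assumptions.

```python
"""Toy model of policy-attribute negotiation between two cloud service components.

Added illustration only: the policy representation, cost model and history
cache are assumptions, not the APoAN algorithm described in the paper.
"""


# A policy is a list of alternative clauses (a disjunction of conjunctions):
# the requester satisfies it by disclosing ALL attributes of ANY one clause.
# Constructed sample: a storage component accepts either a tenant id plus a
# project role, or a full identity proof.
STORAGE_POLICY = [
    {"tenant_id", "project_role"},
    {"identity_proof"},
]

# Constructed disclosure costs of the requesting component's own attributes;
# a higher cost means the attribute is more sensitive to reveal.
REQUESTER_COSTS = {
    "tenant_id": 1,
    "project_role": 2,
    "identity_proof": 10,
    "billing_account": 5,
}
REQUESTER_ATTRS = set(REQUESTER_COSTS)


def disclosure_cost(attrs, costs):
    """Total cost of revealing the given attribute set."""
    return sum(costs[a] for a in attrs)


def policy_satisfied(policy, disclosed):
    """Resource side: accept if any clause is fully covered by what was disclosed."""
    return any(clause <= disclosed for clause in policy)


def cheapest_disclosure(policy, owned, costs):
    """Requester side: among clauses it can satisfy, pick the one with minimal cost.

    Returns the frozenset of attributes to disclose, or None if no clause fits.
    """
    best = None
    for clause in policy:
        if not clause <= owned:  # requester lacks an attribute of this clause
            continue
        cost = disclosure_cost(clause, costs)
        if best is None or cost < best[0]:
            best = (cost, frozenset(clause))
    return None if best is None else best[1]


class Negotiator:
    """Requesting component that remembers successful negotiations per peer policy."""

    def __init__(self, owned, costs):
        self.owned = set(owned)
        self.costs = costs
        self.history = {}      # policy fingerprint -> attribute set disclosed last time
        self.evaluations = 0   # full policy evaluations performed (to measure reuse)

    def negotiate(self, peer_policy):
        """Return (attributes_to_disclose, reused_from_history)."""
        key = frozenset(frozenset(c) for c in peer_policy)  # order-independent fingerprint
        if key in self.history:
            return self.history[key], True
        self.evaluations += 1
        choice = cheapest_disclosure(peer_policy, self.owned, self.costs)
        if choice is not None:
            self.history[key] = choice
        return choice, False


if __name__ == "__main__":
    requester = Negotiator(REQUESTER_ATTRS, REQUESTER_COSTS)
    for _ in range(2):
        disclosed, reused = requester.negotiate(STORAGE_POLICY)
        print(sorted(disclosed), "reused:", reused,
              "accepted:", policy_satisfied(STORAGE_POLICY, disclosed))
```

The first call evaluates the policy and discloses the cheaper clause (tenant id and project role, cost 3) rather than the identity proof (cost 10); the second call for the same policy is answered from history without re-evaluation, which is the kind of repeated-interaction saving the abstract attributes to stored negotiation history.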

Received: 2016-10-13    Published: 2017-11-22
CLC:  T393  
Funding:

National High-Tech R&D Program of China ("863" Program) (2015AA011705); National Key R&D Program of China (2016YFB0501901, 2015AA016006); National Natural Science Foundation of China (61502531); Natural Science Foundation of Henan Province (162300410334).

Corresponding author: WANG Na, female, associate professor. orcid.org/0000-0003-2916-4087. E-mail: twftina_w@126.com
Author biography: LIU Ao-di (1992-), male, PhD candidate, working on cloud computing security and network information security. orcid.org/0000-0002-9644-3812. E-mail: ladyexue@163.com

Cite this article:

LIU Ao-di, WANG Na, LIU Ming-cong. Access control mechanism for cloud composite service with policy attribute negotiation. Journal of Zhejiang University (Engineering Science), 2017, 51(12): 2332-2340.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2017.12.004
http://www.zjujournals.com/eng/CN/Y2017/V51/I12/2332
