
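A UML model-based analysis approach for provenance-aware access control policies
Cite this article: SUN Lian-shan, QI Zhi-bin, HOU Tao. A UML model-based analysis approach for provenance-aware access control policies [J]. Computer Engineering & Science, 2015, 37(6): 1114-1126.
Authors: SUN Lian-shan  QI Zhi-bin  HOU Tao
Affiliations: 1. College of Electrical and Information Engineering, Shaanxi University of Science and Technology, Xi’an, Shaanxi 710021
2. Settlement Center, PetroChina Changqing Oilfield Company, Xi’an, Shaanxi 710021
Funding: National Natural Science Foundation of China project; Natural Science Special Project of the Shaanxi Provincial Department of Education
Abstract: Provenance is metadata that records the evolution history of data. Researchers have recently proposed provenance-aware access control, which decides whether to permit or deny an access request by tracing and analyzing the provenance of the accessing subject or the accessed object. Because provenance is usually recorded by the system at run time and presented as a complex directed graph, identifying, specifying, and managing provenance-aware access control policies is very difficult. To address this, a UML model-based analysis approach for provenance-aware access control policies is proposed, comprising an abstract modeling technique for complex provenance graphs and a reference process guide for systematically building provenance models and specifying provenance-aware access control policies within an object-oriented software development process. Finally, an enterprise online training system case study illustrates how to apply the proposed approach.

Keywords: provenance  provenance model  access control  UML  security engineering
Received: 2014-01-24
Revised: 2014-08-14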

A UML model-based analysis approach for provenance-aware access control policies
SUN Lian-shan, QI Zhi-bin, HOU Tao. A UML model-based analysis approach for provenance-aware access control policies [J]. Computer Engineering & Science, 2015, 37(6): 1114-1126.
Authors: SUN Lian-shan  QI Zhi-bin  HOU Tao
Affiliation: (1. College of Electrical and Information Engineering, Shaanxi University of Science and Technology, Xi’an 710021; 2. Settlement Center, PetroChina Changqing Oilfield Company, Xi’an 710021, China)
Abstract: Provenance is the historical metadata of data objects. It has recently been used to enable provenance-based access control (PBAC), which grants or denies an access request according to the provenance of either the subjects or the objects. However, provenance can only be collected at run time via complex directed acyclic graphs, so it is very difficult for security architects to efficiently specify PBAC policies due to the complexity of provenance graphs and their unavailability at design time. We explore a UML model-based approach to analyze PBAC policies. Specifically, we first introduce a conceptual provenance model to shield the complexity of the provenance graphs and to enable policy analysis at design time. We then introduce a UML model-based process to guide the analysis of the conceptual provenance model and the PBAC policies along with object-oriented development. We validate the proposed approach within an enterprise online training system.
Keywords: provenance  provenance model  access control  UML  security engineering
This article has been indexed by Wanfang Data and other databases.