Found 19 similar documents (search time: 171 ms)
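A dataspace is a new approach to data management that can manage massive, dynamic, heterogeneous data in a pay-as-you-go fashion. However, because data in a dataspace environment evolves dynamically and data descriptions are fine-grained and extremely loosely structured, it is difficult to build an effective access control mechanism. This paper proposes a fine-grained, dynamic access control framework for the extremely loosely structured model of the dataspace environment, with a focus on supporting update operations. First, a set of update operations is defined for updating data in the dataspace, and a mapping method that supports update operations is proposed, which can map dynamic data into a relational database. A definition of dataspace access control rules that support update permissions is given, and the consistency of converting between these rules and relational database access control rules is analyzed. Then a sound and complete dynamic access request rewriting algorithm is proposed: based on the user's read/write access request, it retrieves the relevant access control rules and rewrites the request using the relevant permission information, thereby achieving fine-grained dataspace access control that supports dynamic updates. Theory and experiments show that the framework is feasible and effective.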

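A Dynamic Fine-Grained Access Control Framework for P2P Networks Based on Ant Colony Optimization   Total citations: 2, self-citations: 2, citations by others: 2
RBAC is a currently popular access control model, in which the mapping from users to roles is a very important step. This paper analyzes the characteristics of access control in P2P networks and proposes a trust-based access control framework, AT-RBAC. In this model, ant colony optimization is used to collect direct trust and recommended trust values between nodes. In addition, to accommodate the dynamic nature of the mapping process, a trust condition list is established; adding conditions that better match requirements to this list makes the model more fine-grained. Analysis shows that the model can save a large amount of network bandwidth.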

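Research on a Role-Based Lightweight Multi-Granularity Access Control Framework   Total citations: 1, self-citations: 1, citations by others: 0
Taking role-based access control as the theoretical basis, a lightweight general-purpose access control framework is proposed. Code access security and object-relational mapping on the .Net platform are used to implement access control for Web pages and Web service resources at different levels of granularity, and the framework was applied in the development of a municipal software information network.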

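A university research information management system mainly provides processing such as entry of research results, preliminary review of materials, evaluation of results, and query, statistics and summarization. This paper introduces the main features of the Shiro framework and, based on the Shiro application framework, integrates it with an existing university research information management system to provide the user, role and resource management the system requires. This achieves fine-grained access control for research management, safeguards research information security, and meets the university's needs for research information management.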

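Considering the characteristics of CSCW systems and their special requirements for user access control, this paper optimizes the RBAC (role-based access control) model and introduces the Command design pattern to design and implement a hierarchical, fine-grained permission management model. Combined with dynamic multi-level navigation driven by user permissions, the model greatly improves the usability of CSCW systems. The implementation is based on a unified base class, which greatly increases code reuse, and the system can be integrated seamlessly into existing CSCW systems with almost no modification to existing programs. Experiments show that the scheme not only meets the permission management needs of medium and large CSCW systems, but can also adapt to changes in organizational structure or security requirements, offering good flexibility and operability.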

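To achieve secure sharing of and fine-grained access control over personal health information (PHR) data in the mobile health (mHealth) cloud, this paper proposes an efficient and secure multi-authority, large-attribute-universe PHR access control scheme based on the mobile health cloud. The scheme is constructed over prime-order groups and supports encrypting ciphertexts under an LSSS access structure associated with attributes; at the same time, malicious users who leak their privileges to unauthorized entities are placed in an identity table and traced precisely. Under the q-DPBDHE2 assumption, the scheme is proven statically secure in the random oracle model. Simulation experiments are implemented in the Charm cryptographic framework; compared with other schemes, the proposed scheme has better performance and higher computational efficiency.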

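The resource discovery method strongly affects the performance of P2P systems. This paper proposes a probability-based exhaustive search algorithm called PingPangRoll, which combines the advantages of structured and unstructured approaches. The system topology uses a loose random multigraph structure and is highly scalable. During a search, the number of data and query replicas needed to meet the user's reliability requirement is first computed based on the birthday paradox; the query and data replicas are then mapped precisely onto network nodes by a ping-pong mapping to achieve an almost exhaustive search, thereby overcoming the limited search coverage of unstructured P2P networks and their failure to find resources that exist.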

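Chen Bo, Yu Ling, Qiang Xiaohui, Wang Yan. Journal on Communications (《通信学报》), 2014, 35(4): 7-64
Abstract: This paper studies how to strengthen a trusted terminal's access control over removable storage media in order to effectively prevent leakage of sensitive information through such media. First, building on attribute-based encryption with hidden ciphertext policies, a lattice-based method for describing attribute policies is proposed. Each attribute forms a linear lattice or a subset lattice, the attribute set is constructed as a product lattice, and access policies are specified using the lattice-based multilevel information flow control model. The correctness and security of the new method are proven. While retaining the advantages of existing attribute-based encryption algorithms with hidden access policies, the new method also effectively simplifies the expression of access policies, is better suited to sharing sensitive information under multilevel security, and achieves fine-grained access control. Furthermore, by using the usage context of the removable storage device and the user as attributes when building access policies, dynamic, fine-grained context-aware access control is achieved. Finally, a layered security management scheme that performs admission authentication and context-aware access control for removable storage media is designed. The security and flexibility of the scheme are analyzed, and comparative experiments show that the scheme retains good processing efficiency when context-aware access control is applied. The scheme is also applicable to the secure management of sensitive information in ubiquitous environments.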

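Liu Zhimin, Gu Yunhua. Information Technology (《信息技术》), 2012, (4): 152-155, 158
To address the security requirements of interoperation between multiple autonomous domains in a networked environment, a cross-domain usage control model based on roles and mapping rules, CD_UCON (Cross-Domain UCON), is proposed. The model combines the permission mechanism of the role-based access control (RBAC) model with the framework of the usage control (UCON) model. To achieve attribute mutability and continuity of access control, CD_UCON extends the attributes and authorization rules of the UCON model, and cross-domain interaction is realized through mapping rules. An analysis of the application of the CD_UCON model in a materials procurement management system illustrates the feasibility of the model.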

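To address the management and security and confidentiality requirements in applications of interactive electronic technical manuals, and based on an analysis of traditional access control models, an access control model based on equipment model and role is proposed. The model comprises users, equipment models, equipment users, roles, permissions, operation access control rules and data access control rules. It supports separation of functional operation permissions from data permissions, fine-grained data access control based on the equipment model structure, and the definition and management of functional operation access control based on roles and equipment users; methods for defining and computing permissions are given. According to the functional and data access control requirements of the IETM, the software functions, control flow and data model for access control of interactive electronic technical manuals are designed. Module components are developed using J2EE and Web Service technology to implement hierarchical, fine-grained access control for interactive electronic technical manuals.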

This paper proposes a novel security model for secure query processing in semantic sensor networks. A semantic sensor network (SSN) is a sensor network that includes the semantics of sensory data and context information, and the relationships between those semantics, by using Semantic Web technologies. Even though much research has been carried out on SSNs, there is little activity on how to securely access data in semantic sensor networks. Most storage systems have been developed based on the relational database model, and the relational database model provides secure and robust security support. Therefore, we need to devise a security model that takes such a real environment into account. This paper proposes a new access control model for secure query processing in semantic sensor networks. The proposed security model is based on the relational database security model. This paper shows the overall framework and definitions of the proposal, and the experiment and evaluation are described to show the validity of our proposal. With the experiment and evaluation, it is clear that the proposed model provides secure access control support for SSNs.

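An Order-Preserving Encryption Method for Character Data in Relational Databases   Total citations: 3, self-citations: 0, citations by others: 3
Order-preserving encryption methods for numeric data are analyzed, and on this basis an order-preserving encryption method for character data in relational databases is proposed. Its encryption principle and ciphertext index structure are described in detail, and the encryption of duplicate data and the algorithm's resistance to attack are analyzed. Finally, the algorithm is evaluated experimentally in terms of both time overhead and space overhead; the results show that the method both ensures database security and solves the query performance problem of encrypted databases.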

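To ensure the security of user data and privacy in cloud storage, a security-enhanced attribute-based access control scheme for cloud storage is proposed. By sharing a common attribute set, attribute-based encryption (ABE) is combined with the XACML framework: fine-grained attribute-based access control is implemented on the XACML framework, and ABE ensures data confidentiality. Because ABE is inefficient when the data volume is large, the confidentiality of massive sensitive data in cloud storage is provided by a symmetric cryptosystem, and ABE is used only to protect the symmetric key, which is small. Experimental analysis shows that the scheme not only ensures the confidentiality of user data and privacy but also outperforms other comparable systems.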

Data access control within smart grids is a challenging issue because of environmental noise and interference. On the one hand, fine-grained data access control is essential because illegal access to sensitive data may have disastrous implications and/or be prohibited by law. On the other hand, fault tolerance of the access control is very important, because the potential impacts of errors could be significantly more serious than those for general data. In particular, corruption of control bits could invalidate the security operation. To address the above challenges, this paper proposes a dedicated data access control scheme that is able to enforce fine-grained access control and resist the corruption caused by noisy channels and environmental interference. The proposed scheme exploits a state-of-the-art cryptographic primitive called fuzzy identity-based encryption, together with lattice-based access control and dedicated error-correction coding. We evaluate our proposed scheme by extensive simulations in terms of error-correcting capability and energy consumption, and the results show the efficiency and feasibility of the proposed scheme. To the best of our knowledge, this paper is the first to address fault-tolerant fine-grained data access control for the smart grid.

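This paper proposes an access control model for XML documents that is based on XML Schema and combined with RDF. It achieves fine-grained secure access control over XML documents and also provides secure access control over association security objects in XML documents.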

Due to the lack of an effective data source authentication mechanism and the limited matching fields in software defined networking (SDN), an SDN security control and forwarding method based on identity attribute was proposed. Attribute identification and attribute signature were generated by device attributes and encapsulated in the group header. When the data flow left the network, the data was verified by the forwarding device to ensure the validity of the data flow. At the same time, attribute identification was defined as a match field of flow by the framework, and the network forwarding behavior was defined based on attribute identification. A fine-grained access control was implemented by the proposed mechanism and attribute-based signature. Experimental results demonstrate that the method can effectively implement fine-grained forwarding and flow authentication, and the forwarding granularity is higher than that of similar schemes.

An important use of data warehousing is to provide temporal views over the history of source data. It is significant that nearly all data warehouses are dependent on relational database technology, yet relational databases provide little or no real support for temporal data. Therefore, it is difficult to obtain accurate information for time‐varying data. In this paper, we design a temporal data warehouse to support time‐varying data efficiently. For this purpose, we present a method to support temporal queries by combining a temporal query processing layer with the relational database that is used as a source database in an existing data warehouse. We introduce the Temporal Aggregate Tree Strategy (TATS) and suggest its algorithm for aggregating the time‐varying data that has changed by the time the temporal view is created. In addition, the TATS and the materialized view creation method of the existing data warehouse have been evaluated. As a result, the TATS reduces the size of the fact table and shows good performance on the comparison factor when processing queries for time‐varying data.

Pan Li, Liu Ning, Zi Xiaochao. China Communications (《中国通信》), 2013, 10(3): 67-75
The rapid increase in resource sharing across domains in the cloud computing environment makes the task of managing inter-domain access control policy integration difficult for security administrators. Although a number of policy integration and security analysis mechanisms have been developed, few focus on enabling the average administrator by providing an intuitive cognitive sense of the integrated policies, which considerably undermines usability. In this paper we propose a visualization framework for inter-domain access control policy integration, which integrates Role Based Access Control (RBAC) policies on the basis of role mapping and then visualizes the integrated result. The role mapping algorithm in the framework considers the hybrid role hierarchy. It can not only satisfy the security constraints of non-cyclic inheritance and separation of duty but also make visualization easier. The framework uses role-permission trees and semantic substrates to visualize the integrated policies. Through the interactive policy query visualization, the average administrator can gain an intuitive understanding of the policy integration result.

The Internet of Things (IoT) technology along with cloud computing has gained much attention in recent years for its potential to upgrade conventional healthcare systems. Outsourcing healthcare data to a cloud environment from IoT devices is essential as IoT devices are lightweight. To maintain confidentiality and to achieve fine-grained access control, the ciphertext policy attribute-based encryption (CP-ABE) technique is utilized very often in IoT-based healthcare systems for encrypting patients' healthcare data. However, an attribute revocation may affect the other users with the same attribute set, as well as the entire system, due to its security concerns. This paper proposes a novel CP-ABE-based fine-grained access control scheme to solve the attribute revocation problem. The proposed technique includes multiple attribute authorities to reduce the work overhead of having a single authority in traditional CP-ABE systems. In addition, the proposed scheme outsources the decryption process to a decryption assistant entity to reduce the decryption overhead of the end users. To prove the efficiency of the proposed scheme, both formal security analysis and performance comparisons are presented in this paper. Results and discussion prove the effectiveness of the proposed scheme over some well-known schemes.
