CN111967034A - RBAC role fault tolerance auxiliary construction method based on attribute exploration - Google Patents
- Publication number
- CN111967034A (application number CN202010891207.8A)
- Authority
- CN
- China
- Prior art keywords
- implication
- access control
- verified
- relation
- relational expression
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses an RBAC role fault-tolerant auxiliary construction method based on attribute exploration, comprising the following steps: A: obtain the initial set of access control instances and the set of all permissions of a department from the department's information system; B: use the equivalent formula of the implication to find erroneous access control instances; then, in combination with the given correct answer, compute the implications to be deleted from and added to the set of implications to be verified, correct that set, and finally obtain the department's determined non-redundant set of access control instances and the verified set of implications, and determine the role set. The invention can construct roles accurately, provides basic data support for the safe and scientific setting of operation roles and operation permissions in modern industrial and information-industry production, and avoids potential safety hazards.
Description
Technical Field
The invention relates to the technical field of role-based access control (RBAC), in particular to an RBAC role fault-tolerant auxiliary construction method based on attribute exploration.
Background
Information security management has always been central to the development of modern industry and the information industry, and it directly affects the extent of the safety hazards in their production. For example, in large-scale industrial production, whether operation roles and operation permissions in the production procedures are set scientifically, according to the operating requirements of each production link, determines whether role misoperation hazards in key operations can be avoided and therefore whether the enterprise can produce safely. Likewise, in the information leakage incidents that now occur frequently, such as the Zhongxing leakage event, confidential document information was leaked because of errors in permission management, causing huge losses. Information security management is therefore receiving more and more attention and research as modern industry and the information industry develop.
Practice has shown that role-based access control (RBAC) effectively protects the data security of a user system. However, building a conventional RBAC system is time-consuming and labor-intensive, and roles are easily omitted while they are being established. As information systems grow larger, the shortcomings of existing role construction methods become more and more obvious. The attribute exploration algorithm, which actively acquires knowledge, is widely used for role discovery in RBAC systems, but the traditional role-assisted construction method based on attribute exploration presumes that the initial set of access control instances is absolutely correct throughout role construction. In practice, the system may go down and produce errors, which then cause irreversible errors in the subsequent role construction. This problem restricts the application of role-assisted construction methods based on attribute exploration.
Disclosure of Invention
The invention aims to provide an attribute exploration-based RBAC role fault-tolerant auxiliary construction method, which can find and correct errors caused by system downtime when the traditional attribute exploration-based RBAC role construction method is used for constructing the roles of an access control system, accurately realize role construction, provide basic data support for the setting of operation roles and operation permissions in modern industry and information industry production, and avoid potential safety hazards.
The invention adopts the following technical scheme:
An RBAC role fault-tolerant auxiliary construction method based on attribute exploration comprises the following steps:
A: Obtain the access control log records of a department from the department's information system, and preprocess the access log records to obtain the department's initial set $K_O$ of access control instances and the set M of all permissions;
B: Use the equivalent formula of the implication to find the erroneous access control instances, among those obtained in step A, that were caused by downtime of the access control system; then, from the erroneous access control instance and the given correct answer, compute the implications to be deleted from and added to the set $J_a$ of implications to be verified, and correct $J_a$ accordingly, obtaining the department's determined non-redundant set $K_S$ of access control instances from step A and the verified set $J_a$ of implications, and at the same time determining the role set R.
The step A comprises the following specific steps:
A1: Obtain the access control log records of a department from the department's information system, and record each successful access in the access control log as the user having the permission to access that resource in the department;
A2: Record each failed access in the access control log as the user not having the permission to access that resource in the department;
A3: Through data processing, obtain the permissions that each user in the department has and does not have;
A4: Obtain the department's initial set $K_O$ of access control instances and the set M of all permissions.
The step B comprises the following specific steps:
B1: From the permission set $M = (a_1, a_2, a_3, \ldots, a_{n-1}, a_n)$ obtained in step A, arrange all permission sets over M in lexicographic order to obtain the set $M_q$; initialize the determined non-redundant set $K_S$ of access control instances, the set $J_a$ of implications to be verified and the verification question set D, and take from $M_q$ the permission set Q that comes first in lexicographic order; n is a positive integer;
B2: Verify the permission set Q and obtain an initial answer, i.e. compute $f_{K_S}(g_{K_S}(Q))$ in the determined non-redundant set $K_S$ of access control instances; if [condition missing in source], go to step B3; otherwise, go to step B4;
where $g_{K_S}(Q)$ finds, in the determined non-redundant set $K_S$ of access control instances, all users that have the permission set Q; $f_{K_S}(g_{K_S}(Q))$ finds, in $K_S$, all permissions held by all the users that have the permission set Q; $g_{K_O}(f_{K_S}(g_{K_S}(Q)) - Q)$ finds, in the initial set $K_O$ of access control instances, all users that have the permissions $f_{K_S}(g_{K_S}(Q)) - Q$; the permission set Q is the currently verified permission set;
B3: Add the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$, i.e. a user who has the permission set Q also has the permissions $f_{K_S}(g_{K_S}(Q)) - Q$, to the implication set $J_a$; add the equivalent formula that this implication has in discrete mathematics, together with the initial answer, to the verification question set D as a verification question; then go to step B5;
where the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$ is the initial answer obtained after the permission set Q is verified in step B2; in this implication, Q is the antecedent and $f_{K_S}(g_{K_S}(Q)) - Q$ is the consequent; in the equivalent formula, ∨ denotes the logical operator "OR" and the negation sign denotes the logical operator "not";
B4: Take from the initial set $K_O$ of access control instances an instance o whose permission assignment does not satisfy the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$, i.e. instance o has the permission set Q but not the permissions $f_{K_S}(g_{K_S}(Q)) - Q$; add this instance to the determined non-redundant set $K_S$ of access control instances; take the permissions held by user o as the initial answer; add the equivalent formula that the implication has in discrete mathematics, together with the initial answer, to the verification question set D; then go to step B8;
B5: Take a question at random from the verification question set D, verify the permission set Q again and obtain a comparison answer; if the comparison answer is consistent with the initial answer in D, go to step B6; otherwise, go to step B7;
B6: According to the theorem in formal concept analysis on the sets related to an implication set, find in $M_q$ the next permission set Q′ related to the set $J_a$ of implications to be verified, let Q = Q′, then go to step B8;
B7: Let the given correct answer be $O_r$, the erroneous initial answer in the verification question set D found in step B5 be $O_e$, the permission set at which the error was found be $B_i$, the currently verified permission set be $B_j$, the sub-set of implications to be verified whose lexicographic order is less than $B_i$ be U, and the sub-set of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$ be P; from $B_i$, the correct answer $O_r$, the erroneous initial answer $O_e$ and the internal logical relations of the implication set, compute the correct implication set $J_r$, let $J_a = J_r$, then go to step B8;
B8: If Q = M, go to step B9; otherwise, return to step B2;
B9: Add to the role set R the implications in the computed set $J_a$ whose consequent is [formula missing in source], and obtain the department's determined non-redundant set $K_S$ of access control instances and the verified set $J_a$ of implications.
The step B7 comprises the following specific steps:
B71: Take the given correct answer $O_r$, the erroneous initial answer $O_e$ in the verification question set D found in step B5, the permission set $B_i$ at which the error was found, the currently verified permission set $B_j$, the sub-set U of implications to be verified whose lexicographic order is less than $B_i$, and the sub-set P of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$; initialize the correct implication set $J_r$, then go to step B72;
B72: Compute the next permission set T after $B_i$ in lexicographic order that is related to the correct implication set $J_r$, and let $B_i = T$; if the implication with T as antecedent belongs to the sub-set P of implications to be verified, go to step B73; otherwise, go to step B75;
B73: If [condition missing in source] and [condition missing in source], add the implication in P whose antecedent is T to the correct implication set $J_r$, then go to step B76; otherwise, go to step B74;
B74: If $T \cap O_e = c$ or $T \cap O_r = c$, and $c \in P$, add the implication in P whose antecedent is T to the correct implication set $J_r$, then go to step B76; otherwise, go to step B75;
where the set c is the intersection of the permission set T with the correct answer $O_r$, or the intersection of the permission set T with the erroneous answer $O_e$;
B75: In the initial set $K_O$ of access control instances, compute $f_{K_O}(g_{K_O}(T))$, add $T \to f_{K_O}(g_{K_O}(T))$ to the correct implication set $J_r$, then go to step B76;
B76: If $T < B_j$, go to step B72; otherwise, go to step B77;
B77: Let the set $J_a$ of implications to be verified equal the correct implication set $J_r$, let $Q = B_j$, then go to step B8.
The invention can find and correct errors caused by system downtime when the traditional attribute exploration-based RBAC role construction method is used for constructing the roles of the access control system, accurately realize role construction, provide basic data support for the safe and scientific setting of operation roles and operation authorities in the production of modern industry and information industry, and avoid potential safety hazards.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention is described in detail below with reference to the following figures and examples:
As shown in FIG. 1, the attribute-exploration-based RBAC role fault-tolerant auxiliary construction method comprises the following steps in sequence:
A: Obtain the access control log records of a department from the department's information system, and preprocess the access log records to obtain the department's initial set $K_O$ of access control instances and the set M of all permissions;
Step A comprises the following specific steps:
A1: Obtain the access control log records of a department from the department's information system, and record each successful access in the access control log as the user having the permission to access that resource in the department; for example, in a large steel-making enterprise, if employee A successfully changes the temperature of the steel-making furnace in the production process on June 21, it is recorded that employee A has the permission to change the temperature of the steel-making furnace;
A2: Record each failed access in the access control log as the user not having the permission to access that resource in the department; for example, if employee A fails to change the oxygen addition amount in the production process on June 21, it is recorded that employee A does not have the permission to change the oxygen addition amount in the production process;
A3: Through data processing, obtain the permissions that each user in the department has and does not have.
For example, in this embodiment, the permissions that user A has and does not have are obtained through data processing, as shown in Table 1.
User | a | b | c | d | e | f | g | h | i
A | 1 | 0 | 0 | 1 | 0 | 1 | 0 | 1 | 1
TABLE 1
That is, user A has the permissions (adfhi) and does not have the permissions (bceg);
A4: Obtain the department's initial set $K_O$ of access control instances and the set M of all permissions.
B: Use the equivalent formula of the implication to find the erroneous access control instances, among those obtained in step A, that were caused by downtime of the access control system; then, from the erroneous access control instance and the given correct answer, compute the implications to be deleted from and added to the set $J_a$ of implications to be verified, and correct $J_a$ accordingly, obtaining the department's determined non-redundant set $K_S$ of access control instances from step A and the verified set $J_a$ of implications, and at the same time determining the role set R; the subscript a stands for "all";
Step B comprises the following specific steps:
B1: From the permission set $M = (a_1, a_2, a_3, \ldots, a_{n-1}, a_n)$ obtained in step A, arrange all permission sets over M in lexicographic order to obtain the set $M_q$; initialize the determined non-redundant set $K_S$ of access control instances, the set $J_a$ of implications to be verified and the verification question set D, and take from $M_q$ the permission set Q that comes first in lexicographic order; n is a positive integer;
Lexicographic order is an ordering rule in formal concept analysis; the verification question set D contains the equivalent formula of the implication derived with a permission set as antecedent, and the initial answer obtained by verifying that permission set.
B2: Verify the permission set Q and obtain an initial answer, i.e. compute $f_{K_S}(g_{K_S}(Q))$ in the determined non-redundant set $K_S$ of access control instances; if [condition missing in source], go to step B3; otherwise, go to step B4;
where $g_{K_S}(Q)$ finds, in the determined non-redundant set $K_S$ of access control instances, all users that have the permission set Q; $f_{K_S}(g_{K_S}(Q))$ finds, in $K_S$, all permissions held by all the users that have the permission set Q; $g_{K_O}(f_{K_S}(g_{K_S}(Q)) - Q)$ finds, in the initial set $K_O$ of access control instances, all users that have the permissions $f_{K_S}(g_{K_S}(Q)) - Q$; the permission set Q is the currently verified permission set;
B3: Add the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$, i.e. a user who has the permission set Q also has the permissions $f_{K_S}(g_{K_S}(Q)) - Q$, to the implication set $J_a$; add the equivalent formula that this implication has in discrete mathematics, together with the initial answer, to the verification question set D as a verification question; then go to step B5;
where the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$ is the initial answer obtained after the permission set Q is verified in step B2; in this implication, Q is the antecedent and $f_{K_S}(g_{K_S}(Q)) - Q$ is the consequent; in the equivalent formula, ∨ denotes the logical operator "OR" and the negation sign denotes the logical operator "not";
B4: Take from the initial set $K_O$ of access control instances an instance o whose permission assignment does not satisfy the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$, i.e. instance o has the permission set Q but not the permissions $f_{K_S}(g_{K_S}(Q)) - Q$; add this instance to the determined non-redundant set $K_S$ of access control instances; take the permissions held by user o as the initial answer; add the equivalent formula that the implication has in discrete mathematics, together with the initial answer, to the verification question set D; then go to step B8;
B5: Take a question at random from the verification question set D, verify the permission set Q again and obtain a comparison answer; if the comparison answer is consistent with the initial answer in D, go to step B6; otherwise, go to step B7;
B6: According to the theorem in formal concept analysis on the sets related to an implication set, find in $M_q$ the next permission set Q′ related to the set $J_a$ of implications to be verified, let Q = Q′, then go to step B8;
B7: Let the given correct answer be $O_r$, the erroneous initial answer in the verification question set D found in step B5 be $O_e$, the permission set at which the error was found be $B_i$, the currently verified permission set be $B_j$, the sub-set of implications to be verified whose lexicographic order is less than $B_i$ be U, and the sub-set of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$ be P; from $B_i$, the correct answer $O_r$, the erroneous initial answer $O_e$ and the internal logical relations of the implication set, compute the correct implication set $J_r$, let $J_a = J_r$, then go to step B8; the subscript r stands for "right";
where the subscript e stands for "error"; the subscripts i and j are positive integers; the sub-sets U and P of implications to be verified are both subsets of the set $J_a$ of implications to be verified; the permission set $B_i$ at which the error was found is the permission set corresponding to the erroneous answer $O_e$ in the verification question set D; the correct answer $O_r$ is the permission set held by the correct access control instance; the erroneous initial answer $O_e$ is the permission set held by the erroneous access control instance;
Step B7 comprises the following specific steps:
B71: Take the given correct answer $O_r$, the erroneous initial answer $O_e$ in the verification question set D found in step B5, the permission set $B_i$ at which the error was found, the currently verified permission set $B_j$, the sub-set U of implications to be verified whose lexicographic order is less than $B_i$, and the sub-set P of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$; initialize the correct implication set $J_r$, then go to step B72;
where the permission set $B_i$ at which the error was found and the currently verified permission set $B_j$ both belong to the set $M_q$;
B72: Compute the next permission set T after $B_i$ in lexicographic order that is related to the correct implication set $J_r$, and let $B_i = T$; if the implication with T as antecedent belongs to the sub-set P of implications to be verified, go to step B73; otherwise, go to step B75;
B73: If [condition missing in source] and [condition missing in source], add the implication in P whose antecedent is T to the correct implication set $J_r$, then go to step B76; otherwise, go to step B74;
B74: If $T \cap O_e = c$ or $T \cap O_r = c$, and $c \in P$, add the implication in P whose antecedent is T to the correct implication set $J_r$, then go to step B76; otherwise, go to step B75;
where the set c is the intersection of the permission set T with the correct answer $O_r$, or the intersection of the permission set T with the erroneous answer $O_e$;
B75: In the initial set $K_O$ of access control instances, compute $f_{K_O}(g_{K_O}(T))$, add $T \to f_{K_O}(g_{K_O}(T))$ to the correct implication set $J_r$, then go to step B76;
B76: If $T < B_j$, go to step B72; otherwise, go to step B77;
In step B76, the lexicographic order is advanced, computing in turn the next permission set T related to the correct implication set $J_r$, until $T = B_j$.
B77: Let the set $J_a$ of implications to be verified equal the correct implication set $J_r$, let $Q = B_j$, then go to step B8;
B8: If Q = M, go to step B9; otherwise, return to step B2;
In step B8, the lexicographic order is advanced, computing in turn the next permission set Q related to the implication set $J_a$, until Q = M.
B9: Add to the role set R the implications in the computed set $J_a$ whose consequent is [formula missing in source], and obtain the department's determined non-redundant set $K_S$ of access control instances and the verified set $J_a$ of implications.
If no error occurs, the set $J_a$ of implications to be verified in step B9 is the correct implication set. If an error occurs, the correct implication set $J_r$ is assigned to the set $J_a$ of implications to be verified after each correction in step B77; after the loop ends, the verified set $J_a$ is the corrected, and therefore correct, implication set.
Take the construction of RBAC roles in a large steel-making enterprise as an example.
The method comprises the following steps:
A: Obtain the access control log records of a department from the department's information system in the large steel-making enterprise, and preprocess the access log records; the access control instances are shown in Table 2:
Table 2: access control instances $K_O$
The set of all permissions is M = (a, b, c, d, e, f, g, h, i).
B: Use the equivalent formula of the implication to find the erroneous access control instances, among those obtained in step A, that were caused by downtime of the access control system; then, from the erroneous access control instance and the given correct answer, compute the implications to be deleted from and added to the set $J_a$ of implications to be verified, and correct $J_a$ accordingly, obtaining the department's determined non-redundant set $K_S$ of access control instances from step A and the verified set $J_a$ of implications, and at the same time determining the role set R; the subscript a stands for "all";
B1: Arrange the permission sets over M in lexicographic order; initialize the determined non-redundant set $K_S$ of access control instances, the implication set and the verification question set D, take from $M_q$ the permission set that comes first in lexicographic order, then go to step B2; n is a positive integer;
B2: Verify the permission set Q and obtain an initial answer: in the determined non-redundant set $K_S$ of access control instances, f(g(Q)) = (abcdefghi) is calculated, and g(Q) is (a, b, c, d); the condition relating $K_O$, $K_S$ and g(f(g(Q)) - Q) in $K_O$ is not satisfied, so go to step B4;
B4: Take from the initial set $K_O$ of access control instances an instance A (cdefg) whose permission assignment does not satisfy the implication, and add this instance to the determined non-redundant set $K_S$ of access control instances; take the permissions cdefg held by user o as the initial answer; add the equivalent formula that the implication $Q \to f_{K_S}(g_{K_S}(Q)) - Q$ has in discrete mathematics, together with the initial answer, to the verification question set D; then go to step B8;
B8: Because Q ≠ M, return to step B2;
The remainder of this example focuses on the handling of a detected error, starting from step B5, where the error is found.
B5: Take a question at random from the verification question set D, verify the permission set Q again and obtain a comparison answer; if the comparison answer is inconsistent with the initial answer in D, go to step B7;
B7: Take the given correct answer $O_r$, the erroneous initial answer $O_e$ in the verification question set D found in step B5, the permission set $B_i$ at which the error was found, the currently verified permission set $B_j$, the sub-set U of implications to be verified whose lexicographic order is less than $B_i$, and the sub-set P of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$; from the erroneous permission set $B_i$, the correct answer $O_r$, the erroneous initial answer $O_e$ and the internal logical relations of the implication set, compute the correct implication set $J_r$, let $J_a = J_r$, then go to step B8;
B71: Take the given correct answer $O_r$ = cdeg, the erroneous initial answer $O_e$ in the verification question set D found in step B5, the permission set $B_i$ = e at which the error was found, the currently verified permission set $B_j$ = b, the sub-set U = {i->g, h->abcd, f->cdeg, e->cdg} of implications to be verified whose lexicographic order is less than $B_i$, and the sub-set P of implications to be verified whose lexicographic order is greater than $B_i$ and less than $B_j$; initialize the correct implication set $J_r$, then go to step B72;
B72: Compute the next permission set after $B_i$ in lexicographic order that is related to the correct implication set $J_r$, which is T = d; the implication with d as antecedent belongs to the sub-set P of implications to be verified, so go to step B74;
B74: Since d satisfies the intersection condition with $O_r$ and $O_e$, add the implication d->c, whose antecedent is T, from the sub-set P of implications to be verified to the implication set $J_r$, then go to step B76;
B76: If d < b, go to step B71;
……;
For reasons of space, the repeated steps are not described in detail here.
The role set R of the department is obtained as follows:
The set $J_a$ of implications between permissions is:
$J_a$ = {i->g, h->abcd, f->cdeg, e->cdg, d->c, c->d, cdg->e, cdefgi->abfh, b->acdh, a->bcdh, abcdeh->fgi};
The determined non-redundant set $K_S$ of access control instances of the department is:
User | a | b | c | d | e | f | g | h | i
A | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 0 | 0
B | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1
C | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 | 0
D | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 1 | 0
That is, the roles set in the department's system should include all the permission sets in R. At the same time, the department's implication set $J_a$ is obtained, and the implications among permissions make it easier for a system administrator to manage the role system. For example, from the permission implication i->g, the system administrator knows that an employee who has permission i must also have permission g.
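The operators g and f, the consequent f(g(Q)) - Q and the step B4 counterexample search can be run against the $K_S$ rows and the implication set $J_a$ printed above. The following is an added example, not code from the patent: the function names, the user labels A to D for the four rows, and the log entries for a user E are constructed for illustration.

```python
"""Added illustration (not from the patent): operators g and f, the
consequent f(g(Q)) - Q, and the step-B4 counterexample search."""

M = frozenset("abcdefghi")  # all permissions, as listed in the description

# K_S as tabulated in the description; labels A-D stand for its four rows.
K_S = {
    "A": frozenset("cdefg"),
    "B": frozenset("gi"),
    "C": frozenset("cdeg"),
    "D": frozenset("abcdh"),
}

# J_a exactly as printed in the description.
J_A_TEXT = ("i->g,h->abcd,f->cdeg,e->cdg,d->c,c->d,cdg->e,"
            "cdefgi->abfh,b->acdh,a->bcdh,abcdeh->fgi")

# Constructed log for a hypothetical user E: (user, permission, access succeeded).
SAMPLE_LOG = [("E", "e", True), ("E", "g", True), ("E", "i", True),
              ("E", "c", False), ("E", "d", False)]


def parse_implications(text):
    """Turn 'x->yz,...' into a list of (antecedent, consequent) frozensets."""
    pairs = []
    for item in text.split(","):
        lhs, rhs = item.split("->")
        pairs.append((frozenset(lhs), frozenset(rhs)))
    return pairs


def context_from_log(records):
    """Steps A1-A3: success means the user holds the permission, failure
    means the user does not. Returns (context, conflicts); conflicts holds
    (user, permission) pairs logged both ways (a check added in this example)."""
    granted, seen, conflicts = {}, {}, set()
    for user, perm, ok in records:
        granted.setdefault(user, set())
        key = (user, perm)
        if key in seen and seen[key] != ok:
            conflicts.add(key)
        seen[key] = ok
        if ok:
            granted[user].add(perm)
    return {u: frozenset(p) for u, p in granted.items()}, conflicts


def g(ctx, Q):
    """g(Q): users in ctx that hold every permission in Q."""
    return {u for u, perms in ctx.items() if frozenset(Q) <= perms}


def f(ctx, users):
    """f(U): permissions common to all users in U (all of M if U is empty)."""
    common = set(M)
    for u in users:
        common &= ctx[u]
    return frozenset(common)


def consequent(ctx, Q):
    """f(g(Q)) - Q: what holding Q additionally implies inside ctx."""
    return f(ctx, g(ctx, Q)) - frozenset(Q)


def counterexamples(ctx, antecedent, conseq):
    """Step B4 check: users holding the antecedent but not the whole consequent."""
    return sorted(u for u in g(ctx, antecedent) if not conseq <= ctx[u])


def violated(ctx, implications):
    """Map 'antecedent->consequent' to the users that contradict it."""
    result = {}
    for ante, cons in implications:
        bad = counterexamples(ctx, ante, cons)
        if bad:
            result["".join(sorted(ante)) + "->" + "".join(sorted(cons))] = bad
    return result


def check_new_instances(log):
    """Merge instances derived from a log into K_S and re-check J_a."""
    ctx, _ = context_from_log(log)
    return violated({**K_S, **ctx}, parse_implications(J_A_TEXT))


if __name__ == "__main__":
    print("J_a violations in K_S:", violated(K_S, parse_implications(J_A_TEXT)))
    print("i implies:", "".join(sorted(consequent(K_S, "i"))))
    print("after adding E:", check_new_instances(SAMPLE_LOG))
```

An instance that contradicts an already accepted implication, such as the constructed user E here, is the kind of entry that either belongs in $K_S$ as a genuine counterexample or is an erroneous record to be re-verified.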
Claims (4)
1. An RBAC role fault tolerance auxiliary construction method based on attribute exploration is characterized by comprising the following steps:
a: obtaining access control log records of a certain department from an information system of the department, and performing data preprocessing on the access log records to obtain an initial set K of access control instances of the departmentOAnd all sets of permissions M;
b: searching the wrong access control example obtained in the step A caused by the downtime of the access control system by using the implication equivalent expression, and then calculating the implication relational expression set J to be verified by combining the set correct answer according to the wrong access control exampleaAnd treating the verified implication relational expression set J according to the implication relational expressions to be deleted and added obtained by calculationaMaking correction to obtain the non-redundant set K of the access control instance determined by the department in step ASAnd verified implication relational expression set JaAnd simultaneously determining a role set R.
2. The attribute exploration-based RBAC role fault-tolerant auxiliary construction method according to claim 1, wherein said step A comprises the following specific steps:
A1: obtaining the access control log records of a department from the department's information system, and recording each successful access record in the access control log as the user having the permission to access the resource under the department;
A2: recording each failed access record in the access control log as the user not having the permission to access the resource under the department;
A3: obtaining, through data processing, the permissions each user in the department has and the permissions each user does not have;
A4: obtaining the department's initial set K_O of access control instances and the set M of all permissions.
3. The attribute exploration-based RBAC role fault-tolerant auxiliary construction method according to claim 1, wherein said step B comprises the following specific steps:
B1: according to the permission set M = (a_1, a_2, a_3, …, a_{n-1}, a_n) obtained in step A, arranging all permission sets of M in lexicographic order to obtain a set; initializing the determined non-redundant set of access control instances and the set of implications to be verified, taking from the set M_q the permission set that comes first in lexicographic order, and initializing the verification question set; n is a positive integer;
B2: verifying the permission set Q and obtaining an initial answer, i.e. calculating f_KS(g_KS(Q)) in the determined non-redundant set K_S of access control instances; if , go to step B3; otherwise, go to step B4;
wherein g_KS(Q) is all the users who own the permission set Q, found in the determined non-redundant set K_S of access control instances; f_KS(g_KS(Q)) is all the permissions owned by all the users who own the permission set Q, found in the determined non-redundant set K_S of access control instances; g_KO(f_KS(g_KS(Q)) - Q) is all the users who own the permissions f_KS(g_KS(Q)) - Q, found in the initial set K_O of access control instances; and the permission set Q is the currently verified permission set;
B3: adding the implication Q -> f_KS(g_KS(Q)) - Q, i.e. a user who has the permission set Q necessarily has the permissions f_KS(g_KS(Q)) - Q, to the implication set J_a; in discrete mathematics the implication Q -> f_KS(g_KS(Q)) - Q has the equivalent formula , and the initial answer is added as a verification question to the verification question set D; then go to step B5;
wherein the implication Q -> f_KS(g_KS(Q)) - Q is the initial answer obtained after the permission set Q is verified in step B2; in the implication Q -> f_KS(g_KS(Q)) - Q, Q is the antecedent of the implication and f_KS(g_KS(Q)) - Q is the consequent of the implication; in the equivalent formula, ∨ represents the logical operator "OR"; represents the logical operator "NOT";
B4: taking from the initial set K_O of access control instances an instance o whose permission assignment does not conform to the implication Q -> f_KS(g_KS(Q)) - Q, i.e. instance o owns the permission set Q but does not own the permissions f_KS(g_KS(Q)) - Q; adding this instance to the determined non-redundant set K_S of access control instances and taking the permissions owned by user o as the initial answer; in discrete mathematics the implication Q -> f_KS(g_KS(Q)) - Q has the equivalent formula , and the initial answer is added to the verification question set D; then go to step B8;
B5: randomly taking a question out of the verification question set D, verifying the permission set Q again and obtaining a comparison answer; if the comparison answer obtained by verification is consistent with the initial answer in the verification question set D, go to step B6; otherwise, go to step B7;
B6: according to the theorem in formal concept analysis on the relation between a set and an implication set, finding in the set M_q the next permission set Q' related to the set J_a of implications to be verified, letting Q = Q', and then going to step B8;
B7: letting the correct answer be Or, the erroneous initial answer in the verification question set D obtained in step B5 be Oe, the permission set at which the error is found be B_i, the currently verified permission set be B_j, the subset of implications to be verified that are lexicographically less than B_i be U, and the subset of implications to be verified that are lexicographically greater than B_i and less than B_j be P; using the permission set B_i at which the error is found, the correct answer Or, the erroneous initial answer Oe and the inherent logical relations of the implication set, calculating the correct implication set J_r; letting J_a = J_r, and then going to step B8;
B8: if Q is equal to M, go to step B9; otherwise, return to step B2;
B9: adding to the role set R the implications in the calculated set J_a of implications to be verified whose consequent is , and obtaining the determined non-redundant set K_S of access control instances of the department and the verified implication set J_a.
4. The attribute exploration-based RBAC role fault-tolerant auxiliary construction method according to claim 3, wherein said step B7 comprises the following specific steps:
B71: taking the set correct answer Or, the erroneous initial answer Oe in the verification question set D obtained in step B5, the permission set B_i at which the error is found, the currently verified permission set B_j, the subset of implications to be verified that are lexicographically less than B_i, and the subset P of implications to be verified that are lexicographically greater than B_i and less than B_j; letting the correct implication set J_r; go to step B72;
B72: calculating, in lexicographic order after B_i, the permission set T related to the correct implication set J_r, and letting B_i = T; if the implication whose antecedent is T belongs to the subset P of implications to be verified, go to step B73; otherwise, go to step B75;
B73: if  and , adding the implication whose antecedent is T in the subset P of implications to be verified to the correct implication set J_r, and then going to step B76; otherwise, go to step B74;
B74: if T ∩ Oe = c or T ∩ Or = c, and c ∈ P, adding the implication whose antecedent is T in the subset P of implications to be verified to the correct implication set J_r, and then going to step B76; otherwise, go to step B75;
wherein the set c is the intersection of the permission set T and the correct answer Or, or the intersection of the permission set T and the erroneous answer Oe;
B75: calculating f_KO(g_KO(T)) in the initial set K_O of access control instances, adding T -> f_KO(g_KO(T)) to the correct implication set J_r, and then going to step B76;
B76: if T < B_j, go to step B72; otherwise, go to step B77;
B77: letting the set J_a of implications to be verified equal the correct implication set J_r, letting Q = B_j, and then going to step B8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010891207.8A CN111967034B (en) | 2020-08-30 | 2020-08-30 | RBAC role fault tolerance auxiliary construction method based on attribute exploration |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111967034A true CN111967034A (en) | 2020-11-20 |
CN111967034B CN111967034B (en) | 2022-09-16 |
Family
ID=73401018
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010891207.8A Active CN111967034B (en) | 2020-08-30 | 2020-08-30 | RBAC role fault tolerance auxiliary construction method based on attribute exploration |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111967034B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||