计算机工程与应用 ›› 2010, Vol. 46 ›› Issue (13): 82-86.DOI: 10.3778/j.issn.1002-8331.2010.13.025

• 网络、通信、安全 • 上一篇    下一篇

FSP:一种基于风险的安全策略

杨 勇,孙宇清,周 丽   

  1. 山东大学 计算机科学与技术学院,济南 250101
  • 收稿日期:2008-10-22 修回日期:2009-01-12 出版日期:2010-05-01 发布日期:2010-05-01
  • 通讯作者: 杨 勇

FSP:Risk-based security policy

YANG Yong,SUN Yu-qing,ZHOU Li   

  1. Department of Computer Science and Technology,Shandong University,Jinan 250101,China
  • Received:2008-10-22 Revised:2009-01-12 Online:2010-05-01 Published:2010-05-01
  • Contact: YANG Yong

摘要: 针对基于角色的访问控制模型(RBAC)和职责分离(SoD)这一重要的安全原则,提出了一种基于风险的安全策略—Fuzzy Security Policy(FSP),采用资质表达式限定执行敏感任务的用户数量和身份,采用风险度向量方法量化用户角色授权风险,运用模糊综合评估法分析满足资质约束的用户集执行多项任务的聚集风险;进一步讨论了给定系统配置和风险阈值的安全策略的可满足性,并给出了判定用户集是否满足安全策略的算法。这种安全策略可以为组织选择符合安全需求的用户集执行任务。

关键词: 访问控制, 安全策略, 风险

Abstract: Separation of duty is an extremely important and widely used security policy,which requires a sensitive task to be performed by a team of at least k users.However,current literatures do not capture the requirements of detailed qualification analysis on users involved in the task.Here,Role Based Access Control(RBAC) systems are focused on,and a novel risk-based Fuzzy Security Policy(FSP) is introduced based on the authorization risk resulted by user-role assignments.The risk-level vector is adopted to quantify such risk and the method of calculating the risk aggregation for multiple users performing multiple tasks is also presented.By using fuzzy comprehensive evaluation method,the FSP satisfiability problem under a given system configuration and an acceptable risk threshold is discussed.The corresponding algorithm is presented as well.This security policy will help to select suitable users to perform the task for an organization.

Key words: access control, security policy, risk

中图分类号: