
CN111967034A - RBAC role fault tolerance auxiliary construction method based on attribute exploration - Google Patents


Publication number: CN111967034A
Authority: CN (China)
Prior art keywords: implication, access control, verified, permission, answer
Legal status: Granted
Application number: CN202010891207.8A
Other languages: Chinese (zh)
Other versions: CN111967034B (en)
Inventors: 张磊, 杨继勇, 沈夏炯, 韩道军, 葛强, 史先进
Current assignee: Henan University
Original assignee: Henan University
Application filed by Henan University
Priority to CN202010891207.8A
Publication of CN111967034A
Application granted
Publication of CN111967034B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration, comprising the steps: A: obtaining, from the information system of a department, the initial set of access control instances and the set of all permissions of that department; B: using the implication equivalence to find erroneous access control instances, then, together with the set correct answer, computing the implications that need to be deleted from and added to the set of implications to be verified, correcting the set of implications to be verified, and finally obtaining the department's non-redundant set of confirmed access control instances and the verified set of implications, while also determining the role set. The invention can construct roles accurately, provides basic data support for setting operating roles and operating permissions safely and scientifically in modern industrial and information-industry production, and eliminates potential safety hazards.

Figure 202010891207

Description

A fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration

Technical field

The invention relates to the technical field of role-based access control (RBAC), and in particular to a fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration.

Background

Information security management has always been a top priority in the development of modern industry and the information industry, and it directly affects how large the safety hazards in their production are. In large-scale industrial production, for example, whether an enterprise can produce safely depends directly on how the operating roles and operating permissions of the production processes are set scientifically, according to the operational needs of each production stage, so that the risk of role misoperation in critical operations is eliminated. Another example is the information leaks that now occur frequently, such as the ZTE leak, in which a permission-management error led to the disclosure of confidential documents and caused huge losses. Information security management has therefore received more and more attention and research as modern industry and the information industry develop.

Practice has shown that role-based access control (RBAC) can effectively protect the data of user systems. Building a traditional RBAC system, however, is a very time-consuming and labor-intensive process, and roles are easily omitted while they are being established. As information systems grow larger, the drawbacks of existing role-construction methods become more and more apparent. The attribute exploration algorithm, which acquires knowledge actively, is widely used for role discovery in RBAC systems, but the traditional role-assisted construction method based on attribute exploration presupposes that the initial set of access control instances is absolutely correct. In practice the system may crash and produce errors, which causes irreversible errors in the subsequent role construction. This problem limits the application of role-assisted construction methods based on attribute exploration.

Summary of the invention

The purpose of the invention is to provide a fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration that can discover and correct the errors that arise, because of system downtime, when access control system roles are built with the traditional attribute-exploration-based RBAC role construction method, so that roles are constructed accurately. It provides basic data support for setting operating roles and operating permissions safely and scientifically in modern industrial and information-industry production, and eliminates potential safety hazards.

The invention adopts the following technical solution:

A fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration, comprising the following steps:

A: From the information system of a department, obtain the department's access control log records and preprocess them to obtain the initial set K_O of the department's access control instances and the set M of all permissions;

B: Using the implication equivalence, find the erroneous access control instances that step A produced because the access control system went down; then, from the erroneous access control instance and the set correct answer, compute the implications that need to be deleted from and added to the set J_a of implications to be verified, and correct J_a accordingly; finally obtain the non-redundant set K_S of confirmed access control instances of the department from step A and the verified implication set J_a, and at the same time determine the role set R.

Step A comprises the following specific steps:

A1: From the information system of a department, obtain the department's access control log records; a record of a successful access in the access control log is recorded as the user in that department holding the permission to access the resource;

A2: A record of a failed access in the access control log is recorded as the user in that department not holding the permission to access the resource;

A3: Through data processing, obtain the permissions that each user in the department holds and does not hold;

A4: Obtain the initial set K_O of the department's access control instances and the set M of all permissions.

Step B comprises the following specific steps:

B1: From the permission set M=(a_1, a_2, a_3, ..., a_(n-1), a_n) obtained in step A, sort the set of all permissions M in lexicographic order to obtain the set
Figure BDA0002657052570000031
Figure BDA0002657052570000032
Initialize the non-redundant set of confirmed access control instances
Figure BDA0002657052570000033
the set of implications to be verified
Figure BDA0002657052570000034
take from the set M_q the permission set that comes first in lexicographic order
Figure BDA0002657052570000035
and the verification question set
Figure BDA0002657052570000036
where n is a positive integer;

B2: Verify the permission set Q and obtain the initial answer, that is, compute f_Ks(g_Ks(Q)) in the non-redundant set K_S of confirmed access control instances; if
Figure BDA0002657052570000037
go to step B3; otherwise go to step B4;

Here g_Ks(Q) finds, in the non-redundant set K_S of confirmed access control instances, all users who hold the permission set Q; f_Ks(g_Ks(Q)) finds, in K_S, the set of permissions held in common by all users who hold the permission set Q; g_Ko(f_Ks(g_Ks(Q))-Q) finds, in the initial set K_O of access control instances, all users who hold the permissions f_Ks(g_Ks(Q))-Q; the permission set Q is the permission set currently being verified;

B3: Add the implication Q->f_Ks(g_Ks(Q))-Q, which states that a user who holds the permission set Q must also hold the permissions f_Ks(g_Ks(Q))-Q, to the implication set J_a; add the discrete-mathematics equivalence of the implication Q->f_Ks(g_Ks(Q))-Q
Figure BDA0002657052570000038
Figure BDA0002657052570000039
and the initial answer
Figure BDA00026570525700000310
to the verification question set D; then go to step B5;

Here the verification result for the implication Q->f_Ks(g_Ks(Q))-Q is the initial answer obtained in step B2 after verifying the permission set Q. In the implication Q->f_Ks(g_Ks(Q))-Q, Q is the antecedent and f_Ks(g_Ks(Q))-Q is the consequent. In
Figure BDA0002657052570000041
V denotes the logical operator "or";
Figure BDA0002657052570000042
denotes the logical operator "not";

B4: Take from the initial set K_O of access control instances an instance o whose permission assignment does not satisfy the implication Q->f_Ks(g_Ks(Q))-Q, that is, an instance o that holds the permission set Q but does not hold the permissions f_Ks(g_Ks(Q))-Q; add this instance to the non-redundant set K_S of confirmed access control instances; take the permissions held by user o as the initial answer; add the discrete-mathematics equivalence of the implication Q->f_Ks(g_Ks(Q))-Q
Figure BDA0002657052570000043
Figure BDA0002657052570000044
and the initial answer to the verification question set D; then go to step B8;

B5: Take a question at random from the verification question set D, verify the permission set Q again, and obtain a comparison answer; if the comparison answer agrees with the initial answer in the verification question set D, go to step B6; otherwise go to step B7;

B6: Using the theorem from formal concept analysis on the relatedness of a set to an implication set, find in the set M_q the next permission set Q′ that is related to the implication set J_a to be verified, let Q=Q′, and go to step B8;

B7: Let the set correct answer be Or, the erroneous initial answer in the verification question set D found in step B5 be Oe, the permission set at which the error was found be B_i, the permission set currently being verified be B_j, the set of sub-implications to be verified that are smaller than B_i in lexicographic order be U, and the set of sub-implications to be verified that are greater than B_i and smaller than B_j in lexicographic order be P. From the permission set B_i at which the error was found, the correct answer Or, the erroneous initial answer Oe and the internal logical relationships of the implication set, compute the correct implication set J_r, let J_a=J_r, and go to step B8;

B8: If Q=M, go to step B9; otherwise return to step B2;

B9: Add the implications in the computed implication set J_a to be verified whose consequent is
Figure BDA0002657052570000053
to the role set R, and obtain the department's non-redundant set K_S of confirmed access control instances and the verified implication set J_a.

Step B7 comprises the following specific steps:

B71: Take the set correct answer Or, the erroneous initial answer Oe in the verification question set D found in step B5, the permission set B_i at which the error was found, the permission set B_j currently being verified, the set U of sub-implications to be verified that are smaller than B_i in lexicographic order, and the set P of sub-implications to be verified that are greater than B_i and smaller than B_j in lexicographic order; let the correct implication set J_r=U and go to step B72;

B72: Compute the next permission set T after B_i in lexicographic order that is related to the correct implication set J_r, and let B_i=T; if the implication with antecedent T belongs to the set P of sub-implications to be verified, go to step B73; otherwise go to step B75;

B73: If
Figure BDA0002657052570000051
and
Figure BDA0002657052570000052
add the implication in P whose antecedent is T to the correct implication set J_r and go to step B76; otherwise go to step B74;

B74: If T∩Oe=c or T∩Or=c, and c∈P, add the implication in P whose antecedent is T to the correct implication set J_r and go to step B76; otherwise go to step B75;

Here the set c is the intersection of the permission set T with the correct answer Or, or the intersection of the permission set T with the erroneous answer Oe;

B75: Compute f_KO(g_KO(T)) in the initial set K_O of access control instances, add T->f_KO(g_KO(T)) to the correct implication set J_r, and go to step B76;

B76: If T<B_j, go to step B72; otherwise go to step B77;

B77: Let the implication set J_a to be verified equal the correct implication set J_r, let Q=B_j, and go to step B8.
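The baseline loop of steps A, B1 to B4, B6 and B8, followed by a re-verification pass in the spirit of step B5, as an added Python example (not code from the patent). The log records, user names and function names are constructed; the B2 branch test and the B5 answer comparison are assumptions inferred from the wording of step B4, because the page does not reproduce those formulas, and the standard lectic-order Next Closure routine stands in for the "next related permission set" of step B6. The correction of step B7 is not implemented.

```python
# Added example; all names and log records below are constructed.
CLEAN_LOG = [  # (user, permission, outcome)
    ("u1", "a", "success"), ("u1", "b", "success"), ("u1", "c", "failure"),
    ("u2", "a", "success"), ("u2", "b", "success"), ("u2", "c", "success"),
    ("u3", "a", "success"), ("u3", "b", "failure"), ("u3", "c", "failure"),
    ("u4", "a", "success"), ("u4", "b", "success"), ("u4", "c", "failure"),
]
# Same log with one record flipped, standing in for a fault while logging.
FAULTY_LOG = [(u, p, "failure" if (u, p) == ("u2", "b") else o)
              for u, p, o in CLEAN_LOG]

def build_context(log):
    """Step A: a successful access grants the permission, a failed one does not."""
    context, permissions = {}, set()
    for user, perm, outcome in log:
        permissions.add(perm)
        held = context.setdefault(user, set())
        if outcome == "success":
            held.add(perm)
    return {u: frozenset(p) for u, p in context.items()}, frozenset(permissions)

def g(context, q):
    """g_K(Q): users in context K that hold every permission in Q."""
    return [u for u in sorted(context) if q <= context[u]]

def f(context, users, m):
    """f_K(U): permissions shared by all users in U (all of M when U is empty)."""
    shared = set(m)
    for user in users:
        shared &= context[user]
    return frozenset(shared)

def counterexample(k_o, q, consequent):
    """First user in K_O holding Q but not the whole consequent, else None."""
    for user in g(k_o, q):
        if not consequent <= k_o[user]:
            return user
    return None

def close(q, implications):
    """Smallest superset of q that respects every accepted implication."""
    closed, changed = set(q), True
    while changed:
        changed = False
        for premise, conclusion in implications:
            if premise <= closed and not conclusion <= closed:
                closed |= conclusion
                changed = True
    return frozenset(closed)

def next_set(q, order, implications):
    """Next implication-closed set after q in lectic order; None after M."""
    for i in range(len(order) - 1, -1, -1):
        if order[i] in q:
            continue
        candidate = close({x for x in q if order.index(x) < i} | {order[i]},
                          implications)
        if all(order.index(x) >= i for x in candidate - q):
            return candidate
    return None

def explore(k_o, m):
    """Baseline loop: returns (K_S, accepted implications, question set D)."""
    order, k_s, implications, questions = sorted(m), {}, [], []
    q = frozenset()
    while q is not None:
        while True:
            consequent = f(k_s, g(k_s, q), m) - q
            if not consequent:
                break  # Q is already closed in K_S, nothing to verify
            user = counterexample(k_o, q, consequent)
            answer = None if user is None else k_o[user]
            questions.append((q, consequent, user, answer))
            if user is None:
                implications.append((q, consequent))  # B3: implication holds
                break
            k_s[user] = k_o[user]  # B4: keep the refuting instance in K_S
        q = next_set(q, order, implications)
    return k_s, implications, questions

def recheck(questions, k_o):
    """Re-verify stored answers; return (Q, user, stored, current) mismatches."""
    mismatches = []
    for q, consequent, user, answer in questions:
        if user is None:  # accepted implication: look for a refuting user now
            user = counterexample(k_o, q, consequent)
        current = None if user is None else k_o.get(user)
        if current != answer:
            mismatches.append((q, user, answer, current))
    return mismatches

if __name__ == "__main__":
    clean, m = build_context(CLEAN_LOG)
    faulty, _ = build_context(FAULTY_LOG)
    _, found, asked = explore(faulty, m)
    print("implications from faulty log:", found)
    print("answers that changed on re-verification:", recheck(asked, clean))
    print("implications from clean log:", explore(clean, m)[1])
```

The flipped record hides the implication {a, c} -> {b}, and the re-verification pass reports the stored answer for u2 as the one that no longer matches.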

The invention can discover and correct the errors that arise, because of system downtime, when access control system roles are built with the traditional attribute-exploration-based RBAC role construction method, so that roles are constructed accurately. It provides basic data support for setting operating roles and operating permissions safely and scientifically in modern industrial and information-industry production, and eliminates potential safety hazards.

Description of drawings

FIG. 1 is a schematic flow chart of the invention.

Detailed description

The invention is described in detail below with reference to the drawing and an embodiment:

As shown in FIG. 1, the fault-tolerant auxiliary construction method for RBAC roles based on attribute exploration according to the invention comprises the following steps in order:

A: From the information system of a department, obtain the department's access control log records and preprocess them to obtain the initial set K_O of the department's access control instances and the set M of all permissions;

Step A comprises the following specific steps:

A1: From the information system of a department, obtain the department's access control log records; a record of a successful access in the access control log is recorded as the user in that department holding the permission to access the resource. For example, in a large steelmaking enterprise, if employee A successfully changes the steelmaking furnace temperature in the production process on June 21, it is recorded that A holds the permission to change the steelmaking furnace temperature;

A2: A record of a failed access in the access control log is recorded as the user in that department not holding the permission to access the resource. For example, if employee A fails to change the oxygen addition amount in the production process on June 21, it is recorded that A does not hold the permission to change the oxygen addition amount in the production process;

A3: Through data processing, obtain the permissions that each user in the department holds and does not hold.

For example, in this embodiment, data processing yields the permissions that user A holds and does not hold, as shown in Table 1.

        a  b  c  d  e  f  g  h  i
    A   1  0  0  1  0  1  0  1  1

Table 1

Here user A holds the permissions (adfhi) and does not hold the permissions (bceg);

A4: Obtain the initial set K_O of the department's access control instances and the set M of all permissions.

B: Using the implication equivalence, find the erroneous access control instances that step A produced because the access control system went down; then, from the erroneous access control instance and the set correct answer, compute the implications that need to be deleted from and added to the set J_a of implications to be verified, and correct J_a accordingly; finally obtain the non-redundant set K_S of confirmed access control instances of the department from step A and the verified implication set J_a, and at the same time determine the role set R; a is short for "all";

Step B comprises the following specific steps:

B1: From the permission set M=(a_1, a_2, a_3, ..., a_(n-1), a_n) obtained in step A, sort the set of all permissions M in lexicographic order to obtain the set
Figure BDA0002657052570000081
Figure BDA0002657052570000082
Initialize the non-redundant set of confirmed access control instances
Figure BDA0002657052570000083
the set of implications to be verified
Figure BDA0002657052570000084
take from the set M_q the permission set that comes first in lexicographic order
Figure BDA0002657052570000085
and the verification question set
Figure BDA0002657052570000086
where n is a positive integer;

Here lexicographic order is an ordering rule from formal concept analysis. The verification question set D contains the equivalent expressions of the implications induced with permission sets as antecedents, together with the initial answers obtained by verifying those permission sets.

B2: Verify the permission set Q and obtain the initial answer, that is, compute f_Ks(g_Ks(Q)) in the non-redundant set K_S of confirmed access control instances; if
Figure BDA0002657052570000087
go to step B3; otherwise go to step B4;

Here g_Ks(Q) finds, in the non-redundant set K_S of confirmed access control instances, all users who hold the permission set Q; f_Ks(g_Ks(Q)) finds, in K_S, the set of permissions held in common by all users who hold the permission set Q; g_Ko(f_Ks(g_Ks(Q))-Q) finds, in the initial set K_O of access control instances, all users who hold the permissions f_Ks(g_Ks(Q))-Q; the permission set Q is the permission set currently being verified;

B3: Add the implication Q->f_Ks(g_Ks(Q))-Q, which states that a user who holds the permission set Q must also hold the permissions f_Ks(g_Ks(Q))-Q, to the implication set J_a; add the discrete-mathematics equivalence of the implication Q->f_Ks(g_Ks(Q))-Q
Figure BDA0002657052570000088
Figure BDA0002657052570000089
and the initial answer
Figure BDA00026570525700000810
to the verification question set D; then go to step B5;

Here the verification result for the implication Q->f_Ks(g_Ks(Q))-Q is the initial answer obtained in step B2 after verifying the permission set Q. In the implication Q->f_Ks(g_Ks(Q))-Q, Q is the antecedent and f_Ks(g_Ks(Q))-Q is the consequent. In
Figure BDA0002657052570000091
V denotes the logical operator "or";
Figure BDA0002657052570000092
denotes the logical operator "not";

B4: Take from the initial set K_O of access control instances an instance o whose permission assignment does not satisfy the implication Q->f_Ks(g_Ks(Q))-Q, that is, an instance o that holds the permission set Q but does not hold the permissions f_Ks(g_Ks(Q))-Q; add this instance to the non-redundant set K_S of confirmed access control instances; take the permissions held by user o as the initial answer; add the discrete-mathematics equivalence of the implication Q->f_Ks(g_Ks(Q))-Q
Figure BDA0002657052570000093
Figure BDA0002657052570000094
and the initial answer to the verification question set D; then go to step B8;

B5: Take a question at random from the verification question set D, verify the permission set Q again, and obtain a comparison answer; if the comparison answer agrees with the initial answer in the verification question set D, go to step B6; otherwise go to step B7;

B6: Using the theorem from formal concept analysis on the relatedness of a set to an implication set, find in the set M_q the next permission set Q′ that is related to the implication set J_a to be verified, let Q=Q′, and go to step B8;

B7: Let the set correct answer be Or, the erroneous initial answer in the verification question set D found in step B5 be Oe, the permission set at which the error was found be B_i, the permission set currently being verified be B_j, the set of sub-implications to be verified that are smaller than B_i in lexicographic order be U, and the set of sub-implications to be verified that are greater than B_i and smaller than B_j in lexicographic order be P. From the permission set B_i at which the error was found, the correct answer Or, the erroneous initial answer Oe and the internal logical relationships of the implication set, compute the correct implication set J_r, let J_a=J_r, and go to step B8; r is short for "right";

Here e is short for "error"; the subscripts i and j are positive integers; the set U and the set P of sub-implications to be verified are both subsets of the implication set J_a to be verified; the permission set B_i at which the error was found is the permission set corresponding to the erroneous answer Oe in the verification question set D; the correct answer Or is the permission set held by the correct access control instance; the erroneous initial answer Oe is the permission set held by the erroneous access control instance;

所述步骤B7包括以下具体步骤:The step B7 includes the following specific steps:

B71:根据设定的正确答案Or、步骤B5中得到的验证问题集合D中有误的初始答案Oe、发现出错的权限集合Bi、当前验证的权限集合Bj、字典序中小于Bi的待验证的子蕴涵关系式集合U、字典序大于Bi小于Bj的待验证的子蕴涵关系式集合P;令正确的蕴涵关系式集合Jr=U,进入步骤B72;B71: According to the set correct answer Or, the wrong initial answer Oe in the verification question set D obtained in step B5, the wrong authority set B i , the currently verified authority set B j , and the lexicographically smaller than B i Set U of sub-implications to be verified, set P of sub-implications to be verified whose lexicographical order is greater than B i and less than B j ; set the correct set of implication J r =U, and enter step B72;

其中,发现出错的权限集合Bi与当前验证的权限集合Bj均属于集合MqWherein, it is found that the wrong permission set B i and the currently verified permission set B j both belong to the set M q ;

B72:计算出字典序中Bi的下一个与正确的蕴涵关系式集合Jr相关的权限集合T,令Bi=T;如果以T为前件的蕴涵关系式属于待验证的子蕴涵关系式集合P,进入步骤B73,否则进入步骤B75;B72: Calculate the next permission set T related to the correct implication set J r of B i in lexicographical order, let B i =T; if the implication with T as the antecedent belongs to the sub-implication to be verified formula set P, go to step B73, otherwise go to step B75;

B73: If
Figure BDA0002657052570000101
and
Figure BDA0002657052570000102
then add the implication whose antecedent is T in the sub-implication set P to be verified to the correct implication set J_r, and go to step B76; otherwise go to step B74;

B74: If T∩Oe = c or T∩Or = c, and c ∈ P, then add the implication whose antecedent is T in the sub-implication set P to be verified to the correct implication set J_r, and go to step B76; otherwise go to step B75;

Here, the set c is the intersection of the permission set T with the correct answer Or, or the intersection of the permission set T with the erroneous answer Oe;

B75: Compute f_KO(g_KO(T)) in the initial set K_O of access control instances, add T->f_KO(g_KO(T)) to the correct implication set J_r, and go to step B76;

B76: If T < B_j, go to step B72, otherwise go to step B77;

In step B76, T advances in lexicographic order: the next permission set T related to the correct implication set J_r is computed in turn until T = B_j.

B77: Let the implication set J_a to be verified equal the correct implication set J_r, let Q = B_j, and go to step B8;

B8: If Q = M, go to step B9, otherwise return to step B2;

In step B8, Q advances in lexicographic order: the next permission set Q related to the implication set J_a is computed in turn until Q = M.

B9: Add to the role set R the implications in the computed implication set J_a to be verified whose consequent is
Figure BDA0002657052570000111
and obtain the department's non-redundant set K_S of confirmed access control instances and the verified implication set J_a.

If no error occurs, the implication set J_a to be verified in step B9 is the correct implication set. If an error occurs, step B77 assigns the corrected implication set J_r to the implication set J_a to be verified after each correction, so that when the loop ends the verified implication set J_a is the corrected, correct implication set.

The following takes the construction of RBAC roles in a large steelmaking enterprise as an example.

The steps are as follows:

A: Obtain the access control log records of a department from that department's information system in a large steelmaking enterprise, and preprocess the access log records; the resulting access control instances are shown in Table 2:

Table 2: Access control instances K_O

Figure BDA0002657052570000112

Figure BDA0002657052570000121

All permissions M = (a, b, c, d, e, f, g, h, i).

B: Using implication equivalences, find the erroneous access control instances that were obtained in step A because of access control system downtime; then, from the erroneous access control instances and the specified correct answer, compute which implications must be deleted from and which must be added to the implication set J_a to be verified, and correct J_a accordingly; finally obtain the non-redundant set K_S of confirmed access control instances of the department from step A and the verified implication set J_a, and at the same time determine the role set R; a is the initial letter of "all";

B1: The lexicographic ordering over the permission set M should be
Figure BDA0002657052570000122
Figure BDA0002657052570000123
Initialize the non-redundant set of confirmed access control instances
Figure BDA0002657052570000124
the implication set
Figure BDA0002657052570000125
take from the set M_q the lexicographically first set
Figure BDA0002657052570000126
and the verification question set
Figure BDA0002657052570000127
then go to step B2; n is a positive integer;

B2: Verify the permission set Q and obtain the initial answer, that is, compute f(g(Q)) = (abcdefghi) in the non-redundant set K_S of confirmed access control instances; in K_S, g(Q) = (user A, user B, user C, user D); in K_O
Figure BDA0002657052570000128
which does not satisfy the condition: in K_S
Figure BDA0002657052570000129
in K_O g(f(g(Q))-Q); go to step B4;

B4: Take from the initial set K_O of access control instances an instance, user A (cdefg), whose permission assignment does not conform to this implication rule, and add this instance to the non-redundant set K_S of confirmed access control instances; take the permissions cdefg held by user o as the initial answer, and add the equivalent form (from discrete mathematics) of the implication Q->f_KS(g_KS(Q))-Q
Figure BDA0002657052570000131
Figure BDA0002657052570000132
together with the initial answer to the verification question set D, then go to step B8;

B8: Because Q ≠ M, return to step B2;

This description focuses on the process followed when an error is found; the walkthrough below starts from the discovery of an error in step B5.

B5: Randomly take a question from the verification question set D, verify the permission set Q again and obtain a comparison answer; the comparison answer obtained is inconsistent with the initial answer in the verification question set D, so go to step B7;

B7: Take the specified correct answer Or, the erroneous initial answer Oe in the verification question set D obtained in step B5, the erroneous permission set B_i, the currently verified permission set B_j, the set U of sub-implications to be verified that are lexicographically smaller than B_i, and the set P of sub-implications to be verified that are lexicographically greater than B_i and smaller than B_j; from the erroneous permission set B_i, the correct answer Or, the erroneous initial answer Oe and the internal logical relationships of the implication set, compute the correct implication set J_r, let J_a = J_r, and then go to step B8;

B71: The specified correct answer is Or = cdeg, and the erroneous initial answer in the verification question set D obtained in step B5 is Oe = cde. The erroneous permission set is B_i = e, the currently verified permission set is B_j = b, the set of sub-implications to be verified that are lexicographically smaller than B_i is U = {i->g, h->abcd, f->cdeg, e->cdg}, and the set of sub-implications to be verified that are lexicographically greater than B_i and smaller than B_j is
Figure BDA0002657052570000133
Figure BDA0002657052570000134
Let the correct implication set J_r = U, and go to step B72;

B72: Compute the next permission set after B_i in lexicographic order that is related to the correct implication set J_r, T = d; the implication with antecedent d belongs to the sub-implication set P to be verified, so go to step B74;

B74: d∩Or = d and d∩Oe = d; add the implication d->c, whose antecedent is T, from the sub-implication set P to be verified to the implication set J_r, and go to step B76;

B76: If d < b, go to step B71;

...;

Owing to limited space, the repeated iterations are not described further here.

The role set R obtained for the department is:

Figure BDA0002657052570000141

The set J_a of implications between permissions is:

J_a = {i->g, h->abcd, f->cdeg, e->cdg, d->c, c->d, cdg->e, cdefgi->abfh, b->acdh, a->bcdh, abcdeh->fgi};

The non-redundant set K_S of confirmed access control instances obtained for the department is:

         a  b  c  d  e  f  g  h  i
User A   0  0  1  1  1  1  1  0  0
User B   0  0  0  0  0  0  1  0  1
User C   0  0  1  1  1  0  1  0  0
User D   1  1  1  1  0  0  0  1  0

That is, the roles set up in the department's system should comprise all the permission sets in R. The department's implication set J_a is obtained at the same time, and these implications between permissions make it easier for the system administrator to manage the role system. For example, from the permission implication i->g the system administrator knows that if an employee has permission i, that employee must also have permission g.
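The check below is an added example, not code from the patent: it encodes the K_S table and the implication set J_a from the worked example, implements the derivation operators g and f, and reports every user whose recorded permissions break an implication. The user labels A to D (standing for the table's four rows) and all function names are assumptions of this example.

```python
# Added example: derivation operators and implication checking over the
# K_S table and implication set J_a printed in the worked example.
PERMS = "abcdefghi"  # the permission set M from the page

# K_S as given in the page's final table (labels A-D are this example's names).
K_S = {
    "A": frozenset("cdefg"),
    "B": frozenset("gi"),
    "C": frozenset("cdeg"),
    "D": frozenset("abcdh"),
}

# J_a exactly as listed on the page, written antecedent->consequent.
J_A_TEXT = ("i->g, h->abcd, f->cdeg, e->cdg, d->c, c->d, cdg->e, "
            "cdefgi->abfh, b->acdh, a->bcdh, abcdeh->fgi")


def parse_implications(text):
    """Turn 'x->yz, ...' into a list of (antecedent, consequent) frozensets."""
    result = []
    for item in text.split(","):
        lhs, rhs = item.strip().split("->")
        result.append((frozenset(lhs), frozenset(rhs)))
    return result


J_A = parse_implications(J_A_TEXT)


def g(ctx, perms):
    """Users in ctx who hold every permission in perms (the page's g(Q))."""
    perms = frozenset(perms)
    return {user for user, held in ctx.items() if perms <= held}


def f(ctx, users):
    """Permissions held in common by the given users (all of M if none)."""
    common = set(PERMS)
    for user in users:
        common &= ctx[user]
    return frozenset(common)


def implied_extra(ctx, perms):
    """f(g(Q)) - Q: what holding Q additionally implies in ctx."""
    return f(ctx, g(ctx, perms)) - frozenset(perms)


def violations(ctx, implications):
    """(user, antecedent, missing) for each user breaking an implication."""
    found = []
    for ante, cons in implications:
        for user in sorted(g(ctx, ante)):
            missing = cons - ctx[user]
            if missing:
                found.append((user, "".join(sorted(ante)),
                              "".join(sorted(missing))))
    return found


def audit_record(implications, held):
    """Implications that one recorded permission set fails to satisfy."""
    held = frozenset(held)
    return ["%s->%s" % ("".join(sorted(a)), "".join(sorted(c)))
            for a, c in implications if a <= held and not c <= held]


def faulty_context():
    """Constructed fault: user C logged with Oe = cde instead of Or = cdeg."""
    ctx = dict(K_S)
    ctx["C"] = frozenset("cde")
    return ctx


if __name__ == "__main__":
    print("violations in K_S:", violations(K_S, J_A))
    print("d implies:", sorted(implied_extra(K_S, "d")))
    print("violations with faulty record:", violations(faulty_context(), J_A))
    print("record cde breaks:", audit_record(J_A, "cde"))
```

Run against the page's data, every implication in J_a holds in K_S, while a record of cde (the page's erroneous answer Oe) breaks e->cdg because permission g is missing.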

Claims (4)

1. An RBAC role fault-tolerant auxiliary construction method based on attribute exploration, characterized in that it comprises the following steps:
A: From the information system of a department, obtain the department's access control log records and preprocess the access log records to obtain the department's initial set K_O of access control instances and the set M of all permissions;
B: Using implication equivalences, find the erroneous access control instances that were obtained in step A because of access control system downtime; then, from the erroneous access control instances and the specified correct answer, compute which implications must be deleted from and which must be added to the implication set J_a to be verified, and correct J_a accordingly; finally obtain the non-redundant set K_S of confirmed access control instances of the department from step A and the verified implication set J_a, and at the same time determine the role set R.
2. The RBAC role fault-tolerant auxiliary construction method based on attribute exploration according to claim 1, characterized in that step A comprises the following specific steps:
A1: From the information system of a department, obtain the department's access control log records, and record each successful access in the access control log as the user in that department having permission to access the resource;
A2: Record each failed access in the access control log as the user in that department not having permission to access the resource;
A3: Through data processing, obtain the permissions that each user in the department has and does not have;
A4: Obtain the department's initial set K_O of access control instances and the set M of all permissions.
3. The RBAC role fault-tolerant auxiliary construction method based on attribute exploration according to claim 1, characterized in that step B comprises the following specific steps:
B1: From the permission set M = (a_1, a_2, a_3, ..., a_(n-1), a_n) obtained in step A, arrange all permission sets of M in lexicographic order to obtain the set
Figure FDA0002657052560000021
Figure FDA0002657052560000022
initialize the non-redundant set of confirmed access control instances
Figure FDA0002657052560000023
the implication set to be verified
Figure FDA0002657052560000024
take from the set M_q the lexicographically first permission set
Figure FDA0002657052560000025
and the verification question set
Figure FDA0002657052560000026
n is a positive integer;
B2: Verify the permission set Q and obtain the initial answer, that is, compute f_KS(g_KS(Q)) in the non-redundant set K_S of confirmed access control instances; if
Figure FDA0002657052560000027
then go to step B3; otherwise go to step B4;
Here, g_KS(Q) finds, in the non-redundant set K_S of confirmed access control instances, all users who hold the permission set Q; f_KS(g_KS(Q)) finds, in K_S, the set of permissions held in common by all users who hold the permission set Q; g_KO(f_KS(g_KS(Q))-Q) finds, in the initial set K_O of access control instances, all users who hold the permissions f_KS(g_KS(Q))-Q; the permission set Q is the permission set currently being verified;
B3: Add the implication Q->f_KS(g_KS(Q))-Q, meaning that if a user holds the permission set Q then that user must hold the permissions f_KS(g_KS(Q))-Q, to the implication set J_a, and add the equivalent form (from discrete mathematics) of the implication Q->f_KS(g_KS(Q))-Q
Figure FDA0002657052560000028
Figure FDA0002657052560000029
and the initial answer
Figure FDA00026570525600000210
to the verification question set D, then go to step B5;
Here, the verification result for the implication Q->f_KS(g_KS(Q))-Q is the initial answer obtained by verifying the permission set Q in step B2; in the implication Q->f_KS(g_KS(Q))-Q, Q is the antecedent and f_KS(g_KS(Q))-Q is the consequent; in
Figure FDA0002657052560000031
∨ denotes the logical operator "or";
Figure FDA0002657052560000032
denotes the logical operator "not";
B4: Take from the initial set K_O of access control instances an instance o whose permission assignment does not conform to the implication Q->f_KS(g_KS(Q))-Q, that is, an instance o that holds the permission set Q but does not hold the permissions f_KS(g_KS(Q))-Q; add this instance to the non-redundant set K_S of confirmed access control instances, take the permissions held by user o as the initial answer, and add the equivalent form (from discrete mathematics) of the implication Q->f_KS(g_KS(Q))-Q
Figure FDA0002657052560000033
Figure FDA0002657052560000034
together with the initial answer to the verification question set D, then go to step B8;
B5: Randomly take a question from the verification question set D, verify the permission set Q again and obtain a comparison answer; if the comparison answer obtained is consistent with the initial answer in the verification question set D, go to step B6, otherwise go to step B7;
B6: According to the theorem in formal concept analysis on the relatedness of sets and implication sets, find in the set M_q the next permission set Q' related to the implication set J_a to be verified, let Q = Q', and go to step B8;
B7: Let the specified correct answer be Or, the erroneous initial answer in the verification question set D obtained in step B5 be Oe, the permission set at which the error was found be B_i, the permission set currently being verified be B_j, the set of sub-implications to be verified that are lexicographically smaller than B_i be U, and the set of sub-implications to be verified that are lexicographically greater than B_i and smaller than B_j be P; from the erroneous permission set B_i, the correct answer Or, the erroneous initial answer Oe and the internal logical relationships of the implication set, compute the correct implication set J_r, let J_a = J_r, and then go to step B8;
B8: If Q = M, go to step B9, otherwise return to step B2;
B9: Add to the role set R the implications in the computed implication set J_a to be verified whose consequent is
Figure FDA0002657052560000035
and obtain the department's non-redundant set K_S of confirmed access control instances and the verified implication set J_a.
4. The RBAC role fault-tolerant auxiliary construction method based on attribute exploration according to claim 3, characterized in that step B7 comprises the following specific steps:
B71: Take the specified correct answer Or, the erroneous initial answer Oe in the verification question set D obtained in step B5, the erroneous permission set B_i, the currently verified permission set B_j, the set U of sub-implications to be verified that are lexicographically smaller than B_i, and the set P of sub-implications to be verified that are lexicographically greater than B_i and smaller than B_j; let the correct implication set J_r = U, and go to step B72;
B72: Compute T, the next permission set after B_i in lexicographic order that is related to the correct implication set J_r, and let B_i = T; if the implication whose antecedent is T belongs to the sub-implication set P to be verified, go to step B73, otherwise go to step B75;
B73: If
Figure FDA0002657052560000041
and
Figure FDA0002657052560000042
then add the implication whose antecedent is T in the sub-implication set P to be verified to the correct implication set J_r, and go to step B76; otherwise go to step B74;
B74: If T∩Oe = c or T∩Or = c, and c ∈ P, then add the implication whose antecedent is T in the sub-implication set P to be verified to the correct implication set J_r, and go to step B76; otherwise go to step B75;
Here, the set c is the intersection of the permission set T with the correct answer Or, or the intersection of the permission set T with the erroneous answer Oe;
B75: Compute f_KO(g_KO(T)) in the initial set K_O of access control instances, add T->f_KO(g_KO(T)) to the correct implication set J_r, and go to step B76;
B76: If T < B_j, go to step B72, otherwise go to step B77;
B77: Let the implication set J_a to be verified equal the correct implication set J_r, let Q = B_j, and go to step B8.
CN202010891207.8A 2020-08-30 2020-08-30 RBAC role fault tolerance auxiliary construction method based on attribute exploration Active CN111967034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010891207.8A CN111967034B (en) 2020-08-30 2020-08-30 RBAC role fault tolerance auxiliary construction method based on attribute exploration

Publications (2)

Publication Number Publication Date
CN111967034A true CN111967034A (en) 2020-11-20
CN111967034B CN111967034B (en) 2022-09-16

Family

ID=73401018

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010891207.8A Active CN111967034B (en) 2020-08-30 2020-08-30 RBAC role fault tolerance auxiliary construction method based on attribute exploration

Country Status (1)

Country Link
CN (1) CN111967034B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant