摘要
业务流程、信息基础设施等的变化会造成当前角色定义出现偏差,使得组织易遭受内部威胁。基于定时、合理改变组织内部角色集合的防御思路,提出了一种角色动态调整算法(Role Dynamic Ajusting,RDA)。该算法定义了带有调整参数的目标函数,以平衡考虑用户权限实际使用数据以及系统管理员专家知识;基于启发式搜索策略和子集结对操作得到一组候选角色;使用启发式函数计算角色分值,按照角色分值的高低对候选角色集进行删选,得到符合角色质量要求的调整角色集;以降低角色冗余度为目标,使用调整角色集为系统用户重新分配角色,得到新的系统角色配置。基于某医院管理系统日志的实验结果表明,RDA算法可有效调节目标组织系统的角色集,为抵御内部威胁打下良好基础。
Due to derivations in current role definition from the changes of the bossiness process and information infrastructure,organizations are vulnerable to internal threat.A role dynamic adjustment algorithm is proposed based on the defensive idea of changing the set of roles within the organization regularly and reasonably.The algorithm defines an objective function with adjusting parameters to balance the two elements,which are the user privilege actual use data and the system administrator expert knowledge.Based on heuristic search strategy and sub-set pairing technique,a group of candidate roles are obtained.From these roles,a set of adjusting roles which can achieve a predefined score are obtained,by using a certain heuristic function.Finally,in order to reduce role redundancy,the users of the organization are reassign the roles from the adjusting roles,so getting a new Role-Based Access Control(RBAC)configuration.By using the audit logs from a hospital management system,the performance of the RDA is analyzed.The experimental results show that the proposed algorithm can efficiently adjust the RBAC configuration for the special organization,so it can provide concrete base for resisting the insider threats.
作者
潘恒
李景峰
马君虎
PAN Heng;LI Jing-feng;MA Jun-hu(Research Institute of Advanced Information Technology,Zhongyuan University of Technology,Zhengzhou 450007,China;PLA Information Engineering University,Zhengzhou 450001,China;PLA Air Force 93010 Unit,Shenyang 110016,China)
出处
《计算机科学》
CSCD
北大核心
2020年第5期313-318,共6页
Computer Science
基金
河南省高等学校重点基础研究计划项目(19A520047)
中原工学院自主创新应用研究项目(K2018YY017)。
关键词
内部威胁
基于角色的访问控制
启发式搜索策略
一类支持向量机
动态调整
Insider threats
Role-based access control
Heuristic search strategy
One-class support vector machine
Dynamic adjustment
