Research On Key Techniques Of Access Control For Internet Of Things Search

The Internet of Things(IoT)establishes the connections between objects and objects,objects and people,and between objects and networks.It helps us to realize the intelligent recognition,tracking,positioning,management and control for many kinds of objects.With the help of the IoT,we can pro-mote the information level of traffic,electric power,medical,social network and other industries.However,with the expansion of the network,the amount of information in the IoT also explodes.The development of Internet of things search(IoT search)can help us to integrate the information generated from the IoT effectively and provide a fast,accurate and appropriate search service.As a basic service,IoT search will be widely used in many areas such as medical,education,environment,social network,national security etc.In order to improve the accuracy of search services,IoT search engines will collect and store information related to personal privacy.Most private information owners are not willing to share this information for all data searchers.So the IoT search must meet the "limited disclosure" principle.However,IoT search is an open environment.In this open environment,iden-tities of the users are unpredictable,and resources are integrated in multiple ways.This makes the "limited disclosure" of private data in the IoT search as a major challenge.The access control system serves as an important check-point for the process control of the interaction between the search user and the search engine.Based on the elements such as "who,when,where,what equipment to use,what network to access,what resources to access,how to operate on the resource",etc.,we can achieve effective monitoring of re-source access and ensure that information can only be accessed by the au-thorized user thus prevent unreasonable flow of information.Although both academia and industry have studied on access control technologies,existing access control technologies cannot be directly applied to the IoT search.It is demonstrated that most current access control technologies are only applica-ble to the closed environments.In a closed environment,the number of sub-jects and objects is limited and does not change frequently.We can directly assign the access rights of the objects to subject(for example,through roles,tasks,etc.).But in open environment such as IoT search,the quantity of sub-jects and objects is dynamically changing in real time.At the same time,ac-cess rights can only be obtained through cooperation between different do-mains.This brings difficulties for applying existing access control to the IoT search.The following is a summary of the research results:First,In order to meet the challenge of access control technology in In-ternet of Things,we first analyze the characteristics of Internet of Things(IoT)search,and then select the attribute-based access control,which takes the subject/object/environment attributes as basic decision factors,as the ac-cess control model for the Internet of Things search.We analysis of the cur-rent ABAC researches and summarize the deficiencies of existing ABAC technology for Internet of Things search.Specifically,we give the detailed descriptions on policy description method,policy synthesis,access control policy conflicts detection and resolution,entity attribute discovery,attrib-ute-permission assignments mining,policy matching,permission updating and revocation,and identity authentication mechanisms in attribute-based access control.A detailed analysis and summary are made to analyze the problems of applying these technologies in the application of Internet of Things search.Second,in order to ensure the security of ABAC systems,it is necessary to generate accurate attribute-permission assignments.Existing assignments generation schemes ignore the abnormal configurations in the original per-mission set,which will result in the generated attribute-permission assign-ments may contain incorrect assignments,thus the user will be given the wrong rights.Theses wrong rights would bring serious security risks.Aiming at the problem of low accuracy of strategy generation caused by abnormal configurations in access control system,this paper proposes abnormal con-figurations hunting framework based on spectral clustering.First of all,ac-cording to the characteristics of the permission representation in the access control system,a mixed distance metric function is designed to achieve the user’s precise distinction.Based on this distance metric function,an adaptive spectral-clustering-based clustering algorithm is proposed.Traditional spec-tral clustering algorithms need to manually set parameters such as the local scaling parameters and the number of clusters,which are more dependent on expert knowledge.To solve this problem,an adaptive parameter calculation method is designed in this paper.It reduces the error of clustering result caused by manually setting parameters.Based on the clustering results,a set of abnormal configuration mining rule is given.Using this rule,we can effec-tively identify and eliminate the abnormal configurations in the access con-trol system.Experimental results show that the proposed scheme can effec-tively implement abnormal configurations hunting and generate the attrib-ute-permission assignments.Third,the IoT search is a typical multi-party environment.In order to achieve unified authorization of access control policies in a multi-party envi-ronment,it is necessary to perform fusion analysis on multiple policies.In the process of policy fusion,the privacy requirements of different resource owners are different,and the authorization result of different access rights to the same resource may be different.This leads to the occurrence of policy conflicts when multi-party policies are merged.If these policy conflicts are not accurately resolved,the resource propagation will be reduced thus leads to a decline in the quality of search services.In order to solve the above problems,we proposed a bargain-based conflict resolution mechanism to achieve the balance between user privacy and information dissemination benefits.Firstly,the concept of virtual payment is introduced,and a conflict resource bidding mechanism is proposed based on message attributes and the virtual payment.When policy conflicts occurred,users with high dissemina-tion needs will compensate users with higher privacy needs through a certain exchange so that to realize the exchange of private information.As the simple bidding mechanism cannot guarantee the reasonableness of the bidding pro-cedure,a penalty mechanism based on Clarke-tax mechanism is proposed to punish malicious users who charge or bid maliciously.Last,the IoT search is a multi-domain cooperation environment.Differ-ent resource owners may set different constraints on resource access.These constraints may be inconsistent or even conflicting.The combination of dif-ferent constraints will produce inconsistent access decision results.The con-straints in a single decision result have no conflict,but there are conflicts between the constraints of different decision results.When different visitors access resources,they need to select the only decision result from the set of decision results as the final decision result.This problem is called the dy-namic decision problem for coexistence conflicts.To solve this problem,we introduced a social-intimacy based decision-making scheme.First,it defines non-co-occurrence relationships between related resources and limits the re-sources that cannot be accessed at the same time.After that,we build a fully connected graph between the resources to be accessed,and remove all the connections between resources which have non-co-occurrence relationships.After obtaining the resource connectivity graph,a graph segmentation algo-rithm is used to find all the largest connected sub-graphs,and each connected sub-graph is defined as a conflict domain.Afterwards,we calculate the rela-tionship strength between the visitor and the policy makers who are involved in the conflict domain.We use the relationship strength to represent the bene-fits of the information dissemination.As the relationship strength is asym-metric,we calculate the relationship strength between the user and the policy makers from both the visitor’s and the policy makers’ view.The policies in the conflict domain with the highest relationship strength are selected as the final access control policies.Experimental results show that the proposed scheme can effectively achieve dynamic decision-making of access results.