With the rapid development and widespread popularization of information technology, computer technology and communication technology, a complex network environment characterized by openness, heterogeneity and multiple security domains has formed. The coordinated operation of various information systems in this environment makes data access and exchange frequently cross multiple systems and domains. Cross-system and cross-domain data access and exchange raise various security issues (e.g., illegal data leakage and ineffective data tracking), which seriously hinder the promotion and use of new service models. To address these security issues caused by cross-domain data access and exchange in the complex network environment, we propose a new access control model and policy and design a traceability mechanism for abnormal access. For the access control model and policy, to control data exchange and the operations performed after exchange, an access control model and its implementation mechanism are proposed to improve control efficiency. For tracing abnormal access, blockchain and smart contract theory are used to record access logs in a trustworthy manner and to trace malicious tampering in real time. Our main contributions are as follows.

1) To control the sharing process of data and the operations performed after data are exchanged, an access model is proposed that realizes propagation control and extension control. In propagation control, the propagation operations of subjects in multiple domains are divided into sending, receiving, forwarding, etc., and security rules for them are defined to control unauthorized propagation. In extension control, a series of atomic operations (including reading, writing, saving, deleting, and user actions) and their operation rules are proposed to control the unauthorized use of data after they leave the management domain. Both a provenance attribute and a propagation chain are proposed, which reduce the risk of data leakage. To improve the efficiency of access control, a tree structure is proposed to record the logical relationship between data and their original data; original data with low relevance are then removed from the provenance attribute, thus reducing its size. We also implement our control mechanism in a publish/subscribe communication environment, and the experimental results show its effectiveness.

2) To reduce the complexity and number of policies and improve evaluation efficiency, a suite of atomic access control rules is proposed to generate Algebraic Expression Based Access Control Policy (AECP). To improve the efficiency of policy evaluation and detection, by considering set logic relations and algebraic composition, we propose a set of algorithms to evaluate AECP and to detect redundancy and conflicts within it. The analysis results show the low time and space complexity of our approach. To decrease the detection complexity of complex policies, a logic-based policy translation algorithm is proposed to translate complex policies into AECP, after which the redundancy/conflict detection algorithms for AECP are applied to improve efficiency.

3) To address the problems of tracing abnormal access in cross-domain data exchange (e.g., centralized collection of traceability information and low traceability efficiency), we design a traceability mechanism for abnormal access. To improve the transparency of the access control process, access authorization evaluation is realized by executing a smart contract deployed on the blockchain. To prevent access logs from being tampered with, a blockchain-based log generation algorithm is proposed to record propagation operations and extension operations. To trace abnormal access in time, algorithms for generating traceability information on demand and judging abnormal access in real time are proposed, and an abnormal behavior traceability algorithm is designed to generate the evidence chain of abnormal access. We also implement our traceability mechanism on Hyperledger Fabric; the experimental results show the transparency of access control, the authenticity of traceability information, real-time traceability of abnormal access, and low storage space.
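As an added illustration (not code from the thesis), the following Python models the set-logic redundancy and conflict detection described for AECP in contribution 2 over a constructed rule set. The rule representation (three attribute sets plus an effect), the containment/intersection tests, and the deny-overrides combination are assumptions for the example, not the thesis's own algebra.

```python
from dataclasses import dataclass
from itertools import combinations, permutations

@dataclass(frozen=True)
class AtomicRule:
    """Atomic rule over three attribute sets (assumed representation)."""
    name: str
    subjects: frozenset
    objects: frozenset
    operations: frozenset
    effect: str  # "permit" or "deny"

    def covers(self, other):
        # Scope containment: every request matched by `other` is matched here.
        return (other.subjects <= self.subjects and other.objects <= self.objects
                and other.operations <= self.operations)

    def overlaps(self, other):
        # Non-empty intersection on all three sets: some request matches both.
        return bool(self.subjects & other.subjects and self.objects & other.objects
                    and self.operations & other.operations)

def find_redundant(rules):
    """(r, s) pairs where r is implied by s: same effect and s covers r."""
    return [(r.name, s.name) for r, s in permutations(rules, 2)
            if r.effect == s.effect and s.covers(r)]

def find_conflicts(rules):
    """Unordered pairs with opposite effects whose scopes intersect."""
    return [(r.name, s.name) for r, s in combinations(rules, 2)
            if r.effect != s.effect and r.overlaps(s)]

def evaluate(rules, subject, obj, operation):
    """Decide one request: default deny, and deny overrides permit (assumed)."""
    effects = {r.effect for r in rules if subject in r.subjects
               and obj in r.objects and operation in r.operations}
    return "permit" if effects == {"permit"} else "deny"

# Constructed sample policy covering a propagation operation (forward) and
# extension operations (read/write) of subjects from two domains.
F = frozenset
RULES = [
    AtomicRule("R1", F({"alice", "bob"}), F({"doc1", "doc2"}), F({"read", "forward"}), "permit"),
    AtomicRule("R2", F({"alice"}), F({"doc1"}), F({"read"}), "permit"),    # implied by R1
    AtomicRule("R3", F({"bob"}), F({"doc2"}), F({"forward"}), "deny"),     # contradicts R1
    AtomicRule("R4", F({"carol"}), F({"doc3"}), F({"write"}), "deny"),     # unrelated
]
```

Running `find_redundant(RULES)` reports R2 as implied by R1, `find_conflicts(RULES)` reports the R1/R3 contradiction, and `evaluate(RULES, "bob", "doc2", "forward")` returns "deny" because the deny rule overrides the overlapping permit.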