Research On Role Mining And Updateing Mechanisms For RBAC Systems

Role-based access control(RBAC)is widely used in information systems because of its flexibility and extensibility.With the expansion of system services and organization scale,authorization management becomes more and more complex,forcing more and more organizations and enterprises to migrate traditional access control(MAC,DAC)systems to RBAC systems.To ensure system security,it is necessary to generate correct roles during RBAC system migration,and effectively maintain and update them.In the aspect of role generation,role mining has become an effective way to build RBAC system because of its high degree of automation and strong goal.However,the current role mining schemes don’t detect the abnormal permission configuration in the original system,so that the result of role mining may contain the wrong role permission configuration,which brings security risks to the system;In terms of role maintenance and update,the common ways of role update are adding a role and role mining again.The former increases the redundancy of roles in the system,and the latter generates a large gap between the role set and the original role set,so users need to adapt to the new role set.In view of the above problems,this thesis proposes a role mining scheme tolerating abnormal permission configuration to ensure that correct roles are generated during access control system migration and secure RBAC system is constructed.On this basis,a role update scheme for RBAC system maintenance is proposed to solve the security problems caused by the change of system access control policy.The main contributions of this thesis are as follows:(1)A role mining scheme tolerating abnormal permission configuration is proposed.The scheme consists of three parts: user clustering,abnormal permission configuration detection and role mining.In its user clustering stage,due to the high computational complexity of spectral clustering and the effect of clustering greatly affected by the initial value,Canopy preclustering is introduced to extract the overlapping data of subsets by the preclustering process,reduce the computational amount of spectral clustering,and optimize the selection of the initial value of spectral clustering by combining the results of preclustering to improve the user clustering effect.In view of the characteristic that access control data is represented by Boolean value,the distance measurement method of Canopy preclustering and spectral clustering is changed from Euclidean distance to the combination of Jackard distance and Hamming distance to improve the user clustering effect.In the abnormal permission configuration detection stage,the scheme designs a set of abnormal permission configuration detection rules by analyzing the characteristics and causes of abnormal permission configuration,and that scheme uses the rules to detect and correct abnormal permission configuration through multiple iterations,taking the results of user clustering as input.In the role mining stage,the modified user clustering results are used for role mining.In the role mining stage,the modified user clustering results are used for role mining.Experimental results show that this scheme can effectively detect abnormal permission configuration and improve the efficiency of role mining.(2)A role update scheme for RBAC system maintenance is proposed.From the perspective of authorization management,two algorithms are designed: one is for the role update algorithm in the case of permission grant,and the other one is for the role update algorithm in the case of permission revoke.Through the classified discussion of different situations,the strategy of reducing the introduction of new roles as much as possible is proposed.When specific conditions are met,the scheme can be realized by modifying the current role or its assignment information.The experimental results show that this scheme can effectively reduce the role redundancy and improve the role update efficiency on the premise of ensuring the system security.(3)The above schemes are applied to the service integration framework independently developed by my laboratory,and the RBAC subsystem is designed and implemented.Finally,the function and performance of the RBAC subsystem are tested.The test results show that the scheme proposed in this thesis can effectively improve the authorization management efficiency of service integration framework.