Similar literature
20 similar documents found (search time: 15 ms)
1.
Access control lists are core features of today’s internetwork routers. They serve several purposes, most notably in filtering network traffic and securing critical networked resources. However, the addition of access control lists increases packet latency due to the overhead of extra computations involved. This paper presents simple techniques and algorithms for optimizing access control lists that can significantly reduce expected packet latencies without sacrificing security requirements. The emphasis throughout the paper is on providing a modular approach that can be implemented either fully or partially, both online and offline, based on the amount of overhead allowed. It also shows empirically and analytically where and why the greatest potential for optimization lies.

2.
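Design and Implementation of an Anti-Spam System Based on DNS Blocklist   Total citations: 6, self-citations: 1, citations by others: 6
Spam wastes network resources, interferes with personal communication, and threatens network security; it even involves problems such as resource theft and the spreading of rumors, and has therefore attracted wide attention across society. However, in the face of rapidly growing spam, China still lacks corresponding active control mechanisms. The authors developed a filtering system based on DNS Blocklist, which uses DNS technology, open relay testing, and policy-based tiered filtering rules to filter spam across the entire education network. Users can select filtering rules according to their needs and effectively block spam from known sources. This paper describes the structure of the system and its main implementation techniques.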

3.
Blockchain is an emerging data management technology that enables people in a collaborative network to establish trusted connections with the other participants. Recently consortium blockchains have raised interest in a broader blockchain technology discussion. Instead of a fully public, autonomous network, consortium blockchain supports a network where participants can be limited to a subset of users and data access strictly controlled. Access control policies should be defined by the respective data owner and applied throughout the network without requiring a centralized data administrator. As a result, decentralized data access control (DDAC) emerges as a fundamental challenge for such systems. However, we show from a trust model for consortium collaborative networks that current consortium blockchain systems provide limited support for DDAC. Further, the distributed, replicated nature of blockchain makes it even more challenging to control data access, especially read access, compared with traditional DBMSes. We investigate possible strategies to protect data from being read by unauthorized users in consortium blockchain systems using combinations of ledger partitioning and encryption strategies. A general framework is proposed to help inexperienced users determine appropriate strategies under different application scenarios. The framework was implemented on top of Hyperledger Fabric to evaluate feasibility. Experimental results along with a real-world case study contrasted the performance of different strategies under various conditions and the practicality of the proposed framework.

4.
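Starting from the security problems of internal local area networks in financial systems, this paper discusses the VLAN technology commonly used in network configuration and proposes a scheme that uses VLAN technology and access control technology to secure the internal LAN of a city-level branch of a financial company. Implementing this scheme ensures that the company's network security risk is reduced to a minimum.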

5.
Managing access control policies in modern computer systems can be challenging and error-prone. Combining multiple disparate access policies can introduce unintended consequences. In this paper, we present a formal model for specifying access to resources, a model that encompasses the semantics of the XACML access control language. From this model we define several ordering relations on access control policies that can be used to automatically verify properties of the policies. We present a tool for automatically verifying these properties by translating these ordering relations to Boolean satisfiability problems and then applying a SAT solver. Our experimental results demonstrate that automated verification of XACML policies is feasible using this approach. This work is supported by NSF grants CCF-0614002 and CCF-0716095.

6.
The web services used on desktop can be accessed through a smartphone due to the development of smart devices. As the usage of smartphones increases, the importance of personal information security inside the smartphone is emphasized. The openness features of the Android platform make it a lot easier to develop an application, and deploying malicious code into an application is also an easy task for hackers. The security practices are also growing rapidly as the amount of malicious code increases exponentially. According to these circumstances, new methods for detecting and protecting the behavior of leaked personal information are needed to manage the personal information within a smartphone. In this paper, we study the permission access category in order to detect the malicious code, which discloses the personal information on Android environment such as equipment and location information, address book and messages, and solve the problem related to Resource access of Random Access Control method in conventional Android file system to detect the new malware or malicious code via the context ontology reasoning of permission access and API resource information which the personal information are leaked through. Then we propose an inference-based access control model, which can be enabled to access the proactive security. There is more improvement accuracy than existing malicious detecting techniques and effectiveness of access control model is verified through the proposal of inference-based access control model.

7.
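Using Access Control Lists to Improve Network Security, with Examples   Total citations: 2, self-citations: 0, citations by others: 2
Taking Cisco routers as an example and drawing on an actual network structure, this paper describes in detail how to use access control lists to improve network security.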

8.
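Spoofing attacks that exploit flaws in the TCP/IP protocols are a common attack method on today's networks. Combined with network sniffing, an attacker can intercept and tamper with the victim's communication data without being noticed, which poses a serious threat to the security of network communication. This paper analyzes the technique of using ARP spoofing in switched Ethernet to get around the restrictions a switched network places on data sniffing, becoming a "man in the middle" that intercepts DNS packets and then forges DNS packets to carry out DNS spoofing, and gives an implementation based on WinPcap.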

9.
This paper proposes a new mechanism for authentication and discretionary access control in networks with decentralized control. Girling's strategy for one-time keywords for authentication forwarding is combined with a proxy login mechanism to obtain a reliable method for network authentication that does not depend on the transmission of passwords. The authentication mechanism is used as the basis for a scheme for network-wide access control lists allowing a user to grant access rights to any other user in a network. These proposals are described in the context of the Digital Network Architecture (DNA), but are in fact applicable to any packet switched network.

10.
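Design and Implementation of an Intelligent DNS System   Total citations: 2, self-citations: 0, citations by others: 2
The Domain Name System (DNS) is a basic service on the Internet that provides name resolution for network applications. As a central network component, it has many functions that need to be improved and refined; optimizing DNS can shorten query time, reduce unnecessary network traffic, and improve network security, helping to drive the development of the Internet as a whole. This paper presents the basic architecture of a DNS system that complies with industry standards and can meet carrier-grade requirements. The system consists of an authoritative DNS server, a recursive DNS server, and a DNS management system, supports multiple data storage methods, and through modular design allows the modules to be freely combined. The system has innovations ahead of comparable products on the market: hot backup of master and slave databases, and binding of client IPs by means of a virtual address pool. These two features improve existing DNS systems in different respects. For the former, data backup is divided into a general part and a dedicated part: the general part follows the RFC standards and transfers backups using AXFR and NOTIFY, while the dedicated part brings the database master-slave backup approach into the DNS system and, in line with the characteristics of DNS databases, achieves data persistence by saving DML. The latter introduces the concept of a virtual address pool as a new layer between the client and the IP address of the domain name, so that both sides can be configured. This achieves load balancing and also offers a new solution to DNS security problems, because this method can likewise achieve the function of a hardware firewall, which saves cost and improves performance. Finally, a simulated environment was built and software was used to simulate high-volume access to test system performance; the experiments show that the system fully meets carrier-grade requirements.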

11.
Considering relational databases, controlled query evaluation preserves confidentiality even under inferences but at the expense of efficiency. Access control, however, enables efficiently computable access decisions but cannot automatically assure confidentiality because of missing inference control. In this paper we investigate constraints sufficient to eliminate (nontrivial) inferences in relational databases with the objective of replacing controlled query evaluation by access control mechanisms under preservation of confidentiality.

12.
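Building a Secure Network with Access Control Lists   Total citations: 1, self-citations: 0, citations by others: 1
In day-to-day network management, one often runs into dilemmas: the network must be kept open, yet unwanted network connections must also be refused. Although these goals can be achieved by other means, such as passwords, permissions, and virtual LANs, each of those provides only a single management function and lacks management flexibility. Access control lists, by contrast, give network administrators a flexible network control platform.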

13.
Over the years a wide variety of access control models and policies have been proposed, and almost all the models have assumed “grant the access request or deny it.” They do not provide any mechanism that enables us to bind authorization rules with required operations such as logging and encryption. We propose the notion of a “provisional action” that tells the user that his request will be authorized provided he (and/or the system) takes certain actions. The major advantage of our approach is that arbitrary actions such as cryptographic operations can all coexist in the access control policy rules. We define a fundamental authorization mechanism and then formalize a provision-based access control model. We also present algorithms and describe their algorithmic complexity. Finally, we illustrate how provisional access control policy rules can be specified effectively in practical usage scenarios. Published online: 22 January 2002

14.
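This paper studies how to evaluate access control models, using a method based on N-dimensional security entropy for quantitative analysis. First, following the definition and description of information entropy in information theory, the definition of N-dimensional security entropy for the discretionary access control model is introduced. The N-dimensional security entropy method is then used to quantitatively analyze the security of the RBAC model. To address the problem of measuring the security of multi-category, multi-level role access in management information systems, an extended RBAC access control (EXRBAC) model is proposed and analyzed quantitatively with the N-dimensional security entropy method. Finally, the security of these three access control models is analyzed and compared; the results show that, under multi-category, multi-level role access, the security of the extended RBAC model is clearly improved.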

15.
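Security Analysis of Encryption and Access Control in Wireless LANs   Total citations: 11, self-citations: 0, citations by others: 11
赵伟艇 (Zhao Weiting), 《微计算机信息》 (Microcomputer Information), 2007, 23(21): 65-66, 81
The security of wireless networks is attracting growing attention. When deploying a WLAN, how users apply security techniques to protect the data transmitted over it, especially sensitive and important data, is a critical question; it must be ensured that data is not leaked and that its integrity is preserved. The paper first analyzes the security problems facing wireless LANs, then discusses wireless LAN security technologies and their shortcomings, and proposes a diversified wireless LAN security solution.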

16.
Recently, access control on XML data has become an important research topic. Previous research on access control mechanisms for XML data has focused on increasing the efficiency of access control itself, but has not addressed the issue of integrating access control with query processing. In this paper, we propose an efficient access control mechanism tightly integrated with query processing for XML databases. We present the novel concept of the dynamic predicate (DP), which represents a dynamically constructed condition during query execution. A DP is derived from instance-level authorizations and constrains accessibility of the elements. The DP allows us to effectively integrate authorization checking into the query plan so that unauthorized elements are excluded in the process of query execution. Experimental results show that the proposed access control mechanism improves query processing time significantly over the state-of-the-art access control mechanisms. We conclude that the DP is highly effective in efficiently checking instance-level authorizations in databases with hierarchical structures.

17.
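A Trusted Access Control Model in P2P Networks   Total citations: 1, self-citations: 0, citations by others: 1
晏樱 (Yan Ying), 李仁发 (Li Renfa), 《计算机应用》 (Computer Applications), 2008, 28(12): 3194-3196
Trust models emphasize the trustworthiness of members and data; by reporting and restricting misbehavior in the network, they help ensure that users can use the network more reasonably. A global trust model based on similarity-weighted recommendation (GSTrust) is proposed. In the model, the requester of a trust value weights recommendations by the similarity of node rating behavior between the recommender and itself, and the global trust value is computed with each node's recommendation degree weighted by the similarity of its rating behavior. A group-based incentive mechanism is also proposed as an effective complement to the trust model. Simulation experiments demonstrate the effectiveness of the model.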

18.
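To address user identity privacy protection and data security in access control for wireless sensor networks, a privacy-preserving access control protocol suitable for multiple users is proposed. The protocol adopts an attribute-based encryption algorithm and a distributed access control model, and uses attribute certificates, digital signatures, and a threshold mechanism to achieve paid access, fine-grained access control, and anonymous access for users, while ensuring the confidentiality of data transmission and the integrity of query commands. Protocol analysis and protocol comparison show that the computation, storage, and communication overhead of sensor nodes is small, that users and sensor nodes can conveniently join dynamically, and that the protocol is better suited to the access control needs of paid wireless sensor networks.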

19.
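As a major subsystem of security systems, door access control systems are widely used in all kinds of premises. As the first line of security defense, their security is especially important. This paper discusses and designs for the security of door access control systems from several aspects, including management software security, hardware device security, engineering security, network security, and data security.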

20.
The employees of an organization are usually divided into different security classes to authorize the information retrieval, and the number of leaf classes is substantially larger than the number of non-leaf classes. Additionally, the alternations in leaf classes are more frequent than in non-leaf classes. We proposed a new key assignment scheme for controlling the access right in a large POSET (partially ordered set) hierarchy to reduce the required computation for key generation and derivation with the storage amount of data decreased.
