Security Assignment Writing: COMP3446 Intelligent Access Control Security


Design a secure access control model that addresses the shortcomings of existing access control methods.

Project description

Traditionally, access control policies were described as a set of fixed rules
governing access by users on sensitive resources. Over time, policies have
become more dynamic, both in their ability to utilise dynamic information from
the domain environment and in the sense that different policies can be
employed, depending on environmental factors. Recently, there has been
advancement in the area of intelligent access control, where the rules of the
policy learn and adapt depending on knowledge gleaned from the environment
over time. This project will focus on the creation of a system with an
intelligent access control policy. The student will be able to create both
their own intelligent access control policy and a scenario in which to enforce
the policy.

Requirement

You would need to look into access control models and access control policy
languages to identify a way to express rules that contain the elements you
want to include in your rules. At a basic level, an access control rule is a
triple (subject, object, action), where the subject (i.e. user) is permitted
or not permitted to perform the action on the object. This basic structure
would not be suitable for you, since such rules do not take into account
dynamic data. This is needed for your rules because you want to specify things
like users being allowed to access data if it is daytime or nighttime, for
example. So the time would be an example of dynamic data.
A model that would be useful to look at is the Attribute-based Access Control
model.
A popular language for expressive access control specifications is XACML. This
allows you to use any kind of data in your rules.
Make sure to focus on the key aspect of your project, which is the ability for
the access control rules to automatically change and adapt to the environment.
You need to design an access control system which can do this. An example of
this is in the following paper:
http://www.informatica.si/index.php/informatica/article/view/170

In this work, the system learns various things about the users and raises an
alarm if it detects abnormal behaviour. For example, for each user, it learns
how long it takes for the main entrance door of their workplace to close when
they enter it. If, one day, the door takes longer to close than the amount of
time learnt by the system, it will raise an alarm. This could mean that it is
not them entering, or that another person has entered the building who may not
be authorised to enter.
Your system should be able to monitor and learn from the environment and, based
on that, build or adjust rules. The elements required for the rules are up to
you. Also, the number of rules is not important. What is important is the
capability of the system to learn and build/adjust rules - this is the
“intelligent” aspect of the project. You may be able to show that this aspect
is good with just a few rules.
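
The following Python example, added here and not taken from the assignment or the cited paper, shows a (subject, object, action) rule extended with an environment condition that is learned over time, modelled on the door-closing behaviour described above. The class name, the decision labels, the mean-plus-k-standard-deviations threshold, the parameter values and the sample timings are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AdaptiveRule:
    """(subject, object, action) triple plus a condition learned from the environment."""
    subject: str
    obj: str
    action: str
    k: float = 3.0          # assumed tolerance, in standard deviations
    min_samples: int = 5    # assumed warm-up before the learned limit is enforced
    floor: float = 0.2      # assumed minimum spread (seconds) to avoid a zero-width band
    history: list = field(default_factory=list)

    def limit(self):
        """Learned upper bound on door-close time, or None while still warming up."""
        if len(self.history) < self.min_samples:
            return None
        return mean(self.history) + self.k * max(pstdev(self.history), self.floor)

    def evaluate(self, subject, obj, action, env):
        """Return 'Permit', 'Alarm' or 'NotApplicable' for one access request."""
        if (subject, obj, action) != (self.subject, self.obj, self.action):
            return "NotApplicable"
        seconds = env["door_close_seconds"]
        bound = self.limit()
        if bound is not None and seconds > bound:
            return "Alarm"              # anomaly is not learned, so it cannot shift the baseline
        self.history.append(seconds)    # normal behaviour adjusts the rule
        return "Permit"


def replay(rule, observations):
    """Feed constructed door-close times through the rule and collect decisions."""
    return [rule.evaluate("alice", "main_entrance", "enter", {"door_close_seconds": s})
            for s in observations]


# Constructed sample data: alice's usual door-close times, then a much slower one.
SAMPLE = [4.0, 4.2, 3.9, 4.1, 4.0, 4.3, 9.5, 4.1]

if __name__ == "__main__":
    rule = AdaptiveRule("alice", "main_entrance", "enter")
    print(replay(rule, SAMPLE), round(rule.limit(), 2))
```

Excluding alarmed observations from the history is a design choice in this example: it stops a single anomalous entry from widening the learned limit, at the cost of needing a separate review path if a user's normal behaviour genuinely changes.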


Author: SafePoker
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit SafePoker as the source when reposting!