A Conflict-Related Rules Detection Tool for Access Control Policy
Xiaoyan Liang, Liangshuang Lv, Chunhe Xia, Yang Luo, and Yazhuo Li
Key Laboratory of Beijing Network Technology
School of Computer Science and Engineering, Beihang University, Beijing, China
lxy@cse.buaa.edu.cn, {lls,xch}@buaa.edu.cn, veotax@sae.buaa.edu.cn, lyzalexandra@126.com
Abstract. Conflict detection is an important issue for Access Control Policy. Most conflict detection tools focus on the two rules that have contrary actions, but there are also other rules that are necessary to the conflict situation, and these are not considered by such tools. This paper defines all the rules related to the conflict situation under the concept of "conflict-related rules", and gives a conflict-related rules detection tool for Access Control Policy that can report the conflict situation more comprehensively. By giving the semantic model of the access control policy and the definition of conflict, we prove the necessary and sufficient condition for conflict, then give the concept of "conflict-related rules" and deduce its extension. We implement a conflict-related rules detection tool based on description logic, and the experimental results validate the tool's correctness and effectiveness. The results of the correctness experiment showed that, instead of detecting only the two rules with opposite actions, it detected all the conflict-related rules of the access control policy; the results of the effectiveness experiment showed that our tool's response performance is better than that of VPN-based tools.
Keywords: Access control policy, conflict detection, conflict-related rules, description logic.
1 Introduction
Policy-based access control is an important part of network information security [1,12]. An access control policy is a list of access control rules. The rules may conflict when they declare opposite access control behaviors for the same access. Conflicts in a policy can open a hole in security or block legitimate access, so conflict detection is an important issue for access control policy. Existing conflict detection tools provide many detection algorithms for various scenarios, and they report the two rules that have opposite actions. However, reporting only those two rules does not help the security administrator fully understand the conflict situation. Take the AC (access control) policy of an enterprise information management system as an example: the enterprise has two kinds of users, server and marketer, and three kinds of accessible resources, user-information, contact-information and privacy-information.
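The basic conflict the paper builds on, two rules with opposite effects that both match the same access, can be checked mechanically. The following is an added example, not the paper's tool: it encodes a small constructed rule set over the enterprise scenario above (users server and marketer; resources user-information, contact-information, privacy-information; the operations read/write and the rule contents are assumed) and reports every rule pair whose scopes overlap with opposite effects. The paper's wider "conflict-related rules" extension is not reproduced here.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed example domain taken from the paper's enterprise scenario.
USERS = {"server", "marketer"}
RESOURCES = {"user-information", "contact-information", "privacy-information"}
OPERATIONS = {"read", "write"}  # assumed operations; the page names none


@dataclass(frozen=True)
class Rule:
    rid: str
    subjects: frozenset   # set of users; "*" expands to all users
    resources: frozenset
    operations: frozenset
    effect: str           # "permit" or "deny"


def expand(field, universe):
    """Expand the wildcard "*" to the whole universe, otherwise freeze the set."""
    return frozenset(universe) if field == "*" else frozenset(field)


def make_rule(rid, subjects, resources, operations, effect):
    return Rule(rid, expand(subjects, USERS), expand(resources, RESOURCES),
                expand(operations, OPERATIONS), effect)


def overlap(a, b):
    """Accesses (user, resource, operation) matched by both rules."""
    return {(u, r, o) for u in a.subjects & b.subjects
            for r in a.resources & b.resources
            for o in a.operations & b.operations}


def detect_conflicts(rules):
    """Return (rule_a, rule_b, shared accesses) for every pair with opposite effects."""
    found = []
    for a, b in combinations(rules, 2):
        if a.effect != b.effect:
            shared = overlap(a, b)
            if shared:  # opposite effects on at least one common access = conflict
                found.append((a.rid, b.rid, sorted(shared)))
    return found


# Constructed policy: r1 and r2 conflict on (marketer, user-information, read).
POLICY = [
    make_rule("r1", "*", {"user-information"}, {"read"}, "permit"),
    make_rule("r2", {"marketer"}, {"privacy-information", "user-information"}, {"read"}, "deny"),
    make_rule("r3", {"server"}, {"contact-information"}, {"write"}, "permit"),
    make_rule("r4", {"marketer"}, {"contact-information"}, {"read"}, "permit"),
]

if __name__ == "__main__":
    for a, b, shared in detect_conflicts(POLICY):
        print(f"{a} vs {b}: {shared}")
```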