学术论文DOl:10.12379/j.issn.2096-1057.2024.03.07ResearchPapers基于角色和属性的零信任访问控制模型研究许盛伟田宇”邓烨”刘昌赫”1(北京电子科技学院信息安全研究所北京100070)2(北京电子科技学院网络空间安全系北京100070)3(北京电子科技学院密码科学与技术系北京100070)(18510529691@163.com)ResearchonZeroTrustAccessControlModelBasedonRoleandAttribute刘家兴”XuShengwei',TianYu²,DengYe’,LiuChanghe',andLiuJiaxing?I(InstituteofInformationSecurity,BeijingElectronicScienceandTechnologyInstitute,Beijing100070)2(DepartmentofCyberspaceSecurity,BeijingElectronicScienceandTechnologyInstitute,Beijing100070)3(DepartmentofCryptologicScienceandTechnology,BeijingElectronicScienceandTechnologyInstitute,Beijing100070)AbstractInthefaceofmanysecuritythreatsinthenetwork,thetraditionalaccesscontrolmodelisincreasinglyexposedtotheproblemsofpoordynamicsofpermissionallocation,lowsensitivitytonewthreats,andhighcomplexityofresourceallocation.Thispaperproposedazerotrustaccesscontrolmodelbasedonroleandattributetoaddresstheaboveproblems.Themodelusedalogisticregressionapproachtotrustassessmentofaccesssubjectstoachieveaccesscontrolwithhighsensitivitytoaccesssubjectattribute,andadoptedanewresourcedecisiontree,whichreducedthetimecomplexityofresourcepermissionassignmentwhileachievingfiner-grainedsecurityforaccesscontrol.Finally,verifyingthemodelinthispaperundertypicalapplicationscenariosshowedthatthemodelwassignificantlybetterthanthetraditionalaccesscontrolmodelintermsofdynamicassignmentofpermissions.Keywordszerotrust;role;attribute;accesscontrol;resourcedecisiontree摘要面对网络中大量涌现的安全威胁,传统访问控制模型暴露出权限分配动态性差、面对新威胁敏感度低以及资源分配复杂度高的问题.针对上述问题,提出一种基于角色和属性的零信任访问控制模型,模型使用逻辑回归的方法对访问主体进行信任评估,实现对访问主体属性高敏感度的访问控制,并采用一种全新的资源决策树,在实现访问控制更细粒度安全性的同时,降低了对资源权限分配的时间复杂度.最后,通过在典型应用场景下对模型进行验证,表明该模型在权限动态分配方面明显优于传统访问控制...
