SDN中基于用户信任度的资源访问控制方案

doi:10.3969/j.issn.1671-1122.2021.10.005

摘要/Abstract

摘要：

现有的资源访问控制方案用户访问权限不能动态变化、访问控制策略制定存在安全隐患,针对这些问题,文章提出SDN中基于用户信任度的资源访问控制方案。该方案引入用户信任度概念,利用SDN管控分离和流驱动特性,设计了基于用户信任度的资源访问控制系统。控制器根据用户属性评估用户信任度,据此对用户进行分类,通过下发流表的方式为不同类型的用户授予不同权限,用户信任度区间发生变化时,其访问权限也随之变化,实现了动态授予权限的功能。同时,文章通过Mininet对方案进行仿真,与普通SDN网络和传统网络进行对比,结果表明,该方案在资源的访问控制上具有一定的动态性和安全性。

关键词: SDN, 访问控制, 用户信任度, 动态授权

Abstract:

Existing resource access control schemes have problems such as the inability to dynamically change user access permissions, and the security risks in the formulation of access control policies. In view of these problems, this paper proposes a resource access control scheme based on user credit in SDN. This scheme introduces the concept of user credit and uses the characteristics of SDN that management and control separation and flow-driven to design a resource access control system based on user credit. The controller evaluates the user’s credit based on the user’s attributes, and classifies users accordingly. By issuing flow tables, different types of users are granted different permissions. When the user’s trust level changes, their access permissions will also change, realizing the function of dynamically granting permissions. And the program is simulated through Mininet and compares it with ordinary SDN networks and traditional networks, the results show that the program has a certain degree of dynamics and security in resource access control.

Key words: SDN, access control, user credit, dynamic authorization

中图分类号:

TP309

魏占祯, 彭星源, 赵洪. SDN中基于用户信任度的资源访问控制方案[J]. 信息网络安全, 2021, 21(10): 33-40.

WEI Zhanzhen, PENG Xingyuan, ZHAO Hong. Resource Access Control Scheme Based on User Credit in SDN[J]. Netinfo Security, 2021, 21(10): 33-40.

图/表 15

图1

图2

表1

图3

表2

表3

图4

图5

图6

图7

图8

图9

图10

图11

图12

参考文献 20

[1]	WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software Defined Networking: Security Model, Threats and Mechanism[J]. Journal of Software, 2016, 27(4):969-992.
	王蒙蒙, 刘建伟, 陈杰, 等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016, 27(4):969-992.
[2]	WANG Tao, CHEN Hongchang, CHENG Guozhen. Research on Software-defined Network and the Security Defense Technology[J]. Journal on Communications, 2017, 38(11):133-160.
	王涛, 陈鸿昶, 程国振. 软件定义网络及安全防御技术研究[J]. 通信学报, 2017, 38(11):133-160.
[3]	LIU Zhigang, XIAO Qinghui, DING Xuefei, et al. Software Defined Network User Dynamic Access Control Model Simulation[J]. Computer Simulation, 2019, 36(1):308-311, 396.
	刘治纲, 肖庆汇, 丁雪非, 等. 软件定义网络用户动态访问控制模型仿真[J]. 计算机仿真, 2019, 36(1):308-311,396.
[4]	KATAOKA K, GANGWAR S, PODILI P. Trust List: Internet-wide and Distributed IoT Traffic Management Using Blockchain and SDN[EB/OL]. https://ieeexplore.ieee.org/document/8355139, 2018-02-22.
[5]	PAILLISSE J, SUBIRA J, LOPEZ A, et al. Distributed Access Control with Blockchain[EB/OL]. https://arxiv.org/pdf/1901.03568.pdf, 2019-07-16.
[6]	NOVO O. Blockchain Meets IoT: An Architecture for Scalable Access Management in IoT[J]. IEEE Internet of Things Journal, 2018, 5(2):1184-1195. doi: 10.1109/JIOT.2018.2812239 URL
[7]	ZHANG Jiale, ZHANG Guiling, ZHANG Xiufang. Network Access Control Model Based on Real-Time Behavior Trusted Measurement[J]. Computer Applications and Software, 2017, 34(7):32-38.
	张佳乐, 张桂玲, 张秀芳. 基于实时行为可信度量的网络访问控制模型[J]. 计算机应用与软件, 2017, 34(7):32-38.
[8]	OUADDAH A, ELKALAM A A, OUAHMAN A A. FairAccess: A New Blockchain-based Access Control Framework for the Internet of Things[J]. Security & Communication Networks, 2016, 9(18):5943-5964.
[9]	OUADDAH A, MOUSANNIF H, ELKALAM A A, et al. Access Control in the Internet of Things: Big Challenges and New Opportunities[EB/OL]. https://linkinghub.elsevier.com/retrieve/pii/S1389128616303735, 2017-01-20.
[10]	OUADDAH A, ELKALAM A A, OUAHMAN A A. Towards a Novel Privacy-preserving Access Control Model Based on Blockchain Technology in IoT[EB/OL]. https://doi.org/10.1007/978-3-319-46568-5_53, 2016-09-12.
[11]	DU Ruizhong, LIU Yan, TIAN Junfeng. An Access Control Method Using Smart Contract for Internet of Things[J]. Journal of Computer Research and Development, 2019, 56(10):2287-2298.
	杜瑞忠, 刘妍, 田俊峰. 物联网中基于智能合约的访问控制方法[J]. 计算机研究与发展, 2019, 56(10):2287-2298.
[12]	PUTRA G D, DEDEOGLU V, KANHERE S S, et al. Trust Management in Decentralized IoT Access Control System[EB/OL]. https://export.arxiv.org/pdf/1912.10247, 2020-12-20.
[13]	LIU Aodi, DU Xuehui, WANG Na, et al. Blockchain-based Access Control Mechanism for Big Data[J]. Journal of Software, 2019, 30(9):2636-2654.
	刘敖迪, 杜学绘, 王娜, 等. 基于区块链的大数据访问控制机制[J]. 软件学报, 2019, 30(9):2636-2654.
[14]	MA Mingxin, SHI Guozhen, LI Fenghua. Privacy-oriented Blockchain-based Distributed Key Management Architecture for Hierarchical Access Control in the IoT Scenario[EB/OL]. https://ieeexplore.ieee.org/document/8664491, 2020-12-20.
[15]	SHI Jinshan, LI Ru, SONG Tingting. Blockchain-based Access Control Framework for Internet of Things[J]. Journal of Computer Applications, 2020, 40(4):931-941.
	史锦山, 李茹, 松婷婷. 基于区块链的物联网访问控制框架[J]. 计算机应用, 2020, 40(4):931-941.
[16]	WANG Xiuli, JIANG Xiaozhou, LI Yang. Model for Data Access Control and Sharing Based on Blockchain[J]. Journal of Software, 2019, 30(6):1661-1669.
	王秀利, 江晓舟, 李洋. 应用区块链的数据访问控制与共享模型[J]. 软件学报, 2019, 30(6):1661-1669.
[17]	YANG Bo, ZHANG Yun, WANG Xin. A Network Access Control Method Based on Cloud Computing[J]. Software Engineering, 2017, 20(2):50-53.
	杨波, 张云, 王欣. 一种基于云计算的网络访问控制方法[J]. 软件工程, 2017, 20(2):50-53.
[18]	BAO Yulong, ZHU Xueyang, ZHANG Wenhui, et al. Formal Verification of Smart Contract for Access Control in IoT Applications[J]. Chinese Journal of Computers, 2021, 41(4):930-938.
	包玉龙, 朱雪阳, 张文辉, 等. 物联网应用中访问控制智能合约的形式化验证[J]. 计算机应用, 2021, 41(4):930-938.
[19]	AKIMICHI, NAOKI M, ATSUSHI I. Mastering TCP/IP OpenFlow[M]. LI Zhanjun, XUE Wenling. Beijing: Posts & Telecom Press, 2016.
	晃通, 宫永直树, 岩田淳. 图解OpenFlow[M]. 李战军, 薛文玲,译.北京:人民邮电出版社, 2016.
[20]	XU Ke, LING Sitong, LI Qi, et al. Research Progress of Network Security Architecture and Key Technologies Based on Blockchain[J]. Chinese Journal of Computers, 2021, 44(1):55-83.
	徐恪, 凌思通, 李琦, 等. 基于区块链的网络安全体系结构与关键技术研究进展[J]. 计算机学报, 2021, 44(1):55-83.

信任度区间	用户类别	处理方式
$[{{T}_{h}},1)$	可信用户	允许访问
$({{T}_{l}},{{T}_{h}})$	普通用户	根据属性进一步判决是否满足访问条件
$(\text{0},{{T}_{l}}]$	恶意用户	拒绝访问

参数	意义	取值
$\gamma $	老化因子	0.9
${{\delta }_{pos}}$	奖励因子	8
${{\delta }_{neg}}$	惩罚因子	-10
a	X轴位移参数	0.7
b	增长率	0.03
${{T}_{h}}$	可信用户信任度阈值	0.8
${{T}_{l}}$	普通用户信任度阈值	0.2

用户	信任度	用户分类	能否访问	流表有效时长
A（教师）	0.8366	可信用户	√	100 s
A（教师）	0.6416	普通用户	√	40 s
B（教师）	0.1403	恶意用户	×	-
C（学生）	0.4966	普通用户	×	60 s