Resource Access Control Scheme Based on User Credit in SDN

doi:10.3969/j.issn.1671-1122.2021.10.005

Abstract

Abstract:

Existing resource access control schemes have problems such as the inability to dynamically change user access permissions, and the security risks in the formulation of access control policies. In view of these problems, this paper proposes a resource access control scheme based on user credit in SDN. This scheme introduces the concept of user credit and uses the characteristics of SDN that management and control separation and flow-driven to design a resource access control system based on user credit. The controller evaluates the user’s credit based on the user’s attributes, and classifies users accordingly. By issuing flow tables, different types of users are granted different permissions. When the user’s trust level changes, their access permissions will also change, realizing the function of dynamically granting permissions. And the program is simulated through Mininet and compares it with ordinary SDN networks and traditional networks, the results show that the program has a certain degree of dynamics and security in resource access control.

Key words: SDN, access control, user credit, dynamic authorization

CLC Number:

TP309

WEI Zhanzhen, PENG Xingyuan, ZHAO Hong. Resource Access Control Scheme Based on User Credit in SDN[J]. Netinfo Security, 2021, 21(10): 33-40.

Figures/Tables 15

References 20

[1]	WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software Defined Networking: Security Model, Threats and Mechanism[J]. Journal of Software, 2016, 27(4):969-992.
	王蒙蒙, 刘建伟, 陈杰, 等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016, 27(4):969-992.
[2]	WANG Tao, CHEN Hongchang, CHENG Guozhen. Research on Software-defined Network and the Security Defense Technology[J]. Journal on Communications, 2017, 38(11):133-160.
	王涛, 陈鸿昶, 程国振. 软件定义网络及安全防御技术研究[J]. 通信学报, 2017, 38(11):133-160.
[3]	LIU Zhigang, XIAO Qinghui, DING Xuefei, et al. Software Defined Network User Dynamic Access Control Model Simulation[J]. Computer Simulation, 2019, 36(1):308-311, 396.
	刘治纲, 肖庆汇, 丁雪非, 等. 软件定义网络用户动态访问控制模型仿真[J]. 计算机仿真, 2019, 36(1):308-311,396.
[4]	KATAOKA K, GANGWAR S, PODILI P. Trust List: Internet-wide and Distributed IoT Traffic Management Using Blockchain and SDN[EB/OL]. https://ieeexplore.ieee.org/document/8355139, 2018-02-22.
[5]	PAILLISSE J, SUBIRA J, LOPEZ A, et al. Distributed Access Control with Blockchain[EB/OL]. https://arxiv.org/pdf/1901.03568.pdf, 2019-07-16.
[6]	NOVO O. Blockchain Meets IoT: An Architecture for Scalable Access Management in IoT[J]. IEEE Internet of Things Journal, 2018, 5(2):1184-1195. doi: 10.1109/JIOT.2018.2812239 URL
[7]	ZHANG Jiale, ZHANG Guiling, ZHANG Xiufang. Network Access Control Model Based on Real-Time Behavior Trusted Measurement[J]. Computer Applications and Software, 2017, 34(7):32-38.
	张佳乐, 张桂玲, 张秀芳. 基于实时行为可信度量的网络访问控制模型[J]. 计算机应用与软件, 2017, 34(7):32-38.
[8]	OUADDAH A, ELKALAM A A, OUAHMAN A A. FairAccess: A New Blockchain-based Access Control Framework for the Internet of Things[J]. Security & Communication Networks, 2016, 9(18):5943-5964.
[9]	OUADDAH A, MOUSANNIF H, ELKALAM A A, et al. Access Control in the Internet of Things: Big Challenges and New Opportunities[EB/OL]. https://linkinghub.elsevier.com/retrieve/pii/S1389128616303735, 2017-01-20.
[10]	OUADDAH A, ELKALAM A A, OUAHMAN A A. Towards a Novel Privacy-preserving Access Control Model Based on Blockchain Technology in IoT[EB/OL]. https://doi.org/10.1007/978-3-319-46568-5_53, 2016-09-12.
[11]	DU Ruizhong, LIU Yan, TIAN Junfeng. An Access Control Method Using Smart Contract for Internet of Things[J]. Journal of Computer Research and Development, 2019, 56(10):2287-2298.
	杜瑞忠, 刘妍, 田俊峰. 物联网中基于智能合约的访问控制方法[J]. 计算机研究与发展, 2019, 56(10):2287-2298.
[12]	PUTRA G D, DEDEOGLU V, KANHERE S S, et al. Trust Management in Decentralized IoT Access Control System[EB/OL]. https://export.arxiv.org/pdf/1912.10247, 2020-12-20.
[13]	LIU Aodi, DU Xuehui, WANG Na, et al. Blockchain-based Access Control Mechanism for Big Data[J]. Journal of Software, 2019, 30(9):2636-2654.
	刘敖迪, 杜学绘, 王娜, 等. 基于区块链的大数据访问控制机制[J]. 软件学报, 2019, 30(9):2636-2654.
[14]	MA Mingxin, SHI Guozhen, LI Fenghua. Privacy-oriented Blockchain-based Distributed Key Management Architecture for Hierarchical Access Control in the IoT Scenario[EB/OL]. https://ieeexplore.ieee.org/document/8664491, 2020-12-20.
[15]	SHI Jinshan, LI Ru, SONG Tingting. Blockchain-based Access Control Framework for Internet of Things[J]. Journal of Computer Applications, 2020, 40(4):931-941.
	史锦山, 李茹, 松婷婷. 基于区块链的物联网访问控制框架[J]. 计算机应用, 2020, 40(4):931-941.
[16]	WANG Xiuli, JIANG Xiaozhou, LI Yang. Model for Data Access Control and Sharing Based on Blockchain[J]. Journal of Software, 2019, 30(6):1661-1669.
	王秀利, 江晓舟, 李洋. 应用区块链的数据访问控制与共享模型[J]. 软件学报, 2019, 30(6):1661-1669.
[17]	YANG Bo, ZHANG Yun, WANG Xin. A Network Access Control Method Based on Cloud Computing[J]. Software Engineering, 2017, 20(2):50-53.
	杨波, 张云, 王欣. 一种基于云计算的网络访问控制方法[J]. 软件工程, 2017, 20(2):50-53.
[18]	BAO Yulong, ZHU Xueyang, ZHANG Wenhui, et al. Formal Verification of Smart Contract for Access Control in IoT Applications[J]. Chinese Journal of Computers, 2021, 41(4):930-938.
	包玉龙, 朱雪阳, 张文辉, 等. 物联网应用中访问控制智能合约的形式化验证[J]. 计算机应用, 2021, 41(4):930-938.
[19]	AKIMICHI, NAOKI M, ATSUSHI I. Mastering TCP/IP OpenFlow[M]. LI Zhanjun, XUE Wenling. Beijing: Posts & Telecom Press, 2016.
	晃通, 宫永直树, 岩田淳. 图解OpenFlow[M]. 李战军, 薛文玲,译.北京:人民邮电出版社, 2016.
[20]	XU Ke, LING Sitong, LI Qi, et al. Research Progress of Network Security Architecture and Key Technologies Based on Blockchain[J]. Chinese Journal of Computers, 2021, 44(1):55-83.
	徐恪, 凌思通, 李琦, 等. 基于区块链的网络安全体系结构与关键技术研究进展[J]. 计算机学报, 2021, 44(1):55-83.

信任度区间	用户类别	处理方式
$[{{T}_{h}},1)$	可信用户	允许访问
$({{T}_{l}},{{T}_{h}})$	普通用户	根据属性进一步判决是否满足访问条件
$(\text{0},{{T}_{l}}]$	恶意用户	拒绝访问

参数	意义	取值
$\gamma $	老化因子	0.9
${{\delta }_{pos}}$	奖励因子	8
${{\delta }_{neg}}$	惩罚因子	-10
a	X轴位移参数	0.7
b	增长率	0.03
${{T}_{h}}$	可信用户信任度阈值	0.8
${{T}_{l}}$	普通用户信任度阈值	0.2

用户	信任度	用户分类	能否访问	流表有效时长
A（教师）	0.8366	可信用户	√	100 s
A（教师）	0.6416	普通用户	√	40 s
B（教师）	0.1403	恶意用户	×	-
C（学生）	0.4966	普通用户	×	60 s