Cloud Multidomain Access Control Model Based on Role and Trust-Degree

. In order to solve the problem of access control among different security domains in cloud networks, this paper presents an access control model based on role and trust-degree. The model combines role-based access control and trust-based access control. The role assessment weights are defined based on the user’s role classes, and the trust-degree is calculated according to the role assessment weights and the role’s behavior. In order to increase the accuracy of access control, the model gives the concept and calculation methods of feedback trust-degree. To achieve fine-grained access control, the model introduces direct trust-degree, recommendation trust-degree, and feedback trust-degree, all of which participate in comprehensive trust-degree by adjusting their weights. A simulation experiment was conducted in the LAN environment, and a web system was used to construct an access control model with multisecurity domains in the experiment. The experimental results demonstrate that our model has higher security, expansibility, and flexibility.


Introduction
With the rapid development of network technology and cloud computing, attacks and interactions are becoming more and more frequent; complex network security situation will be more serious.By controlling the access permission of the key resources, access control achieves the protection of system resources, ensuring that all of the main direct entrances to the object are authorized and preventing legitimate users from using illegal access to system resources at the same time.Access control policy is one of the main strategies of network security and the main method to realize data confidentiality and integrity [1]; it has become the important subject in the area of network security.
At present the commonly used access control policy includes discretionary access control, mandatory access control, and role-based access control [1].Due to the arbitrariness in users' privileges transfer, discretionary access control is unable to ensure the security of the system, and it is not conducive to achieving a unified global access control.In addition, it is easy for the protected information to leak, and it can not resist the Trojan horse attacks in this access control policy [2].However, the mandatory access control is no interference access control.Due to its reinforcement in access restrictions, the system flexibility declines, and the application is limited.At present, this policy is mainly used in military and the field which has obvious hierarchies and the high security requirement.Role-based access control is different from the above two kinds of access control policy and develops rapidly.It combined with existing security technologies.A variety of access control models emerged.Reference [3] proposed a C/S structure of trust decentralized access control (TDAC) framework: through the client's temporary monitors and server-side assessment of the primary monitor application access request in the subject contextaware access control to protect private data.The defects of this method are increasing the burden to clients and servers.When error occurs in the clients, the servers will not easily detect and repair it.Reference [4] proposed a flexible access control strategy, and the strategy ensures that when users are offline, independent user groups still have the right to perform critical tasks, but the performance of this strategy should be improved.Reference [5] proposed a comprehensive encryption-based access control framework for the content centric network; it was also extensible and flexible.The design of the framework mostly relied on secure content objects' concept.It also implemented two access control schemes, group-based access control and broadcast access control, to demonstrate the flexibility.Reference [5] proposed a hybrid access control model.It combined the advantage of both type enforcement model and role-based access control.It enabled unified access control and authorization for IaaS clouds and the permission transition framework was also provided to dynamically assign permission to virtual machines.This paper puts forward the access control that is based on roles and trust method, the concept of feedback credibility, and the role of trust evaluation weight.It also combined with direct trust and recommended trust to evaluate the user's access behaviors [6].It realizes the dynamic fine-grained access control.

Model Framework
The framework which is based on role and trust entity access control is shown in Figure 1.It describes the relationship of each component.The framework mainly includes the entity recognition and trust management.The following paragraphs will give instructions about the two parts.

Entity Recognition.
The framework of the entity recognition [6] is mainly used to identify the login entity components (user) level, so as to obtain the trust evaluation weights used in the subsequent fine-grained trust evaluation.Entity recognition features include the foreign entity visit and entity mapping, in the process, if the entity for anonymous entity will not affect the interaction with other entities.
If the anonymous entity has the identity of the lowest level, conforming to the resource access trust threshold can  also be carried out in accordance with the established process interaction.The anonymous entity in the process of the session by the trust through the above framework participates in the trust evaluation; in order to avoid malicious slander, anonymous users' trust evaluation will not be involved.Entity recognition process is shown in Figure 2.

Trust Management.
Trust management include computing, collecting, and updating the trust.Trust management model structure is shown in Figure 3. Trust computation can be divided into three parts: interactive entity directly trusted computing, feedback trust computation, and other entities in the recommendation trust computing network.In the process of the above calculation, it gives three kinds of calculation results of different weight coefficient.If interactive entities are new members of the network, we give an initial trust value and assign certain access permissions through a third-party authority.The entities that are out of the system also can use anonymous entity.The system automatically assigned a smaller trust value and the role of a minimal operation.
At present the commonly used access control models mainly include discretionary access control, mandatory access control, and role-based access control.Due to discretionary access control permissions to users with the transfer of the arbitrariness result in the decrease of the safety of the system.This is not conducive to achieving a unified global access control.The information leaks easily.It can not resist the Trojan horse attacks in the access control model.However the mandatory access control has no interference of access control, due to its access restrictions for the reinforcement, thus affecting the flexibility of the system.Role-based access control is different from the above two kinds of model.It obtained a rapid development and combined with some existing security technologies derived from a variety of access control model.

Role and Trust
Principal component analysis (PCA) is a mathematical transformation method [3], and it is used to reduce data dimension.It can switch the multidimensional data into several major dimensional data.The main problems that need to be solved in the role management include the role mapping, the strategy of role adding and deleting, and role conflict resolution strategy.Set up the weight of participation trust-degree evaluation according to the level and this is role evaluation weight: (1) Role mapping: when two equivalent security domains visit each other's resources, each should map the role in this domain to target resources domain's role.
In access control model system proposed in this paper, the distrust security domain and trust security domain take different role mapping strategies.
(2) Adding the role: upon adding new roles, new role mapping's strategy is automatically generated according to the model's mapping strategy.
(3) Deleting the role: upon deleting a domain role, the mapping will be replaced until mapping this role to its subrole.
(4) Role conflict resolution: in this paper, the solution of role conflict of access control is to allow the outland role to have the right of the highest conversion role mapping.
(5) The role of trust evaluation: set up different roles according to the user in the access control security domain model and the role of the various security domains, each role assigned different weights of evaluation, and the higher weights reflect the higher user level permissions.
Table 1 is a sample which is set in the simulation experiments depending on the set role rank and role evaluation weight values, in a real environment, according to the need to set more user levels and evaluation weights which are fit for the level.
According to literature [4], the time  node   direct trust-degree is defined as (  ,   , ).A direct trust table is distributed to the network nodes.Each cell in the table is the node for direct interaction.According to the direct trust table of all nodes to build a two-dimensional direct trust where  −(−  ) is time decay function.It describes the case that direct trust declines with time passing by.
If nodes   and nodes   have had interactions many times at time , the direct trust is shown by mean value where ∑ () =1 (  ,   ,   ) −(−  ) is interaction evaluation expectations of nodes   and   after every interaction evaluation, () represents the times when nodes   and   have interactions frequency in time .Based on literature [5], define recommendation trust (  ,   , ) at time  of node   to node   :  (  ,   , ) =   ×  (  ,   , ) . ( Recommendation trust of node   is given by recommended node   's evaluation of   .Trust evaluation weight is represented by   , defined as follows: On the basis of direct trust, this paper puts forward the concept of feedback trust and gives the calculation method of feedback credibility.Different from direct trust and recommendation trust, feedback trust is the evaluation which represents the feedback of their own behaviors.The feedback helps users adjust trust behavior quickly.Definition 1. Feedback trust is a kind of excitation mechanism that users are responsible for their access behavior [6].According to regulations, users can use information resources in the system safely and reliably; this will improve their trust and have permissions of enjoying more safe and reliable services.
In the access control model proposed in this paper, for every node   establish a two-dimensional feedback trust matrix.It records all the feedback trust between all nodes.
The feedback trust of node   to node   is represented by  2 (  ,   ).
At time , the feedback trust of node   to node   is defined as (  ,   , ): where  −(−  ) is time decay function.Formula ( 5) is considering that the interaction time is only once.If nodes   and   interact many times, the users' operations feedback trust computing takes interaction average: (  ,   ,   ) represent moment   and node   feedback operation evaluation to   , taking value interval as [0, 1].

Experiments
The experiments are done in the laboratory's LAN environment.A server is the general access control center, two PC represent two different domain management centers, and the other three PC represent the security components of different domains.Simulation model structure is shown as in Figure 4.In Figure 4, A 1 is model access control center which is responsible for user management and providing safe trust policy, dynamic access control, interactive assessment, and trust evaluation.B 1 and B 2 are the domain management centers which manage their security domain.B 11 , B 12 , and B 21 belong to the security domain security components of security domains B 1 and B 2 .
Simulation model is using B/S structure, so the B 11 , B 12 , and B 21 do not need to deploy any function module, simply by IE login and connecting to the corresponding access control center module and interacting with other security components.
In the process of simulation experiment, by different user login access control system and other security components interaction access and access control center do corresponding actions in the process of access control.In order to achieve the legitimate users access to legal resources, illegal user cannot access resources, and the legal user cannot access illegal resources.

Experimental Process and Results
In the simulation model, userb 12 and userb 11 were two security components in security domain B 1 .In the process of creating security component of model, users were given 0.7 as initial recommendation trust.
Different user roles grading to ascertain the weight of character evaluation values is according to Table 1 and, in the initial stages, defined on the relationship between the credibility and trust, as shown in Table 2.
At this time the direct trust and feedback trust were 0. In the model the user creates immediate access to the test, Table 2: Definition of trust status.
Trust value  Trust situation 0 ≤  < 0.5 Do not trust 0.5 ≤  < 1 Relative trust  = 1 Total trust so at this time of attenuation it is negligible (the results approximately equal 0.7), so the first degree of trust visits is where  +  +  = 1,  ≥ 0,  ≥ 0,  ≥ 0. Calculated by formula (1)-( 11) (userb 11 , userb 12 ,  0 ) = (userb 12 , userb 11 ,  0 ) ≈ 0.7; that is, at time  0 , component userb 11 access to components userb 12 trust is 0.7; at the same time userb 12 access to userb 11 trust was 0.7.Based on the model set userb 11 resources "document 1" literacy reading and writing trust-degree threshold were 0.5 and 0.7.userb 12 have the read and write permissions to "document 1." Userb 11 is used for designing experiment of userb 12 access control policy as shown in Figure 5. Ordinate Action represents access Action, including two operations which are write and read.Abscissa represents the Target resources.userb 11 , for resources "document 2" after the read operation, calculated userb 12 providing services for direct trust evaluation of 0.9, according to type (12) to calculate the trust at this time (userb 11 , userb 12 ,  1 ) = 0.788.According to "document 1" userb 11 setting threshold, userb 12 still have permissions to read and write.If userb 12 provides the unsafe service, on a visit to "document 2" again, after access to direct trust evaluation is set to 0.5, according to type (10) one gets (userb 11 , userb 12 ,  2 ) = 0.644.At this point, according to userb 11 access to resources "document 1" trust threshold setting, userb 12 has only permissions to read and lost permissions to write, and it is through this mechanism that users are motivated to provide more safe and reliable service.If userb 12 has access components provided by certain standard judged to be extremely dangerous, relevant access components or the administrator can delimit userb 12 directly into the blacklist, causing its loss of the appropriate minimum component resources access.userb 11 to userb 12 resources for access to the direct trust evaluation are calculated; at the same time, userb 12 feedback on userb 11 for trust evaluation is calculated by formula (9) trust and synchronous update in the database.Through this mechanism they can exercise the power of their own incentive component, safer permissions to read and write, and so forth.
The detailed testing results of all kinds of trust weight value are shown in Table 3.For different access requirements of the system, the setting of the weight of all kinds of trusts is also different.It reflects the flexibility of the model.Based on the definition of various types of trust, the following conclusion can be drawn.
The test results can be seen from Table 3; when evaluating trust gradually reduced, the trust declined.On the contrary, when a user provided good service and safe and reliable resources or used their legal rights, it had the higher credibility evaluation.Thus the total trust increased.The experimental results showed the feasibility and effectiveness of the proposed access control mode.
Experiments of all kinds of trust weight value settings are shown in Table 3.For different access requirements of the system, the setting of the weight of all kinds of trust also is different; it also reflects the flexibility of the model.Based on the definition of various types of trust one can draw the following conclusion.When direct trust weight value is bigger, the user's comprehensive trust continued volatility may occur; for example, for some security component trust evaluation is more matching and for other components trust is completely opposite.When the recommendation trust weight value is bigger, the user's comprehensive trust value is relatively stable.When feedback trust weight value is larger, comprehensive trust users access to the current user behavior is more sensitive and can quickly reflect the current access behavior trust situation.In general according to the different requirements of different systems all kinds of trust weight value can be set.This also can make all kinds of trust weight values roughly equal.The weights of three kinds of trust assignment are shown in Table 3.
In Table 3, the first line says three types of trust are the weights of evaluation.The second line indicates only direct trust and recommendation trust weights.The third line showed only recommendation trust and feedback trust weights.In the fourth row only recommendation trust weights are shown.Recommendation trust in the building of a role is given, so it is inevitable.
Detailed test results are shown in Table 4. Initial conditions are as follows: system building role given recommended trust being 0.7, the name of documents 1 and 2, and speaking, reading, and writing trust threshold being 0.5 and 0.7.Detailed test of read and write operations alternates, initial interaction evaluation value is 0.9; read and write interactive evaluation is reduced to 0.05.

Conclusions
This paper puts forward a kind of access control method based on the character and credibility.It also puts forward the concept of feedback credibility and the role of trust evaluation weight, combined with direct trust and recommendation trust.Direct trust and recommendation trust all evaluate the user's access comprehensive action.The effectiveness of the proposed model is verified by simulation.
The test results can be seen from Table 4; when evaluating trust gradually reduced, the trust will drop.On the other hand, when a user provides good service and safe and reliable resources or exercises their GeFaQuan period, it will get higher credibility evaluation; thus the total trust will be increased.
Design of access control model in this paper is through such mechanism incentive component users with better service and more safe and reliable resources and more effective exercise of their rights and increase of their trust, so as to enjoy a higher authority.Based on user roles we set different weights of evaluation and give the weight of different trust to achieve fine-grained trust evaluation and credibility in order to achieve the fair and reasonable evaluation purpose.The test results of Table 4 show that the access control model proposed in this paper is feasible and effective.

Figure 1 :
Figure 1: Framework of role and trust-based access control.

Table 1 :
Example of rolegrade and role weight evaluation., defining it as  1 , nodes   to node   direct trust is represented by  1 (  ,   ).At time , if nodes   and   have an interaction, the direct trust (  ,   , ) is

Table 3 :
Weights of the three trust degrees.