CN-121997344-A - Access control vulnerability detection method based on RBAC mode Web application security
Abstract
The invention discloses an access control vulnerability detection method based on RBAC mode Web application security, which particularly relates to the technical field of authority management and Web security, and comprises the steps of obtaining access control log data during the running period of the Web application, constructing a cross-session time sequence RBAC role inheritance map and dynamically labeling resource access sets of roles, verifying the time sequence consistency of inheritance graph paths, extracting ghost path subgraphs with authority conduction but lacking authorization records, constructing an access behavior context graph model by combining resource call stack information, identifying semantic deviation abnormal node pairs by utilizing graph attention mechanisms, performing behavior replay test on the abnormal path node pairs, judging whether unauthorized access success events exist or not, and generating vulnerability reports.
Inventors
- ZHANG CHAO
- FAN XIN
- WANG KE
- XU WEIFENG
- LIU YING
- HUANG XINGJIE
- YANG QILONG
- CAO ZHERUI
Assignees
- 国网陕西省电力有限公司信息通信公司
Dates
- Publication Date: 20260508
- Application Date: 20260130
Claims (7)
- 1. An access control vulnerability detection method based on RBAC mode Web application security, characterized by comprising the following steps: acquiring access control log data generated by a Web application during its running period; based on the access control log data, constructing a cross-session time-sequence RBAC role inheritance graph, wherein the inheritance graph takes role nodes as vertices and inheritance relations among roles as edges, and dynamically labeling the actual resource access set of each role node in combination with the user request sequence; verifying the time-sequence consistency of paths among nodes in the inheritance graph, extracting potential ghost path subgraphs that conduct authority but lack a definite authorization record, and forming an abnormal access path feature set; taking the abnormal access path feature set as input, constructing an access behavior context graph in combination with resource call stack information, and identifying abnormal path node pairs with high semantic deviation by using a graph attention mechanism; performing a behavior replay test on the identified abnormal path node pairs, simulating a cross-role resource access scenario in a real Web environment, judging whether an unauthorized access success event exists, and if so, recording the abnormal path and the related role nodes; and generating an access control vulnerability report based on the user identity corresponding to the abnormal path and the resource access success event.
- 2. The RBAC mode Web application security-based access control vulnerability detection method of claim 1, wherein constructing the cross-session time-sequence RBAC role inheritance graph comprises: clustering the access control log data by user identity; extracting the role allocation information and the request target resource sequences of the same user across multiple sessions to form a cross-session access behavior track; generating inheritance edges between role nodes based on the time order of role transitions in the cross-session access behavior track and the resource access context; and constructing a directed graph structure with role nodes as vertices and inheritance relations between roles as edges.
- 3. The RBAC mode Web application security-based access control vulnerability detection method of claim 1, wherein the time-sequence consistency verification of paths between nodes in the inheritance graph comprises: based on all reachable paths in the role inheritance graph, constructing a time sequence set for each role node on each path, and extracting the earliest authorized time and the latest active time of the node's access behavior; executing a time window constraint check on each path, judging whether the access times of the role nodes along the path are continuous and do not violate the time increment rule, and eliminating paths with time-sequence faults; further comparing the paths that pass the time-sequence verification against the access control log, and marking a path as a potential ghost path if the authorization behavior of its end node has no definite authorization record in the log; and extracting all role sequences marked as potential ghost paths, together with their connection relations, into subgraphs to form the potential ghost path subgraphs.
- 4. The RBAC mode Web application security-based access control vulnerability detection method of claim 1, wherein constructing the access behavior context graph comprises: constructing a heterogeneous graph structure from the role nodes and resource nodes in the abnormal access path feature set, wherein access edges are established between role nodes and resource nodes and inheritance edges are established between role nodes, and call depth, execution order and timestamps are attached to the edges in combination with the call stack information, forming a context graph that carries semantic behavior information.
- 5. The RBAC mode Web application security-based access control vulnerability detection method of claim 1, wherein identifying abnormal path node pairs by using a graph attention mechanism comprises: constructing a multidimensional feature vector for each role node and each resource node in the context graph; inputting the vectors into a graph attention network model; calculating the edge weight attention coefficient between nodes; outputting a semantic deviation metric value between node pair embeddings, with cosine similarity as the evaluation index; and identifying, based on a semantic deviation threshold, the abnormal path node pairs whose deviation exceeds the preset range.
- 6. The RBAC mode Web application security-based access control vulnerability detection method of claim 1, wherein performing the behavior replay test on the identified abnormal path node pairs comprises: constructing a simulated access request set from the abnormal role nodes and resource nodes; in an isolated, controlled Web test environment, scheduling and executing the request set one request at a time in access time order, and recording the response status code, the response body content and the resource access result; and if the response status code belongs to the access success class, the returned resource content is consistent with the authorized access result, and the access control log contains no formal authorization record for the role, identifying the event as an unauthorized access success event and recording it as an abnormal path.
- 7. The method for detecting access control vulnerabilities based on RBAC mode Web application security of claim 1, wherein the access control log data comprises user identification, role assignment information, request target resources, request time stamp and authorization result.
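As an added illustration of claims 1 to 3 (not code from the patent or its assignee), the following script builds the cross-session role inheritance graph from constructed access-control log records, applies the time-increment check along each path, and extracts "ghost paths" whose end role reached a resource without an explicit authorization record; the log fields, role and resource names are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not from the patent): user, session, role, resource, timestamp,
# and whether the log holds an explicit authorization record for that role/resource pair.
LOG = [
    ("u1", "s1", "viewer", "/reports", 100, True),
    ("u1", "s2", "editor", "/reports/edit", 200, True),
    ("u1", "s3", "admin", "/admin/users", 300, False),  # reached admin, no grant recorded
    ("u2", "s4", "viewer", "/reports", 120, True),
    ("u3", "s5", "guest", "/public", 500, True),
    ("u3", "s6", "auditor", "/audit", 600, False),
    ("u4", "s7", "auditor", "/audit", 50, True),        # auditor active before any guest
]

def build_inheritance_graph(log):
    """Cluster by user, order each user's sessions by time, and turn consecutive role
    transitions into directed inheritance edges; also label each role with its observed
    access set, its explicitly authorized set, and its earliest/latest activity time."""
    edges, access, granted = defaultdict(set), defaultdict(set), defaultdict(set)
    window, by_user = {}, defaultdict(list)
    for user, _sess, role, res, ts, ok in log:
        by_user[user].append((ts, role, res, ok))
    for recs in by_user.values():
        recs.sort()
        prev = None
        for ts, role, res, ok in recs:
            access[role].add(res)
            if ok:
                granted[role].add(res)
            lo, hi = window.get(role, (ts, ts))
            window[role] = (min(lo, ts), max(hi, ts))
            if prev is not None and prev != role:
                edges[prev].add(role)
            prev = role
    return edges, access, granted, window

def timing_consistent(path, window):
    """Time-increment rule: each role on the path must first appear no earlier than
    its predecessor; a downstream role active before its upstream role is a fault."""
    return all(window[a][0] <= window[b][0] for a, b in zip(path, path[1:]))

def ghost_paths(log):
    """Enumerate reachable paths from root roles, drop paths with timing faults, and keep
    those whose end role touched a resource that has no explicit authorization record."""
    edges, access, granted, window = build_inheritance_graph(log)
    found = []
    def walk(path):
        for nxt in sorted(edges[path[-1]]):
            if nxt in path:  # guard against cycles in the inheritance graph
                continue
            p = path + (nxt,)
            if timing_consistent(p, window):  # faulty paths are eliminated, not extended
                missing = sorted(access[nxt] - granted[nxt])
                if missing:
                    found.append((p, missing))
                walk(p)
    for root in sorted(set(edges) - {r for rs in edges.values() for r in rs}):
        walk((root,))
    return found

print(ghost_paths(LOG))  # → [(('viewer', 'editor', 'admin'), ['/admin/users'])]
```

The guest-to-auditor chain is discarded by the time-increment check because an auditor session predates every guest session, so only the viewer-editor-admin chain is reported as a ghost path.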
Description
Access control vulnerability detection method based on RBAC mode Web application security
Technical Field
The invention relates to the technical field of authority management and Web security, in particular to an access control vulnerability detection method based on RBAC mode Web application security.
Background
With the increasing complexity of Web-based application systems, access control is becoming an important mechanism for ensuring system security. Among the available models, role-based access control (RBAC) is widely used in sensitive fields such as government affairs, finance and medical treatment because of its flexible rights allocation and easy management. However, the traditional RBAC model is mainly oriented to static organization structures and well-defined role authority boundaries, and it copes poorly with dynamic authority inheritance, polymorphic resource binding, temporary identity authorization and similar characteristics of a dynamic Web application environment, so that the 'role-authority' mapping deviates in actual operation. Especially under multi-tenant or microservice architectures, different service modules often grant access rights rapidly through token- or session-based mechanisms, and when abnormal states such as "role inheritance chain misconfiguration" or "cross-context role residual binding" exist in the RBAC model, a "ghost access" (phantom access) problem may arise: an originally unauthorized session entity obtains indirect access rights through a legacy or propagation path, forming an access control vulnerability that is highly concealed and highly harmful.
Most current access control detection methods are based on static configuration file analysis and cannot cover the dynamic mapping process of runtime role authority, while the dynamic analysis methods that do exist depend on an attack sample library or known vulnerability templates, lack the ability to perceive inheritance-chain-pollution zero-day vulnerabilities, and have difficulty achieving fine-grained behavior modeling and abnormal path identification of an RBAC system in a real Web running environment.
Disclosure of Invention
The invention aims to provide an access control vulnerability detection method based on RBAC mode Web application security that addresses the defects described in the background. To achieve this purpose, the invention provides the following technical scheme: an access control vulnerability detection method based on RBAC mode Web application security comprising the following steps: acquiring access control log data generated by a Web application during its running period; based on the access control log data, constructing a cross-session time-sequence RBAC role inheritance graph, wherein the inheritance graph takes role nodes as vertices and inheritance relations among roles as edges, and dynamically labeling the actual resource access set of each role node in combination with the user request sequence; verifying the time-sequence consistency of paths among nodes in the inheritance graph, extracting potential ghost path subgraphs that conduct authority but lack a definite authorization record, and forming an abnormal access path feature set; taking the abnormal access path feature set as input, constructing an access behavior context graph in combination with resource call stack information, and identifying abnormal path node pairs with high semantic deviation by using a graph attention mechanism; performing a behavior replay test on the identified abnormal path node pairs, simulating a cross-role resource access scenario in a real Web environment, judging whether an unauthorized access success event exists, and if so, recording the abnormal path and the related role nodes; and generating an access control vulnerability report based on the user identity corresponding to the abnormal path and the resource access success event.
Preferably, constructing the cross-session time-sequence RBAC role inheritance graph includes: clustering the access control log data by user identity; extracting the role allocation information and the request target resource sequences of the same user across multiple sessions to form a cross-session access behavior track; generating inheritance edges between role nodes based on the time order of role transitions in the cross-session access behavior track and the resource access context; and constructing a directed graph structure with role nodes as vertices and inheritance relations between roles as edges.
Preferably, the step of verifying the time-sequence consistency of the paths between the nodes in the inheritance graph includes: based on all reachable paths in the role inheritance graph, constructing a time sequence set for each role node on each path, and extracting the earliest authorized time and the latest active time of the node's access behavior; executing time window constraint check