System wide information management (SWIM) involves civil aviation system control, intelligence, alarm, traffic, and other data. These data are transmitted in various forms, making SWIM system vulnerable to sensitive information leakage, data tampering, denial, and other security threats. In this article, an attribute-based air traffic management (ATM) information access control scheme is proposed to solve the security threat of SWIM. An improved extensible access control markup language (XACML) authorization model is established, combining linear secret sharing scheme (LSSS) matrix structure and monotone span program (MSP); an attribute association algorithm is designed to establish the attribute association relationship between services and users. Experimental results show that the attribute association algorithm improves the time complexity, but the algorithm can support richer policy representation capability, and the proposed ATM information access control scheme is more efficient and can effectively reduce the space cost. This scheme can achieve more fine-grained and flexible access control.

1. Introduction

System wide information management (SWIM) is a distributed system based on service-oriented architecture. It enables data conversion, service integration, and information transformation for civil aviation systems, which facilitates civil aviation to establish a unified and efficient data interaction platform [1]. With the development of SWIM, we realize that the main goal of SWIM is not only to enable seamless integration between geographically distributed and heterogeneous systems in the air transport sector but also to enable seamless information sharing among multiple stakeholders in the ATM domain [2]. In terms of the advantage of SWIM, it not only effectively prevents the “information island” problem caused by heterogeneous systems and reduces the enormous overhead caused by interconnection and maintenance but also enhances the collaborative decision-making and situational awareness capabilities of civil aviation units [3].

SWIM can facilitate the development of civil aviation. However, viruses, network attacks, and other means are easy to find system security vulnerabilities and then threaten the system operation [4]. Increasing data are transmitted and exchanged in the SWIM network, such that the security threat is becoming considerably prominent [5]. For SWIM, the most important threats are data leakage and privacy protection. Considering that SWIM service data involve sensitive information in the airspace of member states and the commercial privacy of airlines, all parties’ concern about information security has become a major obstacle to the development of SWIM. Preventing data leakage and protecting user privacy are the most important issues. The main reason for these problems is the occurrence of illegal access and unauthorized access. To alleviate the impact of the above problems, access control has become one of the key technologies of SWIM security services [6].

In the aspect of information access control, many scholars have carried out a series of research. In view of the characteristics of big data resources and the problems existing in the centralized access control mechanism, Liu et al. [7] proposed a blockchain-based big data access control mechanism based on the ABAC model, which adopts the access control method based on smart contract to achieve transparent, dynamic, and automatic access control over big data resources. Du et al. [8] proposed a hierarchical block chain-based distributed architecture for the Internet of things, which is based on ABAC model and adopts smart contract to realize dynamic and automatic access control for the devices of the Internet of things within and across domains based on attributes. Zhang [9] designed an attribute matching method based on Bloom filter on the original access control scheme, which greatly improved the access control efficiency. Wu [10] proposed a risk-based XACML access control model for fog computing. Based on this model, risk assessment method and privacy policy adaptive method were proposed to ensure the security of private data in fog computing. Han et al. [11] proposed an XACML policy query method based on attribute and or matrix and type analysis to reduce the number of rule matching during the implementation of policy evaluation. Wang et al. [12] improved the original XACML-based access control policy conflict detection method and designed a new one-time resolution algorithm for policy conflict. Luo et al. [13] proposed a metamodel-based access control policy description language (PML) and its implementation mechanism (PML-EM), which reduced the cost for users to write policies and for cloud service providers to develop access control mechanisms. Khaled and Cheng [14] studied the access control problem in the integrated distributed Internet of things environment and proposed an adaptive XACML scheme, which extended the typical XACML by integrating the access code generation and verification scheme in the heterogeneous distributed Internet of things environment.

In terms of security, although the security architecture and technical specifications in SWIM are not perfect, information security has already become a hot issue in the research of various countries. Boeing company of the United States pointed out that the security measures of the current SWIM system are not perfect, especially the protection measures for important private data, and proposed an information protection method based on SAML [15]. FAA and Embry-Red Aeronautic University identified security vulnerabilities related to data exchange between AAtS and NAS information service in SWIM, proposed security threats faced by AAtS, and established appropriate test methods [16]. Chris W. Johnson of the University of Glasgow proposed the potential security threats faced by NextGen and SESAR based on his analysis of them, aiming to promote their cooperation and provide mutual assistance in case of attack [17]. In order to ensure the safe operation of the new ATM system, EUROCONTROL developed a complete set of methods to support the integration of security into the design at the beginning of the development process [18].

Attribute is the core concept of ABAC. Attributes in ABAC can be described by a four-tuple (S, O, P, and E). S represents the subject attribute, that is all entities that the subject initiates access requests have attributes; O represents the object attribute, that is the resources that can be accessed in the system have attributes; P represents the permission attribute, that is all kinds of operations on object resources; E is the environment attribute, that is the environment information when access control occurs; the attributes of the subject and the object are used as the basic decision elements and used the attributes set of the requester to decide whether to grant access to them, which can well isolate policy management and access judgment, and effectively solve the problem of fine-grained access control in dynamic large-scale environment. According to the characteristics of SWIM and the actual business process of civil aviation in China, this article proposes an attribute-based access control (ABAC) scheme.

3. Overview of SWIM Services

SWIM services are mainly divided into core and application services. The core services are the basis of information security sharing within the system and are invisible. They mainly include interface management, security services, information transmission, and enterprise service management. The application services that expose the interface to other systems in accordance with the technical standards specified in SWIM are visible and discoverable. They are used to realize information interaction among systems [19]. SWIM data mainly exist in various application services, such that the services studied in this chapter belong to application services.

Given that ATM data are the core of SWIM service information and that service information belongs to the object resources in ABAC, they are an important part. This chapter mainly deals with the current ATM data as well as the composition, naming, and routing of service information in SWIM.

3.1. Composition of Service Information

As an intermediate layer between the underlying data and high-level applications, SWIM defines a unified data model and service standard for the entire ATM system, avoiding the heterogeneity of various types of information that were originally used only in specific domains. SWIM mainly divides data types in accordance with information usage and performs corresponding standardization work. The relationship between ATM data and SWIM service information is shown in Figure 1.

ATM system is a large socio-technical system, which adds a dimension to the cybersecurity complexity [20]. ATM is divided into three parts, namely airspace management, air traffic flow management, and air traffic service, which involve various types of data, such as regulation, intelligence, alarm, and traffic. In the current civil aviation network, these data are transmitted in various forms, including the Aeronautical Fixed Telecommunication Network, controller-pilot data link communications, and ATS Inter-device Data Communication. [19].

SWIM mainly developed the Flight Information Exchange Model, Weather Information Exchange Model, and Aeronautical Information Exchange Model. [21] These data models are defined as UML and XML schemas. The raw data are converted to XML format based on the schema, and then exchanged between the application and the SWIM service. Moreover, metadata is necessary to obtain relevant information, such as provenance, type, time stamp, and quality. [22] ATM data are classified in accordance with the above models and formatted separately to conform to the standardized format requirements in SWIM. Given that the converted data are no longer heterogeneous, the data among different domains can be arbitrarily combined. The service definition only needs to focus on the data usage without having to pay attention to the source. SWIM services are in the definition stage, and ICAO divides services into four main categories: flight data exchange services, aeronautical data exchange services, weather data exchange services, and other services. The various types of services can be further divided into flight plans, control information, and alarm information in accordance with the specific use of the data provided.

3.2. Naming of Service Information

Attributes are the bases for naming SWIM service information and the core elements of ABAC. Therefore, this section first defines the attributes in SWIM. On the basis of the organizational structure of China’s Air Traffic Control Bureau, airports, and airlines, as well as the current status of China’s ATM network, the three attributes of users, resources, and environment in the civil aviation field are defined and assigned. The definition of the attributes is shown in Table 1.

Each of the users, services, and environments can be elucidated by combining the various attributes in Table 1. In addition, the attributes contained in the civil aviation field are relatively complicated, and some special attributes are not included in the table, such as Globally Unique Flight Identifier and flight number in flight information and airport four-character code in airport information.

As the infrastructure of the new generation of ATM, SWIM connects various aviation systems worldwide, which contain much aviation data. The amount of data is still growing rapidly with the further development of the aviation industry. To deal with the above problems, the typical hierarchical naming method uniform resource locator (URL) is selected. It has high aggregation characteristics to prevent the impact of massive data on the operation of the system. Owing to the wide variety of services in SWIM, only the naming schemes for several typical services are listed in Table 2.

As shown in Table 2, the elements in the naming are derived from the defined SWIM attributes, which enhance the semantics of naming and make it easy for users to find the information they need. SWIM uses the longest prefix matching method to request service information, such that information naming should be defined in order in accordance with the degree of differentiation of attributes. The head of the name is from the type of SWIM information to indicate the purpose. Afterward, the flight information requires the flight number to indicate the aircraft number, the aeronautical information requires the organization name to fix the source of the information, and the weather information needs to fix the area indicated by the information. Different types of information have distinct naming methods due to their differences in use and content.

From the above naming rules, hierarchical naming can achieve information aggregation at different levels, and the requester can directly match multiple pieces of information through a prefix. For example, Air China’s executives can subscribe to information at the agency level, while North China Bureau’s Flight Services Reporting Room can only subscribe to services at the regional level. This approach is also the basis for making access control highly flexible.

3.3. Routing of Service Information

To improve the efficiency of network transmission, SWIM transforms the traditional store-and-forward mode into a cache-forward mode [23]. While the service node is routing, it stores a copy of the information on some nodes in the transmission path. When the neighboring user needs this information again, it can be obtained in the cache of the short-distance node, such that each information transmission has the relatively shortest routing distance. The routing mechanism of SWIM is shown in Figure 2.

A three-part structure exists in the SWIM service node: Forwarding Information Base (FIB), Pending Interest Table (PIT), and Content Store (CS) [24]. The FIB is a base of forwarding information, the PIT stores the information in the packet or the interface set, and the CS keeps copies of the passed information.

When a visitor wants some information, it will send an Interest packet to the service node. The node looks for the information that matches the name in the CS. If it is found, the incoming interface is returned, and the information packet is discarded. If not, the node will look up the PIT to ensure that there is the same Interest packet that is forwarded from other nodes. If found, the entry is added to the PIT; if not, the FIB is searched. In the FIB, the node looks for the longest matching prefix and routes to determine the path of forwarding packets. When it is found, the node creates the information entry item in the PIT and forwards the packet. Otherwise, the information packet will be discarded.

When a Data packet arrives at the content router, the longest prefix is compared with the CS item. If the same cache data exist, it will be discarded or compared with the PIT. If there is a matching entry in the PIT, the Data packet is forwarded to the corresponding interface, and the packet is buffered in the CS table. If there is no matching entry in the PIT, the packet is discarded. The routing path of Data packets is just opposite to that of Interest packets.

3.4. SWIM Security Threat

SWIM has an open network environment and faces many security risks. This can lead to problems such as theft of trade secrets, maliciously tampering of aviation information, and disclosure of private data. These problems destroy the security of aviation data and affect the normal operation of civil aviation system. SWIM is subject to the following threats in terms of privacy protection and data security:(1)Confidentiality of privacy data: Due to the distributed characteristics of SWIM, the data are distributed in each service node, users cannot guarantee whether the privacy data will be leaked, and this hinders the further development of SWIM.(2)User access transgression: SWIM data comes from all kinds of ATM systems worldwide and has strong liquidity. After multiple transmission of data, information copy may be formed in unauthorized user nodes, so there is a risk of user access penetration.(3)Illegal user access: SWIM uses the name as the identification of the service information. If the external users master the naming rules, they can initiate access to the corresponding information, which may cause the leakage of private data.

ATM data of all kinds need complete information interaction between systems through SWIM at each stage of aircraft operation. According to the above security risk analysis, many security threats against SWIM data will affect the normal operation of the aircraft, and even threaten the safe operation of civil aviation system in serious cases.

4. SWIM Access Control Scheme

XACML is the most effective and appropriate access control policy language because it is compatible with different platforms and provides a distributed and flexible method for various access control scenarios of different systems [25]. XACML provides a combination algorithm, which combines a decision or the influence of multiple policies or rule elements into a decision through the policy combination algorithm of the policy element and the rule combination algorithm of the rule element and finally grants the applicant authority [26]. On the basis of the characteristics of SWIM and the actual business process of civil aviation in China, an ABAC scheme is proposed. In accordance with the improved XACML authorization model, an attribute association method is designed in the scheme to support more capable expression authorization policies and to enable flexible, fine-grained access control.

ABAC is a milestone in the development of access control technology, and XACML is the most influential access control policy expression language [27]. ABAC has gained increasing popularity in the last years due to its flexibility and expressiveness [28]. On the basis of the characteristics of SWIM, a flexible and fine-grained access control scheme based on ABAC and XACML is proposed to ensure the security of private data in SWIM.

4.1. SWIM Access Control Framework

SWIM has the characteristics of distribution and open network. It contains massive aviation data. In SWIM, user nodes are constantly moving, and accessible resources are updated in real time [15]. ABAC supports dynamic access control management by changing attribute values without changing the subject-object relationship that defines the underlying access control policy [29]. An ABAC rule is a tuple that specifies a collection of users, objects, operations, and constraints involving user and object properties [30]. In ABAC, a principal’s request to perform an action on an object is granted or denied based on the principal’s assigned attributes, the object’s assigned attributes, environmental conditions, and a set of policies specified based on those attributes and conditions [31]. In this chapter, we propose the SWIM access control framework.

The overall framework of the access control scheme is shown in Figure 3, which mainly includes policy execution point (PEP), policy decision point (PDP), policy administration point (PAP), and attribute authority (AA). The PEP, PDP, PAP, and AA are responsible for the context conversion of the access request; determining whether the request conforms to the corresponding authorization policy and returns the determination result; managing the authorization policy of various service information; and managing various attributes of SWIM, respectively.

The service requester finds the SWIM service node containing the request information or the corresponding copy through the FIB of each node in the transmission path and transmits the original access request (NAR) to the PEP of the node. On the basis of the access request information in the NAR, the PEP requests various types of attributes from the AA, uses these attributes to construct an attribute-based access request (AAR), and transmits it to the PDP. The PDP requests the matching authorization policy from the PAP in accordance with the naming of the service information requested in the AAR, determines the access authority by using the attribute information in the AAR and the association relationship of the access structure in the policy, and finally returns the determination result to the PEP. If the result of the determination is that access is permitted, the PEP returns the corresponding service information from the local CS to the requester; if the authority determines that the access is denied, the PEP returns the corresponding failure information.

4.2. Improved XACML Authorization Model

Formulation of an authorization policy is a prerequisite for implementing access control. XACML is a typical descriptive language in the ABAC environment [32]. We use the XACML language and the ABAC model to create access control policies [33]. XACML is based on XML and has good versatility, scalability, and platform independence. It describes access control requests and policies through attributes in subjects, resources, behaviors, and environmental information. Rules in XACML evaluate incoming access requests based on conditions passed using attribute expressions. However, XACML has a complex structural hierarchy where security policies are very flexible, and the range of attribute values defined by the policies is likely to overlap [34].

As a complete access control mechanism, XACML provides a flexible set of policy representation methods. With <Policy> as the root element of the policy, two child elements <Target> and <Rule> are defined below. <Target> indicates the target, which can be divided into the target targeted by the overall strategy and the target targeted by the location rule. <Rule> represents the rule and is an important part of the strategy. Each strategy can consist of one or more rules, and each rule needs to build an application environment together by using <Target> and <Condition>. The various attribute information of the two can be represented by four elements: <Subject>, <Resource>, <Action>, and <Condition> [35].

To enhance the ability of the strategy to express, the original XACML sets the child element <Subject> in the subject element <Subjects> for implementing the OR operation between the subject users. Hence, one XACML access policy can control multiple different subjects. While this approach enhances flexibility, the same attributes that exist between different users generate redundant information, resulting in increased storage overhead.

This study tests the storage space occupied by multiple groups of access policies with different attribute numbers and takes the average value. The experimental results are shown in Figure 4. As the number of attributes in the policy increases, the proportion of the space occupied by the attribute set in the policy increases. When the policy contains 10 attributes, the attribute set accounts for 80.3% of the total storage space. When the attribute exceeds 25, the proportion reaches 90.8%. Therefore, the attribute set is the main component of the strategy. Decreasing the redundant attribute information can effectively reduce the storage space of the policy.

Given that the cache-and-forward mechanism is the basis for SWIM to implement efficient information interaction, the storage capacity of CS in the service node directly affects the information transmission efficiency in the system. To allocate as much space as possible to the CS in exchange for enhanced transmission efficiency, the original XACML authorization model is improved. The improved model is shown in Figure 5.

In this scheme, the element in the section describing “users” in XACML policy description language is improved, and four attributes such as Group, Threshold, Extern Group, and Extern Threshold are added to the element. The current packet, the threshold value of the current packet, the external packet, and the threshold value of the external packet are, respectively, represented in the improved XACML authorization model. During XACML access control, different subpolicies are grouped to establish connections between these subpolicies, and external department limits are set according to access policies. Finally, Group, Threshold, Extern Group, and Extern threshold of each attribute in the policy are assigned by Group. By introducing these attributes and using the concept of threshold, the logical operation mode in the policy is expanded and the expression ability of the policy is enhanced.

In addition, XACML specifies four combination algorithms [36] to resolve the policy problem of the same resource managed by different PAPs. The rejection priority algorithm is adopted in the scheme. If a rule or policy application obtains a rejection result, then the user does not have the permission. The scope of the authority is further narrowed to ensure the security of service information.

The improved policy description method realizes flexible transformation between XACML and Boolean expression and can combine multiple access policies of the same service information into one description, which has good expression ability. The above improvements led to the optimization of ABAC model, which simplified the decision point for strategy traversal process, improved the efficiency of the matching attributes, enriched the access strategy expression type, effectively saved the storage space, and improved the whole performance of this scheme. This method is also the basis of attribute matching algorithm in subsequent chapters.

4.3. Attribute Association Algorithm

Attribute association is a process of associating and matching the attribute set possessed by the requester with the access structure in the corresponding resource strategy and obtaining the determination result. It is an important step for authority determination. In this scheme, a linear secret sharing scheme (LSSS) matrix is difficult to design for its abstract mathematical structure [37], but it has good application in attribute association. To express the LSSS matrix structure, LSSS and the monotone span program (MSP) are introduced and combined with the improved XACML to design a flexible attribute association algorithm.

4.3.1. Basic Theory

If a secret sharing scheme for a set of participants is linear over a finite field , then the following properties should be met [38]:(1)Everyone is distributed a share [39].(2)There is a shared generation matrix for the sharing scheme . Suppose rows and columns exist in , for all , the first row of the matrix is marked as a participant by . is a mapping from of participant set . At the same time, there is an -dimensional column vector . is the secret value to be shared, and is a random number. Then, is the secret sharing value in the secret sharing scheme , and the secret value belongs to the participant .

All the LSSS follow the above definition and have corresponding secret recovery algorithms. If the scheme is for the LSSS of the access structure , for the authorization set , let ; a set of recovery coefficients can be calculated to make , such that can be calculated and the original secret value can be restored [40].

Calculating the recovery coefficient is essentially a linear equation solving problem. can be found in polynomial time associated with the size of the shared secret matrix . For unlicensed collections, there is no corresponding recovery coefficient, which guarantees the security of LSSS.

4.3.2. Algorithm Design

In this scheme, the SWIM attribute corresponds to the participant in the LSSS concept, and the access right corresponds to the secret value to be shared. That is, each row vector in the secret sharing matrix is marked as an attribute by , and the authority information is scattered into attributes in the form of secret shared values. If the user’s attribute set satisfies the access structure in the corresponding policy, then the user can recover the authority value through the secret recovery algorithm and obtain the corresponding operation authority.

The implementation flow of the attribute association algorithm is shown in Figure 6, which mainly includes three steps: structural transformation, secret sharing matrix generation, and authority determination. This section elaborates the algorithm steps.

(1) Structural Transformation. The transformation structure is mainly for two aspects. They are the access structures of the attribute set in the access request and of the access control policy corresponding to the subscribed service. The original tree structure should be converted into a standard Boolean type. A Boolean expression is a way to describe a logical relationship by using attribute and threshold values. It is concise and flexible and is the basis for subsequent steps.

For example, the flight plan service strategy issued by Air China stipulates that the intelligence service of the flight service report room of the North China Air Traffic Control Administration and the executives within Air China can subscribe. The corresponding strategy is converted into a standard Boolean strategy:

(2) Generation of Secret Sharing Matrix. After the previous step of structural transformation, the Boolean expression of the access strategy is obtained. In this step, the MSP is used to process the strategy further, generate a secret sharing matrix, map each row vector in the matrix to the attribute, and form an access structure in the form of a matrix and a mapping finally.

Through the logical relationship of Boolean expressions, the strategy can be decomposed into several subelements. This method will transform the strategy layer by layer in units of subelements. The child element can either be a decomposed subpolicy or an attribute value. The MSP uses the threshold to convert the child elements into a matrix form [41], where represents the threshold value and represents the number of attributes in the child element. A generation matrix for a threshold can be expressed as

Suppose the original matrix is , where expresses the subelements decomposed in this operation mapped to the corresponding row vectors in the matrix. Let , , represent the row vector. Owing to the layer-by-layer decomposition, there is only one row vector in this method.

Assuming that the matrix is generated by the MSP on the basis of the threshold , let . is the first column element of , which can be written as . Let , and the result of each recursion is

The above operation is looped until all the child elements in the expression are decomposed into a single attribute value, and the corresponding secret sharing matrix and its mapping can be obtained. After conversion in the previous step, the corresponding results are as follows:

4.4. Performance Analysis

This section mainly analyzes the attribute association algorithm and overall performance in the scheme.

As the number of attributes increases, the structure of the access policy will be more complicated, and the attribute association time will also increase. The relationship between the permission judgment time and the number of attributes of the attribute association algorithm is verified. The experiment uses a SWIM user with 5 attributes to initiate 100 subscription requests for the service corresponding to the access policy with 5 to 50 attributes, records the permission determination time, and calculates the average time. Table 3 shows the test results. The permission judgment time increases with the increase in the attribute value. When the quantity of attributes increases from 5 to 50, the time only increases by nearly 9 ms, and the growth trend is inevident.

Given that SWIM is still in the construction stage, no specific technical indicators exist for access control functions. To verify the performance of the solution, this section compares the open-source XACML solutions provided by Sun and tests the time of the attribute association algorithm and the overall solution. The experimental method is the same as the above experiment, which uses the same user to subscribe to the service corresponding to the access policy containing different attribute numbers multiple times and records the corresponding time. The experimental results are shown in Figure 7.

Figure 7(a) shows the performance comparison of the attribute association methods in the two schemes. As the LSSS and the MSP are introduced into the scheme, the matching speed is slower, and it is more time-consuming than the original scheme.

However, the slopes of the two curves in the figure demonstrate that the two schemes have similar growth rates with the increase in the quantity of attributes. The strategies in each of the two schemes add 45 attributes, and the time increases by 8.876 and 8.816 ms. Therefore, the scheme does not cause the system performance to deteriorate due to the increase in the quantity of attributes.

Figure 7(b) shows a comparison of the overall performance of the two schemes. The time overhead of this solution is significantly smaller than the original scheme, and this solution has better performance. Although the scheme consumes more time in the attribute association method, the time cost of the overall scheme is similar to the method itself. The original scheme also has preorder work, such as policy traversal, which greatly reduces the overall performance of the scheme.

Compared with the original XACML access control scheme, this scheme designs an attribute association method based on LSSS in the permission determination process, which increases the attribute association time compared with the total access control time of the original scheme, so the time complexity increases. However, the attribute association algorithm designed in this scheme, combined with the improved XACML policy description language, can support access policies with richer expressive capabilities, optimize the performance of policy expression, and make access policies correspond to SWIM service information. The SWIM system involves a large number of civil aviation business applications. The civil aviation business data are shared through the subscription and publishing function, which consumes a lot of memory resources and increases the space complexity. However, the SWIM subscription and publishing function is not sensitive to time complexity. There may be a certain time delay in shared data, and the priority of space complexity is higher than that of time.

5. Simulation Experiment and Result Analysis

5.1. Experimental Environment

On the basis of SWIM’s architectural features and business processes, an experimental environment is built, which deploys access control solutions to the system and tests them. Figure 8 shows the network topology of the experimental environment.

The experiment simulates the information interaction between multiple departments of the two SWIM access nodes of the airline and the Air Traffic Control Bureau. The service information involved is derived from the real civil aviation network.

5.2. Stress Testing

With the stress test tool LoadRunner 11.0, the overall program performance is evaluated. It compares the test results with the original XACML solution to evaluate whether the solution is suitable for SWIM simulation environment. The test cases are shown in Table 4.

In accordance with the SWIM system architecture, the access control function is deployed on each access node. Therefore, the test environment of the performance indicator should be based on the actual operating environment of the node. Given that some copies of service information are stored on each node, the number of concurrent accesses of resources by users to the same node is effectively alleviated. Combined with the basic configuration of the experimental platform, the performance of the solution is tested in an environment where 100 users access the same type of service information concurrently.

The initial number of users in the test script is 20, and 20 users are added every 10 s until 3 min after the increase to 100 users. Then, 20 users are reduced every 10 s until all the users in the system are logged off. The average transaction response time and CPU usage are the main indicators in the test.

Figure 9 shows the average transaction response time of the two schemes during the test. The average transaction response time increases with the quantity of concurrent users. When the user reaches the peak, the response time of the two schemes is stable at 0.163 and 0.121 s. Compared with the original scheme, the average response time of the proposed scheme is reduced by 0.042 s, and the maximum response time is reduced by 0.064 s. Therefore, the scheme is slightly faster than the original scheme in execution speed.

Figure 10 shows the CPU usage of the two schemes during the test. As the quantity of concurrent users increases, the CPU usage also increases. When the concurrent amount reaches the peak, the CPU usage of the two schemes is stable at 32.046% and 35.847%. The proposed scheme has better performance than the original XACML scheme.

In accordance with the number of transaction passes and the number of transaction failures in the system’s stress test statistics, the success rate of this solution can reach 99.75%. This finding indicates that the scheme can be used normally in a relatively conserved SWIM environment.

Lastly, the performance of the two schemes in different concurrent environments is compared by comparing the number of users in the above test cases. The comparison results are shown in Figure 11.

Figure 11 depicts that when the quantity of users increases from 50 to 200, the average response time of the two schemes increases with the number of users; when the number of users increases from 200 to 500, the average response time of the two schemes stabilizes at 0.160 and 0.198 s. The reason is that the bandwidth of the experimental platform is limited, and the total amount of transactions tested does not increase indefinitely. When the user reaches a certain amount, the throughput, the number of clicks, and the total amount of transactions are at fixed values, resulting in stable response time. In accordance with the curve change in the figure, the performance of the proposed scheme is better than that of the original XACML scheme in the rising phase with lower concurrency and in the stable phase with larger concurrency.

6. Security Analysis

The security of this program is mainly analyzed from the following aspects:Availability: In accordance with the routing characteristics in SWIM, users only need to clarify the service information naming rules in the system without having to know the specific location of the requestor or the publisher in the network. This scheme uses XACML to describe the AAR and access policy and utilizes the service information naming as the identifier of the object resource. Therefore, it only needs to obtain the requester attribute set and the requested information naming to complete the determination of the authority, satisfy the SWIM routing features, and ensure the availability of service information.Confidentiality: This scheme is based on the fact that the user has passed the security certification. The user’s attribute set has been verified by a trusted third party and managed by the AA. In this case, the user cannot forge the attribute information, and the attributes carried in the access request are all true.The threshold combines the secret value and random number into rank vector and multiplies it with the multistep coefficient row vector to obtain a secret share value, which is distributed to multiple users. The secret value can be reconstructed only if or more than users jointly decrypt by using part of the secret information held.The attribute association algorithm of the scheme is based on the threshold secret sharing algorithm, and the permission value is dispersed into each attribute. Only when the number of attributes of the user reaches the threshold value and the user is determined as an authorized user, the confidentiality of the privacy information in the system can be guaranteed.In addition, as multiple users cannot aggregate attributes, unauthorized users cannot collude to obtain access rights. Given that the permission value uses the system time as the seed value for each judgment, the permission value is randomly generated, and the attacker cannot obtain SWIM data from the previously intercepted permission value.Integrity: Owing to the flexible naming scheme in SWIM, the elements in the name are not required to be human readable, such that message digest can be added to the URL naming rules. Each user generates local digest only following the Hash algorithm specified in SWIM. Comparing the local digest and information naming can ensure that the information has not been tampered during the transmission process. Information integrity protection in SWIM is then realized.

7. Conclusion

In consideration of the business process in China’s civil aviation, the characteristics of SWIM, and its security requirements, an ABAC scheme for SWIM environment is proposed. This scheme combines the improved XACML to design an access control framework. On this basis, an attribute association method is designed to support a strategy with enhanced representation capability. The performance test results show that compared with the original XACML, although the attribute association algorithm in the proposed scheme takes a long time, the overall performance is improved and some of the policy storage space is saved. The stress test results show that the technical indicators in the proposed scheme are superior to those in the original XACML. However, the attribute association algorithm in this article essentially uses the time complexity to exchange the space complexity. In terms of the algorithm alone, the proposed scheme takes more time than the original scheme. In the future, the efficiency of the algorithm should be improved by simplifying the algorithm flow and optimizing the algorithm structure.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This research was funded by the National Natural Science Foundation of China (Grant nos. U1933108, 62172418, and U2133203), the Scientific Research Project of Tianjin Municipal Education Commission (Grant no. 2019KJ117), and the Open Fund of Key Laboratory of Airworthiness Certification Technology of Civil Aviation Aircraft (SH2021111907).