CN114978627A - Method and system for controlling data authority of big data - Google Patents

Info

Publication number
CN114978627A
Authority
CN
China
Legal status
Pending
Application number
CN202210509242.8A
Other languages
Chinese (zh)
Inventor
黎嘉慧
Current Assignee
Hunan Bmw Culture Communication Co ltd
Original Assignee
Hunan Bmw Culture Communication Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security


Abstract

The invention discloses a data authority control method for big data, comprising the following steps: a plurality of UEs access data on an SD-WAN platform through an SDP proxy, and the SD-WAN platform records user logs of the plurality of UEs; the SD-WAN platform performs hierarchical processing on the user logs of the plurality of UEs; a plurality of SASE vendors send user log access requests to the SD-WAN platform through a SASE gateway; and the SD-WAN platform sets permissions for the SASE vendors and, based on the correspondence between the permissions of the different SASE vendors and the user log levels, pushes the user logs matched with each SASE vendor to that vendor.

Description

Method and system for controlling data authority of big data
Technical Field
The invention belongs to the technical field of information, and particularly relates to a method and a system for controlling data authority of big data.
Background
Currently, a network provider and the SASE (Secure Access Service Edge) security resource pools of individual enterprises/vendors cooperate to import user traffic through the network provider's own SD-WAN platform. The SD-WAN platform splits and steers the user traffic that accesses the cooperative security pool, per application of interest to the user, so as to avoid a performance bottleneck when the traffic volume is too large.
However, while the SASE secure resource pool provides its service, the access control measures adopted by SASE technology are only refined to the level of the whole log data: the granularity is coarse, effective and accurate hierarchical classification control cannot be achieved, and security is reduced.
Disclosure of Invention
The invention provides a method and a system for controlling data authority of big data, which solve the problem of low security of SASE resource pool access control measures in the prior art and effectively improve the overall security of SASE resource pool management and control.
In order to achieve the above object, the present invention provides a method for controlling data permission of big data, comprising:
a plurality of UE carry out data access to an SD-WAN platform through an SDP agent, and the SD-WAN platform records user logs of the plurality of UE;
the SD-WAN platform performs hierarchical processing on user logs of the plurality of UEs;
a plurality of SASE manufacturers carry out user log access requests to the SD-WAN platform through an SASE gateway;
and the SD-WAN platform sets the permissions to the SASE manufacturers, and pushes the user logs matched with the different SASE manufacturers to the corresponding different SASE manufacturers based on the corresponding relation between the permissions of the different SASE manufacturers and the user log levels.
Optionally, the SD-WAN platform performs hierarchical processing on the user logs of the plurality of UEs, including:
extracting the characteristics of the user logs, extracting keywords, value ranges and parameter types of the user logs, carrying out classification management on the sensitive logs, and outputting the types of the sensitive logs;
setting an encryption level of the user log based on the access authority of the UE;
and outputting the user log level based on the sensitive log type and the encryption level, wherein the user log level is a secret level S level, a heavy encryption level A level, a light encryption level B level and a non-encryption level C level.
Optionally, the extracting the features of the user log to extract the keywords, the value ranges, and the parameter types of the user log includes:
and extracting the characteristics of the user log through an artificial intelligence algorithm, extracting keywords, value ranges and parameter types of the user log, and acquiring the similarity degree of the keywords and the occurrence frequency of the similarity value.
Optionally, the SD-WAN platform performs permission setting to the multiple SASE vendors, including:
the SD-WAN platform acquires private keys in user log access requests of a plurality of SASE manufacturers;
and performing initial authority distribution of the plurality of SASE manufacturers based on the private key, wherein the authority is divided into a total manager authority S 'level, a partial manager authority A' level, a total visitor authority B 'level and a partial visitor authority C' level.
Optionally, after the initial permission assignment of the plurality of SASE vendors based on the private key, the method further comprises:
changing the initial authorities of the SASE manufacturers, wherein the changed authorities are the total manager authority $S_1'$, $S_2'$ and $S_3'$ levels, the partial manager authority $A_1'$, $A_2'$ and $A_3'$ levels, the total visitor authority $B_1'$, $B_2'$ and $B_3'$ levels, and the partial visitor authority $C_1'$, $C_2'$ and $C_3'$ levels.
Optionally, the method further comprises:
establishing a corresponding relation between SASE manufacturer authority and user log level, comprising the following steps:
setting a user log level matrix $P = [S, A, B, C]$;
setting a changed authority matrix $Q$ for the plurality of SASE vendors:
(the authority matrix $Q$ is given as an image in the original and is not reproduced here)
And determining the corresponding relation between the SASE manufacturer authority and the user log level based on the user log level matrix P and the authority matrix Q.
Optionally, determining a corresponding relationship between the SASE vendor authority and the user log level based on the user log level matrix P and the authority matrix Q includes:
multiplying the user log level matrix P and the authority matrix Q to obtain a product matrix R, and performing multi-level authority adaptive matching on each element in the R, or,
and convolving the user log level matrix P and the permission matrix Q to obtain a convolution matrix R ', and performing multi-level permission adaptive matching on each element in the R'.
Optionally, after the pushing the user logs matched with the different SASE vendors to the corresponding different SASE vendors, the method further includes:
acquiring the modification content and the modification frequency of the SASE manufacturer to the user log;
acquiring a pointer corresponding to the modified content based on the modified content and the modification frequency, and acquiring block source data corresponding to the modified content through the pointer, wherein the block source data comprises a first intelligent contract;
and performing authority verification on the modified content and the modified frequency, judging whether the modified content and the modified frequency meet the terms defined by the first intelligent contract, if so, passing the authority verification, and recording the authority verification in a block chain channel of the SD-WAN platform.
The embodiment of the invention also provides a data authority control system of big data, which comprises a plurality of UE, SDP agents, an SD-WAN platform, a plurality of SASE manufacturers and an SASE gateway, wherein,
the multiple UEs are used for carrying out data access to an SD-WAN platform through SDP agents, and the SD-WAN platform is used for recording user logs of the multiple UEs and carrying out hierarchical processing on the user logs of the multiple UEs;
the SASE manufacturers are used for carrying out user log access requests to the SD-WAN platform through an SASE gateway;
the SD-WAN platform is further used for setting permissions to the SASE manufacturers and pushing user logs matched with different SASE manufacturers to the corresponding different SASE manufacturers based on the corresponding relation between the permissions of the different SASE manufacturers and the user log levels.
The embodiment of the invention provides a data authority control system of big data, which comprises a memory and a processor, wherein computer executable instructions are stored on the memory, and the processor realizes the method when running the computer executable instructions on the memory.
The method and the system of the embodiment of the invention have the following advantages:
in the embodiment of the invention, the user logs of each UE acquired by the SASE resource pool are subjected to grading processing, the authorities of each manufacturer in the SASE resource pool are classified, the user logs and the manufacturer authorities are correspondingly matched based on the grading of the user logs and the classification of the manufacturer authorities, and finally the user logs matched with one SASE manufacturer are pushed to the SASE manufacturer. The overall safety is greatly improved.
Drawings
FIG. 1 is a diagram of a data authority control system architecture for big data in one embodiment;
FIG. 2 is a flow diagram of a method for data authority control of big data in one embodiment;
FIG. 3 is a block chain memory structure diagram of a block header in one embodiment;
FIG. 4 is a diagram of a Merkle root data structure in one embodiment;
FIG. 5 is a diagram illustrating the hardware components of the system in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Fig. 1 is a Network architecture diagram of an embodiment of the present invention, and as shown in fig. 1, the embodiment of the present invention includes a Software Defined Wide Area Network (SD-WAN) platform 10, an SDP proxy 11, a user terminal UE12, a plurality of SASE vendors 13, and a SASE gateway 14. The SD-WAN platform 10 includes a data warehouse and a central server, and is configured to perform different control and operation on each vendor in the SASE resource pool, continuously collect data access requests sent by different UEs, complete data interaction of the UEs, and continuously generate user logs of different UEs, so that each SASE vendor at the back end can call and refer the user logs. The SDP proxy 11 is a proxy for the UE12 to access to the SD-WAN platform, and can safely access to the SD-WAN platform through the SDP proxy; the SASE manufacturers 13 are located at the back ends of the SD-WAN, share various resources of the SD-WAN platform in a secure resource pool mode, and receive control of the SD-WAN platform, and the SASE manufacturers 13 do not have access capability and need to access through the SASE gateway 14, so that various interactions of the SASE manufacturers actually complete the interactions with the SD-WAN platform through the SASE gateway.
In the embodiment of the invention, when the UE is accessed to the SD-WAN platform through the SDP agent, the SD-WAN platform needs to set a certain access control strategy to set the authority of various operations of the UE, and sets the authority of the user log based on the corresponding authority so as to match the acquisition of the corresponding SASE manufacturer.
Fig. 2 is a flowchart of authority control in the embodiment of the present invention, and as shown in fig. 2, the embodiment of the present invention includes the following steps:
s101, a plurality of UE carry out data access to an SD-WAN platform through an SDP agent, and the SD-WAN platform records user logs of the UE;
Before the plurality of UEs access the SD-WAN platform, they must pass security verification through the SDP agent; only after the verification is passed do they access data on the SD-WAN platform through the SDP agent. Generally speaking, the security verification and authentication can be carried out through a handshake protocol, after which data interaction takes place; the interaction content can take various forms.
S102, the SD-WAN platform carries out hierarchical processing on user logs of the UE;
In the prior art there is no good hierarchical processing mechanism for user logs, so high-authority SASE vendors of every kind can access any user log indiscriminately, and can even tamper with part of the user logs to bypass a subsequent access control mechanism.
Hierarchical processing of the user logs is essentially a fine-grained control measure. When implementing it, the user logs must be assigned a level, and for the user logs at each level, the objects allowed to access them and the operations they are allowed to perform must all be set with strict logic; common operation authorities include, for example, readable, writable, and readable-and-writable.
In the embodiment of the present invention, the classification processing may specifically include the following steps:
S1021, extracting the characteristics of the user logs, extracting keywords, value ranges and parameter types of the user logs, performing sensitive log classification management, and outputting sensitive log types; this includes extracting features of a user log through an artificial intelligence algorithm, extracting keywords, value ranges and parameter types of the user log, and obtaining the similarity degree of the keywords and the occurrence frequency of the similarity value. The artificial intelligence algorithm can be a common, relatively conventional NLP (natural language processing) method, which is not described further here.
In addition, in the embodiment of the invention, the sensitive log comprises one or more sensitive expressions or sensitive words, the sensitive expressions and the sensitive words are specified by the SD-WAN, and if the sensitive expressions or the sensitive words are identified, the user log is marked as the sensitive log. And different sensitive expressions have different corresponding sensitive types, different corresponding encryption levels and different operation authorities, and can be preset by an SD-WAN platform.
S1022, setting the encryption level of the user log based on the access authority of the UE; in the embodiment of the present invention, the access right is determined based on an initial setting of the UE, for example, the UE may be classified into a high security level, a medium security level and a low security level, the access right may be set as an unreadable, readable, writable, readable and writable security access right, and an encryption level corresponding to the access right may also be adaptively set based on different scenarios.
And S1023, outputting the user log level based on the sensitive log type and the encryption level, wherein the user log level is a secret level S level, a heavy encryption level A level, a light encryption level B level and a non-encryption level C level respectively.
After the SD-WAN platform obtains the sensitive log type and the encryption level, the user log level can be set. The secret level S means that only a very small number of SASE vendors can obtain such logs, and that further refinement and distinction are required after the log is obtained, that is, different operation permission determinations on the user log still need to be performed. The heavy encryption level A and the light encryption level B are the two commonly used types: the heavy encryption level is generally encrypted with an asymmetric encryption algorithm, with high encryption strength and high decryption difficulty, whereas the light encryption level is encrypted with a simpler symmetric encryption algorithm, with relatively low encryption strength and relatively low decryption difficulty. In the embodiment of the present invention, heavy and light are relative expressions, and may also be expressed as a first encryption level and a second encryption level.
S103, a plurality of SASE manufacturers carry out user log access requests to the SD-WAN platform through an SASE gateway;
after the level of the user log is set in the S102, an SASE manufacturer carries out an access request of the user log to the SD-WAN platform through an SASE gateway so as to obtain the user log and carry out operations such as background user portrait and the like.
And S104, the SD-WAN platform sets the permissions to the SASE manufacturers, and pushes the user logs matched with the different SASE manufacturers to the corresponding different SASE manufacturers based on the corresponding relation between the permissions of the different SASE manufacturers and the user log levels.
In the embodiment of the present invention, the SD-WAN platform performs permission setting for a plurality of SASE vendors, which may be divided into initial setting and change setting, where the initial setting specifically is:
the SD-WAN platform acquires private keys in user log access requests of the SASE manufacturers; after generating the access request message, the SASE manufacturer sets a private key in the message so that the SD-WAN performs authority distribution based on the private key.
Initial authority distribution of the SASE vendors is then performed based on the private key, where the authority is divided into a total manager authority S' level, a partial manager authority A' level, a total visitor authority B' level and a partial visitor authority C' level. The total manager authority has all access permissions and editing permissions (developer permissions) and may modify user logs arbitrarily; correspondingly, the partial manager authority has only part of the access and editing permissions and may modify user logs only within a limited range. Unlike the managers, the visitor authorities have no editing permission but only access permission: the total visitor authority can access all the contents of a user log but cannot modify them, and the partial visitor authority can access only part of the contents of a user log and cannot modify them.
The change setting is specifically as follows:
changing the initial authorities of the SASE manufacturers, wherein the changed authorities are the total manager authority $S_1'$, $S_2'$ and $S_3'$ levels, the partial manager authority $A_1'$, $A_2'$ and $A_3'$ levels, the total visitor authority $B_1'$, $B_2'$ and $B_3'$ levels, and the partial visitor authority $C_1'$, $C_2'$ and $C_3'$ levels. That is, on the basis of the S', A', B' and C' levels, each authority level is subdivided more finely: the S' level is divided into three levels $S_1'$, $S_2'$ and $S_3'$, and the remaining authorities are divided into three levels in the same way.
After the change setting of the SASE vendor authority is performed, the SD-WAN platform needs to establish a corresponding relationship between the SASE vendor authority and the user log level, specifically,
the SD-WAN platform sets a user log level matrix $P = [S, A, B, C]$;
sets a changed authority matrix $Q$ for the plurality of SASE vendors:
(the authority matrix $Q$ is given as an image in the original and is not reproduced here)
And determining the corresponding relation between the SASE manufacturer authority and the user log level based on the user log level matrix P and the authority matrix Q.
For example, multiplying the user log level matrix P and the permission matrix Q to obtain a product matrix R, and performing multi-level permission adaptive matching on each element in R, or,
and convolving the user log level matrix P and the permission matrix Q to obtain a convolution matrix R ', and performing multi-level permission adaptive matching on each element in the R'. Wherein R or R' may be represented as:
(the matrix $R$ or $R'$ is given as an image in the original and is not reproduced here)
As can be seen, $R$ can be divided into classes 1 to 12, denoted $S_1'$ through $C_3'$ respectively, which are set by jointly considering the user log levels and the SASE vendor authorities at their different levels; the corresponding operation authorities are completely different from one class to another.
In the embodiment of the invention, in order to ensure the consistency of modification and prevent malicious tampering, the embodiment of the invention also calls a block chain technology to ensure the consistency of modification modes. After the user logs matched with the different SASE vendors are pushed to the corresponding different SASE vendors, the method further comprises the following steps:
acquiring the modification content and the modification frequency of the SASE manufacturer to the user log;
acquiring a pointer corresponding to the modified content based on the modified content and the modification frequency, and acquiring block source data corresponding to the modified content through the pointer, wherein the block source data comprises a first intelligent contract;
and performing authority verification on the modified content and the modified frequency, judging whether the modified content and the modified frequency meet the terms defined by the first intelligent contract, if so, passing the authority verification, and recording the authority verification in a block chain channel of the SD-WAN platform.
The block chain technology provides the capabilities of data on the chain of not being tampered, sharing a searchable record on the chain and the like, provides a multi-party trust and data sharing mechanism, and can realize the traceability management of the life cycle of the data by utilizing a shared record book. The block chain has the characteristics of tamper resistance, traceability, high safety and the like, and can effectively solve the problems of source data tampering, deletion, safety and the like in the current data management.
In the embodiment of the present invention, the block chain may be divided into one or more channels, each channel is a physical block chain, and is isolated from data of other channels for storage and transmission, and data can only be accessed by a participant of the channel. The cloud server can set a block chain channel according to the source data collected by the data terminal, and the block chain channel comprises block data stored in a chain manner.
Fig. 3 is a data structure diagram of the block source data into which the block data is inserted. As shown in fig. 3, the root node is a kind of block source data, the parent nodes are the individual block source data, and the child nodes are of two types, namely block data and original data; the original data includes the access data content, access frequency and access location. According to the block chain storage mechanism, the block data of each block source data points to the next block data. Each block data comprises an intelligent contract, a block header and a block body. The block header comprises the block height (the number of blocks from this block to the block header on the block chain), the hash value of the previous block, the Merkle root, the transaction number and timestamp information, and the block body comprises the source data type, the data size and the data terminal corresponding to the source data. In addition, the block header also contains a pointer to the hash value of the previous block header, which is the key factor preventing the block chain from being tampered with: in block chain technology each block contains the hash values of all data records of the previous block, so the newest block always indirectly contains the data information of all previous blocks. If any data information in the block chain is changed, the hash values of all following blocks change and verification fails. Therefore, verifying the hash value of the last block is equivalent to verifying the entire ledger, and such a block chain constitutes an easily verifiable, tamper-evident overall ledger.
The block chain memory structure of the block head is shown in fig. 4.
The block header hash value is calculated by applying SHA3-256 twice to the previous block hash, the timestamp and the Merkle root. The Merkle root node is the hash value at the root of the Merkle tree formed from all the service data in the block; a structural schematic diagram is shown in fig. 5. The hash value generation algorithm above mainly uses the SHA3-256 hash algorithm, which converts an input of arbitrary length into an output of fixed length; it is a one-way function, difficult or impossible to reverse, and is the most secure hash algorithm at present.
The intelligent contract is arranged in an independent space of the block head and is responsible for the authority control of the block chain channel, the storage of the block chain data and the access of the data, and the authority can be only given if the terms of the intelligent contract are met, so that the block chain data can be accessed and updated. In addition, the intelligent contract is also an interface for interaction between the block chain network and the outside, and is provided with an internal access SDK (software development kit) of the block chain and the like, so that a user can conveniently obtain data on the chain. The role and the user of the access data are limited through the intelligent contract and the access control strategy, more flexible access authority control is provided through the intelligent contract, and different strategies can be formulated for nodes, organizations, roles and users.
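The modification-verification steps and the block chain channel described above, as an added illustration that is not the patent's own code: the Merkle root and the double SHA3-256 header hash follow the text, while the block and record field layout, the contract terms (editable fields and a maximum modification frequency per vendor) and the timestamps are assumptions chosen for this example.

```python
"""Added example, not code from the patent: a minimal block chain channel of the
SD-WAN platform. Merkle root and double SHA3-256 header hash follow the text;
block/record layout, contract terms and timestamps are assumptions."""
import hashlib
import json
from dataclasses import dataclass


def sha3(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()


def merkle_root(records):
    """Merkle root over the block's service data: hash each record as a leaf, then
    pair the hashes up level by level (the last hash is duplicated on odd levels)."""
    level = [sha3(json.dumps(r, sort_keys=True).encode()) for r in records]
    if not level:
        return sha3(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha3((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


def header_hash(prev_hash, timestamp, root):
    """Block header hash: SHA3-256 applied twice to previous hash, timestamp and Merkle root."""
    first = sha3(f"{prev_hash}|{timestamp}|{root}".encode())
    return sha3(first.encode())


@dataclass
class Block:
    height: int
    prev_hash: str
    timestamp: int
    records: list
    merkle_root: str = ""
    digest: str = ""

    def seal(self):
        self.merkle_root = merkle_root(self.records)
        self.digest = header_hash(self.prev_hash, self.timestamp, self.merkle_root)
        return self


@dataclass
class Contract:
    """First intelligent contract: terms a vendor's modification must meet (assumed)."""
    editable_fields: frozenset
    max_modifications: int   # per vendor, counted over the channel's whole history

    def permits(self, record, history):
        """Authority verification on the modification content and modification frequency."""
        if not set(record["fields"]) <= self.editable_fields:
            return False
        prior = sum(1 for r in history if r["vendor"] == record["vendor"])
        return prior + 1 <= self.max_modifications


class Channel:
    """One block chain channel of the SD-WAN platform, starting from a genesis block."""
    def __init__(self, contract):
        self.contract = contract
        self.blocks = [Block(0, "0" * 64, 0, []).seal()]

    def history(self):
        return [r for b in self.blocks for r in b.records]

    def record_modification(self, record, timestamp):
        """Append the verified modification record; return False and append nothing otherwise."""
        if not self.contract.permits(record, self.history()):
            return False
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.height + 1, prev.digest, timestamp, [record]).seal())
        return True

    def verify(self):
        """Recompute every Merkle root and header hash; any altered record or link fails."""
        for i, b in enumerate(self.blocks):
            expect_prev = "0" * 64 if i == 0 else self.blocks[i - 1].digest
            if b.prev_hash != expect_prev or merkle_root(b.records) != b.merkle_root:
                return False
            if header_hash(b.prev_hash, b.timestamp, b.merkle_root) != b.digest:
                return False
        return True


if __name__ == "__main__":
    ch = Channel(Contract(frozenset({"note", "tag"}), max_modifications=3))
    print(ch.record_modification({"vendor": "A1'", "fields": ["tag"]}, 1))   # allowed
    print(ch.record_modification({"vendor": "A1'", "fields": ["uid"]}, 2))   # field not editable
    print(ch.verify())
    ch.blocks[1].records[0]["fields"] = ["uid"]   # constructed tampering with stored data
    print(ch.verify())                            # chain no longer verifies
```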
The embodiment of the invention also provides a big data authority control system, which comprises a plurality of UE, SDP agents, an SD-WAN platform, a plurality of SASE manufacturers and an SASE gateway, wherein,
the multiple UEs are used for carrying out data access to an SD-WAN platform through SDP agents, and the SD-WAN platform is used for recording user logs of the multiple UEs and carrying out hierarchical processing on the user logs of the multiple UEs;
the SASE manufacturers are used for carrying out user log access requests to the SD-WAN platform through an SASE gateway;
the SD-WAN platform is further used for setting permissions to the SASE manufacturers and pushing user logs matched with different SASE manufacturers to the corresponding different SASE manufacturers based on the corresponding relation between the permissions of the different SASE manufacturers and the user log levels.
The embodiment of the invention provides a data authority control system of big data, which comprises a memory and a processor, wherein the memory stores computer executable instructions, and the processor realizes the method when running the computer executable instructions on the memory.
The method and the system of the embodiment of the invention have the following advantages:
in the embodiment of the invention, the user logs of each UE acquired by the SASE resource pool are subjected to grading processing, the authorities of each manufacturer in the SASE resource pool are classified, the user logs and the manufacturer authorities are correspondingly matched based on the grading of the user logs and the classification of the manufacturer authorities, and finally the user logs matched with one SASE manufacturer are pushed to the SASE manufacturer. The overall safety is greatly improved.
The embodiment of the present invention further provides a system, which includes a memory and a processor, where the memory stores computer-executable instructions, and the processor implements the method when running the computer-executable instructions on the memory.
Embodiments of the present invention also provide a computer-readable storage medium having stored thereon computer-executable instructions for performing the method in the foregoing embodiments.
FIG. 5 is a diagram illustrating the hardware components of the system in one embodiment. It will be appreciated that fig. 5 only shows a simplified design of the system. In practical applications, the systems may also respectively include other necessary elements, including but not limited to any number of input/output systems, processors, controllers, memories, etc., and all systems that can implement the big data management method of the embodiments of the present application are within the protection scope of the present application.
The memory includes, but is not limited to, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a portable read-only memory (CD-ROM), which is used for storing instructions and data.
The input system is for inputting data and/or signals and the output system is for outputting data and/or signals. The output system and the input system may be separate devices or may be an integral device.
The processor may include one or more processors, for example, one or more Central Processing Units (CPUs), and in the case of one CPU, the CPU may be a single-core CPU or a multi-core CPU. The processor may also include one or more special purpose processors, which may include GPUs, FPGAs, etc., for accelerated processing.
The memory is used to store program codes and data of the network device.
The processor is used for calling the program codes and data in the memory and executing the steps in the method embodiment. For details, reference may be made to the description in the method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the division into units is only one logical functional division, and other divisions may be used in practice: a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. The shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, systems or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable system. The computer instructions may be stored on or transmitted over a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that includes one or more of the available media. The usable medium may be a read-only memory (ROM), a Random Access Memory (RAM), a magnetic medium (such as a floppy disk, a hard disk, a magnetic tape or a magnetic disk), an optical medium (such as a Digital Versatile Disk (DVD)), or a semiconductor medium (such as a Solid State Disk (SSD)).
The above is only a specific embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for controlling data authority of big data, characterized by comprising the following steps:
a plurality of UEs perform data access to an SD-WAN platform through an SDP proxy, and the SD-WAN platform records user logs of the plurality of UEs;
the SD-WAN platform performs hierarchical processing on the user logs of the plurality of UEs;
a plurality of SASE vendors send user log access requests to the SD-WAN platform through a SASE gateway;
and the SD-WAN platform sets permissions for the SASE vendors, and pushes the user logs matching the different SASE vendors to the corresponding SASE vendors based on the correspondence between the permissions of the different SASE vendors and the user log levels.
2. The method of claim 1, wherein the SD-WAN platform performing hierarchical processing on the user logs of the plurality of UEs comprises:
extracting features of the user logs, namely the keywords, value ranges and parameter types of the user logs, performing classified management of the sensitive logs, and outputting the sensitive log types;
setting an encryption level of the user log based on the access authority of the UE;
and outputting the user log level based on the sensitive log type and the encryption level, wherein the user log level is one of a secret level (S level), a heavy encryption level (A level), a light encryption level (B level) and a non-encryption level (C level).
3. The method of claim 2, wherein extracting the features of the user log to obtain the keywords, value ranges and parameter types of the user log comprises:
extracting the features of the user log through an artificial intelligence algorithm, obtaining the keywords, value ranges and parameter types of the user log, and obtaining the degree of similarity of the keywords and the occurrence frequency of the similarity value.
4. The method of claim 2, wherein the SD-WAN platform setting permissions for the plurality of SASE vendors comprises:
the SD-WAN platform acquires private keys from the user log access requests of the SASE vendors;
and performing initial authority distribution to the SASE vendors based on the private keys, wherein the authority is divided into a full administrator authority (S' level), a partial administrator authority (A' level), a full visitor authority (B' level) and a partial visitor authority (C' level).
5. The method of claim 4, wherein after the initial authority distribution to the plurality of SASE vendors based on the private keys, the method further comprises:
changing the initial authorities of the SASE vendors, wherein the changed authority is one of the full administrator authorities S1', S2', S3' level, the partial administrator authorities A1', A2', A3' level, the full visitor authorities B1', B2', B3' level and the partial visitor authorities C1', C2', C3' level.
6. The method of claim 5, further comprising:
establishing a correspondence between the SASE vendor authority and the user log level, comprising the following steps:
setting a user log level matrix P = [S, A, B, C];
setting an altered permission matrix Q for the plurality of SASE vendors: Figure FDA0003638638310000021;
and determining the correspondence between the SASE vendor authority and the user log level based on the user log level matrix P and the authority matrix Q.
7. The method of claim 6, wherein determining the correspondence between the SASE vendor authority and the user log level based on the user log level matrix P and the authority matrix Q comprises:
multiplying the user log level matrix P by the authority matrix Q to obtain a product matrix R, and performing multi-level authority adaptive matching on each element in R; or
convolving the user log level matrix P with the authority matrix Q to obtain a convolution matrix R', and performing multi-level authority adaptive matching on each element in R'.
8. The method according to any one of claims 1 to 7, wherein after pushing the user logs matching the different SASE vendors to the corresponding SASE vendors, the method further comprises:
acquiring the modification content and the modification frequency of the SASE vendor for the user log;
acquiring a pointer corresponding to the modified content based on the modified content and the modification frequency, and acquiring block source data corresponding to the modified content through the pointer, wherein the block source data comprises a first smart contract;
and performing authority verification on the modified content and the modification frequency, judging whether they meet the terms defined by the first smart contract, and if so, passing the authority verification and recording the authority verification in a blockchain channel of the SD-WAN platform.
9. A big data authority control system, comprising a plurality of UEs, an SDP agent, an SD-WAN platform, a plurality of SASE vendors and a SASE gateway, wherein
the plurality of UEs are used for performing data access to the SD-WAN platform through the SDP agent, and the SD-WAN platform is used for recording the user logs of the plurality of UEs and performing hierarchical processing on the user logs of the plurality of UEs;
the SASE vendors are used for sending user log access requests to the SD-WAN platform through the SASE gateway;
and the SD-WAN platform is further used for setting permissions for the SASE vendors and pushing the user logs matching the different SASE vendors to the corresponding SASE vendors based on the correspondence between the permissions of the different SASE vendors and the user log levels.
10. A big data authority control system, comprising a memory having stored thereon computer-executable instructions and a processor which implements the method of any one of claims 1 to 8 when executing the computer-executable instructions on the memory.
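Added example, not the patent's own code: a minimal executable model of the level-to-permission matching that claims 1, 2, 6 and 7 describe, pushing to each SASE vendor only the user logs whose level its permission covers. The numeric ranks of the S/A/B/C and S'/A'/B'/C' levels, the sensitive-type floor table, the rule that the correspondence matrix R grants access when the permission rank is at least the log-level rank, and all sample logs and vendors are this example's assumptions; the patent itself does not define them.

```python
# Added example, not the patent's own code: a minimal model of the claimed matching
# of user-log levels (S/A/B/C) to SASE-vendor permissions (S'/A'/B'/C'). The patent
# does not define the numeric encoding of the levels, how P and Q are combined into
# R, or the "adaptive matching" of R's elements; the ordinal ranks and the rule
# "permission rank >= log-level rank grants access" are this example's assumptions.
from typing import NamedTuple

LOG_LEVELS = {"S": 3, "A": 2, "B": 1, "C": 0}       # secret, heavy, light, none
PERMISSIONS = {"S'": 3, "A'": 2, "B'": 1, "C'": 0}  # full admin ... partial visitor
# Assumed floor level per sensitive-log type (the patent only says a type is output).
SENSITIVE_TYPE_FLOOR = {"credential": "S", "identity": "A", "device": "B", "none": "C"}

class UserLog(NamedTuple):
    ue_id: str
    sensitive_type: str    # output of the claimed sensitive-log classification
    encryption_level: str  # set from the UE's access authority (claim 2)

def log_level(log: UserLog) -> str:
    """Claim 2: level from sensitive type and encryption level. Assumption: the
    stricter of the two wins, and unknown inputs fall back to S (fail closed)."""
    floor = SENSITIVE_TYPE_FLOOR.get(log.sensitive_type, "S")
    rank = max(LOG_LEVELS[floor], LOG_LEVELS.get(log.encryption_level, 3))
    return next(lvl for lvl, r in LOG_LEVELS.items() if r == rank)

def correspondence_matrix(P: list, Q: list) -> list:
    """Claims 6-7: R[i][j] = 1 when permission Q[j] may receive logs of level P[i]."""
    return [[int(PERMISSIONS[q] >= LOG_LEVELS[p]) for q in Q] for p in P]

def push_logs(logs: list, vendors: dict) -> dict:
    """Claim 1: each SASE vendor receives only the logs its permission matches;
    a vendor whose permission is not a defined level receives nothing."""
    P, Q = list(LOG_LEVELS), list(PERMISSIONS)
    R = correspondence_matrix(P, Q)
    out = {v: [] for v in vendors}
    for vendor, perm in vendors.items():
        if perm not in PERMISSIONS:
            continue  # deny by default
        j = Q.index(perm)
        out[vendor] = [log.ue_id for log in logs if R[P.index(log_level(log))][j]]
    return out

# Constructed sample input: four UE logs and three vendors.
SAMPLE_LOGS = [
    UserLog("ue-1", "credential", "C"),  # credential content -> S despite no encryption
    UserLog("ue-2", "identity", "A"),
    UserLog("ue-3", "device", "B"),
    UserLog("ue-4", "none", "C"),
]
SAMPLE_VENDORS = {"vendor-full": "S'", "vendor-visitor": "B'", "vendor-bogus": "X"}
```

Calling `push_logs(SAMPLE_LOGS, SAMPLE_VENDORS)` gives the full-administrator vendor all four logs, the full-visitor vendor only the B- and C-level logs, and the vendor with an undefined permission nothing.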

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210509242.8A CN114978627A (en) 2022-05-11 2022-05-11 Method and system for controlling data authority of big data

Publications (1)

Publication Number Publication Date
CN114978627A true CN114978627A (en) 2022-08-30

Family

ID=82981206





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination