CN103116620B - Based on the unstructured data safety filtering method of strategy - Google Patents

Abstract

The invention provides a kind of unstructured data safety filtering method based on strategy, the technology combined by Technology and Administration carries out a kind of method of safety filtering to unstructured data, technically, by the policing rule expression formula specification policing rule of flexible design; In management, by the demand analysis to operation system, managerial personnel and business personnel's Joint Designing go out suitable policing rule, the operating personnel of unstructured data transmission are data interpolation attribute flags information, during filtration, the parameter that policing rule expression formula and label information mate as policing rule is mated, by matching result, safety filtering is carried out to unstructured data.

Description

Policy-based Unstructured Data Security Filtering Method

technical field

The invention belongs to the field of information security, and in particular relates to a policy-based unstructured data security filtering method.

Background technique

With the increasing improvement of social informatization construction, many large enterprises and government departments have realized informatization and digitalization of office operations. However, due to the safety of the initial construction, the network is divided into internal network and external network, resulting in isolated information islands. In order to better serve the users and the public, enterprises or government departments have begun to interconnect their internal networks with the Internet to a limited extent, which brings about the security of data transmission.

The data in network information mainly has two data forms: structured and unstructured. Structured data is often stored in the database in the form of a two-dimensional table. Because the data is easy to extract, it is relatively easy to filter during the interaction process; and like Word , PDF, image, video, etc. have no fixed form of unstructured data. Their data formats are different, and the data content is difficult to extract. How can network switching devices filter them well, and even perform unified security filtering analysis It is a big challenge for current filtration equipment.

The patent application number is CN201110316665.X, and the invention application titled the tag-based unstructured data security filtering method provides a unstructured data security filtering method. Although unstructured data can be filtered, the policy rules are relatively simple , cannot perform policy matching filtering on tagged values of unstructured data in a flexible manner.

Contents of the invention

In order to overcome the above-mentioned defects, the present invention provides a policy-based unstructured data security filtering method, by configuring policy expressions with variables on the server side, designing a policy matching algorithm, and adding tag values for unstructured data on the client side , when the client sends the unstructured data with tagged value to the server, according to the policy expression, the tagged value of the unstructured data is matched and filtered in a very flexible way through the policy matching algorithm.

In order to achieve the above object, the present invention provides a policy-based unstructured data security filtering method, which performs data filtering during data transmission between the server and the client. The improvement is that the method includes the following steps:

(1). Design strategy rule expression;

(2). Combining the attributes and business requirements of unstructured data, design specific policy rules based on policy rule expressions;

(3). According to policy rules and unstructured data attributes, unstructured data attributes are recorded in the form of tag information and transmitted together with unstructured data;

(4). Analyze the policy rules, and construct the policy rules in the form of strings into a tree data structure for policy matching calculation;

(5). Parse the tag information and save it in the hash table;

(6). The policy rule data structure and the tag information in the hash table are used as parameters for policy rule matching, and the matching result is calculated. If the match is successful, the data is allowed to pass, otherwise the data is not allowed to pass, and the log is recorded.

In the preferred technical solution provided by the present invention, in said step 1, the policy rule is a text string expression stored in the policy configuration file; the policy rule is composed of self-defined expressions; the policy rule expression is determined by the server according to the business Requirements and unstructured data document attribute design to filter unstructured data.

In the second preferred technical solution provided by the present invention, the expression includes: variable, value and operator; the value of the variable is extracted from the data tag information during the strategy matching process.

In the third preferred technical solution provided by the present invention, in the step 3, the marking information is marked by the client according to the attributes of the document data, business requirements and condition information agreed by both parties; the document mark is a key-value corresponding List; where the keys are variables on the policy expression and the values are the values of the variables.

In the fourth preferred technical solution provided by the present invention, the mark on the document includes: the size, type and file name of the document.

In the fifth preferred technical solution provided by the present invention, in the step 4, the policy rules are parsed into a data structure suitable for policy matching, so as to facilitate policy matching calculations; when parsing the policy rules, lexical analysis is performed on the policy rules of the text And grammatical analysis, if the policy rules are correct, generate a tree-shaped policy data structure, otherwise report an error.

In the sixth preferred technical solution provided by the present invention, the step 5 includes the following steps: (5-1). Extracting the document mark L from the document D;

(5-2). Build a hash table H to save the tag information;

(5-3). Obtain tag information item by item, and fill the information into H in the form of key-value pair <key, value>.

In the seventh preferred technical solution provided by the present invention, the step 6 includes the following steps:

(6-1). Construct a first-in first-out queue Queue;

(6-2). Traversing the tree structure expression Exp from the root;

(6-3). Determine the element in the queue. If it is 1, return the result value calculated by Exp, otherwise return an error.

In the eighth preferred technical solution provided by the present invention, the step 6-2 includes the following steps:

a. If the left subtree is not empty, traverse the left subtree of the tree;

b. If the right subtree is not empty, traverse the right subtree of the tree;

c. If Exp is value, put Exp into Queue;

d. If Exp is a variable var, use the Get function to extract the variable value from the hash table H stored in the tag to construct a new Exp, and put the new Exp into the Queue;

e. If Exp is an operator, judge the operand number N of the operator, and take N operands from QQueue, calculate the expression, save the calculation result in the new Exp in the form of value, and then save the new Exp The Exp into the Queue.

In the ninth preferred technical solution provided by the present invention, the Get function is Get(key, H)->value;

The Get function returns the corresponding value from the hash table H through the key. At this time, the variable var is used as the key of H.

Compared with the prior art, a policy-based unstructured data security filtering method provided by the present invention aims to solve the problem of secure transmission of unstructured data between networks of different security levels; There is no good way to solve the problem of security of the transmission, but the policy-based technology designs an efficient policy matching algorithm by configuring the policy rule expression, and marks the attributes of the documents exchanged by the gateway server (between different networks) interface), according to the policy rule expression, the policy matching algorithm is used to match the document tag attributes, so as to filter the document security to ensure the security of unstructured data in the transmission process.

Description of drawings

Figure 1 is a schematic diagram of the components involved in the method.

FIG. 2 is a schematic flowchart of a policy-based method for unstructured data security filtering.

Figure 3 is a schematic diagram of the tree structure.

detailed description

As shown in Figure 2, a policy-based unstructured data security filtering method performs data filtering during data transmission between the server and the client, including the following steps:

(1). Design strategy rule expression;

(2). Combining the attributes and business requirements of unstructured data, design specific policy rules based on policy rule expressions;

(3). According to policy rules and unstructured data attributes, unstructured data attributes are recorded in the form of tag information and transmitted together with unstructured data;

(4). Analyze the policy rules, and construct the policy rules in the form of strings into a tree data structure for policy matching calculation;

(5). Parse the tag information and save it in the hash table;

(6). The policy rule data structure and the tag information in the hash table are used as parameters for policy rule matching, and the matching result is calculated. If the match is successful, the data is allowed to pass, otherwise the data is not allowed to pass, and the log is recorded.

In the step 1, the policy rule is a text string expression stored in the policy configuration file; the policy rule is composed of self-defined expressions; the policy rule expression is designed by the server according to business requirements and unstructured data document attributes , to filter on unstructured data.

The expression includes: variable, value and operator; the value of the variable is extracted from the data tag information during the policy matching process.

In said step 3, the marking information is marked by the client according to the attributes of the document data, the business requirements and the conditional information agreed by both parties; the document marking is a list corresponding to a key value; wherein, the key is the key on the policy expression variable, the value is the value of the variable.

The marking of the document includes: the size, type and file name of the document.

In said step 4, the policy rule is parsed into a data structure suitable for policy matching, so as to facilitate policy matching calculation; when parsing the policy rule, lexical analysis and grammatical analysis are carried out to the policy rule of the text, if the policy rule is correct, generate a tree type policy data structure, otherwise an error will be reported.

The step 5 includes the following steps: (5-1). Extracting the document mark L from the document D;

(5-2). Build a hash table H to save the tag information;

(5-3). Obtain tag information item by item, and fill the information into H in the form of key-value pair <key, value>.

Described step 6 comprises the steps:

(6-1). Construct a first-in first-out queue Queue;

(6-2). Traversing the tree structure expression Exp from the root;

(6-3). Determine the element in the queue. If it is 1, return the result value calculated by Exp, otherwise return an error.

Said step 6-2 comprises the following steps:

a. If the left subtree is not empty, traverse the left subtree of the tree;

b. If the right subtree is not empty, traverse the right subtree of the tree;

c. If Exp is value, put Exp into Queue;

d. If Exp is a variable var, use the Get function to extract the variable value from the hash table H stored in the tag to construct a new Exp, and put the new Exp into the Queue;

e. If Exp is an operator, judge the number of operands N of the operator, and take N operands from the Queue, calculate the expression, save the calculation result in the new Exp in the form of value, and then save the new Exp The Exp into the Queue.

The Get function is Get(key, H)->value; the Get function returns the corresponding value from the hash table H through the key, and the variable var is used as the key of H at this time.

The policy-based unstructured data security filtering method is further explained through the following embodiments.

Figure 1 shows the reference architecture of policy-based unstructured data security filtering method, which mainly includes three parts: policy rule information, data label information and matching algorithm. Policy rule information includes policy rules and rule analysis. Policy rules are expression text strings, stored in policy configuration files, which are the basis for filtering; rule parsing is to parse the rule text into an expression form (data structure) suitable for matching. The tag information is an attribute description made by the client for the document, including document-related information, user operation information, etc. Different documents have different tag information. The matching algorithm calculates and matches according to the tag information of the data transmitted by the client and the policy rule expression, and uses the matching result as the basis for document filtering. By designing and configuring policy rules on the server side and adding attribute descriptions to documents on the client side, the policy results are matched according to the relationship between data attributes and policy rule expressions, which are used as filtering credentials. The policy rules are designed as mathematical expressions with variables, and the calculation is very simple. In addition, due to the flexibility of policy rules, this filtering method is very scalable.

The specific introduction is given below:

Policy rule: A policy rule is a text string expression stored in a policy configuration file. Policy rules consist of one or more custom expressions. Expressions consist of variables, values and operators. The value of the variable is extracted from the data tag information during the policy matching process. Because policy rules use expressions, the design of policy rules is very flexible. During implementation, specific and appropriate policy rule expressions are designed by server administrators or salespersons based on business requirements and attributes of unstructured data documents to filter unstructured data.

Parsing policy rules: After the policy rules are configured, in order to better match and calculate the policy rules, it is necessary to parse the policy rules into a data structure suitable for policy matching to facilitate policy matching calculations. When parsing the policy rules, it is necessary to perform lexical analysis and syntax analysis on the policy rules of the text string. If the policy rules are correct, a policy data structure will be generated, otherwise, an error will be reported.

Marking information: Marking information is marked by the client (the end that sends the data) to the document (such as the size, type, file name, etc.) of the document according to the attributes of the document data, business requirements, and conditional information agreed by both parties. Document markup is flexible and mutable, and it is a list of key-value pairs, where the key is a variable on the policy expression and the value is the value of the variable.

Matching: After having the rule data structure and tag information, the matching algorithm takes the rule data structure and tag information as parameters, and filters documents by traversing and calculating the policy rule expression; in the matching calculation, the variables in the expression are tagged The value of the corresponding variable in the message is replaced. Compared with policy rules and tag information, the matching algorithm is independent, and it is not affected by the previous two parts.

1. Policy rule expression design

The core task of the policy-based unstructured data security filtering method is to design policy rules that adapt to the filtering conditions. This patent proposes a grammatical specification P of policy rules. Based on this specification, various policy rules can be flexibly designed. The specification P of policy rules is described as: P is composed of three basic elements: variables, values, and operators. The operation rules are:

Rule 1: The value value and the variable var are expressions exp

Rule 2: Expressions form new expressions through the unary operator opu

Rule 3: Expressions and expressions form the expression formation strategy of the final form of new expressions through the binocular operator opb. In the above description, the variable is composed of letters, numbers and underscores, and the first letter is not a number; the value is composed of integer numbers (mathematical integers), floating-point numbers (mathematical real numbers) and strings; operators Relational operators (>, >=, <, <=, ==, !=), logical operators (&&, ||, !) and substrings (substr: the subcharacter whose left operand is the right operand String) operation composition.

The formal description of the policy rule specification P is as follows:

When configuring policy rules, the designer selects the appropriate variable and the value that the variable satisfies according to the policy rule specification, combined with business requirements and user operations, and forms a policy rule through the relationship between the variable and the value through the operator. The form of a string is saved in the policy rule file. The design steps are as follows:

a. Specification P according to policy rules;

b. Based on the attribute information of the document and combined with the business requirement information, the text requirements are converted into policy rules

expression exp

For example: Do initial filtering by document type. If the business requirement only accepts PDF documents, the variable doc_type can be designed, and the == operator is used, and the policy expression is

doc_type == "PDF"

When this expression is called PDF, the result of the operation is true, and it is allowed to pass, otherwise, it is not allowed to pass. Another example: Assume that the document security level has five levels: 1, 2, 3, 4, and 5, and the larger the number, the higher the level. A certain business requirement is that when the document security level is greater than 3, the document is not allowed to be transmitted, and the variable doc_security_grade can be designed. The operators are > and ! , the policy expression is

! (doc_security_grade>3)

Indicates that when the document security level is greater than 3, the return result is false, and the transmission is not allowed; otherwise, the transmission is allowed.

2. Mark information

The policy-based unstructured data security filtering method marks documents on the client side (document transmission side). The tag not only contains the encryption, digital abstract, authorization, owner and other information that all documents will exist in the document, but also contains the value information of the variables in the server-side policy rules. The steps to mark information are:

a. Build Mark L

b. Obtain the attribute information A of the document and add it to the tag L(A)

c. Obtain user operation attribute information O, add to mark L(O)

d. Add the mark to the data document data D(L)

3. Analysis of policy rules

In method flow 1, the designed policy rules exist in the form of strings, and in order to perform policy matching operations, the policies in the form of strings need to be presented in a data structure suitable for matching rules.

In order to perform policy matching well, use the following data structure to save policy expressions.

Exp can save a value expression (using the data field); Exp can save an expression with an operator. At this time, the operator is saved in the operator, lchild saves the left operand, and rchild saves the right operand. Through the recursion of multiple Exps, Exp can finally save a complete strategy.

The purpose of policy rule parsing is to parse the policy rule exp in the form of a character string into a policy with Exp structure, so as to facilitate policy matching. The policy parsing rules are as follows:

a. Recursively process exp as follows:

b-1. When exp is the value value or the variable var, construct an Exp, save the value in the data field in the Exp, and leave the other fields empty;

b-2. When exp is op _u exp, construct an Exp, assign op _u to the operator field in the Exp, assign the exp behind op _u to the rchild of the Exp, and leave the other fields empty;

b-3. When exp is expop _b exp, construct an Exp, assign op _b to the operator field in Exp, assign the exp after oP _b to the rchild of Exp, assign the exp before oP _b to lchild of Exp, and other fields Is empty;

b. Return the root of the tree data structure constructed by Exp, which is a complete policy data structure.

4. Label information extraction

After the server obtains the document data, it parses the document data to obtain tag information, and converts the tag information into a data structure suitable for matching calculation. Proceed as follows:

a. Extract document token L from document D;

b. Build a hash table (HashMap) H to save the tag information;

c. Obtain tag information item by item, and fill the information into H in the form of key-value pairs <key, value>.

5. Policy rule matching

Since the policy rules are stored in the tree structure in the form of expressions after parsing, when the policy is matched, the tree structure is traversed in the postorder, and the expression is calculated during the traversal, and a result value will be obtained in the end. The resulting value can be used to determine whether to allow the document to pass through. The policy matching steps are as follows:

a. Build a first-in first-out queue Queue;

b. Traverse the tree structure expression Exp in postorder from the root

b1. If the left subtree (lchild of Exp) is not empty, traverse the left subtree of the tree;

b2. If the right subtree (the rchild of Exp) is not empty, traverse the right subtree of the tree;

b3. If Exp is value value (data is not empty), put Exp into Queue;

b4. If Exp is a variable var (data is not empty), use the Get function to extract the variable value from the marked hash table (HashMap) H to construct a new Exp, and put the new Exp into the Queue.

The Get function is

Get(key, H)->value

The Get function returns the corresponding value from the hash table H through the key. At this time, the variable var is used as the key of H.

b5. If the operator of Exp is not empty, that is, the expression is an operator, judge the number of operands N of the operator, and take N operands from the Queue, calculate the expression, save the calculation result in the new Exp, and then Then put the new Exp into the Queue

Determine the element in the queue, if it is 1, return the result value calculated by Exp, otherwise, it means that the expression is wrong, and return an error.

For the convenience of description, we assume the following application examples:

An enterprise has an internal network with a high internal security level and an external network with a low security level. The external network is connected to the Internet. In order to meet the internal business needs of the enterprise and serve customers better, it is necessary to connect the internal network to the external network. At the gateway connecting the internal network and the external network, a policy-based unstructured data security filter is arranged, and internal and external users transmit documents and add tools for marking information for documents. Before the document is transmitted, mark information is added to the document policy variable according to the pre-negotiated policy. When passing through the connection between the internal and external network, that is, when filtering the server, the server will extract the mark information and perform matching calculation on the policy. Once the policy matching fails , the document will be rejected, otherwise, it will be allowed to pass. Assume that the application scenario is that the user transfers unstructured data files from the internal network with high security level to the external network with low security level. The specific implementation plan is as follows:

1. Policy rules:

Policy rules are set by the server administrator according to business requirements, and the client is required to fill in the variable values in the policy to filter when transmitting documents. It is assumed here that the business needs are as follows:

1. The source of the document is the IP of the intranet business system is 192.168.216.5

2. The file name cannot contain "scheme"

3. The confidentiality level of the document cannot exceed 3 (assuming that the confidentiality level is 1, 2, 3, 4, and 5, the higher the level, the higher the security level)

According to the policy rule specification, use the variable src to indicate the document source, name to indicate the document name, and sec_grade to indicate the file security level, and the policy rules are as follows,

(src="192.168.216.5")&&(!("Scheme" substrname))&&(sec_grade<=3)

2. Mark information:

On the client side of document transmission, during the negotiation process, the client knows that it needs to mark the document source, document name and document confidentiality. Suppose there is a client that transmits three documents:

The tag values for document 1 are as follows:

{src: 192.168.216.6, name: "Design", sec_grade=4}

Document 2 has tagged values as follows:

{src: 192.168.216.5, name: "Design", sec_grade=4}

Document 3 has tagged values as follows:

{src: 192.168.216.5, name: "Business System Operation Instructions", sec_grade=1}

3. Matching:

1. It is necessary to analyze the policy rules before matching, and convert the policy rules in the form of strings into a tree structure, then the policy rules in "one" will become the following tree structure, as shown in Figure 3.

2. Then traverse the tree structure according to the postorder, and when a variable is encountered, extract the value of the variable from the tag information to match the tag information, so as to filter the document.

The function of the post-order traversal tree is to calculate the value of the left subtree first, and then calculate the value of the right subtree. The left subtree and the right subtree are calculated, and then calculate the left subtree and right subtree of the upper subtree until root.

Therefore, according to the post-order traversal rules, for document 1 there is

2.1 Match calculation

src=192.168.216.5

Since the src value extracted by the tag is 192.168.216.6, the calculated value is false.

2.2 Match calculation

"scheme" substrname

Since the tag extraction file name value is "Design", the return value is true.

2.3 Match calculation

! ("Scheme" substrname)

Since the false result has been obtained in 2.2, the result of this step is true.

2.4 Match calculation

sec_grade>=3

Since sec_grade is 4, it returns false.

2.5 Match calculation

(!("scheme" substrname) && (sec_grade >= 3))

From the results of 2.3 and 2.4, this result is false.

2.6 Match calculation

(src=192.168.216.5)&&(!("Scheme" substrname)&&(sec_grade>=3))

It can be seen from the calculation results of 2.1 and 2.4 that the final matching result is false, so this document will be filtered, that is, not allowed to pass.

According to the above steps, the matching calculation is performed on document 2 and document 3, and the result of document 2 is false, while the result of document 3 is true, that is, document 3 is allowed to pass, but document 2 is not allowed to pass.

It should be declared that the contents and specific implementation methods of the present invention are intended to prove the practical application of the technical solutions provided by the present invention, and should not be construed as limiting the protection scope of the present invention. Those skilled in the art may make various modifications, equivalent replacements, or improvements under the inspiration of the spirit and principles of the present invention. But these changes or modifications are all within the protection scope of the pending application.

Claims (10)

1. a policy-based unstructured data security filtering method, data filtering is carried out when server and client carry out data transmission, it is characterized in that, described method comprises the steps: (1). Design strategy rule expression; (2). Combining the attributes and business requirements of unstructured data, design specific policy rules based on policy rule expressions; (3). According to policy rules and unstructured data attributes, unstructured data attributes are recorded in the form of tag information and transmitted together with unstructured data; (4). Analyze the policy rules, and construct the policy rules in the form of strings into a tree data structure for policy matching calculation; (5). Parse the tag information and save it in the hash table; (6). The policy rule data structure and the tag information in the hash table are used as parameters for policy rule matching, and the matching result is calculated. If the match is successful, the data is allowed to pass, otherwise the data is not allowed to pass, and the log is recorded. 2. The method according to claim 1, characterized in that, in said step 1, the policy rule is a text string expression stored in the policy configuration file; the policy rule is made up of self-defined expressions; the policy rule expression The format is designed by the server based on business requirements and attributes of unstructured data documents to filter unstructured data. 3. The method according to claim 2, wherein the expression includes: a variable, a value and an operator; the value of the variable is extracted from the data tag information during the policy matching process. 4. The method according to claim 1, characterized in that, in said step 3, the marking information is marked by the client according to the attributes of the document data, the business requirements and the conditional information agreed by both parties; the document marking is a A list of key-value correspondences; where the key is a variable on the policy expression and the value is the value of the variable. 5. The method according to claim 4, wherein the marking of the document includes: the size, type and file name of the document. 6. The method according to claim 1, characterized in that, in said step 4, the policy rules are parsed into a data structure suitable for policy matching, to facilitate policy matching calculations; when parsing the policy rules, the text policy The rules perform lexical analysis and syntax analysis. If the policy rules are correct, a tree-type policy data structure is generated, otherwise an error is reported. 7. The method according to claim 1, wherein said step 5 comprises the steps of: (5‐1). Extract document markup L from document D; (5‐2). Construct a hash table H to save the tag information; (5‐3). Obtain tag information item by item, and fill the information into H in the form of key-value pair <key, value>. 8. The method according to claim 1, wherein said step 6 comprises the steps of: (6-1). Construct a first-in first-out queue Queue; (6‐2). Traversing the tree structure expression Exp from the root; (6‐3). Determine the element in the queue, if it is 1, return the result value of Exp calculation, otherwise return an error. 9. The method according to claim 8, wherein said step 6-2 comprises the steps of: a. If the left subtree is not empty, traverse the left subtree of the tree; b. If the right subtree is not empty, traverse the right subtree of the tree; c. If Exp is value, put Exp into Queue; d. If Exp is a variable var, use the Get function to extract the variable value from the hash table H stored in the tag to construct a new Exp, and put the new Exp into the Queue; e. If Exp is an operator, judge the number of operands N of the operator, and take N operands from the Queue, calculate the expression, save the calculation result in the new Exp in the form of value, and then save the new Exp The Exp into the Queue. 10. The method according to claim 9, wherein the Get function is Get(key, H)->value; The Get function returns the corresponding value from the hash table H through the key. At this time, the variable var is used as the key of H.