CN105653725A - MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields - Google Patents


Info

Publication number: CN105653725A
Application number: CN201610043971.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: feature, random field, conditional random field, mysql database, access control
Inventors: 唐卓, 李巧巧, 李肯立, 刘昆昆, 付仲明, 钟莹
Current assignee: Hunan University
Original assignee: Hunan University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/211 Schema design and management
    • G06F16/212 Schema design and management with details for data modelling support
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs
    • G06F16/24575 Query processing with adaptation to user needs using context
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries


Abstract

The invention processes and analyzes the system access log of an improved MySQL secure database that carries a mandatory access control policy. Vulnerabilities and hazardous events that occur while the system runs are annotated manually, feature values are extracted, feature templates are defined, and the correctness and reasonableness of the CRFs-BLP model are tuned and verified by setting different model parameters. By analyzing the annotation results and mining the defects in the existing security policy rules of the system, the relevant access rights of users are modified, which strengthens the security awareness and self-repair capability of the database system. The mandatory access control policy enables B1-level security, the F value reaches 93% or more, and the method has certain practical significance.

Description

MySQL database mandatory access control adaptive optimization method based on conditional random fields
Technical field
The invention belongs to the field of data security and in particular relates to an adaptive optimization method for MySQL database mandatory access control based on conditional random fields.
Background technology
As network threats keep increasing, the demand of information systems for security becomes more urgent, and the importance of safe and efficient access control technology for complex systems is gradually being recognized. Access control restricts the access of subjects in the system to sensitive data and key resources, avoiding the security hazards brought by unauthorized access or by the operating errors of legitimate users. Much research on access control has been carried out at home and abroad, from traditional access control such as DAC, MAC and RBAC to various other access control mechanisms, and the technology increasingly fits the needs of modern social development. Access control technology grew up gradually from the 1960s and 1970s; its initial purpose was to solve the problem of safe data sharing. It is one of the important channels for protecting data security: it explicitly restricts, in some way, the range of system resources a user may access and the user's rights, thereby constraining unauthorized access to specific resources in the system and avoiding the security problems caused by illegal users or by the operating errors of legitimate users, so that system resources are accessed normally under controlled conditions. Access control is mainly used to limit: access to illegal resources by legitimate users, access to legal resources by illegal users, and the range of resources a legitimate user is permitted to access. Its core is the formulation of the access control policy; the policy determines the mandatory rules applied when users access system resources, and only users who have obtained authorization can carry out the corresponding legal operations in the system.
With the development of network technology and increasingly varied interaction, mainstream access control technologies such as discretionary access control DAC (Discretionary Access Control policy), mandatory access control MAC (Mandatory Access Control) and role-based access control RBAC (Role-Based Access Control) have found abundant application in every field.
In addition, database technology, as one of the core technologies of current information systems, has been widely used in all trades and professions, mainly for effectively managing, storing and processing data. It is applied especially in confidential departments such as government, military and public security, and in important economic departments such as finance and securities. These departments generally have higher security requirements for data, their data have a strict hierarchy, and users at different levels are required to see different content; once important sensitive information is leaked, serious consequences and huge economic losses follow. Database systems, as the core software for managing data, must guarantee the confidentiality, integrity and availability of data. The database used in the tests of the present invention is MySQL, and the business logic of the relational database system MySQL is a typical discretionary access control mechanism. The MySQL database in use today has only a set of simple security management measures and its secure access control mechanism is relatively weak: it only implements authentication at user login and access control based on the privilege system (that is, discretionary access control). The discretionary access control model DAC is the most common access control method for protecting system resources. It appeared earliest in the time-sharing systems of the late 1960s and early 1970s. It is realized by the creator of the data (the subject of the data, also called the owner) setting, according to his own wishes, the rules by which other subjects access the data; in addition, the data owner can modify the access policy of the data he owns at any time. Because of the flexibility of its authorization scheme and its easy extensibility, DAC is widely used in the currently popular Unix, Linux and Windows operating systems.
Although the flexibility and ease of implementation of the DAC policy let it play an important role in the access control of various commercial operating systems, it also has the following deficiencies:
1. Subject rights are excessive. Since the owner of an object can decide, according to his own wishes, the access capabilities of other subjects to this object, other subjects, once they obtain the corresponding rights, can equally autonomously pass the access rights to this object on to further subjects; that is, other subjects can obtain access rights to the object indirectly. Excessive subject rights cause rights to spread continuously through the system, so that rights leak and the security of the object is threatened;
2. Data flow is uncontrollable. A subject can arbitrarily grant or revoke other subjects' access rights to an object, so data flow cannot be effectively controlled and managed, the direction in which data propagate may be unexpected, and this leads to data leakage;
3. Trojan horse attacks cannot be resisted. When a subject has no access rights to an object, it can run a legitimate program that reads or modifies that object, and the system cannot distinguish whether the modification is a user operation or an attack by a malicious program.
To solve the above problems, strengthening the security of existing systems that implement the DAC policy is inevitable, and a mandatory access control policy is one reasonable means. Mandatory access control MAC restricts the flow of information by comparing the security labels of subjects and objects, strengthens system security, and to some extent solves the Trojan horse attacks that DAC cannot resist. The BLP model was the first security policy model for the military that could provide a multilevel security confidentiality guarantee. It is based on an information flow policy: by allowing information to flow only one way, from lower-security-level systems to higher-security-level systems, it realizes multilevel-security mandatory access control. The BLP model was first proposed by D. Bell and J. LaPadula and was then revised and perfected by them, becoming the first relatively complete mathematical model that rigorously proves system security with formal methods, and also the basis of multilevel security policy. Because of its generality and theoretical basis, the BLP model is widely used to protect the confidentiality of system resources, and it has been studied and applied extensively in systems with higher security requirements; however, with the development of computer security theory it has gradually exposed the following defects:
1. The BLP model focuses on the confidentiality of sensitive data and does not consider the integrity of data, so it cannot be applied well in the commercial field;
2. Since BLP is mainly used in applications with many security levels, the management of access control becomes troublesome, the workload is large, authorization is relatively hard to manage, and flexibility is lacking;
3. It cannot model and avoid the covert channel problem;
4. The BLP model is overly secretive, so it cannot be used well in practice;
5. Once a subject is defined as a trusted subject, it holds the sovereign rights of an owner throughout its life cycle, and the excessive access rights of trusted subjects may cause the leakage of object resources.
Summary of the invention
To solve the above problems, the invention provides a MySQL database mandatory access control adaptive optimization method based on conditional random fields. The invention processes and analyzes the system access log of a MySQL secure database improved with a mandatory access control policy: vulnerabilities and hazardous events occurring during system operation are annotated manually, feature values are extracted, feature templates are defined, the correctness and reasonableness of the CRFs-BLP model are tuned and verified by setting different model parameters, and then, through analysis of the annotation results and mining of the defects in the existing security policy rules of the system, the relevant access rights of users are revised, so as to strengthen the security awareness and self-repair capability of the database system.
To achieve the above technical effect, the technical scheme is as follows:
A MySQL database mandatory access control adaptive optimization method based on conditional random fields, comprising the following steps:
Step one: add a mandatory access control policy to the MySQL database source code, adding a mandatory access control function before the user operation. The model of the mandatory access control policy is a BLP mandatory access control model based on conditional random fields, and the raw data set of the conditional random field is the history access log of the MySQL database. The raw data set is annotated; the annotation includes the security labels of subject information and the security labels of object information. A subject table and an object table are added to the MySQL database: the subject table contains all subject information in the system and the security labels of the subject information, and the object table contains the object information and the security labels of the object information. The subject table and object table persistently store in the MySQL database the security labels of the subject information and of the object information;
Step two: according to the annotation of the raw data set, use a machine learning method to define system state transition rules for the BLP mandatory access control model based on conditional random fields, propose a feature extraction method, analyze and mine the defects in the existing security policy rules of the system, and then revise the relevant access rights of users and re-model, so that the false interception rate decreases as system accesses increase.
As a further improvement, step one comprises the following steps:
1.1. Initialize the mandatory access control information while the MySQL server starts; the model of the mandatory access control information is the BLP mandatory access control model based on conditional random fields. The raw data set of the conditional random field is the history access log of the MySQL database, and the history access log is preprocessed into the CRF++ data set format. The raw data set of the conditional random field includes the system state at the current moment, one operation done by the user, and the response the system makes to the user's request;
1.2. Add the subject table and object table to MySQL's original data dictionary. The subject table contains all subject information in the system and the security labels of the subject information, and the object table contains the object information and the security labels of the object information. The subject table and object table persistently store in the MySQL database the security labels of the subject information and of the object information;
1.3. Obtain the user requesting access, the object being accessed and the form of access. The accessed objects include tables, databases and users; the language used for access includes the data definition language (DDL) and the data manipulation language (DML);
1.4. Judge whether the access request lies in the definition domain of the request, then call the compare() method to compare the security levels of subject and object, judge whether the security axioms are satisfied, and finally return the request result. The method first obtains the confidentiality level and category set of the subject and of the object, then compares them, returning 1 on pass and -1 on failure; 1 means the access request passes and -1 means it does not. The security axioms include the simple security property (Simple Security, no read up), abbreviated ss-property, the discretionary security property (Discretionary property), abbreviated ds-property, and the *-property (no write down); the ss-property and *-property together describe the "write up, read down" policy of the BLP model.
1.5. Judge whether the access request satisfies the security axioms and return the request result; annotate the raw data set according to the request result, the annotation including the security labels of the subject information and of the object information.
As a further improvement, step two comprises the following steps:
2.1. Extract the response the system makes to the user's request and the system state at the current moment as the feature vector of the raw data set of the conditional random field;
2.2. Select a feature set to define the feature functions. The feature set includes two categories of features: basic features and combined features. A basic feature considers only the influence of the current record on the annotation result during training; a combined feature is a new feature composed by combining basic features, so that the context of the current record is taken into account. The ways of combining basic features into combined features include context combination of the same kind of feature and/or combination between different kinds of features;
2.3. Carry out feature extraction according to the feature functions and generate feature templates, perform the learning process and the training process, and re-model the BLP mandatory access control model based on conditional random fields to obtain a new BLP mandatory access control model based on conditional random fields and a new prediction algorithm.
As a further improvement, in step 2.3 the learning process and the training process respectively comprise the following steps:
2.3.1. Training process: with the training set and the feature templates as input, construct the feature functions, solve the gradient function, call the L-BFGS algorithm to solve for the optimal parameter vector, and form the model file of the conditional random field;
2.3.2. Learning process:
2.3.2.1. Carry out the test process: with the conditional random field model file obtained from the training process, the test set and the feature templates as input, construct the feature functions, call the Viterbi algorithm to solve the optimal path and generate the first prediction result, then call the Viterbi algorithm on the generated prediction result to solve the optimal path again and generate the second prediction result;
2.3.2.2. Cross-validate the first and second prediction results, delete the records that repeat between the first and second prediction results, then call the getNewRule algorithm to revise the model file of the conditional random field and obtain a new model file. The getNewRule algorithm is divided into two stages: a deduplication stage and a classification stage. The deduplication stage deletes repeated records according to the request features and annotation results; the classification stage uses a hash algorithm to classify the deduplicated data, the classification rule being to generate a hash value from the request features and annotation results and to classify by that hash value.
As a further improvement, the subject information includes all users, the security level of the subject, the confidentiality level of the subject and related remarks; the object information includes the database the object belongs to, the object name, the object type, the object security level, the object confidentiality level and related remarks.
As a further improvement, the steps of the mandatory access control policy include: after the server side receives the user's operation, it judges whether the object the user requests to access and the operation mode lie within the corresponding scope of authority, then applies further access control according to the security levels of subject and object; that is, after the mandatory access control MAC check passes, the discretionary access control security policy set by the system checks again, and only after the subject has passed both access control security checks can it access the relevant object.
The advantages of the present invention are as follows:
1. The invention provides a BLP mandatory access control adaptive optimization technique based on conditional random fields. Aimed at the problem that most existing access control models lack the ability to dynamically perceive the system security state and risk, it proposes, for the BLP mandatory access control model, a system security state prediction model based on the machine learning method of conditional random fields (CRFs). It first defines the model elements and transition rules and gives the training and prediction algorithms of the CRFs-BLP model, then preprocesses and annotates the history access log and extracts feature values for prediction; its F value was found to reach more than 93%, which has certain practical significance.
2. The invention also applies the proposed technique to an actual database. The internal access control mechanism of the relational database MySQL is analyzed and found to have only a simple discretionary access control mechanism; security labels are added to all subjects and objects in the database and the mandatory access control policy proposed by the invention is implemented so as to reach B1-level security. The output function of the general log is changed so as to carry out prediction of the system state. Then, with the CRFs-BLP training and prediction algorithms, the access log data are analyzed, vulnerability events and other insecure events are marked manually, feature extraction of the database security access log is completed, and the relevant feature templates are defined. The best annotation performance is obtained by adjusting the model parameters, and the defects of the existing security policy rules of the system are analyzed and mined. Then the records in the predefined user privilege table of the database are modified, strengthening the security awareness and self-repair capability of the database system.
Description of the drawings
Fig. 1: the improved MySQL access control model;
Fig. 2: CRFs-BLP data flow diagram;
Fig. 3: attack-attempt experimental results;
Fig. 4: masquerading-user attack experimental results.
Detailed description of the invention
Below in conjunction with drawings and Examples, the present invention is described further.
Embodiment 1
A MySQL database mandatory access control adaptive optimization technique based on conditional random fields. The MySQL database has its own set of simple and non-standard access control mechanisms, but the excessive subject rights of discretionary access control may lead to information leakage and Trojan horse attacks, reducing the security of the database. This technique considers that the business logic of the relational database system MySQL is a typical discretionary access control mechanism with very flexible rights management. Because of its open-source nature and the defects of its access control mechanism, this technique selects MySQL as the implementation platform for CRFs-BLP. A mandatory access control policy is first added so that it reaches the B1-level secure database standard, as shown in Fig. 1. The mandatory access control function is added before the user operation, and the subject and object label information is persisted in the database: MySQL's original data dictionary is modified by adding two system tables, for subjects and objects. The subject table contains all users in the system, the security level of the subject, the confidentiality level of the subject and related remarks; the object table mainly contains the database the object belongs to, the object name, the object type, the object security level, the object confidentiality level and related remarks.
After the server side receives the user's operation, it judges whether the object the user requests to access and the operation mode lie within the corresponding scope of authority, then applies further access control according to the security levels of subject and object; that is, after the mandatory access control MAC check passes, the discretionary access control security policy set by the system checks again, and only after the subject has passed both access control security checks can it access the relevant object, so that the MySQL database system reaches B1-level security (the labeled security protection level; the two preceding levels are the user discretionary protection level and the system design protection level).
The first step: add a mandatory access control policy in front of the discretionary access control mechanism of the relational database system MySQL so that it reaches the B1-level secure database standard.
Step 1: initialize the mandatory access control information when the MySQL server starts.
Step 2: add two system tables to MySQL's original data dictionary: the subject table and the object table.
Step 3: obtain the user requesting access, the object being accessed (table, database, user, etc.) and the form of access (DDL, DML, etc.).
Step 4: judge whether the definition domain of the request is satisfied, then call the compare() method to compare the security levels.
Step 5: judge whether the corresponding security axioms (ss-, ds- and *-property) are satisfied, and finally return the request result (yes, no, ?). See Fig. 1.
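As an added worked example (not code from the patent, from MySQL, or from the CRF++ project), the following script shows Steps 3 to 5 above together with the "MAC check first, then DAC check" ordering the description gives for the server side. The `Label`, `SUBJECTS`, `OBJECTS` and `DAC_GRANTS` structures, the numeric level scale and the category names are constructed stand-ins for the subject and object system tables and the privilege table; `compare()` follows the page's convention of returning 1 on pass and -1 on failure, and `check_access()` returns the page's yes/no/? result.

```python
"""BLP-style mandatory access control check placed in front of a DAC privilege check.

Added illustration, not code from the patent or from MySQL. The subject and object
tables below are constructed in-memory stand-ins for the subject/object system tables
the method adds to MySQL's data dictionary; column names, level numbers, category names
and the DAC grant matrix are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Security label = (confidentiality level, category set), as in BLP."""
    level: int                             # higher number = more sensitive (assumed scale)
    categories: frozenset = frozenset()    # category ("department") set

    def dominates(self, other):
        """self >= other in the BLP lattice: level not lower and categories a superset."""
        return self.level >= other.level and self.categories >= other.categories


# Constructed subject table: user -> label.
SUBJECTS = {
    "alice": Label(3, frozenset({"finance"})),
    "bob":   Label(1, frozenset({"finance"})),
    "carol": Label(2, frozenset({"hr"})),
}
# Constructed object table: (database, object name, object type) -> label.
OBJECTS = {
    ("payroll", "salaries", "table"):     Label(3, frozenset({"finance"})),
    ("payroll", "public_notes", "table"): Label(1, frozenset()),
    ("staff", "reviews", "table"):        Label(2, frozenset({"hr"})),
}
# Constructed DAC grant matrix (the discretionary privilege system): (user, object) -> privileges.
DAC_GRANTS = {
    ("alice", ("payroll", "salaries", "table")):     {"r", "w"},
    ("bob",   ("payroll", "public_notes", "table")): {"r", "w"},
    ("bob",   ("payroll", "salaries", "table")):     {"r"},   # DAC grants it, but level 1 < 3
    ("carol", ("staff", "reviews", "table")):        {"r", "w"},
}

READ_MODES = {"r", "e"}    # r = read, e = execute: the subject observes the object
WRITE_MODES = {"w", "a"}   # w = read/write, a = append: the subject alters the object


def compare(subject_label, object_label, mode):
    """Return 1 if the MAC axioms allow `mode`, else -1.

    ss-property (no read up):   observing needs the subject label to dominate the object's.
    *-property  (no write down): altering needs the object label to dominate the subject's.
    Mode 'w' both observes and alters, so both conditions must hold.
    """
    ok = True
    if mode in READ_MODES or mode == "w":
        ok = ok and subject_label.dominates(object_label)
    if mode in WRITE_MODES:
        ok = ok and object_label.dominates(subject_label)
    return 1 if ok else -1


def check_access(user, obj, mode):
    """MAC check first; only if it passes is the DAC (ds-property) check consulted."""
    if user not in SUBJECTS or obj not in OBJECTS or mode not in READ_MODES | WRITE_MODES:
        return "?"            # request outside its definition domain
    if compare(SUBJECTS[user], OBJECTS[obj], mode) != 1:
        return "no"           # rejected by the mandatory policy
    needed = "r" if mode in READ_MODES else "w"
    if needed not in DAC_GRANTS.get((user, obj), set()):
        return "no"           # rejected by the discretionary policy
    return "yes"


if __name__ == "__main__":
    for req in [("alice", ("payroll", "salaries", "table"), "r"),
                ("bob", ("payroll", "salaries", "table"), "r"),
                ("alice", ("payroll", "public_notes", "table"), "w"),
                ("carol", ("staff", "reviews", "table"), "a")]:
        print(req, "->", check_access(*req))
```

Note the third request: Alice may read the level-3 table but may not write to the level-1 notes table even though she is its DAC owner-level user, which is exactly the Trojan-horse leakage path the background section says DAC alone cannot stop. The second request shows a DAC grant that the MAC layer overrides because Bob's level does not dominate the object's.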
The second step: use a machine learning method to re-model the BLP mandatory access control model, define system state transition rules and propose a feature extraction method.
Step 1: the history access log of the information system serves as the raw data set of the CRFs (conditional random fields); the history log is preprocessed into the specific format of a CRF++ data set, and the present invention annotates the data set.
Step 2: the request and the current state need to be extracted as the feature vector of the CRFs data set. The value of the "request" feature vector is formed by a five-tuple (first subject element, request element, second subject element, o_j, x).
Step 3: in the raw data of the CRFs the "request" feature vector is generally defined as a five-tuple (first subject element, request element, second subject element, o_j, x), where a value of 0 for the first subject element means it takes the null value and a value s_i represents a concrete subject s; the value of the request element is g/r/c/d; a value of 0 for the object o_j means it takes the null value and a value of 1 represents a concrete object o; a value of 0 for the second subject element means it takes the null value and a value of 1 represents a concrete subject s; and the value of x is any element (r/w/e/a/c) of the access attribute set. With this request feature definition, a specific request tuple takes a value such as (0, g, s1, o1, r). A non-null first subject element applies only to BLP rules 6 and 7, so in rule 1 it takes the null value, namely 0; when the request obtains some right the request element takes the value g; the second subject element and o_j are the subject s_i and object o_j of the corresponding rule; and x taking the value r represents a request to obtain read access.
Step 4: select an appropriate feature set for the particular task to define the feature functions. This is usually done by defining feature templates, which express the features simply as a form from which the features in the training set are instantiated. The definition of the feature templates is a relatively crucial step in CRFs, since it affects indexes such as the accuracy and recall of the data.
Step 5: after feature extraction, calculate the model parameters of the conditional random field, train the parameter weights and generate the feature templates.
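As an added worked example (not code from the patent or from CRF++), the following script carries Steps 1 to 5 of the second step through on constructed log lines: each line is turned into the request five-tuple plus system state and response, written out in the CRF++ column format, and a CRF++ feature template is generated that contains the basic features of claim 2.2 (one column of the current record) and both kinds of combined feature (the same column over neighbouring records, and pairs of different columns). The log line layout, the mapping from SQL verbs to the access attribute x, the `SAMPLE_LOG` contents and the function names are assumptions.

```python
"""Turn MySQL-style history access log lines into a CRF++ training file and a
CRF++ feature template with basic and combined features.

Added illustration, not code from the patent or from CRF++. The log line layout,
the SQL-verb -> access-attribute mapping, the column order and the sample
records are constructed assumptions.
"""
import re

# Constructed sample log lines (not real data): user, object touched, SQL verb,
# current system state and the response the system made.
SAMPLE_LOG = """\
2016-01-20 09:00:01 user=alice db=payroll obj=salaries op=SELECT state=normal resp=allow
2016-01-20 09:00:05 user=alice db=payroll obj=salaries op=UPDATE state=normal resp=allow
2016-01-20 09:01:10 user=bob db=payroll obj=salaries op=SELECT state=normal resp=deny
2016-01-20 09:01:12 user=bob db=payroll obj=salaries op=SELECT state=alert resp=deny
2016-01-20 09:01:15 user=bob db=payroll obj=public_notes op=SELECT state=alert resp=allow
"""

LINE_RE = re.compile(
    r"^\S+ \S+ user=(\S+) db=(\S+) obj=(\S+) op=(\S+) state=(\S+) resp=(\S+)$")
# Assumed mapping from SQL verbs to the BLP access attribute x in {r, w, e, a, c}.
OP_TO_X = {"SELECT": "r", "UPDATE": "w", "DELETE": "w", "INSERT": "a", "CALL": "e"}


def parse_line(line):
    """Return the (sub1, req, sub2, obj, x, state, label) vector for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: " + line)
    user, db, obj, op, state, resp = m.groups()
    # Rule-1 style request: first subject element null (0), request element g (get).
    return ("0", "g", user, f"{db}.{obj}", OP_TO_X.get(op, "c"), state, resp)


def to_crfpp(log_text):
    """CRF++ data format: one record per line, columns tab-separated, label last,
    a blank line closing each sequence. Consecutive records of the same user form
    one sequence, so neighbouring records give that user's context."""
    out, prev_user = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        vec = parse_line(line)
        if prev_user is not None and vec[2] != prev_user:
            out.append("")                    # sequence boundary
        out.append("\t".join(vec))
        prev_user = vec[2]
    out.append("")
    return "\n".join(out) + "\n"


def feature_template(n_cols=6, context=1):
    """CRF++ template. Basic features: each input column of the current record.
    Combined features: the same column over neighbouring records (context
    combination) and pairs of different columns of the current record. The
    label column is never referenced. 'B' adds the output-label bigram."""
    lines, k = [], 0
    for c in range(n_cols):                         # basic (unigram) features
        lines.append(f"U{k:02d}:%x[0,{c}]"); k += 1
    for c in range(n_cols):                         # context combination, same column
        for off in range(-context, context + 1):
            if off != 0:
                lines.append(f"U{k:02d}:%x[{off},{c}]/%x[0,{c}]"); k += 1
    for c1 in range(n_cols):                        # combination between different columns
        for c2 in range(c1 + 1, n_cols):
            lines.append(f"U{k:02d}:%x[0,{c1}]/%x[0,{c2}]"); k += 1
    lines.append("B")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_crfpp(SAMPLE_LOG))
    print(feature_template())
```

The generated file and template are in the shape `crf_learn template train.data model` expects; with six input columns the template has 6 basic, 12 context and 15 cross-column unigram features plus the bigram line, which is the point at which the page's warning about template choice driving accuracy and recall becomes concrete.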
Step 6: after feature extraction and template generation, start the learning and training experiments and define the CRFs-BLP model and prediction algorithm; the detailed flow is shown in Fig. 2.
Step 7: after model training, predict on the test data set. For data satisfying the CRFs-BLP rules, the Viterbi algorithm can be used to annotate and predict system requests by finding the hidden state sequence of maximum probability.
Step 8: using the constructed feature functions and the lattice, call the Viterbi algorithm to solve the optimal path and finally produce the prediction result.
Step 9: delete the repeated records in the prediction result, then call the getNewRule algorithm to revise the rules and obtain new rules.
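As an added worked example (not code from the patent or from CRF++) for Steps 7 to 9 and claim 2.3.2, the following script decodes a request sequence with the Viterbi algorithm over a small linear-chain scoring model and then runs a getNewRule-style pass: the two prediction results are merged, records whose (request features, annotation) repeat are deleted, and the survivors are bucketed by a hash of those fields. The label set, the `EMISSION` and `TRANSITION` weights (standing in for a trained CRF model file) and the record layout are constructed assumptions.

```python
"""Viterbi decoding over a linear-chain scoring model, followed by getNewRule-style
deduplication and hash classification of prediction records.

Added illustration, not code from the patent or from CRF++. LABELS, EMISSION and
TRANSITION are constructed weights standing in for a trained model file.
"""
import hashlib

LABELS = ("allow", "deny", "alert")

# Constructed emission weights: how strongly an observed feature supports a label.
EMISSION = {
    ("state=normal", "allow"): 2.0, ("state=normal", "deny"): 0.5,
    ("state=alert", "deny"): 1.5,   ("state=alert", "alert"): 2.0,
    ("x=w", "deny"): 1.0, ("x=r", "allow"): 1.0, ("repeat", "alert"): 2.5,
}
# Constructed transition weights between consecutive labels.
TRANSITION = {("deny", "alert"): 1.0, ("alert", "alert"): 1.0, ("allow", "allow"): 0.5}


def viterbi(observations):
    """Return the label path with the maximum total score.

    observations: list of feature-string sets, one per record. Path score =
    sum of active emission weights + sum of transition weights; the lattice
    is filled left to right and the best path is read back from back-pointers.
    """
    n = len(observations)
    if n == 0:
        return []
    score = [{y: sum(EMISSION.get((f, y), 0.0) for f in observations[0]) for y in LABELS}]
    back = [{}]
    for t in range(1, n):
        score.append({}); back.append({})
        for y in LABELS:
            emit = sum(EMISSION.get((f, y), 0.0) for f in observations[t])
            prev = max(LABELS, key=lambda p: score[t - 1][p] + TRANSITION.get((p, y), 0.0))
            score[t][y] = score[t - 1][prev] + TRANSITION.get((prev, y), 0.0) + emit
            back[t][y] = prev
    y = max(LABELS, key=lambda l: score[n - 1][l])
    path = [y]
    for t in range(n - 1, 0, -1):          # follow back-pointers to the start
        y = back[t][y]
        path.append(y)
    return path[::-1]


def get_new_rule(first, second):
    """getNewRule: cross-validate two prediction passes.

    Deduplication stage: drop records whose (request features, annotation) repeat.
    Classification stage: bucket the survivors by a hash of those same fields.
    Each record is (features_tuple, label).
    """
    seen, kept = set(), []
    for rec in list(first) + list(second):
        key = (rec[0], rec[1])
        if key not in seen:
            seen.add(key)
            kept.append(rec)
    buckets = {}
    for feats, label in kept:
        h = hashlib.sha256("|".join(feats + (label,)).encode()).hexdigest()[:8]
        buckets.setdefault(h, []).append((feats, label))
    return kept, buckets


if __name__ == "__main__":
    obs = [{"state=normal", "x=r"}, {"state=normal", "x=w"}, {"state=alert", "x=r", "repeat"}]
    print(viterbi(obs))
    req = ("0", "g", "bob", "payroll.salaries", "r")
    kept, buckets = get_new_rule([(req, "deny")], [(req, "deny"), (req, "alert")])
    print(len(kept), "records in", len(buckets), "buckets")
```

The second pass above produces the same request annotated "alert"; getNewRule keeps it as a separate record because the annotation differs, which is the signal the description uses to revise a rule, while the exact duplicate from the first pass is dropped.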
Step 10: a comparison experiment between BLP and CRF-BLP demonstrates the effectiveness of this technique of the invention.
The invention learns from and trains on the MySQL database access log of CRFs-BLP mandatory access control. Then, through analysis of the annotation results and mining of the defects in the existing security policy rules of the system, the relevant access rights of users are revised, so as to strengthen the security awareness and self-repair capability of the database system.
To further illustrate the effect of the present invention, the following explanation is given:
First step: preprocessing of the historical access log.
Step 1: Historical data collected from the provincial medical information system by the joint medical big data laboratory of Hunan University and Great Wall Information was selected, and the access records of one week in a past period were analysed.
Step 2: The log is analysed, feature vectors are extracted, the data set is generated in the prescribed format, and the data set is labelled.
Second step: learning and training process.
Step 1: First all the data is randomly permuted and divided into training data and test data according to the ratios of RRSS and P-fold cross-validation, yielding 35611/48075 training records and 17806/5342 test records respectively.
Step 2: Training is carried out with different model parameters to determine the optimal parameter values that give the best labelling performance. Six experiments were done in total, gradually increasing the training set size until the maximum of 48075 training records was reached.
Step 3: Threat detection. The present invention dynamically corrects the inappropriate access rights of a given user by analysing the annotation results of the MySQL access log. By training on a large number of examples, the feature patterns and the anomalies are mined and extracted from the behavioural regularities of users in everyday situations; self-learning yields predictive ability, which serves as the description of historical behaviour; a user behaviour model is constructed from the training samples, forming the detection unit.
Step 4: After the abnormal records in the detection result have been judged by the administrator and regarded as deviant behaviour patterns, the corresponding authority list is updated again.
Step 5: The conclusions of the study are drawn and plotted as experiment figures. Figures 3 and 4 show that the machine-learning-based detection of abnormal database user behaviour gives good detection results both for detection attacks and for spoofing attacks on legitimate users. In Figures 3 and 4 each group is, from left to right: detection rate, missed-report rate, false-alarm rate and detection accuracy.
The explanation of the above examples is only intended to help understand the core idea of the present invention. At the same time, for one of ordinary skill in the art, changes will be made in the specific embodiments and applications according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (6)

1. A MySQL database mandatory access control adaptive optimization method based on conditional random fields, characterised in that it comprises the following steps:
Step one: add a mandatory access control model to the MySQL database source code, so that a mandatory access control function is performed before user operations. The mandatory access control model is a BLP mandatory access control model based on a conditional random field, and the raw data set of the conditional random field is the history access log of the MySQL database. The raw data set is labelled, and the labelling includes the security label of the subject information and the security label of the object information. A subject table and an object table are added to the MySQL database: the subject table includes all subject information in the system together with the security labels of the subject information, and the object table includes the object information together with the security labels of the object information. The subject table and the object table permanently store the security labels of the subject information and the security labels of the object information in the MySQL database;
Step two: according to the labelling of the raw data set, use a machine learning method to define the system state transfer rules for the BLP mandatory access control model based on the conditional random field, propose a feature extraction method, analyse and mine the defects in the settings of the system's existing security policy rules, and revise the relevant access rights of the user model again, so that the false interception rate decreases as the number of system accesses increases.
2. The MySQL database mandatory access control adaptive optimization method based on conditional random fields as claimed in claim 1, characterised in that step one comprises the following steps:
1.1, initialise the mandatory access control information while the MySQL server starts; the model of the mandatory access control information is the BLP mandatory access control model based on the conditional random field, and the raw data set of the conditional random field is the history access log of the MySQL database. The history access log is preprocessed into the CRF++ data set format. The raw data set of the conditional random field includes the system state at the current moment, the operation performed by the user, and the response the system makes to the user's request;
1.2, add the subject table and the object table to the original MySQL data dictionary; the subject table includes all subject information in the system together with the security labels of the subject information, and the object table includes the object information together with the security labels of the object information. The subject table and the object table permanently store the security labels of the subject information and the security labels of the object information in the MySQL database;
1.3, obtain the user requesting access, the form of the object being accessed, and the access itself; the accessed objects include tables, databases and users; the languages used for access include DDL and DML;
1.4, judge whether the access request falls within the definition domain of a request, then call the compare() method to compare the security levels of the subject and the object and judge whether the security axioms are satisfied, and finally return the request result. The method first obtains the secrecy levels and department sets of the subject and the object, then compares them, returning 1 on pass and -1 on failure; 1 means the access request is passed and -1 means the access request is not passed. The security axioms include the simple security property, the discretionary security property and the *-property;
1.5, judge whether the access request satisfies the security axioms and return the request result; label the raw data set according to the request result, the labelling including the security label of the subject information and the security label of the object information.
3. The MySQL database mandatory access control adaptive optimization method based on conditional random fields as claimed in claim 2, characterised in that step two comprises the following steps:
2.1, extract the response the system makes to the user's request and the system state at the current moment as feature vectors, forming the raw data set of the conditional random field;
2.2, select a feature set and define the feature functions. The feature set includes two categories of features: basic features and combined features. A basic feature considers only the influence of the current record on the labelling result during training. A combined feature is a new feature composed of basic features combined together, and takes the context of the current record into account. The methods of combining basic features into combined features include context combination of features of the same kind and/or combination between features of different kinds;
2.3, carry out feature extraction according to the feature functions and generate the feature template, carry out the learning process and the training process, and model the BLP mandatory access control model based on the conditional random field again to obtain the new BLP mandatory access control model based on the conditional random field and the new prediction key algorithm.
4. The MySQL database mandatory access control adaptive optimization method based on conditional random fields as claimed in claim 3, characterised in that in step 2.3 the learning process and the training process respectively comprise the following steps:
2.3.1, training process: take the training set and the feature template as input, construct the feature functions, solve the gradient function, call the L-BFGS algorithm to solve for the optimal parameter vector, and form the model file of the conditional random field;
2.3.2, learning process:
2.3.2.1, carry out the test process: take the model file of the conditional random field obtained by the training process, the test set and the feature template as input, construct the feature functions, and call the Viterbi algorithm to solve for the optimal path and generate the first prediction result; then call the Viterbi algorithm on the generated prediction result to solve for the optimal path and generate the second prediction result;
2.3.2.2: cross-validate the first and second prediction results, delete the records that are repeated in the first and second prediction results, then call the getNewRule algorithm to revise the model file of the conditional random field and obtain the new model file of the conditional random field. The getNewRule algorithm is divided into two stages: a deduplication stage and a classification stage. The deduplication stage deletes the repeated records according to the request feature and the annotation result. The classification stage uses a hash algorithm to classify the deduplicated data; the classification rule generates a hash value from the request feature and the annotation result and classifies according to the hash value.
5. The MySQL database mandatory access control adaptive optimization method based on conditional random fields as claimed in claim 1, characterised in that the subject information includes all users, the security level of the subject, the secrecy level of the subject and related remarks; the object information includes the database to which the object belongs, the object name, the object type, the object security level, the object secrecy level and related remarks.
6. The MySQL database mandatory access control adaptive optimization method based on conditional random fields as claimed in claim 1, characterised in that the steps of the mandatory access control model include: after the server side receives the user's operation, it judges whether the object the user requests to access and the operation mode are within the user's corresponding scope of authority, and then performs further access control according to the security levels of the subject and the object; that is, after the mandatory access control (MAC) check passes, the check of the discretionary access control security policy set by the system is performed again, and only after the subject has passed both access control security checks can it access the relevant object.
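The request five-tuple of step 3 and the compare() security-axiom check of claim 2 (steps 1.4 and 1.5), worked through as an added Python example that is not the patent's code: the labels, the subject and object tables, the discretionary access matrix and the log records are constructed sample data, and the dominance rule used for the axioms is the standard BLP one, assumed here because the patent does not spell it out. The labelled record is emitted in the CRF++ column format named in step 1.1.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# A security label as stored in the patent's subject/object tables:
# a secrecy level plus a department (category) set.
@dataclass(frozen=True)
class Label:
    level: int
    depts: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # Standard BLP dominance (assumed): higher-or-equal level and a superset of departments.
        return self.level >= other.level and self.depts >= other.depts

# Constructed subject table, object table and discretionary access matrix.
SUBJECTS: Dict[str, Label] = {
    "s1": Label(2, frozenset({"cardiology"})),
    "s2": Label(1, frozenset()),
}
OBJECTS: Dict[str, Label] = {
    "o1": Label(1, frozenset({"cardiology"})),
    "o2": Label(3, frozenset({"cardiology", "oncology"})),
}
DAC_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("s1", "o1"): {"r", "w"},
    ("s1", "o2"): {"a"},
    ("s2", "o1"): {"r"},
}

REQUEST_ELEMENTS = {"g", "r", "c", "d"}     # request element values from step 3
ACCESS_ATTRS = {"r", "w", "e", "a", "c"}    # access attribute set of x

Request = Tuple[str, str, str, str, str]    # (sigma1, gamma, sigma2, o_j, x)

def in_request_domain(req: Request) -> bool:
    """Step 1.4: is the tuple inside the definition domain of a rule-1 request?
    sigma1 is the null value "0" here, since only rules 6/7 carry a giving subject."""
    s1, g, s2, o, x = req
    return (s1 == "0" and g in REQUEST_ELEMENTS and s2 in SUBJECTS
            and o in OBJECTS and x in ACCESS_ATTRS)

def compare(subject: Label, obj: Label, x: str) -> int:
    """Mandatory part of the check: simple security property (no read up)
    and *-property (no write down). Returns 1 on pass, -1 on failure."""
    if x == "r":                       # observe only: subject must dominate object
        ok = subject.dominates(obj)
    elif x == "a":                     # alter only: object must dominate subject
        ok = obj.dominates(subject)
    elif x == "w":                     # observe and alter: labels must match
        ok = subject.dominates(obj) and obj.dominates(subject)
    else:                              # "e" and "c" neither observe nor alter
        ok = True
    return 1 if ok else -1

def check_request(req: Request) -> int:
    """Full check of steps 1.4/1.5 in the order of claim 6: request domain,
    then the MAC axioms, then the discretionary security property."""
    if not in_request_domain(req):
        return -1
    _, _, s2, o, x = req
    if compare(SUBJECTS[s2], OBJECTS[o], x) != 1:
        return -1
    return 1 if x in DAC_MATRIX.get((s2, o), set()) else -1

def to_crfpp_line(req: Request, result: int) -> str:
    """One record in CRF++ column format: feature columns first, label last."""
    return " ".join(list(req) + [str(result)])

def label_log(requests) -> str:
    """Label a constructed access log; a CRF++ sequence ends with a blank line."""
    return "\n".join(to_crfpp_line(r, check_request(r)) for r in requests) + "\n"
```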
CN201610043971.3A 2016-01-22 2016-01-22 MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields Pending CN105653725A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610043971.3A CN105653725A (en) 2016-01-22 2016-01-22 MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields

Publications (1)

Publication Number Publication Date
CN105653725A true CN105653725A (en) 2016-06-08

Family

ID=56486436

Country Status (1)

Country Link
CN (1) CN105653725A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060115145A1 (en) * 2004-11-30 2006-06-01 Microsoft Corporation Bayesian conditional random fields
CN101106458A (en) * 2007-08-17 2008-01-16 华中科技大学 A distributed access control method based on risk
CN101546261A (en) * 2008-10-10 2009-09-30 华中科技大学 Secure web page tag library system supported by multiple strategies
US20120254143A1 (en) * 2011-03-31 2012-10-04 Infosys Technologies Ltd. Natural language querying with cascaded conditional random fields

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YANG K et al.: "DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems", IEEE Transactions on Information Forensics and Security *
梁洪亮 et al.: "Design and Implementation of a Common Security Label Framework", Journal of Software *
马萌 et al.: "An Improved BLP Access Control Model Based on Conditional Random Fields", Computer Science *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046522A (en) * 2016-11-18 2017-08-15 深圳市证通电子股份有限公司 Safety access control method and device
CN107046522B (en) * 2016-11-18 2020-06-30 深圳市证通电子股份有限公司 Security access control method and device
CN109040044A (en) * 2018-07-25 2018-12-18 郑州云海信息技术有限公司 A kind of remote system safety regulation automatic verification method and system
CN109639735A (en) * 2019-01-24 2019-04-16 重庆邮电大学 A kind of test method of IPv6 industry wireless network security level
CN109977693A (en) * 2019-03-08 2019-07-05 北京椒图科技有限公司 A kind of generation method and device of forced symmetric centralization rule
CN110990864A (en) * 2019-11-27 2020-04-10 支付宝(杭州)信息技术有限公司 Report authority management method, device and equipment
CN111897768A (en) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Method and device for configuring object access policy
CN111897768B (en) * 2020-06-28 2024-02-02 北京可信华泰信息技术有限公司 Configuration method and device of object access policy
CN112491902A (en) * 2020-12-01 2021-03-12 北京中软华泰信息技术有限责任公司 Web application permission access control system and method based on URL
CN113765884A (en) * 2021-07-29 2021-12-07 苏州浪潮智能科技有限公司 Cross-network file mandatory access control method, device and system
CN115730020A (en) * 2022-11-22 2023-03-03 哈尔滨工程大学 Automatic driving data monitoring method and system based on MySQL database log analysis
CN115730020B (en) * 2022-11-22 2023-10-10 哈尔滨工程大学 Automatic driving data monitoring method and monitoring system based on MySQL database log analysis
CN117632905A (en) * 2023-11-28 2024-03-01 广州视声智能科技有限公司 Database management method and system based on cloud use records
CN117632905B (en) * 2023-11-28 2024-05-17 广州视声智能科技有限公司 Database management method and system based on cloud use records

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160608