CN106961441B - User dynamic access control method for Hadoop cloud platform - Google Patents

Publication number: CN106961441B
Application number: CN201710219329.0A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN106961441A
Prior art keywords: user, stage, instruction, behavior, pattern
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Inventors: 杨宏宇, 孟令现, 胡立杰, 王玥
Original assignee: Civil Aviation University of China
Current assignee: Civil Aviation University of China (the listed assignees may be inaccurate; Google has not performed a legal analysis)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/104: Grouping of entities
    • H04L63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a user dynamic access control method for a Hadoop cloud platform, which comprises the following stages in sequence: S1, building the processing modules; S2, collecting instruction sequences; S3, processing user instructions; S4, generating a global K model; S5, receiving a user request; S6, evaluating user behavior; S7, calculating a comprehensive evaluation value; and S8, assigning roles to users. The method occupies little server memory, preserves the operating and response speed of the server, classifies user behavior with high accuracy and a relatively stable access control effect, can realize dynamic access control of Hadoop cloud platform users in real time, and ensures the security of the Hadoop cloud platform.

Description

User dynamic access control method for Hadoop cloud platform
Technical Field
The invention relates to the technical field of computer authority management and access control, in particular to a user dynamic access control method for a Hadoop cloud platform.
Background
The Hadoop cloud platform is an open-source distributed computing platform. Its high reliability, scalability, efficiency and fault tolerance have made it popular with large e-commerce and Internet enterprises, and as it is applied widely across many fields its security problems become increasingly prominent. Among these, data security is one of the core problems of the Hadoop cloud platform; access control limits the capacity and scope of a user's access to data, ensures that resources are not used or accessed illegitimately, and is therefore an important guarantee of data security in the cloud platform. The existing Hadoop cloud platform does not fully consider normal or abnormal changes in user attributes in the design of its security access control mechanism, so it carries a significant hidden security risk.
At present, research on the security mechanism of the Hadoop cloud platform has made some progress at home and abroad. Gupta C et al. designed an anomaly detection system for the Hadoop platform based on density estimation and Principal Component Analysis (PCA), which monitors the user behavior of the Hadoop cloud platform in real time; but for lack of a corresponding fault-tolerant mechanism and a mechanism for handling abnormal users, it increases the workload of the cloud platform administrator. Tan Z et al. proposed a dynamic access control model based on trust level, but did not combine the trust model and the access control model well and only performed theoretical analysis; because no detection method for user behavior is described and the model is too complex, it cannot be integrated well with the conventional Hadoop cloud platform.
Disclosure of Invention
The invention aims to provide a user dynamic access control method for a Hadoop cloud platform.
Therefore, the technical scheme of the invention is as follows:
a user dynamic access control method for a Hadoop cloud platform is disclosed, wherein the Hadoop cloud platform comprises an operating system, a main server and an authentication server, and the user dynamic access control method for the Hadoop cloud platform comprises the following steps in sequence:
1) stage S1 of building a processing module: at this stage, an instruction collection module, an instruction processing module, a user request receiving module, a behavior classification module and a role division module are established on a main server of the Hadoop cloud platform, and then the stage S2 is entered;
2) stage S2 of instruction sequence Collection: at this stage, the instruction collection module collects user operation records from the main server, establishes a corresponding behavior database for each user, and then enters a stage S3;
3) stage S3 of processing the user instructions: at this stage, the instruction processing module performs parallelized processing of all instructions of each user, applying a string table compression algorithm and then a dictionary compression algorithm in sequence, extracts an instruction characteristic value for each user, and then enters stage S4;
the method for processing the user operation instruction in the step 3) comprises the following steps in sequence:
a) filtering the instruction parameter information out of the collected instruction operation records of all users, keeping only the instruction names, and arranging a fixed number of instruction names of each user into an instruction stream according to their time information to form a user instruction sequence block B;
b) extracting all instruction character combinations in the sequence from the user instruction sequence block B, namely the user instruction sequence patterns p_i, and calculating the number f_i of occurrences of each pattern p_i in the current user instruction sequence block B, obtaining the string table compression (LZW) dictionary D = {p_i, f_i};
c) then, according to the weight ω_i of each user instruction sequence pattern p_i of the LZW dictionary within the user instruction sequence block B and its pattern length L_i, extracting the final historical user behavior pattern cp, namely the instruction characteristic value of the user;
In step c), the user instruction characteristic value is extracted as follows: for each user instruction sequence pattern p_i present in the LZW dictionary D = {p_i, f_i}, every other instruction sequence pattern p_x whose edit distance from p_i is 1 is placed together with p_i in a subset, and the user instruction sequence pattern with the largest product of weight and pattern length in that subset is selected as the instruction characteristic value of the user.
4) stage S4 of generating the global K model: at this stage, K compression dictionaries are generated for each user according to the instruction characteristic value of each user, and the K compression dictionaries are grouped into a global K model G = {CD_1, CD_2, ..., CD_i, ..., CD_K}; then stage S5 is entered;
5) stage S5 of receiving a user request: in this stage, a user accesses the Hadoop cloud platform according to self needs to send an access request, the user request receiving module generates a user instruction behavior sequence S and a user behavior mode sp of the user behavior instruction sequence S according to the access request of the user, and then the S6 stage is entered;
6) stage S6 of assessment of user behavior: at this stage, judging whether a user behavior pattern sp is abnormal or not in a voting mode by using K compression dictionaries in the global K model, calibrating the user behavior pattern sp by using a behavior classification module to obtain a user behavior pattern with a classification label, and then entering an S7 stage;
7) stage S7 of calculating the comprehensive evaluation value: at this stage, calculating a user current behavior evaluation value, a user historical behavior evaluation value and a user recommended behavior evaluation value by combining the user behavior mode with the classification label obtained in the step 6); calculating a comprehensive evaluation value of the user by using the current behavior evaluation value of the user, the historical behavior evaluation value of the user, the recommended behavior evaluation value of the user and the initial evaluation value of the user, and then entering the stage S8;
8) stage S8 of assigning roles to the user: at this stage, the role division module judges whether the user behavior is abnormal according to the comprehensive evaluation value of the user; if the user behavior is normal, the administrator grants authority according to the comprehensive evaluation value and assigns roles to the user to realize resource access, and if the user behavior is abnormal, the administrator refuses the user's access and gives a service refusal prompt.
In step 6), the global K model G is updated as new instruction blocks of the user are added: after a new instruction block of the user has been completely processed into a compression dictionary, the total number of times each compression dictionary in the global K model G has judged the user behavior pattern sp to be normal, from the first access of the user behavior pattern sp to the current access, is counted, and the compression dictionary with the smallest such total is replaced by the newly generated compression dictionary.
When the user behavior is evaluated in step 6), if the edit distance between the user behavior pattern sp of the user behavior instruction sequence S and any historical user behavior pattern cp in a single compression dictionary CD_i is greater than x% of L, the single compression dictionary CD_i judges the user behavior pattern sp to be abnormal, where L is the length of the historical user behavior pattern cp and x > 30.
When the user behavior is evaluated in step 6), if more than K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the global K model judges the user behavior pattern sp to be abnormal; otherwise it judges sp to be normal. If K is even and exactly K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the decision follows the latest judgment result for the user behavior pattern sp previously stored on the main server: if that stored result is abnormal, the current user behavior pattern sp is judged abnormal, otherwise it is judged normal.
In step 7), a sliding window algorithm is used when calculating the user historical behavior evaluation value.
The method for allocating the roles to the users in the step 8) comprises the following steps in sequence:
i) setting a plurality of initial roles, and setting access authority for each initial role by an administrator;
II) mapping all users on the operating system to Hadoop cloud platform users, and realizing unified management of the platform users;
III) establishing a normal user group Gp_n and an abnormal user group Gp_a, initially adding all users who pass identity authentication to the normal user group Gp_n, and at the same time adding the normal user group Gp_n to a service level access control list;
IV) the main server compares the comprehensive behavior evaluation value T of User_i with the threshold value T_d: when T ≤ T_d, it queries whether User_i is in the abnormal user group Gp_a; if User_i is not there, User_i is added to the abnormal user group Gp_a, the time of addition Time_s and the validity period Time_v are recorded, and User_i is deleted from the normal user group Gp_n; if User_i is already there, its validity period Time_v is reset; when Time_v ≤ 0, User_i is re-added to the normal user group Gp_n;
V) when User_i sends a cloud service request to the main server after authentication by the authentication server and verification by the main server, the main server judges whether to respond to the request according to the user list in the service level access control list: if User_i is in the access control list, it responds to the request and, in combination with the authority granted to the user by the administrator, assigns different roles to the user to realize access to the resources; otherwise it returns a rejection flag through the Token and gives a service rejection prompt.
Compared with the prior art, the user dynamic access control method for the Hadoop cloud platform occupies less internal memory of the server, ensures the operating speed and the reaction speed of the server, has high accuracy in classifying user behaviors and relatively stable access control effect, can effectively realize dynamic access control on the Hadoop cloud platform user in real time, and ensures the safety of the Hadoop cloud platform.
Drawings
Fig. 1 is a flowchart of a dynamic access control method for a Hadoop cloud platform user according to the present invention.
FIG. 2 is a block diagram of a Hadoop cloud platform user dynamic access control system.
Detailed Description
The invention will be further described with reference to the following figures and specific examples, which are not intended to limit the invention in any way.
As shown in fig. 1-2, the user dynamic access control method for the Hadoop cloud platform includes the following steps performed in sequence:
1) stage S1 of building a processing module: at this stage, an instruction collection module 1, an instruction processing module 2, a user request receiving module 3, a behavior classification module 4 and a role division module 5 are established on a main server of the Hadoop cloud platform, and then the stage S2 is entered;
2) stage S2 of instruction sequence Collection: at this stage, the instruction collection module 1 collects user operation records from the main server, establishes a corresponding behavior database for each user, and then enters a stage S3;
3) stage S3 of processing the user instruction: at this stage, the instruction processing module 2 adopts the string table compression algorithm and the dictionary compression algorithm in sequence to perform parallelization processing on all instructions of each user respectively, extracts the instruction characteristic value of each user, and then enters the stage of S4;
4) stage S4 of generating the global K model: at this stage, K compression dictionaries are generated for each user according to the instruction characteristic value of each user, and the K compression dictionaries are grouped into a global K model G = {CD_1, CD_2, ..., CD_i, ..., CD_K}; then stage S5 is entered;
5) stage S5 of receiving a user request: in this stage, a user accesses the Hadoop cloud platform according to the self requirement to send an access request, the user request receiving module 3 generates a user instruction behavior sequence S and a user behavior pattern sp of the user behavior instruction sequence S according to the access request of the user, and then the stage S6 is entered;
6) stage S6 of assessment of user behavior: at this stage, judging whether a user behavior pattern sp is abnormal or not in a voting mode by using K compression dictionaries CD in the global K model, calibrating the user behavior pattern sp by using a behavior classification module 4 to obtain a user behavior pattern with a classification label, and then entering a stage S7;
7) stage S7 of calculating the comprehensive evaluation value: at this stage, calculating a user current behavior evaluation value, a user historical behavior evaluation value and a user recommended behavior evaluation value by combining the user behavior mode with the classification label obtained in the step 6); calculating a comprehensive evaluation value of the user by using the current behavior evaluation value of the user, the historical behavior evaluation value of the user, the recommended behavior evaluation value of the user and the initial evaluation value of the user, and then entering the stage S8;
8) stage S8 of role assignment to the user: at this stage, the role division module 5 judges whether the user behavior is abnormal according to the comprehensive evaluation value of the user, if the user behavior is normal, the administrator gives authority according to the comprehensive evaluation value and allocates roles to the user to realize resource access, and if the user behavior is abnormal, the administrator denies the access of the user and gives a service denial prompt.
The method for processing the user operation instruction in the step 3) comprises the following steps in sequence:
a) filtering the instruction parameter information in the collected instruction operation records of all users, only reserving instruction names, and arranging instruction names of a fixed number of each user into an instruction stream according to time information to form a user instruction sequence block B;
b) extracting all instruction character combinations in the sequence from the user instruction sequence block B, namely the user instruction sequence patterns p_i, and calculating the number f_i of occurrences of each pattern p_i in the current sequence block, obtaining the LZW dictionary D = {p_i, f_i};
c) then, according to the weight ω_i of each user instruction sequence pattern p_i within the user instruction sequence block B and its pattern length L_i, extracting the final historical user behavior pattern cp, namely the instruction characteristic value of the user.
The user instruction characteristic value in step c) is extracted as follows: for each instruction sequence pattern p_i present in the LZW dictionary D = {p_i, f_i}, every other instruction sequence pattern p_x whose edit distance from p_i is 1 is placed together with p_i in a subset, and the instruction sequence pattern with the largest product of weight and pattern length in that subset is selected as the user instruction characteristic value.
In step 6), the global K model G is updated as new instruction blocks of the user are added: after a new instruction block of the user has been completely processed into a compression dictionary, the total number of times each compression dictionary in the global K model has judged the user behavior pattern sp to be normal, from the first access of the user behavior pattern sp to the current access, is counted, and the compression dictionary with the smallest such total is replaced by the newly generated compression dictionary.
When the user behavior is evaluated in step 6), if the edit distance between the user behavior pattern sp of the user behavior instruction sequence S and any historical user behavior pattern cp in a single compression dictionary CD_i is greater than x% of L, the single compression dictionary CD_i judges the user behavior pattern sp to be abnormal, where L is the length of the historical user behavior pattern cp and x > 30.
When the user behavior is evaluated in step 6), if more than K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the global K model judges the user behavior pattern sp to be abnormal; otherwise it judges sp to be normal. If K is even and exactly K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the decision follows the latest judgment result for the user behavior pattern sp previously stored on the main server: if that stored result is abnormal, the current user behavior pattern sp is judged abnormal, otherwise it is judged normal.
In step 7), a sliding window algorithm is used when calculating the user historical behavior evaluation value.
The method for allocating the roles to the users in the step 8) comprises the following steps in sequence:
i) setting a plurality of initial roles, and setting access authority for each initial role by an administrator;
II) mapping all users on the operating system to Hadoop cloud platform users, and realizing unified management of the platform users;
III) establishing a normal user group Gp_n and an abnormal user group Gp_a, initially adding all users who pass identity authentication to the normal user group Gp_n, and at the same time adding the normal user group Gp_n to a service level access control list;
IV) the main server compares the comprehensive behavior evaluation value T of User_i with the threshold value T_d: when T ≤ T_d, it queries whether User_i is in the abnormal user group Gp_a; if User_i is not there, User_i is added to the abnormal user group Gp_a, the time of addition Time_s and the validity period Time_v are recorded, and User_i is deleted from the normal user group Gp_n; if User_i is already there, its validity period Time_v is reset; when Time_v ≤ 0, User_i is re-added to the normal user group Gp_n;
V) when User_i sends a cloud service request to the main server after authentication by the authentication server and verification by the main server, the main server judges whether to respond to the request according to the user list in the service level access control list: if User_i is in the access control list, it responds to the request and, in combination with the authority granted to the user by the administrator, assigns different roles to the user to realize access to the resources; otherwise it returns a rejection flag through the Token and gives a service rejection prompt.
The embodiment of the user dynamic access control method for the Hadoop cloud platform provided by the invention comprises the following steps:
firstly, establishing an instruction collection module 1, an instruction processing module 2, a user request receiving module 3, a behavior classification module 4 and a role division module 5 on a main server of a Hadoop cloud platform;
then, the instruction collection module 1 collects user operation records from the main server, and establishes a corresponding behavior database for each user,
secondly, the instruction processing module 2 adopts a string table compression algorithm and a dictionary compression algorithm in sequence to respectively carry out parallelization processing on all instructions of each user, and the method for extracting the instruction characteristic value of each user is as follows:
a) filtering the instruction parameter information in the collected instruction operation records of all users, only reserving instruction names, and arranging the instruction names of a fixed number of each user into an instruction stream according to time information to form a user instruction sequence block B;
b) extracting all instruction character combinations in the sequence from the user instruction sequence block B, namely the user instruction sequence patterns p_i, and calculating the number f_i of occurrences of each pattern p_i in the current user instruction sequence block B, obtaining the LZW dictionary D = {p_i, f_i};
c) then, according to the weight ω_i of each user instruction sequence pattern p_i of the LZW dictionary within the user instruction sequence block B and its pattern length L_i, extracting the final historical user behavior pattern cp, namely the instruction characteristic value of the user; the user instruction characteristic value is extracted as follows: for each instruction sequence pattern p_i present in the LZW dictionary D, every other user instruction sequence pattern p_x whose edit distance from p_i is 1 is placed together with p_i in a subset, and the user instruction sequence pattern with the largest product of weight and pattern length in that subset is selected as the instruction characteristic value of the user;
where the weight ω_i of the user instruction sequence pattern p_i is calculated by formula (1):
[Formula (1) appears as an image in the original (Figure GDA0002374057920000091) and is not reproduced here.]
In formula (1), f_i is the number of occurrences of the user instruction sequence pattern p_i in the current user instruction sequence block B, and n is the number of distinct user instruction sequence patterns p_i in the current user instruction sequence block B;
then, K compression dictionaries are generated for each user according to the instruction characteristic value of each user, and the K compression dictionaries are combined into a global K model G = {CD_1, CD_2, ..., CD_i, ..., CD_K};
Then, when a user accesses the Hadoop cloud platform according to self needs and sends an access request, the user request receiving module 3 generates a user instruction behavior sequence S and a user behavior mode sp of the user behavior instruction sequence S according to the access request of the user;
secondly, the K compression dictionaries in the global K model judge by voting whether the user behavior pattern sp is abnormal, and the behavior classification module 4 labels the user behavior pattern sp: if more than K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the global K model judges it abnormal, otherwise the global K model judges it normal; if K is even and exactly K/2 compression dictionaries in the global K model judge the user behavior pattern sp to be abnormal, the decision follows the latest judgment result for the user behavior pattern sp previously stored on the main server: if that stored result is abnormal, the current user behavior pattern sp is judged abnormal, otherwise it is judged normal. The user behavior pattern sp is then labeled, a normal user behavior pattern sp being 1 and an abnormal one 0, which yields the user behavior pattern with its classification label. The global K model G is updated as new instruction blocks of the user are added: after a new instruction block of the user has been completely processed into a compression dictionary, the total number of times each compression dictionary in the global K model G has judged the user behavior pattern sp to be normal, from the first access of the user behavior pattern sp to the current access, is counted, and the compression dictionary with the smallest such total is replaced by the newly generated compression dictionary.
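As an added example (not the patent's code), the pattern dictionary and feature extraction of stage S3 and the K-model vote and update of stage S6 carried through in Python. Assumptions: ω_i = f_i / Σf (formula (1) is an image in the source), x = 30, a dictionary CD_i votes "abnormal" only when no cp in it lies within x% of its length L, and a replaced dictionary's "normal" counter restarts at 0; the instruction blocks are constructed.

```python
# Added example (not the patent's code): LZW-style pattern dictionary and
# feature extraction (stage S3), K-model vote and update (stage S6).
# Assumptions: omega_i = f_i / sum(f) (formula (1) is an image in the source),
# x = 30, and a dictionary judges sp abnormal when no cp in it is within x% of L.
from collections import Counter


def edit_distance(a, b):
    """Levenshtein distance between two instruction-name sequences."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_lzw_dictionary(block):
    """Step b): D = {p_i: f_i}, every contiguous sub-sequence of block B with its count."""
    d = Counter()
    for i in range(len(block)):
        for j in range(i + 1, len(block) + 1):
            d[tuple(block[i:j])] += 1
    return d


def extract_patterns(d):
    """Step c): group each p_i with the patterns at edit distance 1 and keep the
    member with the largest omega_i * L_i. The set of winners is the compression
    dictionary CD, i.e. the historical behaviour patterns cp of the user."""
    total = sum(d.values())
    weight = {p: f / total for p, f in d.items()}  # assumed form of formula (1)
    cd = set()
    for p in d:
        subset = [q for q in d if q == p or edit_distance(p, q) == 1]
        cd.add(max(subset, key=lambda q: weight[q] * len(q)))  # first max on ties
    return cd


def dictionary_votes_abnormal(cd, sp, x=30):
    """A single CD_i judges sp abnormal when every cp is further than x% of L = len(cp)."""
    return all(edit_distance(sp, cp) > x / 100 * len(cp) for cp in cd)


def k_model_is_abnormal(model, sp, last_result, x=30):
    """Majority vote over the K dictionaries; with even K an exact K/2 split
    falls back to the last judgment stored for sp (True = abnormal)."""
    k = len(model)
    abnormal = sum(dictionary_votes_abnormal(cd, sp, x) for cd in model)
    if 2 * abnormal > k:
        return True
    if k % 2 == 0 and 2 * abnormal == k:
        return last_result
    return False


def update_model(model, normal_counts, new_cd):
    """Stage S6 update: the dictionary that has judged sp normal the fewest
    times is replaced by the newly generated one. Returns the replaced index."""
    i = min(range(len(model)), key=lambda n: normal_counts[n])
    model[i] = new_cd
    normal_counts[i] = 0  # assumption: the new dictionary starts with no votes
    return i


# Constructed sample: three instruction blocks of one user, parameters already
# filtered out (step a), giving a global K model with K = 3.
BLOCKS = [
    ["ls", "cd", "cat", "ls", "cd", "cat", "hdfs", "ls", "cd", "cat"],
    ["ls", "cd", "cat", "hdfs", "ls", "cd", "cat", "grep", "ls", "cd"],
    ["cd", "cat", "ls", "cd", "cat", "ls", "hdfs", "cd", "cat", "ls"],
]
MODEL = [extract_patterns(build_lzw_dictionary(b)) for b in BLOCKS]

if __name__ == "__main__":
    sp = ("ls", "cd", "cat")
    print("abnormal:", k_model_is_abnormal(MODEL, sp, last_result=False))
```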
Then, calculating a user current behavior evaluation value, a user historical behavior evaluation value and a user recommended behavior evaluation value; and calculating a comprehensive evaluation value of the user by using the current behavior evaluation value of the user, the historical behavior evaluation value of the user, the recommended behavior evaluation value of the user and the initial evaluation value of the user, wherein a calculation formula of the comprehensive evaluation value of the user is as follows:
$T = T_s + \alpha \times V_n + \beta \times V_p + \gamma \times V_r$ (2)
In formula (2), T is the comprehensive evaluation value of the user; T_s is the initial behavior evaluation value set by the Hadoop cloud platform for all users; V_n is the user current behavior evaluation value; V_p is the user historical behavior evaluation value; V_r is the user recommended behavior evaluation value; and α, β, γ are the weights of the user current behavior evaluation value V_n, the user historical behavior evaluation value V_p and the user recommended behavior evaluation value V_r respectively, which according to the principle of user behavior evaluation should satisfy α > β > γ and α + β + γ = 1;
where the user current behavior evaluation value V_n is calculated as follows:
$V_n = w + \lambda(-\theta \times j)$ (3)
In formula (3), w is a constant; θ (0 ≤ θ ≤ 1) represents the magnitude of the effect of abnormal behavior on the user current behavior evaluation value V_n; λ is a selection factor, λ = 1 when the current behavior of the user is abnormal and λ = 0 otherwise; j is the cumulative number of times the behavior has been judged abnormal from when the user rejoined the normal user group until the current behavior is performed.
The user historical behavior evaluation value V_p is calculated with a sliding window algorithm: user behavior records beyond the left edge of the sliding window are expired records, and the right edge of the sliding window is placed just to the left of the current user behavior. When calculating the evaluation value, only the user behaviors within the sliding window are evaluated. The user historical behavior evaluation value V_p is calculated as follows:
Formula (4): [equation image, not reproduced in the text]
In formula (4), T is the length of the sliding window; i is the serial number of a user behavior pattern sp within the sliding window; V_n is the user current behavior evaluation value.
The user recommended behavior evaluation value V_r is calculated as follows:
Formula (5): [equation image, not reproduced in the text]
In formula (5), k is the number of user recommended evaluation values given by the Hadoop cloud platform; V_ri is the i-th user recommended behavior evaluation value given by the Hadoop cloud platform.
Finally, the role division module 5 judges whether the user behavior is abnormal according to the comprehensive evaluation value of the user in the following steps:
I) several initial roles are set, and the administrator sets the access authority of each initial role;
II) all users on the operating system are mapped to Hadoop cloud platform users, so that the platform users are managed uniformly;
III) a normal user group Gp_n and an abnormal user group Gp_a are established; all users who initially pass identity authentication are added to the normal user group Gp_n, and at the same time the normal user group Gp_n is added to the service level access control list;
IV) the main server compares the comprehensive behavior evaluation value T of User_i with the threshold value T_d. When T ≤ T_d, it queries the abnormal user group Gp_a for User_i: if User_i is not present, User_i is added to the abnormal user group Gp_a, the time of addition Time_s and the validity period Time_v are recorded, and User_i is deleted from the normal user group Gp_n; if User_i is already present, its validity period Time_v is reset. When Time_v ≤ 0, User_i is re-added to the normal user group Gp_n;
V) when User_i sends a cloud service request to the main server after authentication by the authentication server and verification by the main server, the main server decides whether to respond to the request according to the user list in the service level access control list: if User_i is in the access control list, the user behavior is normal, the request is answered and, combining the authority granted to the user by the administrator, the user is assigned a role that realizes the access to resources; otherwise the user behavior is abnormal, a rejection flag is returned through the Token and a service refusal prompt is given.
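The scoring and group handling above, as an added example that is not the patent's own code: formulas (2) and (3) are implemented with the stated constraints on α, β, γ and θ, while V_p and V_r are passed in as already-computed inputs because formulas (4) and (5) survive only as images on the page; steps III) to V) are modelled with a threshold T_d, an abnormal group whose entries carry a validity period Time_v, and a service-level access control list that coincides with the normal group. All user names and sample values are constructed.

```python
from dataclasses import dataclass, field

def current_behavior_value(w, theta, abnormal, j):
    """Formula (3): V_n = w + lambda*(-theta*j), lambda = 1 if the current behavior is
    abnormal else 0, j = abnormal judgments since the user rejoined the normal group."""
    if not 0.0 <= theta <= 1.0:
        raise ValueError("theta must lie in [0, 1]")
    return w + (1 if abnormal else 0) * (-theta * j)

def comprehensive_value(t_s, v_n, v_p, v_r, alpha, beta, gamma):
    """Formula (2): T = T_s + alpha*V_n + beta*V_p + gamma*V_r, with the text's
    constraints alpha > beta > gamma and alpha + beta + gamma = 1 enforced."""
    if not (alpha > beta > gamma and abs(alpha + beta + gamma - 1.0) < 1e-9):
        raise ValueError("weights must satisfy alpha > beta > gamma and sum to 1")
    return t_s + alpha * v_n + beta * v_p + gamma * v_r

@dataclass
class RoleDivision:
    """Normal group Gp_n (also the service-level ACL) and abnormal group Gp_a."""
    t_d: float            # threshold T_d
    validity: float       # validity period Time_v assigned on entry to Gp_a
    normal: set = field(default_factory=set)
    abnormal: dict = field(default_factory=dict)  # user -> {"time_s", "time_v"}

    def authenticate(self, user):
        """Step III): every authenticated user starts in Gp_n."""
        self.normal.add(user)

    def evaluate(self, user, t, now):
        """Step IV): T <= T_d moves the user to Gp_a (or resets Time_v if already there)."""
        if t <= self.t_d:
            self.abnormal[user] = {"time_s": now, "time_v": self.validity}
            self.normal.discard(user)

    def expire(self, now):
        """Users whose remaining Time_v has reached 0 rejoin Gp_n."""
        for user, rec in list(self.abnormal.items()):
            if rec["time_s"] + rec["time_v"] - now <= 0:
                del self.abnormal[user]
                self.normal.add(user)

    def service_request(self, user):
        """Step V): respond only for users listed in the service-level ACL; otherwise
        return the rejection flag (Token) and a service-refused prompt."""
        if user in self.normal:
            return {"granted": True}
        return {"granted": False, "token": "REJECT", "prompt": "service refused"}

def demo():
    """Constructed walk-through (values are illustrative, not from the patent)."""
    alpha, beta, gamma = 0.5, 0.3, 0.2
    rd = RoleDivision(t_d=1.0, validity=60)
    rd.authenticate("alice"); rd.authenticate("bob")
    # alice: normal current behavior; bob: abnormal, second abnormal judgment (j = 2)
    t_alice = comprehensive_value(0.5, current_behavior_value(1.0, 0.5, False, 0), 0.8, 0.6, alpha, beta, gamma)
    t_bob = comprehensive_value(0.5, current_behavior_value(1.0, 0.5, True, 2), 0.8, 0.6, alpha, beta, gamma)
    rd.evaluate("alice", t_alice, now=0)
    rd.evaluate("bob", t_bob, now=0)
    before = (rd.service_request("alice")["granted"], rd.service_request("bob")["granted"])
    rd.expire(now=61)   # bob's Time_v has run out, so he is re-added to Gp_n
    return t_alice, t_bob, before, rd.service_request("bob")["granted"]
```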

Claims (4)

1. A user dynamic access control method for a Hadoop cloud platform, the Hadoop cloud platform comprising an operating system, a main server and an authentication server, characterized by comprising the following steps in sequence:
1) stage S1 of building a processing module: at this stage, an instruction collection module, an instruction processing module, a user request receiving module, a behavior classification module and a role division module are set up on a main server of the Hadoop cloud platform, and then the stage S2 is entered;
2) stage S2 of instruction sequence collection: at this stage, the instruction collection module (1) collects user operation records from the main server, establishes a corresponding behavior database for each user, and then enters stage S3;
3) stage S3 of processing the user instruction: at this stage, the instruction processing module (2) respectively performs parallelization processing on all instructions of each user by sequentially adopting a string table compression algorithm and a dictionary compression algorithm, extracts an instruction characteristic value of each user, and then enters an S4 stage;
the method for processing the user operation instruction in the step 3) comprises the following steps in sequence:
a) filtering the instruction parameter information in the collected instruction operation records of all users, only reserving instruction names, and arranging the instruction names of a fixed number of each user into an instruction stream according to time information to form a user instruction sequence block B;
b) extracting from the user instruction sequence block B all instruction character combinations in the sequence, namely the user instruction sequence patterns p_i, and calculating the number of occurrences f_i of each user instruction sequence pattern p_i in the current user instruction sequence block B, thereby obtaining the string table compression algorithm (LZW) dictionary D = {p_i, f_i};
c) then, according to the weight ω_i of each user instruction sequence pattern p_i of the LZW dictionary within the user instruction sequence block B and its pattern length L_i, extracting the final historical user behavior pattern cp, namely the instruction characteristic value of the user;
the method for extracting the instruction characteristic value of the user in step c) is: for each user instruction sequence pattern p_i in the LZW dictionary D = {p_i, f_i}, putting every other instruction sequence pattern p_x whose edit distance from p_i is 1 into a subset, and selecting from the subset the user instruction sequence pattern with the largest product of weight and pattern length as the instruction characteristic value of the user;
4) stage S4 of generating the global K model: at this stage, K compression dictionaries are generated for each user according to the instruction characteristic value of each user and are grouped into a global K model G, where G = {CD_1, CD_2, ..., CD_i, ..., CD_K}, and then the S5 stage is entered;
5) stage S5 of receiving a user request: in this stage, a user accesses the Hadoop cloud platform according to self needs to send an access request, the user request receiving module generates a user instruction behavior sequence S and a user behavior mode sp of the user behavior instruction sequence S according to the access request of the user, and then the S6 stage is entered;
6) stage S6 of evaluating the user behavior: at this stage, if the edit distance between the user behavior pattern sp of the user behavior instruction sequence S and any historical user behavior pattern cp in a single compression dictionary CD_i is greater than xL, that single compression dictionary CD_i judges the user behavior pattern sp to be abnormal, where L is the length of the historical user behavior pattern cp and x > 30;
Judging whether a user behavior pattern sp is abnormal or not in a voting mode by using K compression dictionaries in the global K model G, calibrating the user behavior pattern sp by using a behavior classification module to obtain a user behavior pattern with a classification label, and then entering an S7 stage;
when the user behavior is evaluated, if more than K/2 compression dictionaries exist in the global K model G to judge that a user behavior pattern sp is abnormal, the global K model G judges that the user behavior pattern sp is abnormal, otherwise, the global K model G is normal; if K is an even number and the number of compression dictionaries in the global K model G for judging that the user behavior pattern sp is abnormal is K/2, judging according to the latest judgment result of the user behavior pattern sp stored in the main server before, if the latest judgment result of the user behavior pattern sp stored in the main server is abnormal, the current user behavior pattern sp is abnormal, and if not, the current user behavior pattern sp is normal;
7) stage S7 of calculating the comprehensive evaluation value: at this stage, calculating a user current behavior evaluation value, a user historical behavior evaluation value and a user recommended behavior evaluation value by combining the user behavior mode with the classification label obtained in the step 6); calculating a comprehensive evaluation value of the user by using the current behavior evaluation value of the user, the historical behavior evaluation value of the user, the recommended behavior evaluation value of the user and the initial evaluation value of the user, and then entering the stage S8;
8) stage S8 of role assignment to the user: at this stage, the role division module judges whether the user behavior is abnormal according to the comprehensive evaluation value of the user; if the user behavior is normal, the administrator grants authority according to the comprehensive evaluation value and assigns roles to the user to realize resource access, and if the user behavior is abnormal, the access of the user is refused and a service refusal prompt is given.
2. The method as claimed in claim 1, wherein the global K model G in step 6) is updated with addition of a new instruction block of the user, and each time a compression dictionary is completely generated by the new instruction block of the user, the total number of times that the user behavior pattern sp is determined to be normal is counted for each compression dictionary in the global K model G, and the number of times is counted from the first access of the user behavior pattern sp to the current access, and the compression dictionary with the least total number of times that the user behavior pattern sp is determined to be normal in the global K model is replaced with the newly generated compression dictionary.
3. The method as claimed in claim 1, wherein a sliding window algorithm is used in the step 7) of calculating the evaluation value of the historical behavior of the user.
4. The method as claimed in claim 1, wherein the method for assigning roles to users in step 8) comprises the following steps in sequence:
I) setting a plurality of initial roles, and setting access authority for each initial role by an administrator;
II) mapping all users on the operating system to Hadoop cloud platform users, and realizing unified management of the platform users;
III) establishing a normal user group Gp_n and an abnormal user group Gp_a, adding all users initially passing identity authentication into the normal user group Gp_n, and at the same time adding the normal user group Gp_n into a service level access control list;
IV) the main server compares the comprehensive behavior evaluation value T of User_i with the threshold value T_d: when T ≤ T_d, it queries the abnormal user group Gp_a for User_i; if User_i is not present, User_i is added to the abnormal user group Gp_a, the time of addition Time_s and the validity period Time_v are recorded, and User_i is deleted from the normal user group Gp_n; if User_i is present, its validity period Time_v is reset; when Time_v ≤ 0, User_i is re-added to the normal user group Gp_n;
V) when User_i sends a cloud service request to the main server after authentication by the authentication server and verification by the main server, the main server judges whether to respond to the request according to the user list in the service level access control list: if User_i is in the access control list, the request is responded to and, combining the authority granted to the user by the administrator, different roles are allocated to the user to realize the access to the resources; otherwise, a rejection flag is returned through the Token and a rejection service prompt is given.
CN201710219329.0A 2017-04-06 2017-04-06 User dynamic access control method for Hadoop cloud platform Active CN106961441B (en)

Publications (2)

Publication Number Publication Date
CN106961441A CN106961441A (en) 2017-07-18
CN106961441B true CN106961441B (en) 2020-05-22

Family

ID=59484043

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant