CN110334116B - Optimal object granularity determination method based on multi-granularity decision system - Google Patents


Info

Publication number: CN110334116B
Authority: CN (China)
Prior art keywords: granularity, access, optimal, control system, layer
Legal status: Active
Application number: CN201910625217.4A
Other languages: Chinese (zh)
Other versions: CN110334116A
Inventors: 韩道军, 薛钰, 臧国轻, 沈亚田, 许晨波, 陈金育
Current assignee: Henan University
Original assignee: Henan University
Events: application filed by Henan University; priority to CN201910625217.4A; publication of CN110334116A; application granted; publication of CN110334116B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2453 Query optimisation
    • G06F16/2455 Query execution
    • G06F16/24553 Query execution of query operations
Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an optimal object granularity determination method based on a multi-granularity decision system, which comprises the following steps: A: judging whether the access control system to be processed is a newly built access control system or an access control system to be optimized; B: judging whether a consistent multi-granularity-level object granularity decision model is stored in the database; C: constructing an object granularity decision model with multiple granularity levels; D: selecting the determined optimal object granularity according to the number of granularity layers in the constructed multi-granularity-level object granularity decision model; E: calling the consistent multi-granularity-level object granularity decision model to reduce the accessed objects; F: respectively calculating the global optimal object granularity and the set of local optimal object granularities of all objects, then selecting the determined optimal object granularity according to the deviation ratio of the global optimal object granularity and the average of the deviation ratios of the local optimal object granularities of all objects. The invention simplifies the process of confirming the optimal object granularity.

Description

Optimal object granularity determination method based on multi-granularity decision system
Technical Field
The invention relates to the field of object granularity optimization in access control systems, and in particular to an optimal object granularity determination method based on a multi-granularity decision system.
Background
At present, access granularity selection in an access control system has two aspects: on one hand, the selection of role permission granularity in role-based access control models, and on the other hand, the selection of access permission granularity, where access permission granularity is further divided into object granularity and operation granularity.
In existing access control systems, the selection of object-granularity access permissions still relies on traditional experience. Information security requirement analysis first clarifies the client's requirements, and the most widely used technique for acquiring user requirements is still the interview. Interviews take two forms, formal and informal. In a formal interview the system analyst prepares specific questions in advance; in an informal interview the analyst asks open questions that the user may answer freely. When the opinions of a large number of people must be surveyed, questionnaires are distributed to the respondents, the analyst reads the returned questionnaires, visits selected users to ask the new questions that arose while analysing the questionnaires, and then compares and analyses the interview results to determine the choice of object granularity. This requirement analysis process has the drawbacks of a long time period and high cost. Secondly, the selected permission granularity and the system requirements can be badly mismatched: on one hand, the requirement analyst is a natural person and can make subjective errors; on the other hand, the customer's needs may change while the system is being developed. Because of these technical limitations, there has been little research on how to select the optimal object access granularity in an access control system.
Existing permission granularity selection methods are rigid, and in the face of complex and changing user requirements the selectable range of a subject's access permission on an object is small. If the subject's access authority is too large, information can be leaked unintentionally, Trojan attacks cannot be effectively prevented, and flexibility is poor. Otherwise, the process of authorizing the access subject on the access object becomes complicated and the mechanism implementing the access operation becomes complex. Therefore, selecting an appropriate access authority granularity for performing access behaviours in a multi-granularity access control system is an urgent need.
Disclosure of Invention
The invention aims to provide an optimal object granularity determination method based on a multi-granularity decision system, which simplifies the process of determining the optimal object granularity when an access control system is newly built or an existing access control system is optimized, avoids wasting resources, and provides technical support for the selection of permission object granularity in information security requirement analysis.
The invention adopts the following technical scheme:
1. An optimal object granularity determination method based on a multi-granularity decision system, comprising the following steps:
A: judging whether the access control system to be processed is a newly built access control system or an access control system to be optimized; if it is a newly built access control system, proceed to step B; if it is an access control system to be optimized, proceed to step F;
B: judging, according to the actual usage requirements of the newly built access control system, whether a multi-granularity-level object granularity decision model consistent with the newly built access control system is stored in the database; if no consistent multi-granularity-level object granularity decision model exists in the database, proceed to step C; if the database stores a consistent multi-granularity-level object granularity decision model, proceed to step E;
C: on the basis of the single-granularity-level object granularity decision model, constructing a multi-granularity-level object granularity decision model for the access control system by taking different granularity levels of the access authority on the access objects; then proceed to step D;
D: according to the number of granularity layers in the multi-granularity-level object granularity decision model constructed in step C, if the number of granularity layers is at most three, calculating the global optimal object granularity and using it as the determined optimal object granularity; if the number of granularity layers is more than three, calculating the set of local optimal object granularities and using it as the determined optimal object granularity; then storing the multi-granularity-level object granularity decision model constructed in step C and the determined optimal object granularity in the database;
E: calling the multi-granularity-level object granularity decision model consistent with the newly built access control system from the database, performing a reduction operation on the access objects, selecting part of the access subjects according to the actual usage requirements of the newly built access control system, and obtaining the optimal object granularity for the access objects using the multi-granularity-level object granularity decision model called from the database;
F: respectively calculating the global optimal object granularity of the access control system to be optimized and the set of local optimal object granularities of all objects; then calculating the deviation ratio p of the global optimal object granularity and the average q of the deviation ratios of the local optimal object granularities of all objects; finally comparing p with q: if p ≥ q, selecting the calculated global optimal object granularity as the determined optimal object granularity, and if p < q, selecting the calculated set of local optimal object granularities as the determined optimal object granularity.
In step C:
The single-granularity-level object granularity decision model is the triple $\mathrm{OGDM} = (S\{r\}, O, J)$, where $S$ is the set of access subjects, $O$ the set of access objects, $J$ the access authority and $r$ the access result,
[formula]
Let $S = \{x_1, x_2, \dots, x_n\}$ and $O = \{a_1, a_2, \dots, a_m\}$, where $x_1, x_2, \dots, x_n$ denote the 1st, 2nd, …, $n$-th access subjects and $a_1, a_2, \dots, a_m$ denote the 1st, 2nd, …, $m$-th access objects.
When the access subjects $S$ observe the access authority $J$ at different scales, different observed values are obtained and a multi-granularity-level object granularity decision model $\mathrm{OGDM}_k$ results, where $k$ indexes the layers over all granularity layers that can be constructed. The number of granularity layers constructed in $\mathrm{OGDM}_k$ is $I$; the layers are built layer by layer from fine granularity to coarse granularity; the access subjects are $S = \{x_1, x_2, \dots, x_n\}$, and the access object set of each layer is recorded as
[formula]
[formula]
which denote the 1st, 2nd, …, $m$-th access objects in the $k$-th layer object granularity decision model; this yields the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k = (S\{r\}, O_k, J)$.
In step D:
The global optimal object granularity is determined as follows:
D11: On each layer of the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k$, partition the access objects by the access subjects: suppose that the access subjects $x_1, x_2, \dots, x_n$ under access object [formula] and the access subjects $x_1, x_2, \dots, x_n$ under access object [formula] correspond one to one and identically; then put [formula] and [formula] into one class. Proceed in the same way, record the partition results, and obtain the set of partition results of each layer, denoted $R_O$.
D12: On each layer of $\mathrm{OGDM}_k$, partition the access objects by the access result: suppose access objects [formula] and [formula] allow access while access objects [formula] and [formula] do not allow access; partitioning by the access result puts [formula] and [formula] into one class and [formula] and [formula] into another class. Proceed in the same way, record the partition results, and obtain the set of all access objects $a_k$ on each layer, denoted $R_r$.
D13: Compare the partition result $R_O$ with the partition result $R_r$: if [formula], the decision system of that layer is coordinated; if [formula], the decision system of that layer is uncoordinated. The layer preceding the first uncoordinated granularity layer is the global optimal object granularity. $R_O$ denotes the set obtained by partitioning the access objects by access subject, and $R_r$ denotes the set obtained by partitioning the access objects by the authority result.
The local optimal object granularity is determined as follows:
D21: On each layer of the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k$, partition the access objects by the access subjects: suppose that the access subjects $x_1, x_2, \dots, x_n$ under access object [formula] and the access subjects $x_1, x_2, \dots, x_n$ under access object $a_2$ correspond one to one and identically; then put [formula] and [formula] into one class. Proceed in the same way, record the partition results, and obtain the set containing each access object $a_k$, denoted
[formula]
where $k$ is the layer index;
D22: On each layer of $\mathrm{OGDM}_k$, partition the access objects by the access result: suppose access objects [formula] and [formula] allow access while access objects [formula] and [formula] do not allow access; partitioning by the access result puts [formula] and [formula] into one class and [formula] and [formula] into another class. Proceed in the same way, record the partition results, and obtain the set containing each access object $a_k$, denoted $[a]_r$.
D23: For each access object $a_k$, check whether its set $[a]_r$ from step D22 contains its set from step D21,
[formula]
If [formula], the decision system of that layer is coordinated for access object $a_k$; if [formula], the decision system of that layer is uncoordinated for access object $a_k$. The layer preceding the first uncoordinated granularity layer is the local optimal object granularity of access object $a_k$, i.e. when
[formula]
and
[formula]
the granularity of the $k$-th layer is the local optimal object granularity of access object $a_k$. This yields the set of local optimal object granularities of all access objects.
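The following Python program is an added worked example, not code from the patent or its inventors. It implements steps C and D as described above (and repeated in the Detailed Description below): it builds a three-layer model OGDM_k from a constructed fine-grained authority table by coarsening the authority values J layer by layer, partitions the objects of each layer by their subject vectors (R_O) and by their access result (R_r), and derives the global optimal granularity (D11 to D13) and the local optimal granularity of each object (D21 to D23). Two readings are assumptions of the example rather than statements of the page: a layer (or an object) is taken as coordinated when its subject-based class lies inside its result-based class, which is the containment test D23 states for a single object and which is applied here to every object for D13; and when no uncoordinated layer exists the coarsest layer I is returned. The subject names, authority values and coarsening maps are constructed sample data.

```python
"""Added example, not the patent's own code: steps C and D of the method.

Assumed reading: each access object is a row of a decision table, each access
subject is a condition attribute whose value is the authority J granted to that
subject on the object, and r is the per-object access result (the decision).
A layer is coordinated when the partition of objects by subject vectors (R_O)
refines the partition by access result (R_r).
"""
from typing import Dict, List, Optional, Tuple

Row = Tuple[Dict[str, str], str]      # (authority per subject, access result r)
Table = Dict[str, Row]                 # one layer OGDM_k: object -> row

# Constructed sample data (not from the patent): four subjects, six objects.
SUBJECTS = ["x1", "x2", "x3", "x4"]
FINE_TABLE: Table = {                  # layer 1, the finest scale of J
    "a1": ({"x1": "rwx",  "x2": "r",    "x3": "none", "x4": "none"}, "allow"),
    "a2": ({"x1": "rw",   "x2": "r",    "x3": "none", "x4": "none"}, "allow"),
    "a3": ({"x1": "r",    "x2": "none", "x3": "none", "x4": "none"}, "deny"),
    "a4": ({"x1": "x",    "x2": "none", "x3": "none", "x4": "none"}, "allow"),
    "a5": ({"x1": "none", "x2": "r",    "x3": "none", "x4": "none"}, "deny"),
    "a6": ({"x1": "rw",   "x2": "rw",   "x3": "none", "x4": "none"}, "deny"),
}
# Coarsening maps for J from layer k to layer k+1 (fine -> coarse), so the
# model has I = len(SCALES) + 1 layers.
SCALES = [
    {"rwx": "write", "rw": "write", "r": "read", "x": "read", "none": "none"},
    {"write": "any", "read": "any", "none": "none"},
]


def build_layers(fine: Table, scales: List[Dict[str, str]]) -> List[Table]:
    """Step C: OGDM_1 .. OGDM_I; J is coarsened per layer, r is unchanged."""
    layers = [fine]
    for scale in scales:
        layers.append({a: ({s: scale[v] for s, v in row.items()}, r)
                       for a, (row, r) in layers[-1].items()})
    return layers


def partition_by_subjects(table: Table, subjects: List[str]) -> Dict[str, frozenset]:
    """R_O: objects whose J vectors over the subjects agree form one class.
    Returns object -> its class [a]_O."""
    classes: Dict[tuple, set] = {}
    for a, (row, _) in table.items():
        classes.setdefault(tuple(row[s] for s in subjects), set()).add(a)
    return {a: frozenset(classes[tuple(row[s] for s in subjects)])
            for a, (row, _) in table.items()}


def partition_by_result(table: Table) -> Dict[str, frozenset]:
    """R_r: objects with the same access result r form one class ([a]_r)."""
    classes: Dict[str, set] = {}
    for a, (_, r) in table.items():
        classes.setdefault(r, set()).add(a)
    return {a: frozenset(classes[r]) for a, (_, r) in table.items()}


def object_coordinated(a: str, r_o: Dict[str, frozenset], r_r: Dict[str, frozenset]) -> bool:
    """D23 test for one object: [a]_O is contained in [a]_r."""
    return r_o[a] <= r_r[a]


def layer_coordinated(table: Table, subjects: List[str]) -> bool:
    """D13 test for a whole layer: every class of R_O lies inside a class of R_r."""
    r_o, r_r = partition_by_subjects(table, subjects), partition_by_result(table)
    return all(object_coordinated(a, r_o, r_r) for a in table)


def global_optimal(layers: List[Table], subjects: List[str]) -> Optional[int]:
    """D11-D13: the layer preceding the first uncoordinated layer (layers are
    numbered 1..I from fine to coarse). None if even layer 1 is uncoordinated;
    I if every layer is coordinated (assumption of this example)."""
    for k, table in enumerate(layers, start=1):
        if not layer_coordinated(table, subjects):
            return k - 1 if k > 1 else None
    return len(layers)


def local_optimal(layers: List[Table], subjects: List[str]) -> Dict[str, Optional[int]]:
    """D21-D23: per object, the layer preceding its first uncoordinated layer."""
    parts = [(partition_by_subjects(t, subjects), partition_by_result(t)) for t in layers]
    result: Dict[str, Optional[int]] = {}
    for a in layers[0]:
        result[a] = len(layers)           # coordinated everywhere -> coarsest layer
        for k, (r_o, r_r) in enumerate(parts, start=1):
            if not object_coordinated(a, r_o, r_r):
                result[a] = k - 1 if k > 1 else None
                break
    return result


def determine_optimal(layers: List[Table], subjects: List[str]):
    """Step D: at most three layers -> global optimum, otherwise local optima."""
    if len(layers) <= 3:
        return "global", global_optimal(layers, subjects)
    return "local", local_optimal(layers, subjects)


if __name__ == "__main__":
    model = build_layers(FINE_TABLE, SCALES)
    for k, layer in enumerate(model, start=1):
        print(f"layer {k}: coordinated={layer_coordinated(layer, SUBJECTS)}")
    print("step D result:", determine_optimal(model, SUBJECTS))
    print("local optima:", local_optimal(model, SUBJECTS))
```

With the sample table, layer 1 is coordinated, layer 2 is not (a3 and a4 become indistinguishable once "r" and "x" both collapse to "read" but have different results), so the global optimum is layer 1; per object, a1, a2 and a6 stay coordinated until layer 3, a3 and a4 fail at layer 2, and a5 never fails, which is the kind of spread that makes the local set worth more than a single global layer on a larger model.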
In step E:
In the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k = (S\{r\}, O_k, J)$, given
[formula]
if
[formula]
[formula]
and for any
[formula]
it does not hold, then $B_k$ is called a reduction of the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k = (S\{r\}, O_k, J)$, where
[formula]
denotes the set obtained by partitioning the access objects by the partial access subject set $B_k$, $R_r$ denotes the set obtained by partitioning the access objects by authority, $b_k$ denotes one of the access subjects in $B_k$, and
[formula]
denotes the remaining part of $B_k$ after the subject $b_k$ is removed.
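A subject reduction B_k as used in step E, as an added Python example (not the patent's code). The definition above survives only partly, since its formulas are images, so the example assumes the reading that B_k ⊆ S is a reduction when partitioning the access objects by the subjects in B_k alone still refines the partition by access result R_r, and removing any single subject b_k from B_k breaks that property. The table is constructed sample data for one layer.

```python
"""Added example, not the patent's own code: the subject reduction B_k of
step E, under the assumed reading that B_k is a reduction when partitioning
the objects by the subjects in B_k still refines the partition by access
result, and no single subject can be dropped from B_k without losing that."""
from typing import Dict, List, Tuple

Table = Dict[str, Tuple[Dict[str, str], str]]   # object -> (J per subject, r)

# Constructed sample layer (not from the patent); x3 and x4 grant nothing.
LAYER_TABLE: Table = {
    "a1": ({"x1": "rwx",  "x2": "r",    "x3": "none", "x4": "none"}, "allow"),
    "a2": ({"x1": "rw",   "x2": "r",    "x3": "none", "x4": "none"}, "allow"),
    "a3": ({"x1": "r",    "x2": "none", "x3": "none", "x4": "none"}, "deny"),
    "a4": ({"x1": "x",    "x2": "none", "x3": "none", "x4": "none"}, "allow"),
    "a5": ({"x1": "none", "x2": "r",    "x3": "none", "x4": "none"}, "deny"),
    "a6": ({"x1": "rw",   "x2": "rw",   "x3": "none", "x4": "none"}, "deny"),
}
ALL_SUBJECTS = ["x1", "x2", "x3", "x4"]


def refines_result(table: Table, subjects: List[str]) -> bool:
    """True when every group of objects with equal J values over `subjects`
    shares one access result r (the partition by B refines R_r)."""
    seen: Dict[tuple, str] = {}
    for row, r in table.values():
        if seen.setdefault(tuple(row[s] for s in subjects), r) != r:
            return False
    return True


def is_reduction(table: Table, b: List[str]) -> bool:
    """The definition itself: B refines R_r, and B minus any b_k does not."""
    return refines_result(table, b) and all(
        not refines_result(table, [t for t in b if t != x]) for x in b)


def reduction(table: Table, subjects: List[str]) -> List[str]:
    """Find one B_k by greedy deletion: drop each subject in turn and keep the
    drop whenever the refinement still holds. The survivor satisfies the
    definition because dropping subjects only coarsens the partition, so a
    deletion that failed earlier cannot succeed later."""
    if not refines_result(table, subjects):
        raise ValueError("layer is uncoordinated; it has no reduction")
    b = list(subjects)
    for s in subjects:
        trial = [t for t in b if t != s]
        if refines_result(table, trial):
            b = trial
    return b


if __name__ == "__main__":
    b_k = reduction(LAYER_TABLE, ALL_SUBJECTS)
    print("reduction B_k:", b_k, "valid:", is_reduction(LAYER_TABLE, b_k))
```

On the sample layer the subjects x3 and x4 carry no information and are dropped, while neither x1 nor x2 can go: without x2, objects a2 and a6 share the vector but differ in result, and without x1, a1, a2 and a5 do. Greedy deletion yields one reduction; a model may have several, and the order of `subjects` decides which one is found.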
Step F comprises the following specific steps:
F1: calculating, according to step D, the global optimal object granularity of the access control system to be optimized and the set of local optimal object granularities of all objects;
F2: calculating the deviation ratio of the global optimal object granularity of the access control system to be optimized by the following formula and recording it as $p$; calculating the deviation ratios of the local optimal object granularities of all objects, taking their average, and recording it as $q$;
when
[formula]
the deviation ratio is
[formula]
when
[formula]
the deviation ratio is
[formula]
where $N$ is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in step C, $k$ is the optimal object granularity obtained in step D, and $i$ is the object granularity currently used by the access control system to be optimized;
F3: if $p \ge q$, selecting the calculated global optimal object granularity of the access control system to be optimized as the determined optimal object granularity; if $p < q$, selecting the calculated set of local optimal object granularities of the access control system to be optimized as the determined optimal object granularity.
In step F, the deviation ratio is the ratio of the current deviation value to the maximum deviation value. The deviation value is the deviation between the optimal object granularity of the access control system to be optimized obtained in step D and the object granularity currently used by the access control system to be optimized, and is
[formula]
where $N$ is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in step C, $k$ is the optimal object granularity obtained in step D, and $i$ is the object granularity used by the access control system to be optimized. The current deviation value is the difference between the currently used object granularity and the optimal object granularity of the access control system to be optimized obtained in step D, and the maximum deviation value is the maximum value the current deviation value can take; when
[formula]
the deviation ratio is
[formula]
when
[formula]
the deviation ratio is
[formula]
The value range of the deviation ratio is $[0, 1]$.
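The deviation-ratio comparison of step F, as an added Python example (not the patent's code). The page gives the ratio only as the current deviation over the maximum deviation with range [0, 1] and leaves its formula to an image, so the example assumes a concrete form: the deviation is |k − i| in layers, and the maximum deviation is the largest distance from k to any layer in 1..N, i.e. max(k − 1, N − k). The inputs N, i, the global optimum and the per-object local optima are constructed values, not the step-D results of a real system.

```python
"""Added example, not the patent's own code: the deviation-ratio comparison of
step F. Assumed form of the ratio (the page leaves the formula to an image):
deviation = |k - i| layers, maximum deviation = max(k - 1, N - k), so the
ratio is 0 when the system already uses the optimum and 1 at the far end."""
from fractions import Fraction
from typing import Dict, Tuple, Union

Choice = Tuple[str, Union[int, Dict[str, int]]]


def deviation_ratio(n_layers: int, k_opt: int, i_current: int) -> Fraction:
    """Ratio of the current deviation |k - i| to the largest deviation any
    layer 1..N could have from k; always within [0, 1]."""
    if not (1 <= k_opt <= n_layers and 1 <= i_current <= n_layers):
        raise ValueError("granularities must be layer numbers in 1..N")
    max_dev = max(k_opt - 1, n_layers - k_opt)
    if max_dev == 0:                       # single-layer model: nothing to deviate from
        return Fraction(0)
    return Fraction(abs(k_opt - i_current), max_dev)


def select_optimal(n_layers: int, i_current: int, k_global: int,
                   k_local: Dict[str, int]) -> Tuple[Fraction, Fraction, Choice]:
    """F2 and F3: p for the global optimum, q as the mean over the local optima,
    then keep the global optimum when p >= q and the local set when p < q."""
    p = deviation_ratio(n_layers, k_global, i_current)
    q = sum((deviation_ratio(n_layers, k, i_current) for k in k_local.values()),
            Fraction(0)) / len(k_local)
    choice: Choice = ("global", k_global) if p >= q else ("local", dict(k_local))
    return p, q, choice


# Constructed inputs (not step-D results of a real system): a five-layer model
# in which the system currently uses layer 4.
SAMPLE = dict(n_layers=5, i_current=4, k_global=2,
              k_local={"a1": 2, "a2": 3, "a3": 5, "a4": 4})

if __name__ == "__main__":
    p, q, choice = select_optimal(**SAMPLE)
    print(f"p={p} q={q} -> {choice}")
```

Exact fractions are used so the p ≥ q tie rule of F3 is applied without floating-point noise; with the sample inputs p = 2/3 and q = 17/48, so the global optimum wins, whereas a system already sitting on its global optimum (p = 0) whose objects individually prefer layers far away is sent to the local set.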
Aiming at the object granularity decision model in an access control system, the invention provides a method for determining the optimal object granularity based on multi-granularity decision system theory. By analysing the multi-granularity $\mathrm{OGDM}_k$, two selection algorithms for the optimal granularity of the access objects are provided for different situations, namely global optimal object granularity selection and local optimal object granularity selection, which offer an automated auxiliary tool for selecting permission object granularity in information security requirement analysis.
In the prior art, granularity selection for access objects mainly focuses on operations or rests on general information security principles and the experience of information security engineers; an automated auxiliary tool is lacking, and there are risks that the granularity value of the access object cannot be selected, that flexibility is poor, and that the permission granularity does not match the system requirements.
Compared with the prior art, the invention has the following advantages. When an access control system is newly built or an existing access control system is optimized, the process of confirming the optimal object granularity is simplified, resource waste is avoided, and technical support is provided for the selection of permission object granularity in information security requirement analysis. In existing access control systems, a subject usually has to consider whether to grant a permission on an object and at what granularity to grant it. The traditional object granularity value is fixed; the invention, based on multi-granularity decision system theory, makes the object granularity value variable and provides an object granularity decision model $\mathrm{OGDM}_k$ with multiple granularity layers for information security requirement analysis. On the basis of the various choices of object granularity, an algorithm for selecting the optimal object granularity is provided. Subject reduction can also be carried out in information security requirement analysis using the existing model, avoiding waste of resources. The results show that the object granularity in the invention is variable, more flexible and offers a wider choice of object granularity values, making the selection of permission object granularity in information security requirement analysis more convenient.
Drawings
Fig. 1 is a schematic diagram of the first-layer object granularity decision model obtained in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the second-layer object granularity decision model obtained in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the third-layer object granularity decision model obtained in an embodiment of the present invention;
Fig. 4 is a schematic flow chart of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and examples.
As shown in Figs. 1 to 4, the method for determining the optimal object granularity based on a multi-granularity decision system according to the present invention comprises the following steps:
A: judging whether the access control system to be processed is a newly built access control system or an access control system to be optimized; if it is a newly built access control system, proceed to step B; if it is an access control system to be optimized, proceed to step F;
B: judging, according to the actual usage requirements of the newly built access control system, whether a multi-granularity-level object granularity decision model consistent with the newly built access control system is stored in the database; if no consistent multi-granularity-level object granularity decision model exists in the database, proceed to step C; if the database stores a consistent multi-granularity-level object granularity decision model, proceed to step E;
C: on the basis of the single-granularity-level object granularity decision model, constructing a multi-granularity-level object granularity decision model for the access control system by taking different granularity levels of the access authority on the access objects; then proceed to step D;
The access control system aims to restrict the access authority of access subjects on access objects. To overcome the problem that the object granularity value admits only a single choice, and following the principle that different labelling scales partition the data differently and produce different granularity levels according to the diversity of object granularity, a multi-granularity-level object granularity decision model can be obtained in the access control system by taking different granularity levels of the access authority on the access objects.
The single-granularity-level object granularity decision model constructed in the invention is the triple $\mathrm{OGDM} = (S\{r\}, O, J)$, where $S$ is the set of access subjects, $O$ the set of access objects, $J$ the access authority and $r$ the access result,
[formula]
Let $S = \{x_1, x_2, \dots, x_n\}$ and $O = \{a_1, a_2, \dots, a_m\}$, where $x_1, x_2, \dots, x_n$ denote the 1st, 2nd, …, $n$-th access subjects and $a_1, a_2, \dots, a_m$ denote the 1st, 2nd, …, $m$-th access objects.
When the access subjects $S$ observe the access authority $J$ at different scales, different observed values are obtained and a multi-granularity-level object granularity decision model $\mathrm{OGDM}_k$ results, where $k$ indexes the layers over all granularity layers that can be constructed. The number of granularity layers constructed in $\mathrm{OGDM}_k$ is $I$; the layers are built layer by layer from fine granularity to coarse granularity; the access subjects are $S = \{x_1, x_2, \dots, x_n\}$, and the access object set of each layer is recorded as
[formula]
[formula]
which denote the 1st, 2nd, …, $m$-th access objects in the $k$-th layer object granularity decision model; this yields the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k = (S\{r\}, O_k, J)$.
D: selecting the number of granularity layers in the model according to the object granularity of the multiple granularity layers constructed in the step C, if the number of granularity layers is less than or equal to three layers, calculating and using the global optimal object granularity as the determined optimal object granularity, and if the number of granularity layers is more than three layers, calculating and using a set of local optimal object granularities as the determined optimal object granularity; then storing the multi-granularity-level object granularity selection model constructed in the step C and the determined optimal object granularity into a database;
in the design stage of the access control system, the selection of the optimal object granularity of the access authority is divided into two cases:
in the multi-granularity-level object granularity selection model constructed in the step C, when the number of granularity layers is less than or equal to three, the situation that the system scale is small and the selectable range of object granularity values is small is judged, and then granularity levels suitable for all object operations are selected to meet the requirements, namely the globally optimal object granularity is selected; when the number of granularity layers is larger than three, the system which is large in scale and complex in object operation is judged, the optimal authority granularity of each access object can be discussed aiming at each access object, and namely the local optimal object granularity is selected.
The global optimal object granularity is determined as follows:
D11: On each layer of the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k$, partition the access objects by the access subjects: suppose that the access subjects $x_1, x_2, \dots, x_n$ under access object [formula] and the access subjects $x_1, x_2, \dots, x_n$ under access object [formula] correspond one to one and identically; then put [formula] and [formula] into one class. Proceed in the same way, record the partition results, and obtain the set of partition results of each layer, denoted $R_O$.
D12: On each layer of $\mathrm{OGDM}_k$, partition the access objects by the access result: suppose access objects [formula] and [formula] allow access while access objects [formula] and [formula] do not allow access; partitioning by the access result puts [formula] and [formula] into one class and [formula] and [formula] into another class. Proceed in the same way, record the partition results, and obtain the set of all access objects $a_k$ on each layer, denoted $R_r$.
D13: Compare the partition result $R_O$ with the partition result $R_r$: if [formula], the decision system of that layer is coordinated; if [formula], the decision system of that layer is uncoordinated. The layer preceding the first uncoordinated granularity layer is the global optimal object granularity. $R_O$ denotes the set obtained by partitioning the access objects by access subject, and $R_r$ denotes the set obtained by partitioning the access objects by the authority result.
In summary, in steps D11 to D13, on each layer of the multi-granularity-level object granularity decision model $\mathrm{OGDM}_k = (S\{r\}, O_k, J)$, if
[formula]
the decision system of that layer of the multi-granularity-level object granularity decision model is called coordinated; otherwise it is called uncoordinated, and the global optimal object granularity is determined from the uncoordinated decision systems.
The method for determining the local optimal object granularity comprises the following steps:
d21: object granularity decision model OGDM at multiple granularity levels k On each layer in the layer (A), each access object is divided into access subjects, and the access subjects are assumed to be
Figure BDA00021268597600000716
Lower access principal x 1 ,x 2 ,…,x n And access object a 2 Lower access principal x 1 ,x 2 ,…,x n The one-to-one correspondence is the same, then the handle
Figure BDA00021268597600000717
And
Figure BDA00021268597600000718
dividing into one class, repeating the same, recording division result and obtaining each access object a k Set of places, denoted as
Figure BDA00021268597600000719
k represents the number of layers.
D22: object granularity decision model OGDM at multi-granularity level k On each layer in the system, each access object is divided according to the access result, and the access object is assumed to be
Figure BDA0002126859760000081
And
Figure BDA0002126859760000082
allowing access, accessing objects
Figure BDA0002126859760000083
And
Figure BDA0002126859760000084
if the access is not allowed, the access is divided according to the access result, and the access is carried out
Figure BDA0002126859760000085
And
Figure BDA0002126859760000086
is divided into one class, will
Figure BDA0002126859760000087
And
Figure BDA0002126859760000088
dividing into one class, repeating the same, recording division result and obtaining each access object a k Is set as [ a ]] r
D23: For each access object a^k, compare whether the set [a]_r obtained in step D22 contains the set in which a^k lies obtained in step D21. If it does, the decision system of that layer is judged to be coordinated for access object a^k; if it does not, the decision system of that layer is judged to be uncoordinated for a^k. The layer directly above the first uncoordinated granularity layer is the local optimal object granularity of access object a^k: when the decision system for a^k is coordinated on layer k and uncoordinated on layer k+1, the granularity of layer k is the local optimal object granularity for a^k. The set of local optimal object granularities of all access objects is obtained in this way.
In summary, in steps D21 to D23 the local optimal object granularity is selected according to the coordination of each access object: in the multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J), for a^k ∈ O_k and a given k with 1 ≤ k ≤ I, if the decision system of layer k is coordinated for access object a^k and the decision system of layer k+1 is uncoordinated, the granularity of layer k is judged to be the local optimal object granularity for a^k, and the set of local optimal object granularities of all access objects follows. Here a^k denotes the access object a in the k-th layer object granularity decision model, the class of a^k under division by access subject denotes the set obtained by dividing access object a according to the access subjects on the k-th layer model, and [a]_r denotes the result of dividing access object a according to the access authority on the k-th layer model.
E: calling an object granularity decision model with multiple granularity levels consistent with a newly built access control system from a database, and reducing an accessed object; according to the actual use requirement of a newly-built access control system, part of access subjects are selected, and the optimal object granularity for the access objects is obtained by utilizing an object granularity decision model with multiple granularity levels called from a database, so that the function of simplifying operation steps is achieved.
In step E of the invention, an object granularity decision model OGDM at multiple granularity levels k =(S{r},O k In J), given
Figure BDA00021268597600000817
If it is
Figure BDA00021268597600000818
And for any
Figure BDA00021268597600000819
If not, it is called B k Object granularity decision model OGDM (object granularity decision model) with multiple granularity levels k =(S{r},O k A reduction of J), wherein
Figure BDA00021268597600000820
Indicating that the access object is part of the access object B k Partitioning the resulting set, R r Representing access objects divided into sets by rights, b k Representing partial access to subject B k One or more of the access objects,
Figure BDA0002126859760000091
refer to Access object B k In which the main body b is removed k Of another part of the body.
F: respectively calculating the global optimal object granularity of the access control system to be optimized and the local optimal object granularity set of all objects, then calculating the deviation ratio p of the global optimal object granularity and the average value q of the deviation ratio of the local optimal object granularity of all objects, finally comparing the deviation ratio p of the global optimal object granularity and the average value q of the deviation ratio of the local optimal object granularity of all objects, if p is larger than or equal to q, selecting the global optimal object granularity obtained by calculation as the determined optimal object granularity, and if p is smaller than q, selecting the local optimal object granularity set obtained by calculation as the determined optimal object granularity.
The deviation rate is the ratio of the current deviation value to the maximum deviation value, the deviation value is the deviation between the optimal object granularity of the access control system to be optimized and the object granularity used by the access control system to be optimized, which are obtained according to the step D, and the deviation value is
Figure BDA0002126859760000092
N is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in the step C, k is the optimal object granularity obtained in the step D, i is the object granularity used by the access control system to be optimized, the current deviation value refers to the difference value between the currently used object granularity and the optimal object granularity of the access control system to be optimized obtained according to the step D, and the maximum deviation value refers to the maximum value of the current deviation value.
When Figure BDA0002126859760000093 holds, the deviation ratio is Figure BDA0002126859760000094; when Figure BDA0002126859760000095 holds, the deviation ratio is Figure BDA0002126859760000096. The deviation ratio takes values in the range [0, 1].
Step F comprises the following specific steps:
F1: Calculate, according to step D, the global optimal object granularity of the access control system to be optimized and the set of local optimal object granularities of all objects.
F2: Calculate the deviation ratio of the global optimal object granularity of the access control system to be optimized according to the following formula and record it as p; calculate the deviation ratio of each local optimal object granularity in the set of local optimal object granularities of all objects obtained in step D, and record their average value as q.
When Figure BDA0002126859760000097 holds, the deviation ratio is Figure BDA0002126859760000098; when Figure BDA0002126859760000099 holds, the deviation ratio is Figure BDA00021268597600000910. Here N is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in step C, k is the optimal object granularity obtained in step D, and i is the object granularity used by the access control system to be optimized.
F3: If p ≥ q, select the calculated global optimal object granularity of the access control system to be optimized as the determined optimal object granularity; if p < q, select the calculated set of local optimal object granularities of the access control system to be optimized as the determined optimal object granularity.
The optimal object granularity determination method based on the multi-granularity decision system according to the invention is further explained below with reference to a specific embodiment:
A: It is judged that the access control system to be processed is a newly built access control system, so step B is entered.
B: According to the actual usage requirements of the newly built access control system, it is judged that no multi-granularity-level object granularity decision model exists in the database, so step C is entered.
C: Let S = {x_1, x_2, …, x_9} represent 9 different access subjects: the college dean, a staff member of the academic affairs office, counselor 1, counselor 2, department head 1, department head 2, the employment center, the deputy secretary of the college, and the school principal. Let O = {a_1, a_2, …, a_9} represent 9 different access objects: enrollment, registration, student status information, archive viewing, reward and punishment information, repair management, CET-4 and CET-6 score viewing, graduation examination result query, and party affairs management. r is the access result and represents whether a subject can access an object.
In the above embodiment, different marking scales are taken for the authority granularity value of each access object to obtain object granularity decision models of different levels. For example, representing the accessible range of an access object (the constrained set) in units of student number gives the first-layer object granularity decision model OGDM_1 = (S{r}, O_1, J), as shown in Fig. 1. In the first-layer model a row represents an access object and a column represents an access subject; for example, the 1st row and the 8th row state that the college dean can access the graduation examination results of students with student numbers 4080001 to 4080400, i.e. the access range of that access subject to that access object. The access range is in units of student number, which consists of seven digits: the first digit is the grade, denoted g (g = 1, 2, 3, 4); the second and third digits represent the college, denoted c, where c is an integer and c ∈ [01, 30]; the last four digits are the sequence number. Row 10 indicates whether the object is accessible by the subject: 1 means accessible and 0 means inaccessible.
Representing the constrained set in units of class gives the second-layer object granularity decision model OGDM_2 = (S{r}, O_2, J), as shown in Fig. 2. In the second-layer model the meaning of rows and columns is the same as in the first-layer model, except that the access range is in units of class number; the class number consists of four characters, of which the first three still represent grade and college and the fourth represents the class, denoted s (s ∈ [A, H]).
Representing the constrained set in units of college gives the third-layer object granularity decision model OGDM_3 = (S{r}, O_3, J), as shown in Fig. 3. The difference from the previous two layers is that the access range is in units of college number; the college number consists of two digits and is also denoted c, and c representing all colleges is indicated as null.
After the multi-granularity-level object granularity decision model has been constructed, step D is entered.
Step D: According to step C, the number of granularity layers of the constructed multi-granularity-level object granularity decision model is three, so the global optimal object granularity is calculated and used as the determined optimal object granularity.
For the multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J) obtained in the specific embodiment of step C, the division of the access objects by access subject on each layer is as follows:
O/O_1 = {{a_1}, {a_2}, {a_3, a_5}, {a_4}, {a_6}, {a_7}, {a_8}, {a_9}};
O/O_2 = {{a_1}, {a_2}, {a_3, a_5}, {a_4}, {a_6}, {a_7}, {a_8}, {a_9}};
O/O_3 = {{a_1, a_3, a_5, a_7, a_8}, {a_2, a_6}, {a_4}, {a_9}};
The division by access result on each layer is as follows:
O/r = {{a_3, a_5, a_7, a_8}, {a_1, a_2, a_4, a_6, a_9}};
Obviously OGDM_1 = (S{r}, O_1, J) is coordinated, so the object granularity decision model OGDM_k is coordinated on the first layer. OGDM_2 = (S{r}, O_2, J) is coordinated and OGDM_3 = (S{r}, O_3, J) is uncoordinated, so the layer-2 object granularity is the optimal object granularity for this system.
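The coordination check of steps D13 and D23 and the layer selection of step D, run on the partitions of the embodiment above, as an added example that is not part of the patent; the partitions are copied from the page, and the rule applied when every layer is coordinated (return the coarsest layer) is an assumption the page does not state.

```python
"""Coordination check and optimal object-granularity selection for the
multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J).

Added example, not code from the patent. The partitions below are taken from
the embodiment on the page: O/O_k is the division of the nine access objects
by access subject on layer k (R_O), O/r the division by access result (R_r).
Layer 1 is the finest granularity (student number), layer 3 the coarsest (college).
"""
from typing import Dict, FrozenSet, List, Union

Partition = List[FrozenSet[str]]


def blocks(*groups: str) -> Partition:
    """Build a partition from one space-separated string of object names per block."""
    return [frozenset(g.split()) for g in groups]


LAYERS: List[Partition] = [
    blocks("a1", "a2", "a3 a5", "a4", "a6", "a7", "a8", "a9"),  # O/O_1
    blocks("a1", "a2", "a3 a5", "a4", "a6", "a7", "a8", "a9"),  # O/O_2
    blocks("a1 a3 a5 a7 a8", "a2 a6", "a4", "a9"),              # O/O_3
]
R_R: Partition = blocks("a3 a5 a7 a8", "a1 a2 a4 a6 a9")         # O/r


def block_of(partition: Partition, obj: str) -> FrozenSet[str]:
    """Equivalence class of obj in the partition (e.g. [a]_r in R_r)."""
    for b in partition:
        if obj in b:
            return b
    raise KeyError(f"{obj} not in partition")


def is_coordinated(r_o: Partition, r_r: Partition) -> bool:
    """Step D13: a layer is coordinated when R_O is contained in R_r, i.e. every
    class of objects with identical subject-access patterns lies inside a single
    access-result class (objects the subjects cannot tell apart share one decision)."""
    return all(any(b <= c for c in r_r) for b in r_o)


def global_optimal_layer(layers: List[Partition], r_r: Partition) -> int:
    """Step D13: the layer directly above the first uncoordinated layer.
    Assumption not stated on the page: if every layer is coordinated, the
    coarsest layer is returned; 0 means even the finest layer is uncoordinated."""
    for k, r_o in enumerate(layers, start=1):
        if not is_coordinated(r_o, r_r):
            return k - 1
    return len(layers)


def local_optimal_layers(layers: List[Partition], r_r: Partition) -> Dict[str, int]:
    """Step D23: for each object a, the layer above the first layer k on which the
    subject-class of a^k is not contained in [a]_r (same assumption as above)."""
    objects = sorted(set().union(*layers[0]))
    result: Dict[str, int] = {}
    for a in objects:
        best = len(layers)
        for k, r_o in enumerate(layers, start=1):
            if not block_of(r_o, a) <= block_of(r_r, a):
                best = k - 1
                break
        result[a] = best
    return result


def determine_optimal_granularity(layers: List[Partition],
                                  r_r: Partition) -> Union[int, Dict[str, int]]:
    """Step D: with at most three layers use the global optimum, otherwise the
    set of local optima (one layer per access object)."""
    if len(layers) <= 3:
        return global_optimal_layer(layers, r_r)
    return local_optimal_layers(layers, r_r)


if __name__ == "__main__":
    for k, r_o in enumerate(LAYERS, start=1):
        state = "coordinated" if is_coordinated(r_o, R_R) else "uncoordinated"
        print(f"layer {k}: {state}")
    print("global optimal layer:", global_optimal_layer(LAYERS, R_R))  # 2
    print("local optimal layers:", local_optimal_layers(LAYERS, R_R))
```

The local optima show why step D switches strategy for deeper models: objects a_2, a_4, a_6 and a_9 stay coordinated up to the college layer, while the objects merged into the large layer-3 class must keep the class-level granularity.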

Claims (6)

1. An optimal object granularity determination method based on a multi-granularity decision system, characterized by comprising the following steps:
A: judging whether the access control system to be processed is a newly built access control system or an access control system to be optimized; if it is a newly built access control system, entering step B; if it is an access control system to be optimized, entering step F;
b: judging whether an object granularity decision model with multiple granularity levels consistent with the newly-built access control system is stored in the database or not according to the actual use requirement of the newly-built access control system, and entering the step C if the consistent object granularity decision model with multiple granularity levels does not exist in the database; if the database stores an object granularity decision model with multiple consistent granularity levels, entering the step E;
c: on the basis of the single granularity level object granularity decision model, constructing a multi-granularity level object granularity decision model in an access control system by taking different granularity levels for the access authority of accessing an object; then entering step D;
d: selecting the number of granularity layers in the model according to the object granularity of the multiple granularity layers constructed in the step C, if the number of granularity layers is less than or equal to three layers, calculating and using the global optimal object granularity as the determined optimal object granularity, and if the number of granularity layers is more than three layers, calculating and using a set of local optimal object granularities as the determined optimal object granularity; then storing the multi-granularity-level object granularity selection model constructed in the step C and the determined optimal object granularity into a database;
e: calling an object granularity decision model with multiple granularity layers consistent with a newly-built access control system from a database, carrying out reduction operation on an access object, selecting part of access subjects according to the actual use requirement of the newly-built access control system, and obtaining the optimal object granularity for the access object by using the called object granularity decision model with multiple granularity layers from the database;
f: respectively calculating the global optimal object granularity of the access control system to be optimized and the local optimal object granularity set of all objects, then calculating the deviation ratio p of the global optimal object granularity and the average value q of the deviation ratio of the local optimal object granularity of all objects, finally comparing the deviation ratio p of the global optimal object granularity and the average value q of the deviation ratio of the local optimal object granularity of all objects, if p is larger than or equal to q, selecting the global optimal object granularity obtained by calculation as the determined optimal object granularity, and if p is smaller than q, selecting the local optimal object granularity set obtained by calculation as the determined optimal object granularity.
2. The method for determining optimal object granularity based on a multi-granularity decision system according to claim 1, wherein in step C:
the single-granularity-level object granularity decision model is a triple OGDM = (S{r}, O, J), where S is the access subject set, O is the access object set, J is the access authority and r is the access result, Figure FDA00021268597500000218; let S = {x_1, x_2, ..., x_n} and O = {a_1, a_2, ..., a_m}, where x_1, x_2, …, x_n denote the 1st, 2nd, …, n-th access subjects and a_1, a_2, ..., a_m denote the 1st, 2nd, …, m-th access objects;
the access subject set S obtains different observed values under different scales on the access authority J, giving the multi-granularity-level object granularity decision model OGDM_k, where k denotes the layer number and ranges over all granularity layers that can be constructed; the number of constructed granularity layers of OGDM_k is I, the layers are constructed layer by layer from fine granularity to coarse granularity, the access subject set is S = {x_1, x_2, ..., x_n}, and the access object set of each layer is recorded as O_k = {a_1^k, a_2^k, ..., a_m^k}, 1 ≤ k ≤ I, where a_1^k, a_2^k, …, a_m^k denote the 1st, 2nd, …, m-th access objects in the k-th layer object granularity decision model; this gives the multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J).
3. The method for determining optimal object granularity based on a multi-granularity decision system according to claim 2, wherein in step D:
the method for determining the global optimal object granularity comprises the following steps:
D11: on each layer of the multi-granularity-level object granularity decision model OGDM_k, dividing the access objects according to the access subjects: if the access subjects x_1, x_2, …, x_n under one access object and the access subjects x_1, x_2, …, x_n under another access object of that layer correspond one to one and are the same, placing the two access objects into one class; proceeding by analogy, recording the division result, and obtaining the set of division results of each layer, denoted R_O;
D12: on each layer of the multi-granularity-level object granularity decision model OGDM_k, dividing the access objects according to the access result: supposing that two access objects are allowed to be accessed and two other access objects are not allowed to be accessed, then, dividing according to the access result, placing the two accessible objects into one class and the two inaccessible objects into another class; proceeding in the same way, recording the division result, and obtaining the set of all access objects a^k on each layer, denoted R_r;
D13: comparing the division result R_O with the division result R_r: if R_O is contained in R_r, judging that the decision system of that layer is coordinated; if R_O is not contained in R_r, judging that the decision system of that layer is uncoordinated; the layer directly above the first uncoordinated granularity layer is the global optimal object granularity; R_O denotes the set obtained by dividing the access objects according to the access subjects, and R_r denotes the set obtained by dividing the access objects according to the access results;
the method for determining the local optimal object granularity comprises the following steps:
d21: object granularity decision model OGDM at multi-granularity level k On each layer in the layer (A), each access object is divided into access subjects, and the access subjects are assumed to be
Figure FDA0002126859750000031
Lower access principal x 1 ,x 2 ,…,x n And access object a 2 Lower access principal x 1 ,x 2 ,…,x n The one-to-one correspondence is the same, then the handle
Figure FDA0002126859750000032
And
Figure FDA0002126859750000033
dividing into one class, repeating the same, recording division result and obtaining each access object a k Set of places, denoted as
Figure FDA0002126859750000034
k represents the number of layers;
d22: object granularity decision model OGDM at multi-granularity level k On each layer in the system, each access object is divided according to the access result, and the access object is assumed to be
Figure FDA0002126859750000035
And
Figure FDA0002126859750000036
allowing access, accessing objects
Figure FDA0002126859750000037
And
Figure FDA0002126859750000038
if the access is not allowed, the access is divided according to the access result, and the access is carried out
Figure FDA0002126859750000039
And
Figure FDA00021268597500000310
is divided into one class, will
Figure FDA00021268597500000311
And
Figure FDA00021268597500000312
dividing into one class, repeating the same, recording division result and obtaining each access object a k Is set as [ a ]] r
D23: comparing each access object a in step 2 k Is in the set [ a ]] r Whether or not each access object a in step 1 is included k Set of places
Figure FDA00021268597500000313
If it is
Figure FDA00021268597500000314
Then the access object a is judged k The decision system of the layer is coordinated; if it is
Figure FDA00021268597500000315
Then the access object a is judged k The decision system of the layer is uncoordinated; the last layer of the first-appearing uncoordinated granularity layer is the access object a k Local optimum guest particle size of (i.e.
Figure FDA00021268597500000316
And (b) and (c).
Figure FDA00021268597500000317
Figure FDA00021268597500000318
When the k-th layer granularity is related to accessing object a k Local optimal guest granularity of (a); and thus a set of locally optimal object granularities for all visiting objects.
4. The method for determining optimal object granularity based on a multi-granularity decision system according to claim 3, wherein in step E:
in the multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J), given a subset B_k of the access subjects, if the set obtained by dividing the access objects according to B_k is contained in R_r, and for any access subject b_k in B_k the set obtained by dividing the access objects according to the subjects of B_k other than b_k is not contained in R_r, then B_k is called a reduction of the multi-granularity-level object granularity decision model OGDM_k = (S{r}, O_k, J); here R_r denotes the set of access objects divided according to access authority, and b_k denotes one access subject in the partial access subject set B_k.
5. The method for determining optimal object granularity based on a multi-granularity decision system according to claim 4, wherein step F comprises the following specific steps:
F1: calculating, according to step D, the global optimal object granularity of the access control system to be optimized and the set of local optimal object granularities of all objects;
F2: calculating the deviation ratio of the global optimal object granularity of the access control system to be optimized according to the following formula and recording it as p, and calculating the deviation ratios of the local optimal object granularities of all objects and recording their average value as q;
when Figure FDA0002126859750000041 holds, the deviation ratio is Figure FDA0002126859750000042; when Figure FDA0002126859750000043 holds, the deviation ratio is Figure FDA0002126859750000044;
where N is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in step C, k is the optimal object granularity obtained in step D, and i is the object granularity used by the access control system to be optimized;
F3: if p ≥ q, selecting the calculated global optimal object granularity of the access control system to be optimized as the determined optimal object granularity, and if p < q, selecting the calculated set of local optimal object granularities of the access control system to be optimized as the determined optimal object granularity.
6. The method for determining optimal object granularity based on a multi-granularity decision system according to claim 5, wherein in step F the deviation ratio is the ratio of the current deviation value to the maximum deviation value; the deviation value is the deviation between the optimal object granularity of the access control system to be optimized obtained in step D and the object granularity currently used by that system, given by
Figure FDA0002126859750000045
where N is the total number of granularity layers of the multi-granularity-level object granularity decision model constructed in step C, k is the optimal object granularity obtained in step D, and i is the object granularity used by the access control system to be optimized; the current deviation value is the difference between the currently used object granularity and the optimal object granularity obtained in step D, and the maximum deviation value is the maximum value the current deviation value can take; when Figure FDA0002126859750000046 holds, the deviation ratio is Figure FDA0002126859750000047; when Figure FDA0002126859750000048 holds, the deviation ratio is Figure FDA0002126859750000049; the deviation ratio takes values in the range [0, 1].
CN201910625217.4A 2019-07-11 2019-07-11 Optimal object granularity determination method based on multi-granularity decision system Active CN110334116B (en)

Publications (2)

Publication Number Publication Date
CN110334116A CN110334116A (en) 2019-10-15
CN110334116B true CN110334116B (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant