CN111967046B - Self-adaptive access control method for big data resources - Google Patents

Self-adaptive access control method for big data resources

Info

Publication number: CN111967046B
Authority: CN (China)
Legal status: Active
Application number: CN202010828504.8A
Priority application: CN202010828504.8A
Other languages: Chinese (zh)
Other versions: CN111967046A
Inventors: 陈性元, 杜学绘, 王娜, 刘敖迪, 任志宇, 单棣斌, 王文娟, 秦若熙
Current and original assignee: Information Engineering University of PLA Strategic Support Force

Classifications

    • G06F21/6218 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F18/22 Pattern recognition; analysing; matching criteria, e.g. proximity measures
    • G06F21/31 Authentication, i.e. establishing the identity or authorisation of security principals; user authentication
    • G06F40/284 Handling natural language data; natural language analysis; recognition of textual entities; lexical analysis, e.g. tokenisation or collocates
    • G06F40/30 Handling natural language data; semantic analysis
    • G06N3/044 Neural networks; architecture, e.g. interconnection topology; recurrent networks, e.g. Hopfield networks
    • G06N3/045 Neural networks; architecture, e.g. interconnection topology; combinations of networks


Abstract

The invention discloses an adaptive access control method for big data resources, comprising the following steps: on the basis of the ABAC model, an adaptive access control model with business constraints, AACM-BC, is constructed by introducing business constraints and user intention; based on AACM-BC, the entity attribute information and access control policy information involved in the access control process are managed in a preparation stage; the decision on, response to and enforcement of access requests are carried out in an execution stage; a conventional permission decision based on logic computation is performed first, and if its result is deny, a deny response is returned directly, while if its result is permit, an LSTM-based business permission decision is performed, whose result is the final result of the permission decision. The invention effectively addresses the problems of existing techniques for access control of big data resources.

Description

Self-adaptive access control method for big data resources
Technical Field
The invention relates to the technical field of big data resource access, in particular to a big data resource-oriented self-adaptive access control method.
Background
In recent years, with the continued development of emerging technologies such as cloud computing and the Internet of Things, massive data resources are generated in production and daily life, and the big data era has arrived. The social changes brought by big data are felt throughout production and life; data has become a valuable asset, and analysing and exploiting big data resources can create enormous social and economic value: the larger the data volume and the more numerous its sources, the greater the value generated. At the same time, however, big data faces severe security challenges. Unauthorised sharing of big data poses a serious threat to users' data, and secure and controllable circulation and sharing of big data resources is a precondition and foundation for the application and development of big data.
As an important means of protecting data security, access control manages user permissions so that legitimate users can access the corresponding resources in a system according to the permissions they hold, and prohibits unauthorised access to data by illegitimate users, thereby effectively safeguarding data security and the normal operation of business systems. Effective access control measures are therefore urgently needed to protect the security and controllable sharing of big data resources. However, big data resources are characterised by large volume, strong dynamics and wide provenance, which makes their management scenarios more complex and their security requirements more diverse, so that traditional static access control techniques are difficult to apply. Current big data access control faces the following challenges. In existing access control methods, policy management is inseparable from the specific application scenario: a security administrator must manually formulate access control policies from professional knowledge in order to protect the data resources. In a closed environment, manual policy management for a limited set of data resources is secure and feasible, but in an open big data environment, manual policy management for massive and dynamically changing data resources is labour-intensive, the workload is enormous and implementation is difficult.
The access control policies of multi-source, converged big data resources are difficult to describe accurately, which challenges the implementation of fine-grained access control. Big data resources have a low value density: the core value of big data lies not in a single data resource but in the analysis results obtained from massive data, which have a much higher value density. At the same time, massive data is multi-source, converged and cooperatively shared, which increases the difficulty of policy formulation and authorisation management and leads to increasingly serious over-authorisation and under-authorisation. Deciding "which users are allowed to access which resources" is a highly specialised question that is very hard to answer precisely in the big data setting; to maintain system availability, systems therefore often over-authorise. In addition, because of the complexity of big data and its applications, some new access requirements are not anticipated by security administrators, and in order to better protect resource security, cases of insufficient user authorisation also increase.
Disclosure of Invention
In view of the above, the present invention provides an adaptive access control method for big data resources. Based on the business-constraint adaptive access control model AACM-BC, it provides a new solution for automated and intelligent big data access control that adapts to the business requirements between entities. In addition, a two-layer permission decision structure is designed that accommodates the different access control requirements of big data resources and balances the security and availability of resources, thereby effectively solving the problems of existing big data resource access control.
The invention provides an adaptive access control method for big data resources, comprising the following steps:
constructing, on the basis of the ABAC model, an adaptive access control model with business constraints, AACM-BC, by introducing business constraints and user intention, wherein AACM-BC comprises a policy enforcement point PEP, an attribute authority AA, a policy management point PAP and an access decision point ADP; the attribute authority AA comprises an inherent attribute authority AA_I and a business attribute authority AA_B, and the access decision point ADP comprises a policy decision point PDP and a business decision point BDP;
managing, in a preparation stage and based on AACM-BC, the entity attribute information and access control policy information involved in the access control process;
performing, in an execution stage, the decision on, response to and enforcement of access requests;
and performing a conventional permission decision based on logic computation, returning a deny response directly if its result is deny, and performing an LSTM-based business permission decision if its result is permit, the result of the business permission decision being the final result of the permission decision.
Preferably, managing the entity attribute information and access control policy information involved in the access control process in the preparation stage based on AACM-BC comprises:
in an initial authorisation stage, setting access control policies based on the inherent attribute information of users;
and in a business authorisation stage, realising business authorisation by dynamically granting business attributes to subject users.
Preferably, the decision on, response to and enforcement of access requests in the execution stage comprises:
receiving, through the PEP, an original access request NAR sent by a user for a specific resource;
parsing, through the PEP, the semantics of the subject, resource and operation attributes in the NAR, generating a processed access request AAR from the attribute information obtained from the AA, and sending the AAR to the ADP;
querying, through the ADP, the PAP for the set of access control policies associated with the requested big data resource;
performing, by the PDP, the conventional access control decision according to the policy set and, when the result is permit, forwarding the AAR to the BDP;
computing, by the BDP after receiving the AAR, the business similarity between the authorised business attributes of the subject in the AAR and the business attributes of the accessed resource;
and returning permit when the computed result is similar business, and deny when the computed result is non-similar business.
Preferably, the conventional permission decision based on logic computation comprises:
when the attribute information involved in the access request AAR satisfies the logic constraints of an access control policy, responding to the AAR according to the policy flag of the satisfied policy, the response being PERMIT or DENY; and when no policy matches the AAR, responding with UNKNOWN.
Preferably, the LSTM-based business permission decision comprises:
converting, through the BDP, the subject business attribute set and the resource business attribute set into word-vector representations, computing the similarity between the subject and resource business attribute sets with the PD-LSTM neural network, and outputting the decision result according to the computed similarity.
In summary, the present invention discloses an adaptive access control method for big data resources. It first constructs, on the basis of the ABAC model, the adaptive access control model AACM-BC by introducing business constraints and user intention; AACM-BC comprises a policy enforcement point PEP, an attribute authority AA, a policy management point PAP and an access decision point ADP, where the attribute authority AA comprises an inherent attribute authority AA_I and a business attribute authority AA_B, and the access decision point ADP comprises a policy decision point PDP and a business decision point BDP. Based on AACM-BC, the entity attribute information and access control policy information involved in the access control process are managed in the preparation stage; the decision on, response to and enforcement of access requests are carried out in the execution stage; and the conventional permission decision based on logic computation is performed first, returning a deny response directly if its result is deny and performing the LSTM-based business permission decision if its result is permit, the result of which is the final permission decision. Based on the business-constraint adaptive access control model AACM-BC, the invention provides a new solution for automated and intelligent big data access control that adapts to the business requirements between entities.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of an embodiment of a big data resource-oriented adaptive access control method disclosed in the present invention;
FIG. 2 is a diagram of an AACM-BC access control framework disclosed in the present invention;
FIG. 3 is a flowchart illustrating a permission determination disclosed in the present invention;
FIG. 4 is a flow chart of the LSTM-based business permission decision algorithm disclosed in the present invention;
FIG. 5 is a diagram of a structure of an LSTM memory cell according to the present invention;
FIG. 6 is a diagram of an LSTM neural network architecture according to the present disclosure;
FIG. 7 is a schematic diagram of the decision accuracy of the training set and the test set disclosed in the present invention;
FIG. 8 is a plot of the Loss values of the training set and the test set disclosed herein;
FIG. 9 is a schematic diagram comparing the decision accuracy of different similarity calculation methods disclosed in the present invention;
FIG. 10 is a schematic diagram comparing the decision Loss values of different similarity calculation methods disclosed in the present invention;
FIG. 11 is a schematic time delay diagram of conventional permission decisions under different policy scales disclosed in the present invention;
FIG. 12 is a schematic time delay diagram of the business permission decision under different policy scales disclosed in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
With reference to FIGS. 1 to 6, this embodiment provides an adaptive access control method for big data resources, which may comprise the following steps:
S101, constructing, on the basis of the ABAC model, the adaptive access control model with business constraints, AACM-BC, by introducing business constraints and user intention, wherein AACM-BC comprises a policy enforcement point PEP, an attribute authority AA, a policy management point PAP and an access decision point ADP; the attribute authority AA comprises an inherent attribute authority AA_I and a business attribute authority AA_B, and the access decision point ADP comprises a policy decision point PDP and a business decision point BDP;
First, the concept of business attributes is introduced into the classical ABAC model, giving a two-layer hybrid access control structure formed by the inherent attributes of entities and their business attributes, and the business-constraint adaptive access control model AACM-BC is proposed, as shown in FIG. 2. Inherent attributes describe the inherent constraint information used for access control of an entity and comprise subject attributes (role, department, position, gender, age, credit), resource attributes (security level, risk, owner, creation time) and environment attributes. Business attributes describe the business constraint information carried by subjects and resources and comprise subject business attributes and resource business attributes: the subject business attributes describe the characteristics of the business resources the subject may access, and the resource business attributes describe the business characteristics of the resource. Specifically, business constraints and user intention are introduced on top of the ABAC model, where a business constraint is determined by the business attributes of a resource and the user intention by the business attributes authorised to a subject. AACM-BC comprises the policy enforcement point PEP; the attribute authority AA, divided into the inherent attribute authority AA_I and the business attribute authority AA_B; the policy management point PAP; and the access decision point ADP, divided into the policy decision point PDP and the business decision point BDP;
S102, managing, in the preparation stage and based on AACM-BC, the entity attribute information and access control policy information involved in the access control process;
The access control workflow of AACM-BC is divided into a preparation stage and an execution stage. The preparation stage manages the entity attribute information and access control policy information involved in access control and comprises two authorisation stages, initial authorisation and business authorisation. In the initial authorisation stage, the security administrator sets the system's access control policies according to the inherent attribute information of users, and users access resources on the basis of this initial authorisation. Because the initial authorisation rests on inherent attributes such as role, unit, position and gender, which for ordinary users are long-term and static, its access control granularity is too coarse; business authorisation is therefore performed dynamically after the initial authorisation stage to achieve fine-grained, business-adaptive access control. In the business authorisation stage, different types of business resources are described by different types of business attributes, and business authorisation is realised by dynamically granting business attributes to subject users;
S103, performing, in the execution stage, the decision on, response to and enforcement of access requests;
The execution stage decides on, responds to and enforces access requests: the PEP receives an original access request NAR for a specific resource from a user, parses the semantics of the subject, resource and operation attributes in the NAR, generates a processed access request AAR from the attribute information obtained from the AA, and sends the AAR to the ADP. The ADP queries the PAP for the set of access control policies associated with the requested big data resource, and the PDP performs the conventional access control decision according to this policy set: when the result is deny, it is returned directly to the PEP; when the result is permit, the AAR is forwarded to the BDP. After receiving the AAR, the BDP computes the business similarity between the authorised business attributes of the subject in the AAR and the business attributes of the accessed resource; when the result is similar business the decision is permit, when it is non-similar business the decision is deny, and the decision is returned to the PEP. The PEP then performs the corresponding access operation for the user according to the ADP's access control response;
S104, performing the conventional permission decision based on logic computation, returning a deny response directly if the result is deny, and performing the LSTM-based business permission decision if the result is permit, the result of the business permission decision being the final result of the permission decision.
As shown in FIG. 3, the conventional permission decision based on logic computation is performed first. If its result is deny, a deny response is returned directly; if its result is permit, the LSTM-based business permission decision is performed next, and its result is the final result of the permission decision.
Specifically, in AACM-BC the conventional permission decision based on logic computation is handled by the PDP module. The policy flag sign of an access control policy formulated on the inherent attributes of entities is a binary flag, PERMIT or DENY. When the attribute information involved in an access request AAR satisfies the logic constraints of an access control policy, the AAR is answered according to the flag of the satisfied policy, and the response is PERMIT or DENY. When no policy matches the AAR, the policies and attribute information are insufficient to decide the request, and the response is UNKNOWN. AACM-BC therefore has three permission decision results: PERMIT, DENY and UNKNOWN. Let ATTR_SET_AR denote the set of attributes involved in the access request AAR and ATTR_SET_ACP the set of attributes involved in an access control policy ACP. For a particular access request, the conventional permission decision has the form:
Decision(ATTR_SET_AR, ATTR_SET_ACP) → {PERMIT, DENY, UNKNOWN}   (1)
The permission decision is realised by computing the logical implication between ATTR_SET_AR and ATTR_SET_ACP. When all inherent attributes in ATTR_SET_AR satisfy the constraints on the policy attributes in ATTR_SET_ACP (the implication condition is given as an image in the original and is not reproduced here), then:
Decision(ATTR_SET_AR, ATTR_SET_ACP) = ACP.sign   (2)
When the inherent attributes in ATTR_SET_AR do not all satisfy the constraints on the policy attributes in ATTR_SET_ACP, then:
Decision(ATTR_SET_AR, ATTR_SET_ACP) = UNKNOWN   (3)
The algorithm proceeds as follows: traverse the policies in the access control policy set and decide the AAR against each of them, collecting three policy decision result sets, PERMIT_RESULT, DENY_RESULT and UNKNOWN_RESULT, where RESULT denotes a permission decision result. When only a single decision result, PERMIT or DENY, is present, return that result; when the results contain both PERMIT and DENY, or the result is UNKNOWN, return UNKNOWN.
Specifically, for the business permission decision shown in FIG. 4, in AACM-BC the LSTM-based business permission decision is handled by the BDP module. The subject business attribute set and the resource business attribute set are each converted into word-vector form with a Word2Vec model, so that the question of whether the business constraint is satisfied becomes a text semantic similarity matching problem from semantic analysis; the similarity between the subject and resource business attribute sets is computed with the PD-LSTM neural network, and the decision result is output according to the computed similarity. As shown in FIG. 6, the PD-LSTM model consists of two LSTM networks, LSTM_S, which processes the subject business attributes, and LSTM_R, which processes the resource business attributes. The input of each network is a set of business attributes, and LSTM_S and LSTM_R share the same model weight parameters. The PD-LSTM model uses the LSTM to read the word vector representing each business attribute, takes the final hidden state h_final of the LSTM as the vector representation of each business attribute set, and finally uses the similarity between the hidden representations h_final to predict the business semantic similarity.
In detail: the LSTM is a long short-term memory network. By introducing a memory cell structure, the network can remember long-range sequence information without tuning complex hyper-parameters. Each cell contains four neural network layers, as shown in FIG. 5, and the LSTM uses "gate" structures to delete and strengthen the information stored in the memory cell. Its core components are the memory state C_t, the output gate O_t, the input gate i_t and the forget gate f_t. O_t determines how the current memory state affects other memory cells; i_t and f_t determine, from the current network state, which information is discarded and control the information entering the memory cell. C̃_t denotes the candidate value, h_{t-1} the hidden state at the previous time step, x_t the input at the current time step, C_{t-1} the memory state at the previous time step, σ the sigmoid function and tanh the hyperbolic tangent function.
The update of the LSTM network at time t is given by formulas (4) to (9). They appear as images in the original; written out in the notation defined above, they are the standard LSTM gate updates:
f_t = σ(W_f · [h_{t-1}, x_t] + b_f)   (4)
i_t = σ(W_i · [h_{t-1}, x_t] + b_i)   (5)
C̃_t = tanh(W_C · [h_{t-1}, x_t] + b_c)   (6)
C_t = f_t ⊙ C_{t-1} + i_t ⊙ C̃_t   (7)
O_t = σ(W_O · [h_{t-1}, x_t] + b_O)   (8)
h_t = O_t ⊙ tanh(C_t)   (9)
where W_f, W_i, W_C and W_O are weight matrices and b_f, b_i, b_c and b_O are bias vectors.
The LSTM maps the business attribute set of an entity, a variable-length sequence of vectors of dimension M, into a multidimensional vector space V_N of dimension N, where M is the dimension of a word vector and N is the maximum allowed number of attributes. The business attribute set of each entity is expressed as a sequence of word vectors attr_1, attr_2, ..., attr_n; this sequence is passed to the LSTM, which updates its hidden state at each sequence index by formulas (4) to (9), and the final hidden state h_final ∈ V_N is the model's encoded representation of the entity's business attribute set. For a given pair of subject and resource business attribute sets, a predefined business permission decision function (given as an image in the original) is applied to the LSTM representations of the two objects; the similarity of the business attribute constraints between subject and resource is inferred from the similarity of their representations in this space, and the business permission decision is made on that similarity. The similarity formula itself is also given as an image in the original and is not reproduced here.
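The BDP pipeline described above, as an added example written for this page rather than code from the patent: a pure-Python LSTM cell implementing updates (4) to (9), a shared-weight (siamese) encoding of the subject and resource business attribute sets to h_final, and a threshold decision on their similarity. Its assumptions: embed() is a deterministic stand-in for the Word2Vec lookup; the network is untrained, with small pseudo-random weights; cosine similarity of the two h_final vectors stands in for the page's similarity formula, which is not reproduced there; the class and function names, the threshold and the attribute strings are constructed for illustration.

```python
import math
import random

PERMIT, DENY = "PERMIT", "DENY"


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def dot(row, vec) -> float:
    return sum(a * b for a, b in zip(row, vec))


class LSTMCell:
    """A single-layer LSTM implementing the gate updates (4) to (9).

    Each gate has a weight matrix acting on the concatenation [h_{t-1}; x_t] and a
    bias vector. The weights are small deterministic pseudo-random values because
    this example is not trained (an assumption; the page trains its model).
    """

    def __init__(self, input_size: int, hidden_size: int, seed: int = 0):
        rng = random.Random(seed)
        self.hidden_size = hidden_size
        width = hidden_size + input_size

        def matrix():
            return [[rng.uniform(-0.5, 0.5) for _ in range(width)] for _ in range(hidden_size)]

        self.W_f, self.W_i, self.W_c, self.W_o = matrix(), matrix(), matrix(), matrix()
        self.b_f = [0.0] * hidden_size
        self.b_i = [0.0] * hidden_size
        self.b_c = [0.0] * hidden_size
        self.b_o = [0.0] * hidden_size

    def step(self, x_t, h_prev, c_prev):
        z = list(h_prev) + list(x_t)                                              # [h_{t-1}; x_t]
        f_t = [sigmoid(dot(w, z) + b) for w, b in zip(self.W_f, self.b_f)]        # (4) forget gate
        i_t = [sigmoid(dot(w, z) + b) for w, b in zip(self.W_i, self.b_i)]        # (5) input gate
        c_tilde = [math.tanh(dot(w, z) + b) for w, b in zip(self.W_c, self.b_c)]  # (6) candidate
        c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, c_tilde)]    # (7) memory state
        o_t = [sigmoid(dot(w, z) + b) for w, b in zip(self.W_o, self.b_o)]        # (8) output gate
        h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]                        # (9) hidden state
        return h_t, c_t

    def encode(self, sequence):
        """Map a variable-length sequence of word vectors to h_final (length hidden_size)."""
        h = [0.0] * self.hidden_size
        c = [0.0] * self.hidden_size
        for x_t in sequence:
            h, c = self.step(x_t, h, c)
        return h


def embed(attribute: str, dim: int):
    """Stand-in for the Word2Vec lookup: a fixed pseudo-random vector per attribute string.

    random.Random seeded with a str is deterministic across runs, so the same
    attribute always maps to the same vector, which is all this example needs.
    """
    rng = random.Random(attribute)
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]


def cosine(u, v) -> float:
    nu, nv = math.sqrt(dot(u, u)), math.sqrt(dot(v, v))
    return dot(u, v) / (nu * nv) if nu and nv else 0.0


class BusinessDecisionPoint:
    """BDP: the siamese pair LSTM_S / LSTM_R sharing one set of weights.

    Cosine similarity of the two h_final encodings is a labelled stand-in for the
    page's similarity function; the threshold is an assumed value.
    """

    def __init__(self, word_dim: int = 8, hidden_size: int = 6, threshold: float = 0.9, seed: int = 0):
        self.word_dim = word_dim
        self.threshold = threshold
        self.lstm = LSTMCell(word_dim, hidden_size, seed)   # one instance serves both sides

    def encode(self, business_attributes):
        return self.lstm.encode([embed(a, self.word_dim) for a in business_attributes])

    def similarity(self, subject_attrs, resource_attrs) -> float:
        return cosine(self.encode(subject_attrs), self.encode(resource_attrs))

    def decide(self, subject_attrs, resource_attrs):
        sim = self.similarity(subject_attrs, resource_attrs)
        return (PERMIT if sim >= self.threshold else DENY), sim


if __name__ == "__main__":
    bdp = BusinessDecisionPoint()
    # Constructed business attribute sets, not data from the page.
    subject = ["loan_review", "credit_scoring", "risk_report"]
    print(bdp.decide(subject, ["loan_review", "credit_scoring", "risk_report"]))   # identical sets: PERMIT, 1.0
    print(bdp.decide(subject, ["payroll", "hr_records"]))
```

Because both sides run through the same LSTMCell instance, identical attribute sets always encode identically and score 1.0, and an empty business attribute set encodes to the zero vector, which scores 0 and is denied: a subject with no granted business attributes gets nothing even after a PDP permit, which is the narrowing behaviour the security analysis below relies on.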
security and usability analysis
(1) And (3) authority promotion attack: the authority promotion attack refers to the attack that under the condition that a system access control mechanism normally operates, an attacker obtains an unauthorized system higher access authority through an obtained lower authority. If the authority promotion attack is realized in AACM-BC, an attacker is required to have access capability of the resource Data1 after the calculation of the business authority similarity based on the LSTM neural network, the business attribute of the Data1 is different from the business attribute of the attacker, and the attacker is considered to have the authority promotion attack after the calculation of the business authority similarity based on the business attribute of the Data1 and the business attribute of the Data resource Data2 which cannot be accessed by other attackers, and the result is that the Data2 can be accessed. However, this situation is not established in the AACM-BC model, the service attribute of the user is set by the security administrator when the user receives a corresponding service access request, the service attribute of the user cannot be changed by the access resource, and the only way for changing the service attribute of the user is granted by the security administrator. After the service requirement of the user is completed, the system can automatically withdraw the service attribute of the user and cancel the access authority of the user to the related service resource. Under the condition of acquiring the lower authority of the system, an attacker cannot change own service attribute information, and cannot access other service data. Therefore, an authority elevation attack cannot be implemented in the AACM-BC model.
(2) Attribute forgery attack. An attribute forgery attack is one in which an attacker gains additional resource access capability by forging entity attribute information. In AACM-BC, entity attribute information (both inherent attributes and service attributes) is managed uniformly by the trusted attribute authority AA through attribute certificates, and while an access request is being resolved an attribute query must be sent to the attribute authority to guarantee the correctness of the entity attributes. Any change to a subject's attribute information must be approved by the security administrator, and entity attribute information can only be produced by the security administrator's settings or by an automated generation technique, so an attacker cannot forge attributes.
(3) Security guarantee. The AACM-BC model manages user permissions through a two-layer decision structure built on entity inherent attributes and service attributes. The service attributes do not expand the permissions granted to a user on the basis of inherent attributes; they only narrow them, to achieve finer-grained and more precise access control. Service attributes restrict a user to the resources related to the corresponding service, which addresses the difficulty of partitioning resource permissions at fine granularity under big data conditions and the rigidity of the user authorization process. The introduction of service constraints is therefore considered to further improve system security over the classical ABAC model.
(4) Usability analysis. In AACM-BC, the security administrator only has to give a user the set of service attributes related to the user's service, and the user's authorization is complete. The administrator does not have to maintain the full list of resources the user may access, which greatly improves the efficiency of permission management. At the same time, by calculating service similarity, the system can automatically decide whether a user is able to access the corresponding resources. This mode of access control fits the requirement, in a big data environment, that massive resources be shared and used effectively, and it addresses the difficulty of managing permissions over massive resources. The method can effectively improve the efficiency of analysing and using the relevant big data resources in a specific service context, and improves the usability of the data resources while guaranteeing their security.
Simulation experiments were carried out on the TensorFlow 1.12 platform to evaluate the effectiveness of the proposed method.
The software and hardware environment of the experiment was as follows: the operating system is Windows 10 64-bit, the CPU is an Intel(R) Core(TM) i7-8750H @ 2.21 GHz, the GPU is a GeForce GTX 1050 Ti Max-Q, and the memory size is 16 GB. The simulation experiments are based on the text semantic similarity data set released by the SNLI project of Stanford University, which contains more than 360,000 items of experimental data annotated with text similarity. In the simulation experiments the data set is randomly divided into a training set of 300,000 items, a validation set of 30,000 items and a test set of 30,000 items. In addition, access control policy sets with policy sizes of 500, 1000, 1500, 2000, 2500, 3000, 3500 and 4000 are constructed for performance testing. The policy sets comprise 100 subject attribute items, 1000 resource attribute items and 10 action attribute items, and the maximum number of attribute values describing a single subject, resource or action is limited to 4 (on the basis of this attribute information, the maximum number of distinguishable subjects is 100^4, of resources 1000^4, and of actions 10^4).
To evaluate the performance and effect of the access control technique provided by the invention, verification is carried out through three experiments: evaluation of service permission decision accuracy and loss value, comparison of different similarity distance calculation methods, and comparison of permission decision efficiency at different policy sizes.
(1) Evaluation of service permission decision accuracy and loss value. As shown in Fig. 7 and Fig. 8, the performance of the service permission decision model obtained by LSTM training stabilises after the epoch count reaches 20; on the test data set it achieves an accuracy of 82.46% and a loss value of 0.0641, which basically meets the requirements of service permission decisions for access control under big data conditions. Because this layer is only reached after the conventional decision has returned PERMIT, an incorrect similarity result can at most wrongly deny a request the policy layer permitted, or wrongly allow a request the policy layer permitted but the service constraint should have blocked; the reported figures do not separate these two kinds of error.
(2) Comparison of different similarity distance calculation methods. As shown in Fig. 9 and Fig. 10, the influence on decision performance of four different similarity distance calculation methods for service attributes, namely Euclidean distance, normalised Euclidean distance, Manhattan distance and cosine distance, is compared. According to the experimental results, Euclidean distance, normalised Euclidean distance and Manhattan distance all achieve a good decision effect, with Euclidean distance giving the best actual decision effect, while the model using cosine distance fails to fit during training. Table 1 lists the different similarity distance calculation methods.
TABLE 1 Different similarity distance calculation methods
(Table 1 appears only as an image in the original and is not reproduced here.)
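As an added illustration (not code from the patent, whose Table 1 is an image), the four distance functions compared above are implemented below on constructed three-dimensional vectors that play the role of the LSTM representations of one subject and three resources. The vectors, resource names and threshold values are assumptions made for the example; "normalised Euclidean distance" is taken here to mean the Euclidean distance between the L2-normalised vectors, since the page does not reproduce its definition.

```python
import math

# Constructed sample data (not from the patent): 3-dimensional stand-ins for the LSTM
# representations of one subject's service attributes and of three resources.
# audit_summary is deliberately a scaled copy (x2) of the subject vector.
SUBJECT = [1.0, 2.0, 3.0]
RESOURCES = {
    "audit_report": [1.0, 2.0, 3.5],
    "payroll": [3.0, 0.0, 1.0],
    "audit_summary": [2.0, 4.0, 6.0],
}


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def unit_vector(v):
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v] if norm else list(v)


def normalized_euclidean(a, b):
    # Assumption: Euclidean distance between the L2-normalised vectors; the patent's
    # Table 1 is not reproduced, so its exact definition may differ.
    return euclidean(unit_vector(a), unit_vector(b))


def cosine_distance(a, b):
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0 or nb == 0:
        return 1.0  # undefined angle: treat as maximally distant
    return 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb)


METRICS = {
    "euclidean": euclidean,
    "normalized_euclidean": normalized_euclidean,
    "manhattan": manhattan,
    "cosine": cosine_distance,
}


def is_similar(metric, subject_vec, resource_vec, threshold):
    """Service permission rule: 'similar service' when the distance is within the threshold.
    The threshold is per metric and must be tuned on validation data (assumed values only)."""
    return METRICS[metric](subject_vec, resource_vec) <= threshold


def rank_resources(metric, subject_vec, resources):
    """Resource names ordered from most to least similar under the chosen metric."""
    dist = METRICS[metric]
    return sorted(resources, key=lambda name: dist(subject_vec, resources[name]))


def compare_all(subject_vec=SUBJECT, resources=RESOURCES):
    """Distance of every resource under every metric, rounded for display."""
    return {m: {n: round(f(subject_vec, v), 4) for n, v in resources.items()}
            for m, f in METRICS.items()}


if __name__ == "__main__":
    for metric in METRICS:
        print(metric, rank_resources(metric, SUBJECT, RESOURCES))
```

rank_resources() shows the practical difference between the four choices: audit_summary is a scaled copy of the subject vector, so cosine distance and the normalised Euclidean distance (which under this definition equals the square root of twice the cosine distance and therefore ranks identically) place it first, while Euclidean and Manhattan distance, which see the magnitude, place it last. Which behaviour is wanted depends on whether the trained representation carries service information in vector length; since the experiments above found that the cosine variant did not converge, the decision threshold should be tuned on the validation set for the metric actually deployed rather than carried over from another metric.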
(3) Comparison of permission decision efficiency at different policy sizes. Fig. 11 and Fig. 12 show the time delay required for the conventional permission decision and for the service permission decision, respectively, at policy sizes of 500, 1000, 1500, 2000, 2500, 3000, 3500 and 4000. As can be seen from Fig. 11, the overhead of the conventional permission decision is proportional to the policy size and grows markedly as the policy size increases. As can be seen from Fig. 12, the overhead of the service permission decision has little relation to the policy size. This is mainly because the conventional permission decision has to perform logical evaluation of the access request AR against every policy in the policy set, so growth in the policy set strongly affects the conventional decision latency. The service permission decision, by contrast, only requires the subject's and the resource's service attribute information to be fed into the LSTM-based decision engine, and the decision is completed without logical evaluation against every policy in the set; the latency of the service permission decision is therefore largely unaffected by growth in the policy size, which suits big data scenarios with massive data resources.
In summary, the invention improves the ABAC model by introducing the concept of service attributes to constrain the service behaviour of entities, and proposes the adaptive access control model AACM-BC based on service constraints. It realises a two-layer hybrid access control structure consisting of entity inherent attributes and service attributes, which enables access control that is finer-grained and more closely tied to the service intent behind big data resources, and allows automatic and intelligent policy management according to the similarity between the service attributes of subjects and resources, effectively improving the utilisation of big data resources while guaranteeing their security. The invention implements a conventional permission decision algorithm, oriented to entity inherent attributes and based on logical evaluation, which makes the permission decision from the logical relationship between the inherent attributes of the subject and the resource and thereby guarantees resource security precisely. At the same time, it implements an LSTM-based service permission decision algorithm oriented to entity service attributes, which uses an LSTM neural network to calculate the similarity between the subject's service attribute set and the resource's service attribute set in order to make the permission decision, effectively improving the availability of related service resources to users.
The embodiments in this description are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (4)

1. An adaptive access control method oriented to big data resources, characterised by comprising the following steps:
constructing, on the basis of the ABAC model, an adaptive access control model AACM-BC based on service constraints by introducing service constraints and user intent, wherein the AACM-BC comprises a policy enforcement point PEP, an attribute authority AA, a policy management point PAP and an access decision point ADP; the attribute authority AA comprises an inherent attribute authority AA_I and a service attribute authority AA_B; and the access decision point ADP comprises a policy decision point PDP and a service decision point BDP;
managing, in a preparation stage based on the AACM-BC, the entity attribute information and access control policy information involved in the access control process;
carrying out the decision, response and execution of the access request in an execution stage;
performing a conventional permission decision based on logical evaluation; if the decision result is access denied, directly returning a decision response of access denied, and if the decision result is access permitted, performing an LSTM-based service permission decision, the result of which is the final result of the permission decision;
wherein the decision, response and execution of the access request in the execution stage comprises:
receiving, through the PEP, an original access request NAR sent by a user for a specific resource;
parsing, through the PEP, the semantics of the subject, resource and operation attributes in the NAR, generating a processed access request AAR from the attribute information obtained from the AA, and sending the AAR to the ADP;
querying the PAP, through the ADP, for the set of access control policies associated with the requested big data resource;
performing, by the PDP, the conventional access control decision according to the policy set, and, when the decision result is access permitted, forwarding the AAR to the BDP;
after receiving the AAR, calculating, by the BDP, the service similarity from the authorised service attributes of the subject in the AAR and the service attributes of the accessed resource;
and when the calculation result is similar services, the decision result is access permitted, and when the calculation result is dissimilar services, the decision result is access denied.
2. The method according to claim 1, wherein managing the entity attribute information and access control policy information involved in the access control process in the preparation stage based on the AACM-BC comprises:
in an initial authorisation stage, setting access control policies based on the inherent attribute information of users;
and in a service authorisation stage, realising service authorisation by dynamically granting service attributes to the subject user.
3. The method of claim 1, wherein the conventional permission decision based on logical evaluation comprises:
the policy flag of an access control policy formulated by the PDP on the basis of entity inherent attributes is a binary flag, PERMIT or DENY; when the attribute information involved in the access request AAR satisfies the logical constraints of an access control policy, the access request AAR is answered according to the policy flag of the matching policy, the response result being PERMIT or DENY; and when no policy matches the access request AAR, the response result is UNKNOWN.
4. The method of claim 3, wherein the LSTM-based service permission decision comprises:
converting, through the BDP, the subject service attribute set and the resource service attribute set respectively into word vector form, calculating the similarity between the subject and resource service attribute sets on the basis of the PD-LSTM neural network, and outputting the decision result according to the similarity calculation result.
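The following is an added example, not code from the patent, that puts the two-layer decision flow of claims 1, 3 and 4 and the privilege escalation argument of the security analysis into runnable form. Everything in it is an assumption made for illustration: the attribute names and the "s."/"r." prefixes the PEP uses to build the AAR, the policies, deny-overrides when several policies match, treating UNKNOWN as not permitted, a Jaccard overlap of the two service attribute sets standing in for the LSTM similarity score, and the threshold of 0.5. The PDP function also returns how many policies it evaluated, which makes visible why the conventional decision cost grows with the policy size while the service decision does not.

```python
from dataclasses import dataclass, field
from itertools import product

PERMIT, DENY, UNKNOWN = "PERMIT", "DENY", "UNKNOWN"


@dataclass
class Policy:
    """One inherent-attribute policy: every constraint must hold for the flag to apply."""
    constraints: dict   # e.g. {"s.dept": "finance", "r.class": "internal", "action": "read"}
    effect: str         # PERMIT or DENY


@dataclass
class Subject:
    inherent: dict
    service: set = field(default_factory=set)   # changed only by the administrator functions


@dataclass
class Resource:
    inherent: dict
    service: set


def build_aar(subject, resource, action):
    """PEP step: attribute-resolved access request (assumed prefixes keep the sides apart)."""
    aar = {"s." + k: v for k, v in subject.inherent.items()}
    aar.update({"r." + k: v for k, v in resource.inherent.items()})
    aar["action"] = action
    return aar


def pdp_decide(aar, policies):
    """Conventional decision (claim 3): logical evaluation of the AAR against every policy.
    Returns (flag, policies_evaluated); the count shows the cost is linear in the policy size."""
    effects = {p.effect for p in policies
               if all(aar.get(k) == v for k, v in p.constraints.items())}
    if DENY in effects:          # assumption: deny-overrides when several policies match
        return DENY, len(policies)
    if PERMIT in effects:
        return PERMIT, len(policies)
    return UNKNOWN, len(policies)


def bdp_similarity(subject_service, resource_service):
    """Stand-in for the LSTM similarity: Jaccard overlap of the two service attribute sets."""
    if not subject_service or not resource_service:
        return 0.0
    return len(subject_service & resource_service) / len(subject_service | resource_service)


def adp_decide(subject, resource, action, policies, threshold=0.5):
    """Two-layer decision (claim 1): PDP first; the BDP can only narrow a PERMIT, never widen it."""
    flag, _ = pdp_decide(build_aar(subject, resource, action), policies)
    if flag != PERMIT:           # DENY, or UNKNOWN treated as not permitted (assumption)
        return DENY
    similar = bdp_similarity(subject.service, resource.service) >= threshold
    return PERMIT if similar else DENY


# Administrator-only operations on service attributes; accessing a resource never calls these.
def grant_service(subject, attrs):
    subject.service |= set(attrs)


def revoke_service(subject):
    subject.service.clear()


def escalation_scenario():
    """The Data1/Data2 argument of the security analysis, as a constructed scenario."""
    policies = [Policy({"s.dept": "finance", "r.class": "internal", "action": "read"}, PERMIT),
                Policy({"r.class": "secret"}, DENY)]
    analyst = Subject({"dept": "finance"})
    data1 = Resource({"class": "internal"}, {"audit", "q3"})
    data2 = Resource({"class": "internal"}, {"payroll", "hr"})
    out = {}
    out["before_grant"] = adp_decide(analyst, data1, "read", policies)   # DENY: no service attrs yet
    grant_service(analyst, {"audit", "q3"})                               # administrator grant
    out["data1"] = adp_decide(analyst, data1, "read", policies)           # PERMIT
    out["service_after_access"] = set(analyst.service)                    # unchanged by the access
    out["data2"] = adp_decide(analyst, data2, "read", policies)           # DENY: dissimilar service
    revoke_service(analyst)                                               # service requirement done
    out["after_revoke"] = adp_decide(analyst, data1, "read", policies)    # DENY again
    return out


def service_layer_never_widens(subjects, resources, actions, policies):
    """Check of the 'narrowing only' guarantee: every final PERMIT was already a PDP PERMIT."""
    for s, r, a in product(subjects, resources, actions):
        if adp_decide(s, r, a, policies) == PERMIT and \
                pdp_decide(build_aar(s, r, a), policies)[0] != PERMIT:
            return False
    return True


if __name__ == "__main__":
    print(escalation_scenario())
```

escalation_scenario() walks through the argument step by step: the subject is permitted on Data1 only after the administrator grants matching service attributes, the access leaves the subject's service attribute set unchanged, Data2 is denied because its service attributes are dissimilar, and revocation after the task removes the Data1 access again. service_layer_never_widens() is the check a reviewer would run over a real policy set: a final PERMIT must always have been a PDP PERMIT, so even a mis-trained similarity model can at most grant access within the range the inherent-attribute policies already allowed, never beyond it.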
CN202010828504.8A 2020-08-17 2020-08-17 Self-adaptive access control method for big data resources Active CN111967046B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010828504.8A CN111967046B (en) 2020-08-17 2020-08-17 Self-adaptive access control method for big data resources

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010828504.8A CN111967046B (en) 2020-08-17 2020-08-17 Self-adaptive access control method for big data resources

Publications (2)

Publication Number Publication Date
CN111967046A CN111967046A (en) 2020-11-20
CN111967046B true CN111967046B (en) 2022-08-30

Family

ID=73389235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010828504.8A Active CN111967046B (en) 2020-08-17 2020-08-17 Self-adaptive access control method for big data resources

Country Status (1)

Country Link
CN (1) CN111967046B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112800413B (en) * 2021-02-26 2024-03-15 上海派拉软件股份有限公司 Authority information pushing method, device, equipment and storage medium
CN113836572B (en) * 2021-08-03 2024-05-31 许昌学院 Self-adaptive access control safety execution method oriented to man-machine object fusion space

Citations (2)

Publication number Priority date Publication date Assignee Title
WO2017134265A1 (en) * 2016-02-05 2017-08-10 Institut Pasteur Use of inhibitors of adam12 as adjuvants in tumor therapies
CN111461237A (en) * 2020-04-03 2020-07-28 中国电子科技集团公司第三十研究所 QPSO-based ABAC model for optimizing K-Means

Non-Patent Citations (3)

Title
Hybrid extended access control model based on attributes and RBAC; Xiong Houren et al.; Application Research of Computers (计算机应用研究); 2016-07-31; Vol. 33, No. 7; pp. 2162-2169 *
Attribute-based access control policy model; Cheng Xiangran et al.; Computer Engineering (计算机工程); 2010-08-30; No. 15; pp. 137-139 *
Research on requirement model construction for industrial product-service systems; Zhao Xinzhi; Manufacturing Automation (制造业自动化); 2016-06-25; No. 06; pp. 11-17 *

Similar Documents

Publication Publication Date Title
Xu et al. An efficient privacy‐enhanced attribute‐based access control mechanism
An et al. Hypergraph clustering model-based association analysis of DDOS attacks in fog computing intrusion detection system
Khambhammettu et al. A framework for risk assessment in access control systems
CN110348238B (en) Privacy protection grading method and device for application
CN111967046B (en) Self-adaptive access control method for big data resources
CN105653725A (en) MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields
CN103795688A (en) Attribute-based fuzzy access control calculation method
EP3805962B1 (en) Project-based permission system
Fall et al. Risk adaptive authorization mechanism (RAdAM) for cloud computing
WO2021188199A1 (en) Efficient retrieval and rendering of access-controlled computer resources
Xie et al. Adaptive Access Control Model of Vehicular Network Big Data Based on XACML and Security Risk.
Martinelli et al. Too long, did not enforce: A qualitative hierarchical risk-aware data usage control model for complex policies in distributed environments
Wang et al. A trust and attribute-based access control framework in internet of things
Ding et al. A risk adaptive access control model based on Markov for big data in the cloud
Yang et al. Research on way of evaluating cloud end user behavior's credibility based on the methodology of multilevel fuzzy comprehensive evaluation
Sun et al. Security Attitude Prediction Model of Secret‐Related Computer Information System Based on Distributed Parallel Computing Programming
CN110717192B (en) Big data security oriented access control method based on Key-Value accelerator
CN112822004A (en) Belief network-based targeted privacy protection data publishing method
CN114282591A (en) Dynamic security level real-time division method, terminal equipment and storage medium
Chen et al. Mobile internet access control strategy based on trust perception
Jünemann et al. Data outsourcing simplified: Generating data connectors from confidentiality and access policies
Asmawi et al. XTrust: A Severity-Aware Trust-Based Access Control for Enhancing Security Level of Xml Database from Insider Threats
CN116208430B (en) Access control system and method based on multi-attribute game
Li Access control strategy based on trust under cloud computing platform
Li et al. Multidimensional correlation hierarchical differential privacy for medical data with multiple privacy requirements

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant