CN112101452B - Access right control method and device - Google Patents


Info

Publication number
CN112101452B
Authority
CN
China
Prior art keywords
access control
data set
random forest
training
vector
Prior art date
Legal status
Active
Application number
CN202010961897.XA
Other languages
Chinese (zh)
Other versions
CN112101452A (en)
Inventor
杜学绘
陈性元
王娜
刘敖迪
任志宇
单棣斌
王文娟
秦若熙
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Events
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202010961897.XA
Publication of CN112101452A
Application granted
Publication of CN112101452B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/24 Classification techniques > G06F18/243 Classification techniques relating to the number of classes > G06F18/24323 Tree-organised classifiers
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N20/00 Machine learning
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The application provides a method and device for controlling access rights. The method comprises the following steps: when a user access request is received, converting the resource access information in the user access request into a vector; inputting the vector into a decision system to obtain a decision result on whether the user is allowed to access a preset resource library. The decision system comprises at least one pre-trained decision model, obtained by training a preset machine learning model with preset access control policies as the data set. With this method and device, the time consumed in deciding a user access request can be shortened.

Description

Access right control method and device
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and an apparatus for controlling access rights.
Background
The continuous development of new information technologies such as big data, the Internet of Things and cloud computing brings great convenience to production and daily life. At the same time it brings many new challenges for data protection, and security incidents are frequent. Effective protection of data resources is therefore a precondition for data application and sharing, and access right control over resources protects them to a certain extent.
At present, the control of access rights proceeds in two steps: deciding the access right, and executing the resource access operation according to the result of that decision. The access right decision itself proceeds as follows: when a user access request is received, the access control policies matching the request are retrieved from a preset access control policy set, giving the access control policies to be processed, and a preset logic operation is carried out between each such policy and the user access request to obtain the decision result.
In practice the access control policy set contains a large number of policies, so matching the policies to be processed and then performing the preset logic operation between each of them and the user access request takes a long time; the existing access right decision process is therefore slow.
Disclosure of Invention
The application provides a control method and device of access rights, and aims to solve the problem that the judgment process of the access rights consumes long time.
In order to achieve the above object, the present application provides the following technical solutions:
The application provides a method of controlling access rights, comprising:
when a user access request is received, converting the resource access information in the user access request into a vector;
inputting the vector into a decision system to obtain a decision result on whether the user is allowed to access a preset resource library; the decision system comprises at least one pre-trained decision model, obtained by training a preset machine learning model with preset access control policies as the data set.
Optionally, the preset machine learning model is a plurality of random forest models built in advance; the data sets include training data sets and test data sets; any one of the access control policies included in the training data set and the test data set includes: sample information and sample tag information;
a process for training a preset machine learning model with a preset access control strategy as a dataset, comprising:
converting each access control strategy in the training data set and the test data set into a vector respectively to obtain a vector of the training data set and a vector of the test data set; any vector of the access control strategies carries sample information and sample label information of the access control strategies;
Respectively training the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
determining, from the plurality of trained random forest models, those random forest models whose number of first target vectors of the training data set exceeds a preset number, to obtain candidate random forest models; a first target vector is a vector of the training data set for which the decision result output by the model is consistent with the vector's sample label information;
training the candidate random forest models according to the vectors of the test data set and the sample label information they carry, to obtain trained candidate random forest models;
determining, from the trained candidate random forest models, the random forest model with the largest total number of second target vectors of the test data set, to obtain the decision model; a second target vector is a vector of the test data set for which the decision result output by the model is consistent with the vector's sample label information.
Optionally, before said converting each access control policy in said training data set and said test data set into a vector, respectively, the method further comprises:
Taking the training data set and the test data set as target data sets respectively, performing the following operations:
balancing the number of access control policies of which the sample tag information represents access permission and the sample tag information represents access prohibition in the target data set to obtain balanced access control policies;
extracting features of the balanced access control strategy to obtain extracted features of the access control strategy;
performing feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy;
the converting of each access control policy in the data set into a vector then specifically comprises:
converting the dimension-reduced features of each access control policy into a vector respectively.
Optionally, training the plurality of random forest models according to the vector of the training dataset and sample tag information contained in the vector, to obtain a plurality of trained random forest models, including:
respectively training the plurality of random forest models by adopting a random forest method according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
the training of the candidate random forest models according to the vector of the test data set and the sample label information contained in the vector, to obtain trained candidate random forest models, comprises:
training the candidate random forest models with the random forest method according to the vector of the test data set and the sample label information contained in the vector, to obtain trained candidate random forest models.
Optionally, the decision system includes a plurality of decision models; the structure between any of the decision models is a parallel structure, a cascade structure or a conditional structure.
Optionally, after inputting the vector into the decision system to obtain the decision result on whether the user is allowed to access the preset resource library, the method further comprises:
returning the resource requested by the user access request when the decision result indicates that access is allowed.
The application also provides a control device of the access right, which comprises:
the conversion module is used for converting the resource access information in the user access request into a vector under the condition that the user access request is received;
the input module is used for inputting the vector into the judgment system to obtain a judgment result of whether the user is allowed to access a preset resource library; the decision system at least comprises a pre-trained decision model; the judgment model is obtained by training a preset machine learning model by taking a preset access control strategy as a data set.
Optionally, the preset machine learning model is a plurality of random forest models built in advance; the data sets include training data sets and test data sets; any one of the access control policies included in the training data set and the test data set includes: sample information and sample tag information;
the apparatus further comprises:
the training module is used for training a preset machine learning model by taking a preset access control strategy as a data set, and comprises the following steps:
the training module is specifically configured to convert each access control policy in the training data set and the test data set into a vector respectively, so as to obtain a vector of the training data set and a vector of the test data set; any vector of the access control strategies carries sample information and sample label information of the access control strategies;
respectively training the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
determining random forest models with the number of first target vectors of the training data set being greater than a preset number from the plurality of trained random forest models to obtain candidate random forest models; the first target vector is a vector, corresponding to the judgment result in the vector of the training data set, consistent with the corresponding sample label information;
training the candidate random forest models according to the vectors of the test data set and the sample label information they carry, to obtain trained candidate random forest models;
determining, from the trained candidate random forest models, the random forest model with the largest total number of second target vectors of the test data set, to obtain the decision model; a second target vector is a vector of the test data set for which the decision result output by the model is consistent with the vector's sample label information.
Optionally, the apparatus further comprises:
the execution module is used for respectively taking the training data set and the test data set as target data sets before each access control strategy in the training data set and the test data set is respectively converted into vectors, and executing the following operations:
balancing the number of access control policies of which the sample tag information represents access permission and the sample tag information represents access prohibition in the target data set to obtain balanced access control policies;
extracting features of the balanced access control strategy to obtain extracted features of the access control strategy;
performing feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy;
The training module is configured to convert each access control policy in the dataset into a vector, and includes:
the training module is specifically configured to convert the dimension reduced features of each access control policy into vectors respectively.
Optionally, the training module is configured to train the plurality of random forest models according to the vector of the training dataset and sample tag information contained in the vector, to obtain a plurality of trained random forest models, and includes:
the training module is specifically configured to train the plurality of random forest models by adopting a random forest method according to the vector of the training data set and sample label information contained in the vector, so as to obtain a plurality of trained random forest models;
the training module is configured to train the candidate random forest models according to the vector of the test data set and the sample label information contained in the vector, to obtain trained candidate random forest models, and comprises:
the training module being specifically configured to train the candidate random forest models with the random forest method according to the vector of the test data set and the sample label information contained in the vector, to obtain trained candidate random forest models.
According to the access right control method and device, under the condition that a user access request is received, resource access information in the user access request is converted into a vector; and inputting the vector into a judgment system to obtain a judgment result of whether the user is allowed to access the preset resource library.
The decision system comprises at least one decision model trained in advance, and that decision model is obtained by training a preset machine learning model with preset access control policies as the data set, so the decision on a user access request becomes a classification by the machine learning model. On the one hand, once training is complete, producing a decision result from a received vector only requires computing on the input vector with the trained parameters: there is no need to match the policies to be processed out of a massive policy set, nor to perform the preset logic operation between each matched policy and the user access request. On the other hand, the trained decision model computes quickly.
In summary, the time consumed in the process of determining the user access request according to the present application can be shortened.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the training process of a preset machine learning model according to an embodiment of the present application;
FIG. 2 is a flow chart of training a random forest model by the random forest method according to an embodiment of the present application;
FIG. 3 is a flow chart of a method for controlling access rights according to an embodiment of the present application;
FIG. 4 (a) is a schematic diagram of a cascade structure according to an embodiment of the present application;
FIG. 4 (b) is a schematic diagram of a parallel structure according to an embodiment of the present application;
FIG. 4 (c) is a schematic diagram of a conditional structure according to an embodiment of the present application;
FIG. 5 is a schematic diagram of performance indexes of different permission decision methods according to embodiments of the present application;
FIG. 6 is a schematic diagram of the model delay required to train and update a permission decision engine by different methods according to an embodiment of the present application;
FIG. 7 is a schematic diagram comparing the permission decision time of different methods according to embodiments of the present application;
FIG. 8 is a schematic diagram of conventional permission decision delay under different policy scales according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of an access right control device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Some key concepts used in the embodiments of the present application are described first: attributes, attribute tuples, access control policies, user access requests and permission decisions.
An attribute describes the characteristic information of an entity taking part in the access right control process. It consists of an attribute name and an attribute value. Four kinds of attribute are used, written as the four-tuple $(S, R, O, E)$: $S$ is a subject attribute describing the attribute information (such as role or gender) of the initiator of the user access request; $R$ is a resource attribute describing the attribute information (such as name or security level) of a resource that can be accessed; $O$ is an operation attribute describing the operation (such as read or write) the subject performs on the resource; $E$ is an environment attribute describing the environmental constraints (such as time or place) under which the access right control takes place.
An attribute tuple is a collection of attributes of one category that characterises an access right control entity; it embodies the dynamic assignment of attributes and can be written $X\text{-tuple} = \{a_1, a_2, \ldots, a_n\}$, $X \in \{S, R, O, E\}$.
An access control policy is the rule under which a subject accesses a resource and the concrete realisation of the authorisation of the subject over the resource. It can be written as the five-tuple $ACP = (S\text{-tuple}, R\text{-tuple}, O\text{-tuple}, E\text{-tuple}, Sign)$, where $Sign \in \{\text{permit}, \text{deny}\}$ states whether access is allowed or forbidden. The S-tuple, R-tuple and O-tuple are mandatory and cannot be null; the E-tuple is optional and may be null.
A user access request describes the visitor of a resource, the resource accessed and the operation requested, and can be written as the triple $AR = (S\text{-tuple}, R\text{-tuple}, O\text{-tuple})$. In practice a user access request includes at least a subject attribute, a resource attribute and an operation attribute.
The permission decision is the response, in a given access control policy evaluation environment, that allows or forbids a user access request to access the corresponding resource. It can be expressed as the mapping $Decision: AR \to \{\text{permit}, \text{deny}\}$.
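The five-tuple and triple defined above, together with the conventional matching-based decision that the Background describes, as an added Python example (this is not code from the patent; the attribute names, the sample policies, the optional environment tuple on the request, the deny-overrides combination and the default-deny fallback are all assumptions of this example):

```python
from dataclasses import dataclass, field
from typing import Dict

# An attribute tuple is modelled as a name -> value mapping. The ACP five-tuple and the
# AR triple follow the page's definitions; policy combination (deny-overrides, default
# deny) is an ASSUMPTION of this example, the page does not specify it.
AttrTuple = Dict[str, str]


@dataclass
class AccessControlPolicy:
    s_tuple: AttrTuple                                  # subject attributes, mandatory
    r_tuple: AttrTuple                                  # resource attributes, mandatory
    o_tuple: AttrTuple                                  # operation attributes, mandatory
    sign: str                                           # "permit" or "deny"
    e_tuple: AttrTuple = field(default_factory=dict)    # environment attributes, optional


@dataclass
class AccessRequest:
    s_tuple: AttrTuple
    r_tuple: AttrTuple
    o_tuple: AttrTuple
    # ASSUMPTION: the current environment (e.g. time) is supplied alongside the triple
    e_tuple: AttrTuple = field(default_factory=dict)


def tuple_matches(policy_tuple: AttrTuple, request_tuple: AttrTuple) -> bool:
    """Every attribute the policy names must appear in the request with the same value."""
    return all(request_tuple.get(name) == value for name, value in policy_tuple.items())


def policy_applies(acp: AccessControlPolicy, ar: AccessRequest) -> bool:
    return (tuple_matches(acp.s_tuple, ar.s_tuple)
            and tuple_matches(acp.r_tuple, ar.r_tuple)
            and tuple_matches(acp.o_tuple, ar.o_tuple)
            and tuple_matches(acp.e_tuple, ar.e_tuple))


def decide(policies, ar: AccessRequest) -> str:
    """Conventional permission decision, Decision: AR -> {permit, deny}.
    Every policy is matched against the request; this per-request scan over the whole
    policy set is the cost the page's learned decision model is meant to remove."""
    applicable = [acp for acp in policies if policy_applies(acp, ar)]
    if any(acp.sign == "deny" for acp in applicable):
        return "deny"        # deny-overrides (assumption)
    if any(acp.sign == "permit" for acp in applicable):
        return "permit"
    return "deny"            # default deny when nothing matches (assumption)


# Constructed sample policy set (attribute names and values invented for the example)
POLICIES = [
    AccessControlPolicy({"role": "analyst"}, {"security_level": "internal"}, {"action": "read"}, "permit"),
    AccessControlPolicy({"role": "analyst"}, {"security_level": "secret"}, {"action": "read"}, "deny"),
    AccessControlPolicy({"role": "admin"}, {"name": "audit.log"}, {"action": "write"}, "permit",
                        {"time": "business_hours"}),
]

if __name__ == "__main__":
    ar = AccessRequest({"role": "analyst", "gender": "f"},
                       {"name": "report.pdf", "security_level": "internal"},
                       {"action": "read"})
    print(decide(POLICIES, ar))
```

The request may carry more attributes than a policy names (the `gender` attribute above is simply ignored), while a policy attribute missing from the request, such as the environment constraint on the admin policy, makes that policy inapplicable and the default-deny branch decides.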
In the embodiment of the application, a machine learning model is built in advance, and training is performed on the machine learning model to obtain a decision model, wherein the decision model is equivalent to a mapping function. At least one judgment model forms a judgment system, and the judgment system is used for processing resource access information contained in a user access request to obtain a judgment result.
In this embodiment the preset machine learning model is taken to be a random forest model, which consists of a plurality of CART decision trees; the structure of a CART decision tree is prior art and is not described again here.
In an embodiment of the present application, the data set for training the random forest model includes a training data set and a test data set. The training data set and the test data set respectively comprise a plurality of preset access control strategies. Any one of the access control policies may be a five-tuple, where the five-tuple includes a permission result (permission or prohibition) indicated by the access control policy, and in this embodiment, the permission result in the access control policy is referred to as sample tag information. The information in the five-tuple of the access control policy except the authority result is referred to as sample information.
Fig. 1 is a training process of a preset machine learning model according to an embodiment of the present application, which may include the following steps:
S101, taking the training data set and the test data set as target data sets respectively, and preprocessing each.
In this embodiment, the process of preprocessing the target data set may include the following steps A1 to A3:
A1, balancing the number of access control policies in the target data set whose sample label information indicates access permission against the number whose sample label information indicates access prohibition, to obtain balanced access control policies.
In practice the target data set is unbalanced: there is a large gap between the number of access control policies indicating that access is allowed and the number indicating that access is prohibited. For example, the ratio is about 16:1.
When a machine learning model is trained on such a data set, the two classes of access control policies (allow and prohibit) are present in very different numbers, so the decision result output by the model tends towards the permission result of the class with more policies, and the accuracy of the trained model's decisions in practical use is low. To avoid this problem, that is, to make the decisions of the trained model more accurate, in this embodiment the numbers of the two classes of access control policies in the target data set are balanced so that both classes have the same number after balancing.
Optionally, the adaptive synthetic oversampling method (Adaptive Synthetic Sampling Approach, ADASYN) may be used to balance the target data set; the specific process may include the following steps B1 to B3:
B1, calculating the degree of imbalance of the target data set.
In this step the degree of imbalance of the target data set is calculated as shown in formula (1):
where $m_s$ is the number of access control policies of the first type and $m_l$ the number of access control policies of the second type; the first type is the class of access control policies with the smaller total in the target data set, and the second type the class with the larger total.
B2, calculating the number of access control policies to be synthesised for each first-type access control policy.
In this step, a calculation formula of a difference between the first type access control policy and the second type access control policy in the target data set is shown in the following formula (2).
$GN = \alpha \cdot (m_l - m_s),\quad \alpha \in [0, 1]$ (2)
where $GN$ is the difference between the first-type and second-type access control policies.
As can be seen from formula (2), when $\alpha = 1$, $GN$ equals the difference between the totals of the two types of access control policies, which is the number of first-type access control policies that must be supplemented.
In this step the number of access control policies to be supplemented for each first-type access control policy is determined. The calculation principle is: the $f$ nearest neighbours of each first-type access control policy are found using the Euclidean distance, and the number of those $f$ neighbours belonging to the second type is denoted $N_l$. The number of first-type access control policies to be supplemented for each first-type access control policy is then calculated according to formulas (3), (4) and (5):
where $gn_i$ is the number of supplementary first-type access control policies to be generated for the $i$-th first-type access control policy.
B3, generating a supplementary first-type access control strategy aiming at each first-type access control strategy.
Specifically, among the $k$ nearest neighbours of each first-type access control policy, one first-type access control policy is selected and a supplementary first-type access control policy is generated by formula (6).
$s_i = x_i + \beta \cdot (x_{zi} - x_i),\quad \beta \in [0, 1]$ (6)
where $x_i$ is the $i$-th first-type access control policy, $x_{zi}$ the selected neighbouring first-type access control policy and $s_i$ the generated supplementary first-type access control policy.
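Steps B1 to B3 carried through on a constructed two-dimensional data set, as an added Python example that is not part of the patent. Formulas (1) and (3) to (5) are not reproduced on this page, so the example assumes the standard ADASYN definitions for them (imbalance degree $m_s / m_l$, and a per-sample share of $GN$ proportional to the fraction of second-type policies among the $f$ nearest neighbours); formulas (2) and (6) are implemented as written above. The sample coordinates, the values of $f$ and $k$, and the fallback used when a first-type policy has no first-type neighbour among its $k$ nearest are assumptions of this example.

```python
import math
import random


def euclid(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def nearest_indices(x, points, n):
    """Indices of the n points closest to x (points is expected not to contain x's own entry)."""
    return sorted(range(len(points)), key=lambda j: euclid(x, points[j]))[:n]


def adasyn(minority, majority, f=5, k=5, alpha=1.0, seed=0):
    """Balance the first-type (minority) class against the second-type (majority) class.
    minority and majority are lists of equal-length numeric feature vectors.
    Returns (balanced_minority, imbalance_degree, synthetic_samples)."""
    rng = random.Random(seed)
    m_s, m_l = len(minority), len(majority)
    degree = m_s / m_l                            # B1; formula (1) is not on the page, m_s/m_l is the ASSUMED standard form
    gn_total = int(round(alpha * (m_l - m_s)))    # formula (2): GN, total first-type policies to synthesise
    if m_s < 2 or gn_total <= 0:
        return list(minority), degree, []         # nothing to interpolate between, or nothing to add

    labelled = [(x, 0) for x in minority] + [(x, 1) for x in majority]   # 0 = first type, 1 = second type

    def neighbours(i, n):
        """The n nearest entries to minority[i] among all other policies, as (point, type) pairs."""
        others = [entry for j, entry in enumerate(labelled) if j != i]
        return [others[j] for j in nearest_indices(minority[i], [p for p, _ in others], n)]

    # B2: share of each first-type policy's f nearest neighbours that are second-type (N_l / f);
    # formulas (3)-(5) are not on the page, so the standard ADASYN normalisation of the shares is ASSUMED.
    ratios = [sum(t for _, t in neighbours(i, f)) / f for i in range(m_s)]
    total = sum(ratios)
    shares = [r / total for r in ratios] if total > 0 else [1.0 / m_s] * m_s
    gn = [int(round(s * gn_total)) for s in shares]   # gn_i for the i-th first-type policy

    # B3: formula (6), s_i = x_i + beta * (x_zi - x_i), x_zi a first-type policy among the k nearest neighbours
    synthetic = []
    for i, x in enumerate(minority):
        first_type_near = [p for p, t in neighbours(i, k) if t == 0]
        if not first_type_near:   # edge case: no first-type policy among the k nearest; use the closest one overall
            pool = [p for j, p in enumerate(minority) if j != i]
            first_type_near = [pool[nearest_indices(x, pool, 1)[0]]]
        for _ in range(gn[i]):
            x_z = rng.choice(first_type_near)
            beta = rng.random()
            synthetic.append(tuple(xi + beta * (xz - xi) for xi, xz in zip(x, x_z)))
    return list(minority) + synthetic, degree, synthetic


# Constructed sample: 2 "deny" policies (first type) against 6 "allow" policies (second type), as 2-D points.
DENY = [(0.0, 0.0), (0.0, 1.0)]
ALLOW = [(5.0, 5.0), (5.0, 6.0), (6.0, 5.0), (6.0, 6.0), (7.0, 7.0), (0.5, 0.5)]

if __name__ == "__main__":
    balanced, degree, synthetic = adasyn(DENY, ALLOW, f=3, k=3, alpha=1.0, seed=7)
    print("imbalance degree", degree, "synthesised", len(synthetic),
          "-> first type now", len(balanced), "vs", len(ALLOW))
```

With $\alpha = 1$ the two deny points receive $GN = 4$ synthetic neighbours between them, so the balanced first-type class has the same size as the second-type class; every synthetic point lies on the segment joining the two original deny points, which is the behaviour formula (6) prescribes.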
A2, extracting features of the balanced access control strategy to obtain extracted features of the access control strategy.
In this step, the feature extracted from the balanced access control policy is a feature composed of attribute elements contained in the access control policy.
A3, carrying out feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy.
In this embodiment, in order to make the training process efficient, in this step, feature dimension reduction is performed on the extracted feature of the access control policy, and for convenience of description, the result obtained by dimension reduction is referred to as a dimension-reduced feature of the access control policy.
Alternatively, in this embodiment the chi-square test may be used to reduce the dimension of the extracted features of the access control policy; the specific calculation is formula (7). The chi-square test is a common hypothesis-testing method based on the $\chi^2$ distribution and is used to compare observed data with what would be expected under a hypothesis. Specifically, the extracted features of the access control policy are scored and ranked by the chi-square test and the top-ranked features are kept, which reduces the dimension, retains the features with the best discriminating effect, and makes training and classification efficient.
where $t$ denotes the presence or absence of the feature in question, $c$ the permission decision result, $N$ the observed count and $E$ the expected count; the subscript $t$ of $E$ states whether the feature is present ($1$ for present, $0$ for absent) and the subscript $c$ states the decision result ($1$ for allowed, $0$ for denied), so that $E_{10}$, for example, is the expected count for the feature $t$ being present and the decision result $c = 0$.
S102, converting the dimensionality reduced features of each access control strategy into vectors respectively.
Optionally, in this step the dimension-reduced feature of each access control policy may be converted into a one-hot encoded attribute vector; the conversion itself is prior art and is not described here. In this embodiment, for ease of description, the vector obtained by converting the dimension-reduced feature of an access control policy is called the vector of that access control policy.
It should be noted that, in practice, S101 is not a necessary step, in which case, the operation that S102 needs to perform is to convert each access control policy in the data set into a vector. For convenience of description, for any one access control policy, a vector obtained by converting the access control policy is referred to as a vector of the access control policy. In this embodiment, since any one of the access control policies includes sample information and sample tag information, the vector of any one of the access control policies carries the sample information and sample tag information of the one of the access control policies.
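Steps A2, A3 and S102 on a small constructed policy set, as an added Python example that is not part of the patent: attribute elements are extracted as binary features, each feature is scored against the decision result with a 2×2 chi-square statistic, the top-ranked features are kept, and each policy is converted into a one-hot vector together with its sample label. Formula (7) is not reproduced on this page, so the textbook statistic $\sum (N - E)^2 / E$ is assumed; the policies, attribute names and the number of features kept are also assumptions of this example.

```python
from itertools import product

# Constructed access control policies as five-tuples (S-tuple, R-tuple, O-tuple, E-tuple, Sign);
# every attribute name and value here is invented for the example.
POLICIES = [
    ({"role": "analyst"}, {"level": "internal"}, {"action": "read"}, {}, "permit"),
    ({"role": "analyst"}, {"level": "internal"}, {"action": "write"}, {}, "deny"),
    ({"role": "analyst"}, {"level": "secret"}, {"action": "read"}, {}, "deny"),
    ({"role": "admin"}, {"level": "secret"}, {"action": "read"}, {}, "permit"),
    ({"role": "admin"}, {"level": "internal"}, {"action": "write"}, {"time": "day"}, "permit"),
    ({"role": "guest"}, {"level": "public"}, {"action": "read"}, {"time": "day"}, "permit"),
    ({"role": "guest"}, {"level": "internal"}, {"action": "read"}, {"time": "night"}, "deny"),
    ({"role": "admin"}, {"level": "public"}, {"action": "write"}, {"time": "night"}, "permit"),
]


def label_of(policy):
    """Sample label information: the Sign of the five-tuple, 1 for permit and 0 for deny."""
    return 1 if policy[4] == "permit" else 0


def extract_features(policy):
    """A2: the features of a policy are its attribute elements, named <tuple>.<name>=<value>."""
    s, r, o, e, _ = policy
    return {f"{prefix}.{name}={value}"
            for prefix, tup in (("S", s), ("R", r), ("O", o), ("E", e))
            for name, value in tup.items()}


def chi_square_scores(policies):
    """A3: score every binary feature t against the decision result c with sum((N - E)^2 / E) over
    the 2x2 table of observed counts N and expected counts E (textbook form; formula (7) is not on the page)."""
    feats = [extract_features(p) for p in policies]
    labels = [label_of(p) for p in policies]
    n = len(policies)
    scores = {}
    for t in sorted(set().union(*feats)):
        N = {cell: 0 for cell in product((0, 1), (0, 1))}     # N[(t present?, c)]
        for fs, c in zip(feats, labels):
            N[(1 if t in fs else 0, c)] += 1
        row = {tv: N[(tv, 0)] + N[(tv, 1)] for tv in (0, 1)}
        col = {cv: N[(0, cv)] + N[(1, cv)] for cv in (0, 1)}
        stat = 0.0
        for tv, cv in N:
            E = row[tv] * col[cv] / n                          # expected count if t and c were independent
            if E > 0:                                          # a constant feature or label contributes nothing
                stat += (N[(tv, cv)] - E) ** 2 / E
        scores[t] = stat
    return scores


def select_features(policies, top_n):
    """Dimension reduction: keep the top_n features by chi-square score (ties broken by name)."""
    scores = chi_square_scores(policies)
    return sorted(scores, key=lambda t: (-scores[t], t))[:top_n]


def vectorize(policy, selected):
    """S102: one-hot vector over the selected features, returned together with the sample label."""
    fs = extract_features(policy)
    return [1 if t in fs else 0 for t in selected], label_of(policy)


def reduce_dataset(policies, top_n):
    """Full A2 -> A3 -> S102 pipeline over a (balanced) policy set."""
    selected = select_features(policies, top_n)
    return selected, [vectorize(p, selected) for p in policies]


if __name__ == "__main__":
    selected, vectors = reduce_dataset(POLICIES, 3)
    print("kept features:", selected)
    for vec, label in vectors:
        print(vec, "->", label)
```

On this constructed set the feature `S.role=admin` is present only in permit policies and receives the highest score (2.88), while `O.action=read` is nearly independent of the decision and scores close to zero, so the ranking keeps the attribute that actually discriminates the two decision classes.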
S103, training the plurality of random forest models respectively according to the vector of the training data set and the sample label information contained in the vector, to obtain a plurality of trained random forest models.
Optionally, in this embodiment, a random forest method may be used to train the plurality of random forest models according to the vector of the training data set and the sample tag information contained in the vector, so as to obtain a plurality of trained random forest models.
Taking any random forest model as an example, a process of training the random forest model by adopting a random forest method is shown in fig. 2, wherein a specific training process is described in the embodiment corresponding to fig. 2, and is not described herein again.
S104: from the plurality of trained random forest models, determine those for which the number of first target vectors of the training data set is greater than a preset number; these are the candidate random forest models.
In this embodiment, taking any trained random forest model as an example, the first target vectors are those vectors of the training data set for which the decision result output by the trained random forest model agrees with the corresponding sample label information.
The purpose of this step is: from a plurality of trained random forest models, a random forest model with a good judgment effect is determined, and for convenience of description, the determined random forest model is called a candidate random forest model.
S105: train the candidate random forest models according to the vectors of the test data set together with the training data set (referred to below as the test training data set) and the sample label information carried by those vectors, obtaining trained candidate random forest models.
In this embodiment, the candidate random forest models may be trained with the random forest method according to the vectors of the test training data set and the sample label information they carry, so as to obtain trained candidate random forest models.
Taking any one candidate random forest model as an example, the principle of training the candidate random forest model by adopting a random forest method is the same as the principle of training the random forest model by adopting the random forest method, and the description is omitted here.
S106: from the trained candidate random forest models, determine the one with the largest total number of second target vectors of the test training data set; this is the decision model.
In this embodiment, taking any trained candidate random forest model as an example, the second target vectors are those vectors of the test training data set for which the decision result output by the trained candidate random forest model agrees with the corresponding sample label information.
In this step one trained candidate random forest model is determined, and that random forest model is used as the decision model.
In this embodiment, the training of a random forest model by the random forest method is described taking the training process of any one random forest model as an example. Random Forest (RF), also called random decision forest, is a popular ensemble learning method that can be used to build prediction models for classification and regression problems; an ensemble learning method obtains better prediction results by training several learning models. A random forest model is a complete forest made up of several random, mutually uncorrelated CART (classification and regression tree) decision trees, i.e. one random forest model contains several CART decision trees.
Fig. 2 shows the training process of a random forest model according to an embodiment of the present application, which may include: the vectors (samples) of the training data set are repeatedly sampled with replacement by the bootstrap method, so that the training data set is divided into k training sub-data sets, denoted {Subset 1, Subset 2, …, Subset k−1, Subset k}; the number of vectors of the training data set and of each training sub-data set is N. Here k is the number of CART decision trees contained in the random forest model, i.e. each CART decision tree corresponds to one training sub-data set.
In this embodiment, for any CART decision tree, every vector of the corresponding training sub-data set is input into that tree, and the tree computes its decision result for each input vector in the same way. For convenience of description, taking any CART decision tree as an example, the process is: m features are randomly drawn from the attribute features of the vector; the node selects the one optimal feature among the m and uses it for the splitting operation; each newly generated tree node then continues splitting on the basis of the GINI value among the remaining m−1 features, until the leaf nodes of the tree can no longer split.
In this embodiment, in any training pass each of the k CART decision trees of the random forest model outputs a decision result, denoted Decision($T_i$): if the decision result indicates that access is allowed, Decision($T_i$) = 1; if it indicates that access is prohibited, Decision($T_i$) = 0.
In this embodiment, the decision result of the random forest model is obtained by aggregating the decision results of all decision trees in the random forest model; the aggregation is computed as shown in formula (8).
Here Vote(x) denotes the aggregated result obtained by the random forest model during the training pass.
In practice, the decision result output by the random forest model is obtained through formula (9).
Here Permission(request) denotes the decision result output by the random forest model in a training pass: if Permission(request) = 1, the user is allowed to access the corresponding resource; otherwise the user is prohibited from accessing it.
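The following Python script is an added example, not the patent's own code, covering both the Fig. 2 training process just described (bootstrap sub-data sets of N vectors, m random features per node, Gini-based splitting, aggregation of the k tree decisions) and the model selection of S103 to S106 (train several forests, keep those above the candidate threshold on the training set, retrain the candidates on the test and training data together, keep the one with most correct vectors). Since the page does not reproduce formulas (8) and (9), the aggregation is assumed to be a majority vote; the m features are re-drawn at every node (the usual random forest variant) rather than passed down as "the remaining m−1"; and the policy data, k, m, the number of models and the threshold are all constructed.

```python
import random
from collections import Counter

# Constructed one-hot columns of a policy vector (not the patent's data set).
COLUMNS = ["role=admin", "role=staff", "op=read", "op=write"]


def make_dataset(repeats=4):
    """Constructed policies: access is allowed iff the subject is an admin, or a staff
    member performing a read. Each (role, op) pattern occurs `repeats` times; the first
    copy of every pattern goes to the test set, the others to the training set."""
    patterns = [([1, 0, 1, 0], 1), ([1, 0, 0, 1], 1), ([0, 1, 1, 0], 1),
                ([0, 1, 0, 1], 0), ([0, 0, 1, 0], 0), ([0, 0, 0, 1], 0)]
    x_train, y_train, x_test, y_test = [], [], [], []
    for vec, label in patterns:
        for copy_no in range(repeats):
            (x_test if copy_no == 0 else x_train).append(list(vec))
            (y_test if copy_no == 0 else y_train).append(label)
    return x_train, y_train, x_test, y_test


def gini(labels):
    """Gini index of a set of labels, 1 - sum(p_c^2); 0 means the node is pure."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((cnt / n) ** 2 for cnt in Counter(labels).values())


def best_split(x, y, features):
    """Among `features`, pick the binary split with the lowest weighted child Gini.
    Lower feature indexes win ties; a feature that is constant in this node is skipped."""
    best = None
    for f in sorted(features):
        left = [y[i] for i in range(len(y)) if x[i][f] == 1]
        right = [y[i] for i in range(len(y)) if x[i][f] == 0]
        if not left or not right:
            continue
        score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
        if best is None or score < best[0]:
            best = (score, f)
    return best


def build_tree(x, y, m, rng):
    """Grow one CART tree. m random features are drawn at each node (assumed per-node
    resampling); if none of them separates the node, all features are tried, so the
    tree only stops when a node really cannot split any further."""
    if gini(y) == 0.0:
        return {"leaf": y[0]}
    n_features = len(x[0])
    split = best_split(x, y, rng.sample(range(n_features), min(m, n_features)))
    if split is None:
        split = best_split(x, y, range(n_features))
    if split is None:
        return {"leaf": Counter(y).most_common(1)[0][0]}
    f = split[1]
    li = [i for i in range(len(y)) if x[i][f] == 1]
    ri = [i for i in range(len(y)) if x[i][f] == 0]
    return {"feature": f,
            "left": build_tree([x[i] for i in li], [y[i] for i in li], m, rng),
            "right": build_tree([x[i] for i in ri], [y[i] for i in ri], m, rng)}


def tree_decide(node, vec):
    """Decision(T_i) of one tree for one vector: 1 = allow, 0 = deny."""
    while "leaf" not in node:
        node = node["left"] if vec[node["feature"]] == 1 else node["right"]
    return node["leaf"]


def train_forest(x, y, k, m, seed):
    """Bootstrap: k sub-data sets of N vectors each, drawn with replacement; one tree per set."""
    rng = random.Random(seed)
    forest = []
    for _ in range(k):
        idx = [rng.randrange(len(y)) for _ in range(len(y))]
        forest.append(build_tree([x[i] for i in idx], [y[i] for i in idx], m, rng))
    return forest


def forest_decide(forest, vec):
    """Vote(x) = sum of Decision(T_i); Permission = 1 when a strict majority of the
    trees allows (assumed form of the aggregation in formulas (8)/(9))."""
    vote = sum(tree_decide(tree, vec) for tree in forest)
    return 1 if 2 * vote > len(forest) else 0


def correct_count(forest, x, y):
    """Number of target vectors: samples whose forest decision equals the sample label."""
    return sum(forest_decide(forest, vec) == label for vec, label in zip(x, y))


def select_decision_model(x_train, y_train, x_test, y_test, n_models, k, m, threshold):
    """S103-S106: train n_models forests on the training set; keep those with more than
    `threshold` correct training vectors (S104); retrain the candidates on test + training
    data (S105) and return the one with the most correct vectors there (S106)."""
    forests = [train_forest(x_train, y_train, k, m, seed) for seed in range(n_models)]
    candidates = [s for s, f in enumerate(forests) if correct_count(f, x_train, y_train) > threshold]
    if not candidates:
        raise ValueError("no random forest model exceeded the candidate threshold")
    x_all, y_all = x_train + x_test, y_train + y_test
    retrained = [(train_forest(x_all, y_all, k, m, s), s) for s in candidates]
    best_forest, best_seed = max(retrained, key=lambda fs: correct_count(fs[0], x_all, y_all))
    return best_forest, best_seed, candidates


if __name__ == "__main__":
    xtr, ytr, xte, yte = make_dataset()
    model, seed, cands = select_decision_model(xtr, ytr, xte, yte, n_models=5, k=9, m=2, threshold=15)
    print("candidates:", cands, "chosen seed:", seed,
          "correct on all data:", correct_count(model, xtr + xte, ytr + yte), "/", len(ytr) + len(yte))
```

The candidate threshold is the page's "preset number" of first target vectors; with 18 training vectors a threshold of 15 discards any forest that gets a whole (role, op) pattern wrong. Note that the selection in S106 measures the retrained candidates on the same data they were retrained on, so it rewards fit rather than generalisation; a held-out split would be needed to estimate the accuracy reported in the experiments.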
In practice, a CART decision tree makes the data purer through node splitting, so that its output approaches the true value. For classification problems, the purity of a node of the tree is evaluated with the Gini index (GINI value) of the data set, computed as shown in formulas (10) and (11):
The larger the GINI value, the worse the split; therefore the attribute giving the minimum GINI value of the child nodes is chosen as the splitting basis, which keeps the classification tree as small as possible.
In addition, to reduce overfitting, the CART decision tree is pruned with the cost-complexity pruning (CCP) method, which reduces the complexity of the tree. CCP selects the non-leaf node whose surface error rate gain value is minimal and deletes its left and right child nodes; if several non-leaf nodes have the same surface error rate gain value, the one among them with the largest number of child nodes is pruned. The surface error rate gain value is computed as shown in formula (12).
Here $R(t)$ denotes the error cost of node $t$ taken as a leaf, $R(t) = r(t)\cdot p(t)$, where $r(t)$ is the error rate of the node and $p(t)$ is the proportion of the data reaching the node; $R(T)$ denotes the error cost of the subtree, $R(T) = \sum_i r_i(t)\,p_i(t)$, where $r_i(t)$ is the error rate of child node $i$ and $p_i(t)$ is the proportion of the data reaching node $i$; $N(T)$ denotes the number of nodes of the subtree.
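As an added example (not the patent's own code), the script below applies cost-complexity pruning to one constructed CART tree whose nodes record how many allowed and denied training samples reach them. It uses the page's definitions $R(t) = r(t)\cdot p(t)$ and $R(T)$ as the summed leaf error cost; because the page does not reproduce formula (12), the surface error rate gain is computed with the standard CCP definition $\alpha(t) = (R(t) - R(T_t)) / (N(T_t) - 1)$ with $N(T_t)$ counted over leaves, which is an assumption, and ties are broken in favour of the larger subtree as the text states.

```python
import copy

# Constructed CART tree: "counts" = (allowed, denied) training samples reaching the node.
# The root holds all 20 samples; the left child is the "allow" side of the root split.


def make_tree():
    return {"counts": (10, 10), "children": [
        {"counts": (9, 3), "children": [
            {"counts": (8, 0), "children": []},
            {"counts": (1, 3), "children": []}]},
        {"counts": (1, 7), "children": [
            {"counts": (1, 1), "children": []},
            {"counts": (0, 6), "children": []}]}]}


def node_cost(node, total):
    """R(t) = r(t) * p(t): the share of all samples this node would misclassify as a
    leaf predicting its majority decision (r(t) = minority / n(t), p(t) = n(t) / total)."""
    allowed, denied = node["counts"]
    return min(allowed, denied) / total


def subtree_stats(node, total):
    """Return (R(T_t), number of leaves, number of nodes) for the subtree rooted at node;
    R(T_t) is the sum of r_i(t) * p_i(t) over its leaves."""
    if not node["children"]:
        return node_cost(node, total), 1, 1
    cost, leaves, nodes = 0.0, 0, 1
    for child in node["children"]:
        child_cost, child_leaves, child_nodes = subtree_stats(child, total)
        cost, leaves, nodes = cost + child_cost, leaves + child_leaves, nodes + child_nodes
    return cost, leaves, nodes


def gain(node, total):
    """Surface error rate gain alpha(t) = (R(t) - R(T_t)) / (N(T_t) - 1) (assumed CCP form):
    how much error the subtree saves per leaf it adds. Small alpha = subtree barely helps."""
    cost, leaves, _ = subtree_stats(node, total)
    return (node_cost(node, total) - cost) / (leaves - 1)


def internal_nodes(node):
    """All non-leaf nodes of the tree, root first."""
    if not node["children"]:
        return []
    found = [node]
    for child in node["children"]:
        found.extend(internal_nodes(child))
    return found


def prune_step(tree, total):
    """Collapse the internal node with minimal alpha into a leaf (its children are deleted);
    among equal alphas the node with the largest subtree wins. Returns the alpha, or None."""
    candidates = internal_nodes(tree)
    if not candidates:
        return None
    target = min(candidates, key=lambda n: (gain(n, total), -subtree_stats(n, total)[2]))
    alpha = gain(target, total)
    target["children"] = []
    return alpha


def prune_sequence(tree):
    """Weakest-link pruning: repeat prune_step until only the root remains and return the
    increasing sequence of alphas; each alpha marks the complexity penalty at which the
    corresponding subtree stops paying for itself."""
    tree = copy.deepcopy(tree)
    total = sum(tree["counts"])
    alphas = []
    while True:
        alpha = prune_step(tree, total)
        if alpha is None:
            return alphas
        alphas.append(alpha)


if __name__ == "__main__":
    print("alphas of successive prunes:", prune_sequence(make_tree()))
```

On the constructed tree the right subtree is pruned first with alpha = 0: its two leaves misclassify exactly as many samples (one) as the node itself would, so they add complexity without reducing error, which is precisely the overfitting CCP is meant to remove.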
Fig. 3 is a control method of access rights provided in an embodiment of the present application, which may include the following steps:
S301: when a user access request is received, convert the resource access information in the user access request into a vector.
In this step, the user access request contains resource access information, which includes at least a subject attribute, a resource attribute and an operation attribute; this embodiment does not limit the specific content of the resource access information.
In this step, the resource access request is converted into a one-hot encoded attribute vector; the conversion itself is prior art and is not described here.
S302, inputting the vector into a judgment system to obtain a judgment result of whether the user is allowed to access a preset resource library.
In this embodiment, the decision system at least includes a pre-trained decision model, where the decision model is a decision model obtained by training in the corresponding embodiment of fig. 1.
In practice, for the complex business flows of permission access control in distributed, open environments, the trained machine learning model provided in this embodiment supports several flexible deployment modes, which together form a decision system; through the decision system the performance of permission decisions can be further improved.
In this embodiment, the decision system may contain several decision models, and the structural relationship between them may be any one of three preset structures: the cascade structure, the parallel structure and the conditional structure.
Cascade structure (Cascade architecture): the decision models inside the combined permission decision structure are invoked and executed one after another in time order, as shown in Fig. 4(a). The cascade structure suits scenarios in which cross-domain data resource access is required between different organisations: each organisation trains its own decision model DE on the access control policies of its own security domain, and a user may access the corresponding cross-domain resource only when the decision results of all domain decision models DE are "allow".
Parallel structure (Concurrent architecture): the decision models in the combined permission decision structure execute in parallel and synchronously, with no decision dependency between them, as shown in Fig. 4(b). The decision models are identical; the parallel structure improves permission decision efficiency by shunting massive numbers of concurrent access requests, and because several redundant decision models exist it also improves the reliability of the decision system and prevents single points of failure.
Conditional structure (Condition architecture): the decision model to execute is chosen according to the conditional constraints of the combined permission decision structure, as shown in Fig. 4(c). Different decision models can be selected flexibly according to the requirements of different service interaction conditions, and since the decision models are independent of each other, this improves the flexibility with which the decision structure executes.
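The following Python script is an added example, not code from the patent, showing the three combined decision structures of Fig. 4 as composition functions over decision models. The trained random forest decision models DE are replaced by simple rule-based stand-ins, and the request vectors, domain rules, the failing replica and the selection condition are all constructed.

```python
from typing import Callable, Dict, List, Sequence

Vector = Dict[str, int]                    # one-hot request attributes (constructed)
DecisionModel = Callable[[Vector], int]    # 1 = allow, 0 = deny


def domain_a_model(v: Vector) -> int:
    """Stand-in for the decision model DE of security domain A (constructed rule)."""
    return 1 if v.get("role=admin") == 1 or v.get("op=read") == 1 else 0


def domain_b_model(v: Vector) -> int:
    """Stand-in for the decision model DE of security domain B (constructed rule)."""
    return 1 if v.get("res=shared") == 1 else 0


def write_model(v: Vector) -> int:
    """Stricter stand-in model used for write operations (constructed rule)."""
    return 1 if v.get("role=admin") == 1 else 0


def failing_replica(v: Vector) -> int:
    """A replica that is down; used to show the redundancy of the parallel structure."""
    raise RuntimeError("decision replica unavailable")


def cascade(models: Sequence[DecisionModel], v: Vector) -> int:
    """Fig. 4(a): the domain models run one after another in order, and the request is
    allowed only if every domain model allows it; the first denial ends the chain."""
    for model in models:
        if model(v) == 0:
            return 0
    return 1


def parallel(replicas: Sequence[DecisionModel], requests: Sequence[Vector]) -> List[int]:
    """Fig. 4(b): identical replicas share a batch of concurrent requests round-robin.
    A replica that raises is skipped and the request is retried on the next replica,
    so one failed replica is not a single point of failure."""
    results = []
    for i, v in enumerate(requests):
        for offset in range(len(replicas)):
            replica = replicas[(i + offset) % len(replicas)]
            try:
                results.append(replica(v))
                break
            except RuntimeError:
                continue
        else:
            raise RuntimeError("all decision replicas failed")
    return results


def conditional(condition: Callable[[Vector], bool], on_true: DecisionModel,
                on_false: DecisionModel, v: Vector) -> int:
    """Fig. 4(c): a condition over the request selects which decision model runs."""
    return on_true(v) if condition(v) else on_false(v)


def is_write(v: Vector) -> bool:
    return v.get("op=write") == 1


if __name__ == "__main__":
    req = {"role=admin": 1, "op=write": 1, "res=shared": 1}
    print("cascade:", cascade([domain_a_model, domain_b_model], req))
    print("parallel:", parallel([domain_a_model, failing_replica, domain_a_model],
                                [req, {"role=guest": 1, "op=write": 1}]))
    print("conditional:", conditional(is_write, write_model, domain_a_model, req))
```

The cascade is the only one of the three that changes the decision semantics (every domain must allow); the parallel structure changes throughput and availability but not the decision, which is why its replicas have to be the same model, and the conditional structure changes which policy is applied, so the condition itself becomes part of the access control policy and should be reviewed as such.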
S303, feeding back the resource indicated by the resource access request under the condition that the judgment result indicates that the resource is allowed to be accessed.
In this step, the decision system extracts the resource requested by the user access request from the preset resource library and outputs the extracted resource.
In order to verify the effect achieved by the embodiments of the present application, the following experiments were carried out using a company's real access control policy set. This set contains more than 32000 real access control policies and 10 different kinds of user attribute information; the details are given in Table 1.
Table 1 dataset description
The experimental data set was balanced and then randomly divided into a training data set containing 80% of the access control policy data and a test data set containing the remaining 20%. In addition, to allow an effective comparison with conventional permission access control methods, which must traverse the access control policies to be processed, access control policy sets of 1000, 2000, 3000, 4000, 5000, 6000, 7000 and 8000 policies were constructed for the performance comparison test.
The software and hardware environment of the experiment: operating system Windows 10; CPU Intel(R) Core(TM) i7-8750H @ 2.21 GHz; GPU GeForce GTX 1050 Ti Max-Q; 16 GB memory; Python 3.6.
In this embodiment, the evaluation indexes of the test results mainly evaluate the permission decision results for the access control policies and may include accuracy, precision, recall and F1 value. The confusion matrix of the permission decision result is defined in Table 2:
TABLE 2 confusion matrix for privilege decisions
Here TP ($D_{PP'}$) denotes the number of samples correctly decided as allowed; FN ($D_{PD'}$) the number of samples wrongly decided as prohibited; FP ($D_{DP'}$) the number of samples wrongly decided as allowed; and TN ($D_{DD'}$) the number of samples correctly decided as prohibited.
The evaluation indexes are computed as follows:
Accuracy: the ratio of the number of samples whose predicted decision is correct to the total number of samples, formula (13):
Precision: the ratio of the number of samples correctly decided as allowed to the number of samples predicted as allowed, formula (14):
Recall: the ratio of the number of samples correctly decided as allowed to the number of samples actually allowed; it measures coverage, formula (15):
F1 value (F-Measure): the weighted harmonic mean of precision and recall, formula (16):
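As an added example (not the patent's code), the Python script below builds the confusion matrix of Table 2 from a constructed set of true and predicted permission decisions and computes accuracy, precision, recall, F1 and, for the AUC comparison in the next experiment, the area under the ROC curve from decision scores. The page does not reproduce formulas (13) to (16); the standard definitions that match the wording above are used, with F1 as the plain (equally weighted) harmonic mean, and the labels and scores are constructed.

```python
from typing import Dict, List

# Constructed ground truth, predicted decisions and allow-scores (1 = allowed, 0 = prohibited).
Y_TRUE: List[int] = [1, 1, 1, 1, 0, 0, 0, 0]
Y_PRED: List[int] = [1, 1, 1, 0, 0, 0, 1, 0]
SCORES: List[float] = [0.9, 0.8, 0.7, 0.4, 0.3, 0.2, 0.6, 0.1]


def confusion_matrix(y_true: List[int], y_pred: List[int]) -> Dict[str, int]:
    """Counts of Table 2: TP = allowed decided allowed, FN = allowed decided prohibited,
    FP = prohibited decided allowed, TN = prohibited decided prohibited."""
    cm = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for truth, pred in zip(y_true, y_pred):
        if truth == 1:
            cm["TP" if pred == 1 else "FN"] += 1
        else:
            cm["FP" if pred == 1 else "TN"] += 1
    return cm


def accuracy(cm: Dict[str, int]) -> float:
    """Correct decisions over all samples."""
    return (cm["TP"] + cm["TN"]) / sum(cm.values())


def precision(cm: Dict[str, int]) -> float:
    """Correctly allowed over everything predicted as allowed (0 if nothing was allowed)."""
    predicted_allowed = cm["TP"] + cm["FP"]
    return cm["TP"] / predicted_allowed if predicted_allowed else 0.0


def recall(cm: Dict[str, int]) -> float:
    """Correctly allowed over everything that should have been allowed."""
    actually_allowed = cm["TP"] + cm["FN"]
    return cm["TP"] / actually_allowed if actually_allowed else 0.0


def f1(cm: Dict[str, int]) -> float:
    """Harmonic mean of precision and recall."""
    p, r = precision(cm), recall(cm)
    return 2 * p * r / (p + r) if p + r else 0.0


def auc(y_true: List[int], scores: List[float]) -> float:
    """Area under the ROC curve by pairwise ranking: the fraction of (allowed, prohibited)
    pairs in which the allowed sample received the higher score; ties count one half."""
    pos = [s for truth, s in zip(y_true, scores) if truth == 1]
    neg = [s for truth, s in zip(y_true, scores) if truth == 0]
    if not pos or not neg:
        return float("nan")
    wins = sum(1.0 if sp > sn else 0.5 if sp == sn else 0.0 for sp in pos for sn in neg)
    return wins / (len(pos) * len(neg))


def evaluate(y_true: List[int], y_pred: List[int], scores: List[float]) -> Dict[str, float]:
    """All evaluation indexes of the permission decision result in one place."""
    cm = confusion_matrix(y_true, y_pred)
    return {"accuracy": accuracy(cm), "precision": precision(cm), "recall": recall(cm),
            "f1": f1(cm), "auc": auc(y_true, scores)}


if __name__ == "__main__":
    for name, value in evaluate(Y_TRUE, Y_PRED, SCORES).items():
        print(f"{name:9s} {value:.4f}")
```

For an access control decision engine the two error types are not symmetric: FP is a wrongly granted access (a security failure), FN a wrongly refused one (an availability failure), so precision, which is driven by FP, is the index to watch when the decision model replaces a policy lookup.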
to evaluate the performance of the method proposed in the examples of the present application, the following 3 experiments were designed: comparison of AUC values (Area under the Curve) of different methods before and after data set balancing, comparison of performance indexes of different machine learning methods, and comparison of authority judgment time of different methods.
Comparison of AUC values for different methods before and after dataset equilibration:
The experimental results are given in Table 3. Before data set balancing the performance of every method is generally poor, and the LR and support vector machine (SVM) methods are essentially unable to give accurate and effective decision responses. After data set balancing, feature extraction and feature dimension reduction the performance of every method improves, and the random-forest-based permission decision method provided in this embodiment reaches the best AUC value, 0.975.
Table 3 AUC values for different methods
Comparison of performance indexes of different machine learning methods:
With the same features selected, the accuracy, precision, recall and F-Measure of the different permission decision methods were compared; the experimental results in Fig. 5 show that, compared with Lightgbm, LR, KNN, SVM and DT, the method provided in this embodiment has better overall permission decision performance. In addition, the time the different methods need for training and updating has an important influence on the dynamic and timely updating of the system's access control policy, so the model training and updating delay of permission decision engines based on the different methods was also tested; the results are shown in Table 4.
As shown in Fig. 6, the model training time of the Lightgbm and KNN methods is the highest, while the training times of the other methods are similar.
Table 4 Comparison of the performance of the different methods

Method      Lightgbm  LR     RF     KNN    SVM    DT
Accuracy    0.863     0.897  0.926  0.902  0.899  0.917
Precision   0.858     0.892  0.934  0.928  0.892  0.933
Recall      0.871     0.905  0.916  0.872  0.909  0.899
F-Measure   0.864     0.898  0.925  0.899  0.911  0.916
Comparison of different method decision times:
As shown in Figs. 7 and 8, for the conventional permission decision methods based on logical operations the decision delay is positively correlated with the policy scale: as the access control policy set grows, the permission decision time rises markedly. For the method of this embodiment, by contrast, the decision time stays essentially stable regardless of the policy size as long as the attribute types are unchanged, at about 0.115 s, which is better overall than the other methods. The experimental results show that the scheme of this embodiment reaches a permission decision accuracy of about 92.6% on the test data set with a decision time stable at about 0.115 s; it therefore has good permission decision performance and can meet the real-time requirements of responding to highly concurrent access control requests.
The embodiments of the present application have the following beneficial effects:
Beneficial effect 1: the permission decision problem is converted into a machine learning classification problem of whether access is allowed or not, so that the operation of the access control system is not affected by the policy scale or the number of entities, and the efficiency of permission decisions is effectively improved.
Beneficial effect 2: during permission decisions, the decision model trained according to the embodiments can respond on the basis of the resource access information in the user access request alone, without any communication with the access control policy set, so that sensitive policy information is kept private. This reduces the risk of the system being attacked and allows efficient decisions on user access permissions to be made safely in an environment with massive numbers of policies.
Beneficial effect 3: the trained decision model provided by the embodiments supports deployment of distributed, combined permission decision processes in open environments.
Fig. 9 is a control device for access rights provided in the embodiment of the present application, which may include: a conversion module 901, and an input module 902, wherein,
the conversion module 901 is configured to convert, when a user access request is received, resource access information in the user access request into a vector.
The input module 902 is configured to input the vector into the decision system to obtain a decision result of whether to allow the user to access the preset resource library; the decision system at least comprises a pre-trained decision model; the judgment model is obtained by training a preset machine learning model by taking a preset access control strategy as a data set.
Optionally, the preset machine learning model is a plurality of random forest models constructed in advance; the data sets include training data sets and test data sets; any one of the access control policies included in the training data set and the test data set includes: sample information and sample tag information;
the apparatus may further include:
the training module is used for training a preset machine learning model by taking a preset access control strategy as a data set, and comprises the following steps:
the training module is specifically used for respectively converting each access control strategy in the training data set and the test data set into vectors to obtain vectors of the training data set and vectors of the test data set; the vector of any one access control policy carries sample information and sample tag information of the access control policy.
Training a plurality of random forest models according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
determining random forest models with the number of first target vectors of the training data set being greater than the preset number from a plurality of trained random forest models to obtain candidate random forest models; the first target vector is a vector, of which the corresponding judgment result in the vector of the training data set is consistent with the corresponding sample label information;
training the candidate random forest models according to the vectors of the test data set together with the training data set (the test training data set) and the sample label information carried by those vectors, so as to obtain trained candidate random forest models;
determining, from the trained candidate random forest models, the random forest model with the largest total number of second target vectors of the test training data set, so as to obtain the decision model; the second target vectors are those vectors of the test training data set whose corresponding decision result agrees with the corresponding sample label information.
Optionally, the apparatus may further include:
the execution module is used for respectively taking the training data set and the test data set as target data sets before respectively converting each access control strategy in the training data set and the test data set into vectors, and executing the following operations:
balancing the number of access control policies of which the sample tag information represents access permission and the sample tag information represents access prohibition in the target data set to obtain balanced access control policies; extracting features of the balanced access control strategy to obtain extracted features of the access control strategy; performing feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy;
The training module is configured to convert each access control policy in the dataset into a vector, and includes:
the training module is specifically configured to convert the dimension reduced features of each access control policy into vectors respectively.
Optionally, the training module is configured to train the plurality of random forest models according to the vector of the training data set and sample tag information contained in the vector, to obtain a plurality of trained random forest models, and includes:
the training module is specifically used for training the plurality of random forest models respectively by adopting a random forest method according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
the training module being configured to train the candidate random forest models according to the vectors of the test training data set and the sample label information carried by those vectors, so as to obtain trained candidate random forest models, includes:
the training module being specifically configured to train each candidate random forest model with the random forest method according to the vectors of the test training data set and the sample label information carried by those vectors, so as to obtain trained candidate random forest models.
Optionally, the decision system may contain several decision models, and the structure between the decision models is a parallel structure, a cascade structure or a conditional structure.
Optionally, the apparatus may further include:
the feedback module is configured to, after the input module 902 inputs the vector into the decision system to obtain a decision result of whether to allow the user to access the preset resource library, feedback the resource accessed by the user access request if the decision result indicates that the user is allowed to access the resource.
The functions described in the methods of the present application, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computing device readable storage medium. Based on such understanding, a portion of the embodiments of the present application that contributes to the prior art or a portion of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (5)

1. A method for controlling access rights, comprising:
under the condition that a user access request is received, converting resource access information in the user access request into a vector;
inputting the vector into a judgment system to obtain a judgment result of whether the user is allowed to access a preset resource library; the decision system at least comprises a pre-trained decision model; the judgment model is obtained by training a preset machine learning model by taking a preset access control strategy as a data set;
The preset machine learning model is a plurality of random forest models which are built in advance; the data sets include training data sets and test data sets; any one of the access control policies included in the training data set and the test data set includes: sample information and sample tag information;
a process for training a preset machine learning model with a preset access control strategy as a dataset, comprising:
converting each access control strategy in the training data set and the test data set into a vector respectively to obtain a vector of the training data set and a vector of the test data set; any vector of the access control strategies carries sample information and sample label information of the access control strategies;
respectively training the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
the training is performed on the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector, so as to obtain a plurality of trained random forest models, including:
training each random forest model of the plurality of random forest models as follows:
dividing the training data set of a target random forest model into k training sub-data sets, denoted {Subset 1, Subset 2, …, Subset k−1, Subset k}, wherein the number of vectors of the training data set and of each training sub-data set of the target random forest model is N, the value of k is the number of CART decision trees included in the target random forest model, the k training sub-data sets correspond respectively to the k CART decision trees, and the target random forest model is any random forest model of the plurality of random forest models;
respectively inputting vectors in the training sub-data set corresponding to each CART decision tree in the k CART decision trees into the k CART decision trees;
the process of judging the vectors in the training sub-data set corresponding to each CART decision tree in the k CART decision trees by the k CART decision trees specifically comprises the following steps:
randomly extracting m features from the attribute features of the vector, selecting an optimal feature from the m features and applying the optimal feature to the target node for the splitting operation, whereby the target CART decision tree generates a new tree node, and splitting the tree node of the target CART decision tree among the remaining m−1 features on the basis of the GINI value until the tree nodes of the target CART decision tree can no longer split;
obtaining the decision result output by each of the k CART decision trees, the decision result being denoted Decision($T_i$), wherein Decision($T_i$) = 1 if the decision result indicates that access is allowed and Decision($T_i$) = 0 if the decision result indicates that access is prohibited;
Aggregating the judgment results output by each CART decision tree in the k CART decision trees to obtain the judgment result of the target random forest model, wherein the aggregation calculation mode is shown in a formula (8),
vote (x) represents an aggregation result obtained by the target random forest model in the training process;
obtaining a judgment result output by the target random forest model through a formula (9);
wherein Permission (request) represents a decision result output by the target random forest model in a training process, wherein if Permission (request) =1, a user is allowed to access a resource; otherwise, prohibiting the user from accessing the resource;
using the GINI value of the data set's keni system to evaluate the purity of each tree node in the k CART decision trees, the method of calculating the GINI value is shown in the following formula (10) and formula (11):
the k CART decision trees realize tree pruning based on a Cost complexity pruning (Cost-Complexity Pruning, CCP) method to reduce tree complexity, the Cost complexity pruning selects a non-leaf node with the minimum surface error rate gain value in tree nodes in each of the k CART decision trees, left and right child nodes of the non-leaf node are deleted, and if the minimum surface error rate gain values of a plurality of non-leaf nodes are the same, the non-leaf node with the maximum number of child nodes in the non-leaf node is selected for pruning; the calculation formula of the surface error rate gain value is shown in the following formula (12),
wherein R(t) represents the error cost of the leaf node, R(t) = r(t)·p(t), r(t) is the error rate of the leaf node, and p(t) is the proportion of the data falling in the node; R(T) represents the error cost of the subtree, r_i(t) is the error rate of child node i, p_i(t) is the proportion of the data falling in node i; N(T) represents the number of subtree nodes;
determining, from the plurality of trained random forest models, the random forest models for which the number of first target vectors of the training data set is greater than a preset number, to obtain candidate random forest models; a first target vector is a vector of the training data set whose corresponding judgment result is consistent with its sample label information;
respectively training the candidate random forest models according to the vectors of the test data set and the training data set and sample label information contained in the vectors to obtain trained candidate random forest models;
determining, from the trained candidate random forest models, the random forest model with the largest total number of second target vectors of the test data set and the training data set, to obtain the judgment model; a second target vector is a vector of the test data set or the training data set whose corresponding judgment result is consistent with its sample label information;
Before said converting each access control policy in said training data set and said test data set into a vector, respectively, further comprises:
taking the training data set and the test data set as target data sets respectively, performing the following operations:
balancing the number of access control policies of which the sample tag information represents access permission and the sample tag information represents access prohibition in the target data set to obtain balanced access control policies;
the specific process of balancing the target data set comprises the following steps of B1 to B3:
b1, calculating the unbalance degree of a target data set;
the manner in which the imbalance of the target data set is calculated is shown in the following equation (1):
wherein m_s represents the number of first-type access control policies and m_l represents the number of second-type access control policies; the first type of access control policy is the type with the smaller total number in the target data set; the second type of access control policy is the type with the larger total number in the target data set;
b2, calculating the access control strategies to be synthesized of each first type of access control strategy;
in this step, a calculation formula of a difference value between the first type access control policy and the second type access control policy in the target data set is shown in the following formula (2);
GN = α·(m_l − m_s), α ∈ [0, 1]    (2)
Wherein GN represents a difference between the first type access control policy and the second type access control policy;
as can be seen from equation (2), in the case of α=1, GN is equal to the difference in the total number of two types of access control policies, which indicates the number of first type of access control policies that need to be complemented for the first type of access control policies;
determining the access control policies that need to be supplemented for each first-type access control policy; the specific calculation principle is as follows: the f neighbours of each first-type access control policy are found using the Euclidean distance, and the number of those f neighbours that belong to the second type is denoted N_l; the number of first-type access control policies that need to be supplemented for each first-type access control policy is then calculated according to formula (3), formula (4) and formula (5);
wherein gn_i represents the number of first-type access control policies that need to be supplemented for the i-th first-type access control policy;
b3, generating a supplementary first-class access control strategy aiming at each first-class access control strategy;
specifically, one first-type access control policy is selected from the k nearest neighbours of each first-type access control policy, and a supplementary first-type access control policy is generated using formula (6);
s_i = x_i + β·(x_zi − x_i), β ∈ [0, 1]    (6)
wherein x_i represents the i-th first-type access control policy, x_zi represents the selected first-type access control policy, and s_i represents the supplementary first-type access control policy;
extracting features of the balanced access control strategy to obtain extracted features of the access control strategy;
performing feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy;
the characteristic dimension reduction calculation formula is as follows (7):
wherein t denotes the presence or absence of the relevant feature, c denotes the permission judgment result, N denotes the actual observed value, E denotes the expected value, e_t indicates whether a particular feature appears (1 if present, 0 if absent), and e_c denotes a particular permission judgment result (1 for allow, 0 for deny);
the converting each access control policy in the dataset into a vector respectively specifically includes:
and respectively converting the dimensionality reduced features of each access control strategy into vectors.
2. The method of claim 1, wherein the decision system comprises a plurality of decision models; the structure between any of the decision models is a parallel structure, a cascade structure or a conditional structure.
3. The method according to any one of claims 1-2, further comprising, after said inputting said vector into a decision system to obtain a decision whether to allow a user to access a preset repository:
And feeding back the resource accessed by the user access request under the condition that the judgment result indicates that the resource is allowed to be accessed.
4. An access right control device, characterized by comprising:
the conversion module is used for converting the resource access information in the user access request into a vector under the condition that the user access request is received;
the input module is used for inputting the vector into the judgment system to obtain a judgment result of whether the user is allowed to access a preset resource library; the decision system at least comprises a pre-trained decision model; the judgment model is obtained by training a preset machine learning model by taking a preset access control strategy as a data set;
the preset machine learning model is a plurality of random forest models which are built in advance; the data sets include training data sets and test data sets; any one of the access control policies included in the training data set and the test data set includes: sample information and sample tag information;
the apparatus further comprises:
the training module is used for training a preset machine learning model by taking a preset access control strategy as a data set, and comprises the following steps:
The training module is specifically configured to convert each access control policy in the training data set and the test data set into a vector respectively, so as to obtain a vector of the training data set and a vector of the test data set; any vector of the access control strategies carries sample information and sample label information of the access control strategies;
respectively training the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector to obtain a plurality of trained random forest models;
the training is performed on the plurality of random forest models according to the vector of the training data set and sample label information contained in the vector, so as to obtain a plurality of trained random forest models, including:
training each random forest model of the plurality of random forest models as follows:
dividing the training data set of a target random forest model into k training sub-data sets, denoted {Subset_1, Subset_2, …, Subset_(k-1), Subset_k}, wherein the number of vectors in the training data set and the number of vectors in each training sub-data set of the target random forest model are both N, the value of k is the number of CART decision trees included in the target random forest model, the k training sub-data sets correspond one-to-one to the k CART decision trees, and the target random forest model is any random forest model among the plurality of random forest models;
Respectively inputting vectors in the training sub-data set corresponding to each CART decision tree in the k CART decision trees into the k CART decision trees;
the process of judging the vectors in the training sub-data set corresponding to each CART decision tree in the k CART decision trees by the k CART decision trees specifically comprises the following steps:
randomly extracting m features from the attribute features of the vector, selecting the optimal feature among the m features and applying it to the target node for the splitting operation to generate a tree node of the target CART decision tree, and continuing to split that tree node on the remaining m-1 features based on the GINI value until the tree node of the target CART decision tree can no longer be split;
obtaining a decision result output by each CART decision tree in the k CART decision trees, wherein the decision result is expressed as decision result(T_i); if the decision result indicates that access is allowed, decision result(T_i) = 1; if the decision result indicates that access is prohibited, decision result(T_i) = 0;
Aggregating the judgment results output by each CART decision tree in the k CART decision trees to obtain the judgment result of the target random forest model, wherein the aggregation calculation mode is shown in a formula (8),
Vote (x) represents an aggregation result obtained by the target random forest model in the training process;
obtaining a judgment result output by the target random forest model through a formula (9);
wherein Permission(request) represents the decision result output by the target random forest model in the training process; if Permission(request) = 1, the user is allowed to access the resource, otherwise the user is prohibited from accessing the resource;
using the Gini index (GINI value) of the data set to evaluate the purity of each tree node in the k CART decision trees, wherein the GINI value is calculated as shown in the following formula (10) and formula (11):
the k CART decision trees perform tree pruning based on the Cost-Complexity Pruning (CCP) method to reduce tree complexity; cost-complexity pruning selects, among the tree nodes of each of the k CART decision trees, the non-leaf node with the minimum surface error rate gain value and deletes its left and right child nodes, and if several non-leaf nodes share the same minimum surface error rate gain value, the one among them with the largest number of child nodes is selected for pruning; the surface error rate gain value is calculated as shown in the following formula (12),
wherein R(t) represents the error cost of the leaf node, R(t) = r(t)·p(t), r(t) is the error rate of the leaf node, and p(t) is the proportion of the data falling in the node; R(T) represents the error cost of the subtree, r_i(t) is the error rate of child node i, p_i(t) is the proportion of the data falling in node i; N(T) represents the number of subtree nodes;
determining, from the plurality of trained random forest models, the random forest models for which the number of first target vectors of the training data set is greater than a preset number, to obtain candidate random forest models; a first target vector is a vector of the training data set whose corresponding judgment result is consistent with its sample label information;
respectively training the candidate random forest models according to the vectors of the test data set and the training data set and sample label information contained in the vectors to obtain trained candidate random forest models;
determining, from the trained candidate random forest models, the random forest model with the largest total number of second target vectors of the test data set and the training data set, to obtain the judgment model; a second target vector is a vector of the test data set or the training data set whose corresponding judgment result is consistent with its sample label information;
The execution module is used for respectively taking the training data set and the test data set as target data sets before each access control strategy in the training data set and the test data set is respectively converted into vectors, and executing the following operations:
balancing the number of access control policies of which the sample tag information represents access permission and the sample tag information represents access prohibition in the target data set to obtain balanced access control policies;
the specific process of balancing the target data set comprises the following steps of B1 to B3:
b1, calculating the unbalance degree of a target data set;
the manner in which the imbalance of the target data set is calculated is shown in the following equation (1):
wherein m_s represents the number of first-type access control policies and m_l represents the number of second-type access control policies; the first type of access control policy is the type with the smaller total number in the target data set; the second type of access control policy is the type with the larger total number in the target data set;
b2, calculating the access control strategies to be synthesized of each first type of access control strategy;
in this step, a calculation formula of a difference value between the first type access control policy and the second type access control policy in the target data set is shown in the following formula (2);
GN = α·(m_l − m_s), α ∈ [0, 1]    (2)
Wherein GN represents a difference between the first type access control policy and the second type access control policy;
as can be seen from equation (2), in the case of α=1, GN is equal to the difference in the total number of two types of access control policies, which indicates the number of first type of access control policies that need to be complemented for the first type of access control policies;
determining the access control policies that need to be supplemented for each first-type access control policy; the specific calculation principle is as follows: the f neighbours of each first-type access control policy are found using the Euclidean distance, and the number of those f neighbours that belong to the second type is denoted N_l; the number of first-type access control policies that need to be supplemented for each first-type access control policy is then calculated according to formula (3), formula (4) and formula (5);
wherein gn_i represents the number of first-type access control policies that need to be supplemented for the i-th first-type access control policy;
b3, generating a supplementary first-class access control strategy aiming at each first-class access control strategy;
specifically, one first-type access control policy is selected from the k nearest neighbours of each first-type access control policy, and a supplementary first-type access control policy is generated using formula (6);
s_i = x_i + β·(x_zi − x_i), β ∈ [0, 1]    (6)
wherein x_i represents the i-th first-type access control policy, x_zi represents the selected first-type access control policy, and s_i represents the supplementary first-type access control policy;
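An added worked example of the balancing step B1 to B3 as it appears in claim 1 and again in claim 4; it is example code, not the patent's own implementation. It implements formula (2) and formula (6) exactly as stated above; because formulas (1), (3), (4) and (5) are not reproduced on this page, the imbalance degree is assumed to be m_s/m_l and the per-policy allocation gn_i is assumed to follow the ADASYN scheme (gn_i proportional to N_l/f, normalised over the first-type policies). The policy vectors and all parameter values are constructed.

```python
import math
import random
from typing import List, Optional, Sequence

Vector = List[float]


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def imbalance_degree(m_s: int, m_l: int) -> float:
    """Step B1. Formula (1) is not on the page; the ADASYN ratio m_s / m_l
    is assumed (1.0 means the two classes already have equal size)."""
    return m_s / m_l


def synthetic_total(m_s: int, m_l: int, alpha: float = 1.0) -> int:
    """Formula (2): GN = alpha * (m_l - m_s). With alpha = 1 the first-type
    (minority) class is brought up to the size of the second-type class."""
    return int(round(alpha * (m_l - m_s)))


def allocate_per_policy(minority: Sequence[Vector], majority: Sequence[Vector],
                        gn: int, f: int = 5) -> List[int]:
    """Step B2. For each first-type policy x_i find its f nearest neighbours
    in the whole data set (Euclidean distance) and count the second-type ones
    among them, N_l. ADASYN-style allocation, assumed for the missing
    formulas (3)-(5): r_i = N_l / f, normalised, gn_i = round(GN * r_i)."""
    points = [(x, 0) for x in minority] + [(x, 1) for x in majority]
    ratios = []
    for i, x_i in enumerate(minority):
        others = [(euclidean(x_i, p), is_major)
                  for j, (p, is_major) in enumerate(points) if j != i]
        others.sort(key=lambda d: d[0])
        n_l = sum(is_major for _, is_major in others[:f])
        ratios.append(n_l / f)
    total = sum(ratios)
    if total == 0:  # no first-type policy borders the second-type class
        return [gn // len(minority)] * len(minority)
    return [int(round(gn * r / total)) for r in ratios]


def synthesize(minority: Sequence[Vector], counts: Sequence[int], k: int = 5,
               beta: Optional[float] = None,
               rng: Optional[random.Random] = None) -> List[Vector]:
    """Step B3, formula (6): s_i = x_i + beta * (x_zi - x_i), beta in [0, 1],
    with x_zi drawn from the k nearest first-type neighbours of x_i."""
    rng = rng or random.Random(0)
    synthetic: List[Vector] = []
    for i, x_i in enumerate(minority):
        neighbours = sorted((j for j in range(len(minority)) if j != i),
                            key=lambda j: euclidean(x_i, minority[j]))[:k]
        for _ in range(counts[i]):
            # a lone first-type policy has no neighbour: keep x_i itself
            x_zi = minority[rng.choice(neighbours)] if neighbours else x_i
            b = rng.random() if beta is None else beta
            synthetic.append([a + b * (c - a) for a, c in zip(x_i, x_zi)])
    return synthetic


def balance(minority: Sequence[Vector], majority: Sequence[Vector],
            alpha: float = 1.0, f: int = 5, k: int = 5,
            rng: Optional[random.Random] = None) -> List[Vector]:
    """Run B1-B3 and return the balanced first-type policies (originals plus
    synthetic ones); the second-type policies are left unchanged."""
    gn = synthetic_total(len(minority), len(majority), alpha)
    counts = allocate_per_policy(minority, majority, gn, f)
    return list(minority) + synthesize(minority, counts, k, rng=rng)


# Constructed toy data: policy feature vectors already encoded numerically,
# three first-type ("allow") policies against nine second-type ("deny") ones.
MINORITY = [[0.0, 0.0], [1.0, 0.0], [0.0, 1.0]]
MAJORITY = [[5.0, 5.0], [5.0, 6.0], [6.0, 5.0], [6.0, 6.0], [5.0, 7.0],
            [7.0, 5.0], [7.0, 7.0], [6.0, 7.0], [7.0, 6.0]]

if __name__ == "__main__":
    print("imbalance degree:", imbalance_degree(len(MINORITY), len(MAJORITY)))
    print("GN:", synthetic_total(len(MINORITY), len(MAJORITY)))
    print("balanced first-type size:", len(balance(MINORITY, MAJORITY)))
```

Every synthetic policy lies on the segment between a first-type policy and one of its first-type neighbours, so the generated policies never cross into the region of the second-type class.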
extracting features of the balanced access control strategy to obtain extracted features of the access control strategy;
performing feature dimension reduction on the extracted features of the access control strategy to obtain dimension reduced features of the access control strategy;
the characteristic dimension reduction calculation formula is as follows (7):
wherein t denotes the presence or absence of the relevant feature, c denotes the permission judgment result, N denotes the actual observed value, E denotes the expected value, e_t indicates whether a particular feature appears (1 if present, 0 if absent), and e_c denotes a particular permission judgment result (1 for allow, 0 for deny);
the training module is configured to convert each access control policy in the dataset into a vector, and includes:
the training module is specifically configured to convert the dimension reduced features of each access control policy into vectors respectively.
5. The apparatus of claim 4, wherein the training module configured to train the plurality of random forest models according to the vector of the training dataset and sample tag information included in the vector, respectively, to obtain a plurality of trained random forest models, comprises:
The training module is specifically configured to train the plurality of random forest models by adopting a random forest method according to the vector of the training data set and sample label information contained in the vector, so as to obtain a plurality of trained random forest models;
the training module is configured to train the candidate random forest models according to the vector of the test training data set and sample tag information contained in the vector, to obtain trained candidate random forest models, and includes:
the training module is specifically configured to train the candidate random forest models by using the random forest method according to the vector of the test training data set and sample tag information contained in the vector, so as to obtain trained candidate random forest models.
CN202010961897.XA 2020-09-14 2020-09-14 Access right control method and device Active CN112101452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010961897.XA CN112101452B (en) 2020-09-14 2020-09-14 Access right control method and device

Publications (2)

Publication Number Publication Date
CN112101452A CN112101452A (en) 2020-12-18
CN112101452B true CN112101452B (en) 2023-12-22

Family

ID=73752459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010961897.XA Active CN112101452B (en) 2020-09-14 2020-09-14 Access right control method and device

Country Status (1)

Country Link
CN (1) CN112101452B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113256304B (en) * 2021-05-20 2022-09-06 山东大学 Campus card abnormal use behavior online early warning method and system
CN113746899B (en) * 2021-07-29 2023-04-07 济南浪潮数据技术有限公司 Cloud platform access method and device
CN114726639B (en) * 2022-04-24 2023-08-22 国网河南省电力公司信息通信公司 Automatic arrangement method and system for access control policy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453424A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Network information resource access control method and system
CN108280462A (en) * 2017-12-11 2018-07-13 北京三快在线科技有限公司 A kind of model training method and device, electronic equipment
CN109919197A (en) * 2019-02-13 2019-06-21 阿里巴巴集团控股有限公司 Random Forest model training method and device
CN111475831A (en) * 2020-06-22 2020-07-31 南京红阵网络安全技术研究院有限公司 Data access control method and system based on mimicry defense

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10885469B2 (en) * 2017-10-02 2021-01-05 Cisco Technology, Inc. Scalable training of random forests for high precise malware detection

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
Haibo He et al. ADASYN: Adaptive synthetic sampling approach for imbalanced learning. 2008 IEEE International Joint Conference on Neural Networks, pp. 1323-1324 *
黄美蓉 et al. An access control method based on feature extraction. Computer Science (计算机科学), vol. 46, no. 02, 2019-02-28, pp. 110-113 *
孙源 et al. A random forest text classification model based on high-frequency words and AUC optimization. Mathematics in Practice and Theory (数学的实践与认识), vol. 50, no. 01, 2020-01-31, pp. 10-15 *
康琦 et al. Imbalanced classification methods in machine learning. Shanghai: Tongji University Press, 2017, pp. 165, 167 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant