CN112235298B - Data security classification dynamic access control method and device and electronic equipment - Google Patents


Publication number
CN112235298B
Authority
CN
China
Prior art keywords
lattice
node
access
grid
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011096230.4A
Other languages
Chinese (zh)
Other versions
CN112235298A (en)
Inventor
王栋
杨珂
秦日臻
王合建
李达
玄佳兴
王焕娟
陈连栋
程凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Blockchain Technology Beijing Co ltd
State Grid Digital Technology Holdings Co ltd
State Grid Corp of China SGCC
State Grid Hebei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Blockchain Technology Beijing Co ltd
State Grid Corp of China SGCC
State Grid Hebei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
State Grid E Commerce Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Blockchain Technology Beijing Co ltd, State Grid Corp of China SGCC, State Grid Hebei Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd, State Grid E Commerce Co Ltd
Priority to CN202011096230.4A
Publication of CN112235298A
Application granted
Publication of CN112235298B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00 Economic sectors
    • G16Y10/35 Utilities, e.g. electricity, gas or water
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals

Abstract

The application discloses a data security classification dynamic access control method, a device and electronic equipment, wherein the method comprises the following steps: obtaining at least one item of attribute information for each of the access object and the accessed object; obtaining, according to the attribute information of the access object, a first lattice node corresponding to the access object in a lattice structure, wherein the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; obtaining, according to the attribute information of the accessed object, a second lattice node corresponding to the accessed object in the lattice structure; obtaining an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node, wherein the access control result represents whether the access object has the right to access the accessed object; and adjusting at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result.

Description

Data security classification dynamic access control method and device and electronic equipment
Technical Field
The present application relates to the field of data security technologies, and in particular, to a method and an apparatus for hierarchical dynamic access control of data security, and an electronic device.
Background
In the new business application scenarios of the power Internet of Things, massive amounts of sensitive data and information are stored in the cloud, the security life cycle of the data extends beyond the traditional network security category, and huge security risks exist. Once sensitive data is stolen, tampered with or abused, there is a risk of violating the law, so the protection of important enterprise data and customer privacy needs to be strengthened, and corresponding access control mechanisms need to be established.
However, in practice, as access control proceeds, the authority of the access object may change, which leads to the defect of low accuracy in access control of the access object.
Therefore, a technical solution for accurately controlling access by an access object is needed.
Disclosure of Invention
In view of the above, the present application provides a data security hierarchical dynamic access control method, an apparatus and an electronic device, as follows:
A data security hierarchical dynamic access control method, the method comprising:
obtaining at least one item of attribute information for each of the access object and the accessed object;
obtaining, according to the attribute information of the access object, a first lattice node corresponding to the access object in a lattice structure, wherein the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes;
obtaining, according to the attribute information of the accessed object, a second lattice node corresponding to the accessed object in the lattice structure;
obtaining an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node, wherein the access control result represents whether the access object has the right to access the accessed object;
and adjusting at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result.
Preferably, in the above method, obtaining a first lattice node corresponding to the access object in the lattice structure according to the attribute information of the access object includes:
obtaining, according to the attribute information, a data security level parameter corresponding to the access object as an operation data object and an identity trust level parameter corresponding to the access object as an operation user object;
processing at least the data security level parameter and the identity trust level parameter to obtain an authority value of the access object;
and obtaining a first lattice node corresponding to the access object in the lattice structure according to the authority value.
Preferably, in the above method, processing at least the data security level parameter and the identity trust level parameter to obtain the authority value of the access object includes:
obtaining the weight values respectively corresponding to the data security level parameter and the identity trust level parameter, and a count value of the number of times access by the access object has been prohibited;
and performing a calculation on the data security level parameter, the identity trust level parameter, the weight values and the count value to obtain the authority value of the access object.
Preferably, in the above method, obtaining a first lattice node corresponding to the access object in the lattice structure according to the authority value includes:
searching the lattice structure for a target layer matching the authority value, wherein the target layer comprises a plurality of lattice nodes, and a statistical parameter formed by the lattice nodes in the target layer corresponds to the authority value;
and obtaining, in the target layer, a first lattice node corresponding to the access object.
Preferably, in the above method, the statistical parameter formed by the lattice nodes included in the target layer corresponding to the authority value includes: a mean parameter and/or a variance parameter of the authority values of the lattice nodes contained in the target layer matches the authority value;
or, the statistical parameter formed by the lattice nodes included in the target layer corresponding to the authority value includes: the value range formed by the respective authority values of the lattice nodes included in the target layer matches the authority value of the access object.
Preferably, in the above method, obtaining an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node includes:
in the case that the layer of the first lattice node in the lattice structure is higher than the layer of the second lattice node in the lattice structure, obtaining an access control result representing that the access object has the right to access the accessed object;
in the case that the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is greater than or equal to the authority value of the second lattice node, obtaining an access control result representing that the access object has the right to access the accessed object;
and in the case that the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is smaller than the authority value of the second lattice node, obtaining an access control result representing that the access object does not have the right to access the accessed object.
Preferably, in the above method, adjusting at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result includes:
in the case that the access control result represents that the access object does not have the right to access the accessed object, exchanging the node distribution positions of the first lattice node and the second lattice node in the lattice structure.
Preferably, in the above method, after exchanging the node distribution positions of the first lattice node and the second lattice node in the lattice structure, the method further includes:
monitoring whether layers meeting a merging rule exist in the lattice structure, the merging rule being that the statistical parameters the layers form over the lattice nodes they contain are the same;
and merging the layers meeting the merging rule in the lattice structure in the case that such layers exist in the lattice structure.
A data security hierarchical dynamic access control apparatus, the apparatus comprising:
an attribute obtaining unit, configured to obtain at least one item of attribute information for each of the access object and the accessed object;
a node obtaining unit, configured to obtain, according to the attribute information of the access object, a first lattice node corresponding to the access object in a lattice structure, wherein the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; and to obtain, according to the attribute information of the accessed object, a second lattice node corresponding to the accessed object in the lattice structure;
a result obtaining unit, configured to obtain an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node, where the access control result represents whether the access object has the right to access the accessed object;
and a node adjusting unit, configured to adjust at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result.
An electronic device, comprising:
a memory for storing an application program and data generated by running the application program;
a processor for executing the application program to implement: obtaining at least one item of attribute information for each of the access object and the accessed object; obtaining, according to the attribute information of the access object, a first lattice node corresponding to the access object in a lattice structure, wherein the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; obtaining, according to the attribute information of the accessed object, a second lattice node corresponding to the accessed object in the lattice structure; obtaining an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node, wherein the access control result represents whether the access object has the right to access the accessed object; and adjusting at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result.
According to the above scheme, in the data security hierarchical dynamic access control method, apparatus and electronic device provided by the present application, the attribute information of the access object and the accessed object is obtained, and the first lattice node corresponding to the access object and the second lattice node corresponding to the accessed object in the lattice structure are obtained according to that attribute information. The access control result is then obtained according to the node distribution positions of the first lattice node and the second lattice node in the lattice structure, so as to determine whether the access object has the right to access the accessed object. At the same time, the node distribution positions of lattice nodes in the lattice structure can be adjusted according to the access control result, so that when a new access request occurs, the node distribution position of the lattice node corresponding to the access object has changed and the access control result obtained changes correspondingly. Dynamic access control is thereby realized, and the accuracy of access control is improved.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a data security hierarchical dynamic access control method according to an embodiment of the present application;
Fig. 2 is an exemplary diagram of a lattice structure in an embodiment of the present application;
Fig. 3 and Fig. 4 are partial flowcharts of a data security hierarchical dynamic access control method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a data security hierarchical dynamic access control apparatus according to a second embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to a third embodiment of the present application;
Fig. 7 is a schematic lattice structure diagram of a security access control scenario applicable to the power internet according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a flowchart of an implementation of a data security hierarchical dynamic access control method provided in an embodiment of the present application is shown, where the method is applied to an electronic device capable of data processing, such as a computer or a server. The technical scheme in the embodiment is mainly used for realizing dynamic access control so as to improve the accuracy of the access control.
Specifically, the method in this embodiment may include the following steps:
Step 101: obtain at least one item of attribute information for each of the access object and the accessed object.
The access object may be understood as an object, such as a device or a person, that accesses the accessed object. The attribute information of the access object may include any one or more of an identity attribute, a time attribute, a space attribute, a behavior attribute, and the like, where the identity attribute refers to an attribute such as the person type or device identifier of the access object, the time attribute refers to an attribute such as the current time of the access, the space attribute refers to an attribute such as the geographic location, network location, or device where the access object is located, and the behavior attribute refers to an attribute such as the object behavior of the access object.
The accessed object may be understood as an object, such as data or equipment (or a person), that serves as the access target. The attribute information of the accessed object may also include any one or more of an identity attribute, a time attribute, a space attribute, a behavior attribute, and the like, where the identity attribute refers to an attribute such as the data identifier or equipment identifier of the access target, the time attribute refers to an attribute such as the current time of being accessed, the space attribute refers to an attribute such as the geographic location, network location, or device where the accessed object is located, and the behavior attribute refers to an attribute such as the object behavior of the accessed object.
Specifically, in this embodiment, after an access request from the access object to access the accessed object is received, the attribute information of each of the access object and the accessed object may be looked up in a database, and the attribute information may be one or more of the items described above.
Step 102: obtain a first lattice node corresponding to the access object in the lattice structure according to the attribute information of the access object.
The lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes. For example, lattice nodes whose authority values fall in the same value range are in the same layer of the lattice structure, and lattice nodes whose authority values fall in different value ranges are in different layers, thereby forming a multi-layer lattice structure in which each layer contains a plurality of lattice nodes, as shown in Fig. 2, with the authority values of lattice nodes in different layers being different; or the variance vector or mean vector formed by the authority values of the lattice nodes in the same layer of the lattice structure meets a corresponding condition.
Specifically, in this embodiment, the attribute values of the attribute information of the access object may be calculated or processed through a specific cost function to obtain the authority value of the access object, and then the first lattice node corresponding to the access object in the lattice structure is obtained according to the authority value, where the first lattice node has a corresponding layer in the lattice structure and a position within that layer, that is, a node distribution position.
Step 103: obtain a second lattice node corresponding to the accessed object in the lattice structure according to the attribute information of the accessed object.
Specifically, in this embodiment, the attribute values of the attribute information of the accessed object may be calculated or processed through a specific cost function to obtain the authority value of the accessed object, and then the second lattice node corresponding to the accessed object in the lattice structure is obtained according to the authority value, where the second lattice node has a corresponding layer in the lattice structure and a position within that layer, that is, a node distribution position.
It should be noted that the execution order of step 102 and step 103 is not limited by the order in the drawing: step 103 may be executed first and then step 102, or the two may be executed simultaneously, and these different technical solutions are all within the scope of the present application.
Step 104: obtain an access control result at least according to the respective node distribution positions of the first lattice node and the second lattice node.
The access control result represents whether the access object has the right to access the accessed object.
Specifically, in this embodiment, the access control result may be obtained from the difference or the relative position between the node distribution positions of the first lattice node and the second lattice node in the lattice structure.
Based on this, when the access control result represents that the access object has the right to access the accessed object, the access object is allowed to access the accessed object, for example with access operations such as data reading or data modification; and when the access control result indicates that the access object does not have the right to access the accessed object, the access object is not allowed to access the accessed object.
Step 105: adjust at least the node distribution position of the first lattice node in the lattice structure at least according to the access control result.
In this embodiment, whether to adjust lattice nodes in the lattice structure may be determined according to whether the access control result indicates that the access object has the right to access the accessed object. The adjustment may specifically include adjusting the first lattice node, and may also include adjusting the first lattice node and the second lattice node at the same time.
The node positions of lattice nodes in the lattice structure therefore change. When an access request is received again, the node distribution position of the first lattice node corresponding to the access object has changed, and accordingly the access control result obtained also changes, thereby realizing dynamic access control.
It can be seen from the foregoing solution that, in the data security hierarchical dynamic access control method provided in this embodiment of the present application, the attribute information of the access object and the accessed object is obtained, and the first lattice node corresponding to the access object and the second lattice node corresponding to the accessed object in the lattice structure are obtained according to that attribute information. The access control result is then obtained according to the node distribution positions of the first lattice node and the second lattice node in the lattice structure, so as to determine whether the access object has the right to access the accessed object. At the same time, the node distribution positions of lattice nodes in the lattice structure can be adjusted according to the access control result, so that when a new access request occurs, the node distribution position of the lattice node corresponding to the access object has changed and the access control result obtained changes correspondingly. Dynamic access control is thereby realized, and the accuracy of access control is improved.
In one implementation, obtaining the first lattice node corresponding to the access object in the lattice structure according to the attribute information of the access object in step 102 may be implemented as follows, as shown in Fig. 3:
Step 301: according to the attribute information, obtain a data security level parameter corresponding to the access object as an operation data object and an identity trust level parameter corresponding to the access object as an operation user object.
For example, in this embodiment, the data security level parameter s is determined according to the data content, data source, data application, and other attributes of the operation data object; for example, four data security levels are represented by parameter values 0 to 3. In this embodiment, the identity trust level parameter c of the operation user object may be determined according to attribute information of the operation user object such as the identity attribute, time attribute, behavior attribute, and space attribute; for example, four identity trust levels are represented by parameter values 0 to 3.
It should be noted that, when the access object is an operation data object, the identity trust level parameter may be null, and when the access object is an operation user object, the data security level parameter may be null.
Step 302: process at least the data security level parameter and the identity trust level parameter to obtain the authority value of the access object.
In this embodiment, the data security level parameter and the identity trust level parameter may be calculated with a preset function or algorithm to obtain the authority value of the access object.
Specifically, in step 302, the weight values respectively corresponding to the data security level parameter and the identity trust level parameter, and a count value of the number of times access by the access object has been prohibited, may be obtained. The weight values include a weight value of the data security level parameter and a weight value of the identity trust level parameter, and the count value may be represented by t, that is, a statistic of the number of times the access object has been prohibited in historical access control. The data security level parameter, the identity trust level parameter, the weight values and the count value are then calculated to obtain the authority value of the access object. For example, they may be calculated with a specified function, such as a cost function, to obtain the authority value of the access object, which may be understood as a reputation value of the access object and is denoted by f.
Step 303: obtain a first lattice node corresponding to the access object in the lattice structure according to the authority value.
Specifically, in this embodiment, the authority value may be compared with the statistical parameter formed by the lattice nodes of each layer in the lattice structure, to determine the layer corresponding to the access object in the lattice structure and the first lattice node corresponding to the access object in that layer.
For example, in this embodiment, a target layer that matches the authority value of the access object may first be searched for in the lattice structure, where the target layer includes a plurality of lattice nodes and a statistical parameter formed by the lattice nodes included in the target layer corresponds to the authority value; then a first lattice node corresponding to the access object is obtained in the target layer.
The statistical parameter formed by the lattice nodes included in the target layer corresponding to the authority value may mean: the mean parameter and/or variance parameter of the authority values of the lattice nodes contained in the target layer matches the authority value. For example, after the access object is added to the target layer as a new node, the mean vector or variance vector obtained from the authority values of the lattice nodes contained in the target layer does not change or changes little;
or, the statistical parameter formed by the lattice nodes included in the target layer corresponding to the authority value may mean: the respective authority values of the lattice nodes included in the target layer form a value range that matches the authority value of the access object. For example, the authority value of the access object lies within the value range formed by the respective authority values of the lattice nodes included in the target layer.
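The following added example (not code from the patent) works through steps 301 to 303 together with the layer-comparison rule from the disclosure: it computes an authority value f from s, c, their weights and the prohibition count t, finds the layer whose value range contains f, and decides access. Assumptions: the linear cost function, the weights, the layer ranges and all names are hypothetical, since the page names only the function's inputs; a first node in a lower layer than the second is denied, a case the page does not spell out; and the adjustment is modeled by incrementing t and re-placing the node rather than by the position exchange the page prefers.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights and penalty: the page says weight values and the
# prohibition count t feed a cost function, but does not give the function.
W_S, W_C, T_PENALTY = 1.0, 1.0, 0.5

# Constructed layer value ranges [low, high) over authority values,
# lowest layer first. A node belongs to the layer whose range contains f.
LAYER_RANGES = [
    (float("-inf"), 1.5),
    (1.5, 3.5),
    (3.5, float("inf")),
]


@dataclass
class Node:
    name: str
    s: Optional[int] = None  # data security level 0..3; None for a user object
    c: Optional[int] = None  # identity trust level 0..3; None for a data object
    t: int = 0               # times this object was prohibited in past decisions

    def __post_init__(self):
        if self.s is None and self.c is None:
            raise ValueError("a node needs at least one of s or c")
        for level in (self.s, self.c):
            if level is not None and level not in range(4):
                raise ValueError("levels are 0..3")


def authority_value(node: Node) -> float:
    """Authority (reputation) value f; a null parameter contributes nothing."""
    s = node.s if node.s is not None else 0
    c = node.c if node.c is not None else 0
    return W_S * s + W_C * c - T_PENALTY * node.t


def layer_of(f: float) -> int:
    """Index of the layer whose value range contains f."""
    for index, (low, high) in enumerate(LAYER_RANGES):
        if low <= f < high:
            return index
    raise ValueError(f"no layer for authority value {f!r}")


def decide(subject: Node, target: Node) -> bool:
    """Layer-comparison rule: a higher layer wins, a shared layer compares f."""
    f1, f2 = authority_value(subject), authority_value(target)
    l1, l2 = layer_of(f1), layer_of(f2)
    if l1 > l2:
        return True
    if l1 == l2:
        return f1 >= f2
    # Assumption: the page does not state this case; deny by default.
    return False


def request(subject: Node, target: Node) -> bool:
    """Decide, then record a prohibition so the next decision sees a new f."""
    allowed = decide(subject, target)
    if not allowed:
        subject.t += 1
    return allowed


if __name__ == "__main__":
    # Constructed sample objects.
    operator = Node("operator", c=2)
    dispatch_plan = Node("dispatch_plan", s=3)
    for attempt in range(2):
        print(attempt, request(operator, dispatch_plan),
              authority_value(operator), layer_of(authority_value(operator)))
```

With these constructed values, two prohibited requests move the operator from layer 1 to layer 0, so data in layer 1 that was readable before is no longer readable afterwards.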
In one implementation, when the corresponding second lattice node of the accessed object in the lattice structure is obtained according to the attribute information of the accessed object in step 103, the following may be implemented, as shown in fig. 4:
step 401: and according to the attribute information, acquiring a data security level parameter corresponding to the accessed object as the operation data object and an identity trust level parameter corresponding to the accessed object as the operation user object.
For example, in the present embodiment, the corresponding data security level parameter s is determined according to the data content, the data source, the data application, and other attributes of the operation data object, and for example, the four data security levels are respectively characterized by parameter values of 0 to 3. In this embodiment, the identity trust level parameter c of the operation user object may be determined according to attribute information, such as the identity attribute, the time attribute, the behavior attribute, and the space attribute, of the operation user object, for example, the four identity trust level parameters are represented by parameter values of 0 to 3.
It should be noted that, when the accessed object is an operation data object, the identity trust level parameter may be null, and when the accessed object is an operation user object, the data security level parameter may be null.
Step 402: Process at least the data security level parameter and the identity trust level parameter to obtain the authority value of the accessed object.
In this embodiment, the data security level parameter and the identity trust level parameter may be processed by a preset function or algorithm to obtain the authority value of the accessed object.
Specifically, in step 402, the weight values corresponding to the data security level parameter and the identity trust level parameter, and the number of times that access of the accessed object has been prohibited, may be obtained. The weight values comprise a weight value for the data security level parameter and a weight value for the identity trust level parameter. The count may be denoted t, that is, the statistical count of the times the accessed object was prohibited in historical access control. The data security level parameter, the identity trust level parameter, the weight values, and the count value are then used to calculate the authority value of the accessed object. For example, they may be combined by a specified function, such as a cost function, to obtain the authority value of the accessed object, which may be understood as the reputation value of the accessed object and is denoted f.
Step 403: Obtain the second lattice node corresponding to the accessed object in the lattice structure according to the authority value.
Specifically, in this embodiment, the authority value may be compared with the statistical parameters formed by the lattice nodes of each layer in the lattice structure, to determine the layer of the lattice structure that corresponds to the accessed object and the second lattice node corresponding to the accessed object in that layer.
For example, in this embodiment, a target layer that matches the authority value of the accessed object may first be searched for in the lattice structure, where the target layer includes a plurality of lattice nodes and a statistical parameter formed by the lattice nodes included in the target layer corresponds to the authority value; the second lattice node corresponding to the accessed object is then obtained in the target layer.
The statistical parameters formed by the lattice nodes included in the target layer may correspond to the authority value in either of two ways. The mean parameter and/or variance parameter of the authority values of the lattice nodes contained in the target layer may match the authority value; for example, after the accessed object is added to the target layer as a new node, the mean vector or variance vector obtained from the authority values of the lattice nodes contained in the target layer does not change or changes only slightly.
Alternatively, the respective authority values of the lattice nodes included in the target layer form a value range that matches the authority value of the accessed object; for example, the authority value of the accessed object lies within the value range formed by the respective authority values of the lattice nodes included in the target layer.
In one implementation, step 104 may obtain the access control result according to at least the respective node distribution positions of the first lattice node and the second lattice node as follows:
when the layer of the first lattice node in the lattice structure is higher than the layer of the second lattice node in the lattice structure, an access control result is obtained indicating that the access object has the right to access the accessed object;
when the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is greater than or equal to the authority value of the second lattice node, an access control result is obtained indicating that the access object has the right to access the accessed object;
when the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is smaller than the authority value of the second lattice node, an access control result is obtained indicating that the access object does not have the right to access the accessed object.
Based on this, step 105 may adjust at least the node distribution position of the first lattice node in the lattice structure according to at least the access control result as follows:
when the access control result indicates that the access object does not have the right to access the accessed object, it is determined that the accessed object has a higher authority than the access object, and the node distribution positions of the first lattice node and the second lattice node in the lattice structure are exchanged.
After the lattice nodes are exchanged, the variance vector and the mean vector formed by the lattice nodes contained in each layer change accordingly.
Based on this, after the node distribution positions of the first lattice node and the second lattice node in the lattice structure are exchanged, this embodiment may also monitor whether the lattice structure contains layers that satisfy a merge rule. The merge rule is that the statistical parameters the layers form over the lattice nodes they contain are the same, for example the lattice node authority values are the same or the variance vector and the mean vector are the same. If layers satisfying the merge rule exist in the lattice structure, those layers are merged.
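The access decision, the position exchange on denial, and the layer merge described above can be traced on a small constructed lattice; the following Python example is added here for illustration and is not code from the patent. The form of the authority function, the `PENALTY` constant, the unit-wide layer value ranges, the denial of a requester that sits in a lower layer (a case the text does not list), and all node names are assumptions.

```python
import math
from dataclasses import dataclass
from statistics import fmean, pvariance
from typing import Optional

PENALTY = 0.25  # ASSUMED cost per prohibited access; the patent gives no formula

@dataclass(eq=False)  # identity comparison: distinct nodes may carry equal values
class Node:
    name: str
    s: Optional[int] = None  # data security level 0..3 (None for a user object)
    c: Optional[int] = None  # identity trust level 0..3 (None for a data object)
    a: float = 0.5           # weight proportion between s and c
    t: int = 0               # times access was prohibited in the history

    @property
    def f(self) -> float:
        """Authority (reputation) value f; the functional form is ASSUMED."""
        if self.s is None and self.c is None:
            raise ValueError("node needs s, c or both")
        if self.s is None:
            base = float(self.c)
        elif self.c is None:
            base = float(self.s)
        else:
            base = self.a * self.s + (1 - self.a) * self.c
        return max(0.0, base - PENALTY * self.t)

class Lattice:
    def __init__(self, n_layers: int = 4):
        self.layers = [[] for _ in range(n_layers)]  # index 0 = lowest layer

    def place(self, node: Node) -> None:
        # ASSUMED value ranges: layer k holds f in [k, k+1); top layer is open-ended
        self.layers[min(int(node.f), len(self.layers) - 1)].append(node)

    def locate(self, node: Node):
        """Node distribution position: (layer index, index within the layer)."""
        for li, layer in enumerate(self.layers):
            for pi, other in enumerate(layer):
                if other is node:
                    return li, pi
        raise KeyError(node.name)

    def decide(self, first: Node, second: Node) -> bool:
        l1, l2 = self.locate(first)[0], self.locate(second)[0]
        if l1 > l2:                    # requester sits in a higher layer
            return True
        if l1 == l2:                   # same layer: compare authority values
            return first.f >= second.f
        return False                   # ASSUMED: requester in a lower layer is denied

    def swap(self, first: Node, second: Node) -> None:
        # Exchange positions only; each object keeps its own authority value.
        (l1, p1), (l2, p2) = self.locate(first), self.locate(second)
        self.layers[l1][p1], self.layers[l2][p2] = second, first

    def stats(self, li: int):
        """(mean, variance) of the authority values in one layer, None if empty."""
        vals = [n.f for n in self.layers[li]]
        return (fmean(vals), pvariance(vals)) if vals else None

    def merge_equal_layers(self) -> int:
        """Merge non-empty layers whose mean and variance are the same."""
        merged, i = 0, 0
        while i < len(self.layers):
            j = i + 1
            while j < len(self.layers):
                si, sj = self.stats(i), self.stats(j)
                if (si is not None and sj is not None
                        and all(math.isclose(x, y) for x, y in zip(si, sj))):
                    self.layers[i].extend(self.layers.pop(j))
                    merged += 1
                else:
                    j += 1
            i += 1
        return merged

    def request(self, first: Node, second: Node) -> bool:
        granted = self.decide(first, second)
        if not granted:                # denial triggers the exchange, then the merge check
            self.swap(first, second)
            self.merge_equal_layers()
        return granted

def build_demo():
    """Constructed sample: two gateways and one operator (users), two data sets."""
    nodes = {n.name: n for n in (
        Node("gw1", c=1), Node("gw2", c=1), Node("operator", c=3),
        Node("meter", s=2), Node("billing", s=2))}
    lat = Lattice()
    for n in nodes.values():
        lat.place(n)
    return lat, nodes

if __name__ == "__main__":
    lat, n = build_demo()
    print(lat.request(n["operator"], n["meter"]), lat.request(n["gw1"], n["meter"]))
    print([[x.name for x in layer] for layer in lat.layers])
```

In this constructed run the denied request exchanges `gw1` and `meter` across two layers, both layers then have the same mean and variance, and the merge collapses them into one layer in which the same request is still denied by the authority-value comparison. The text does not say whether authority values move with the positions, so the example keeps them attached to the objects.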
Referring to fig. 5, a schematic structural diagram of a data security hierarchical dynamic access control apparatus provided in the second embodiment of the present application is shown, where the apparatus may be configured in an electronic device capable of performing data processing, such as a computer or a server. The technical scheme in the embodiment is mainly used for realizing dynamic access control so as to improve the accuracy of the access control.
Specifically, the apparatus in this embodiment may include the following units:
an attribute obtaining unit 501, configured to obtain at least one attribute information of each of the access object and the accessed object;
a node obtaining unit 502, configured to obtain, according to the attribute information of the access object, a first lattice node corresponding to the access object in a lattice structure; the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; according to the attribute information of the accessed object, a second grid node corresponding to the accessed object in the grid structure is obtained;
a result obtaining unit 503, configured to obtain an access control result according to at least the respective node distribution positions of the first lattice node and the second lattice node, where the access control result represents whether the access object has the right to access the accessed object;
a node adjusting unit 504, configured to adjust at least a node distribution position of the first lattice node in the lattice structure according to at least the access control result.
It can be known from the foregoing solution that, in the data security hierarchical dynamic access control apparatus based on the zero trust model provided in the second embodiment of the present application, by obtaining the attribute information of the access object and the accessed object, the first lattice node corresponding to the access object in the lattice structure and the second lattice node corresponding to the accessed object can be obtained according to the attribute information, and then, the access control result is obtained according to the node distribution positions of the first lattice node and the second lattice node in the lattice structure, so as to determine whether the access object has the right to access the accessed object, and at the same time, the node distribution position of the lattice node in the lattice structure can be adjusted according to the access control result, so that when a new access request occurs, the node distribution position of the lattice node corresponding to the access object changes, and accordingly, the obtained access control result also changes correspondingly, therefore, dynamic access control is realized, and the accuracy of the access control is improved.
In one implementation, the node obtaining unit 502 may obtain the first lattice node corresponding to the access object in the lattice structure, according to the attribute information of the access object, as follows: according to the attribute information, acquire the data security level parameter that applies when the access object is an operation data object and the identity trust level parameter that applies when the access object is an operation user object; process at least the data security level parameter and the identity trust level parameter to obtain the authority value of the access object; and obtain the first lattice node corresponding to the access object in the lattice structure according to the authority value.
In one implementation, the node obtaining unit 502 may obtain the second lattice node corresponding to the accessed object in the lattice structure, according to the attribute information of the accessed object, as follows: according to the attribute information, acquire the data security level parameter that applies when the accessed object is an operation data object and the identity trust level parameter that applies when the accessed object is an operation user object; process at least the data security level parameter and the identity trust level parameter to obtain the authority value of the accessed object; and obtain the second lattice node corresponding to the accessed object in the lattice structure according to the authority value.
In one implementation, when processing at least the data security level parameter and the identity trust level parameter to obtain the authority value of the access object, the node obtaining unit 502 is specifically configured to: obtain the weight values corresponding to the data security level parameter and the identity trust level parameter and the count of times that access by the access object has been prohibited; and calculate the authority value of the access object from the data security level parameter, the identity trust level parameter, the weight values, and the count value.
In one implementation, when obtaining the first lattice node corresponding to the access object in the lattice structure according to the authority value, the node obtaining unit 502 is specifically configured to: search the lattice structure for a target layer matching the authority value, where the target layer comprises a plurality of lattice nodes and the statistical parameters formed by the lattice nodes in the target layer correspond to the authority value; and obtain, in the target layer, the first lattice node corresponding to the access object.
Optionally, the correspondence between the statistical parameters formed by the lattice nodes included in the target layer and the authority value includes: a mean parameter and/or a variance parameter of the authority values of the lattice nodes contained in the target layer matches the authority value;
or the correspondence includes: the value range formed by the respective authority values of the lattice nodes included in the target layer matches the authority value of the access object.
In one implementation, the result obtaining unit 503 is specifically configured to:
when the layer of the first lattice node in the lattice structure is higher than the layer of the second lattice node in the lattice structure, obtain an access control result indicating that the access object has the right to access the accessed object;
when the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is greater than or equal to the authority value of the second lattice node, obtain an access control result indicating that the access object has the right to access the accessed object;
when the first lattice node and the second lattice node are in the same layer of the lattice structure and the authority value of the first lattice node is smaller than the authority value of the second lattice node, obtain an access control result indicating that the access object does not have the right to access the accessed object.
Based on this, the node adjusting unit 504 is specifically configured to: when the access control result indicates that the access object does not have the right to access the accessed object, exchange the node distribution positions of the first lattice node and the second lattice node in the lattice structure.
In addition, the node adjusting unit 504 is further configured to, after exchanging the node distribution positions of the first lattice node and the second lattice node in the lattice structure: monitoring whether a layer meeting a merging rule exists in the lattice structure; the merge rule includes: the statistical parameters formed by the layers with respect to the contained lattice nodes are the same; and merging the layers meeting the merging rule in the lattice structure under the condition that the layers meeting the merging rule exist in the lattice structure.
It should be noted that, for the specific implementation of each unit in the present embodiment, reference may be made to the corresponding content in the foregoing, and details are not described here.
Referring to fig. 6, a schematic structural diagram of an electronic device according to a third embodiment of the present application is provided, where the electronic device may be an electronic device capable of performing data processing, such as a computer or a server. The technical scheme in the embodiment is mainly used for realizing dynamic access control so as to improve the accuracy of the access control.
Specifically, the electronic device in this embodiment may include the following structure:
a memory 601 for storing an application program and data generated by the application program;
a processor 602 configured to execute the application to implement: obtaining at least one attribute information of each of the access object and the accessed object; obtaining a first lattice node corresponding to the access object in a lattice structure according to the attribute information of the access object, where the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; obtaining a second lattice node corresponding to the accessed object in the lattice structure according to the attribute information of the accessed object; obtaining an access control result according to at least the respective node distribution positions of the first lattice node and the second lattice node, where the access control result represents whether the access object has the right to access the accessed object; and adjusting at least the node distribution position of the first lattice node in the lattice structure according to at least the access control result.
It can be known from the foregoing solution that in the electronic device provided in the third embodiment of the present application, by obtaining the attribute information of the access object and the accessed object, the first lattice node corresponding to the access object in the lattice structure and the second lattice node corresponding to the accessed object can be obtained according to the attribute information, and then, the access control result is obtained according to the node distribution positions of the first lattice node and the second lattice node in the lattice structure, so as to determine whether the access object has the right to access the accessed object, and at the same time, the node distribution position of the lattice node in the lattice structure can be adjusted according to the access control result, so that when a new access request occurs, the node distribution position of the lattice node corresponding to the access object changes, and accordingly, the obtained access control result also changes correspondingly, thereby implementing dynamic access control, thereby improving the accuracy of access control.
It should be noted that, the specific implementation of the processor in the present embodiment may refer to the corresponding content in the foregoing, and is not described in detail here.
Taking security access control for the power Internet of Things as an example, the technical scheme of the application can realize a "zero trust" based security protection system for the power Internet of Things: with the zero trust network security architecture as a reference, unified identity access control and authority management are carried out, so that identity authentication between power Internet of Things devices and services is realized, and dynamic authority control is performed according to the environment attributes and access attributes of the devices. To define the scope of Internet of Things data, the supervision category of the industry governing department is determined from the industry perspective, the responsibility of the data security subject is implemented from the enterprise perspective, and the data security protection boundary is determined from the protection perspective; the strength and granularity of the responsible subject's protection measures are determined, and differentiated, graded security protection is implemented. The technical content of the present application is presented in the following parts:
(1) Constructing a data security level division strategy for power business applications.
First, from the data attribute dimension, based on the degree of disclosure and confidentiality of power service data and combined with the requirements of power Internet of Things zero-trust application scenarios, data is divided into 4 security levels: public data, internal data, sensitive data, and confidential and private data. Data is assigned to a specific level according to the conditions it satisfies. Data that can be transmitted between the entity and non-entity users is public data, and data used inside the entity is internal data; data related to entity business and information security is sensitive data, and data related to company production and core systems is confidential and private data. The data level is determined from the data content, the data source, and the data application, and different encryption modes are adopted for different levels of data. For example, data generated by a company's core business systems and data related to the company's important index parameters are encrypted with higher-security modes such as digital certificate encryption; public data acquired from external public resources is protected in a low-security form such as password authentication. This not only ensures that the value of the data is fully mined, but also directs more of the company's limited resources to analyzing, judging, and protecting important data, ensuring the security and reliability of the data.
Service data that can be shared unconditionally and can be completely open may be rated security level one; data internal to the service system, which can be circulated and shared within the service system, may be rated security level two; data that involves secrets, or that can be transmitted over the network only after measures such as encryption, may be rated security level three; data that involves personal secrets or entity secrets, or whose leakage would disclose personal privacy or entity privacy, may be rated security level four.
(2) Constructing a data-oriented trust control level division strategy.
Second, from the data access control dimension, the Internet of Things computing environment requires access control to be open, distributed, shared, and dynamic, so trust among nodes in that environment cannot be established from static data level attributes alone; the characteristics of access authority computation itself must be fully considered. The relation between the different data levels and the access control of the service system is analyzed, and a data access control division strategy is established.
In a power Internet of Things interaction scenario, on the one hand, an attribute-based dynamic access control strategy is adopted to perform adaptive, fine-grained access control authorization for services, applications, and data. A multi-source data access control strategy (organization-level security policies and rules, multi-dimensional attributes of the accessor, multi-dimensional attributes of the access target, environment attributes, and behavior anomaly evaluation) is established with identity attributes as the main element; access authority is evaluated and its trust level is obtained.
On the other hand, unlike the static security policies used by traditional networks, a zero trust network relies on many attributes of network activity to analyze the risk of the current access request. These attributes may be temporal attributes (e.g., a user's access request is more suspicious outside the normal activity time window), spatial attributes (e.g., a user initiates an access request from a different geographic location than the last access), or behavioral attributes (e.g., a user attempts to access a resource that normally should not be accessed). By bringing these details of the access request into the scope of analysis, a fine-grained authorization decision can be made for the access request.
(3) Constructing a dynamic security policy model based on a two-dimensional policy system.
On the basis of the two dimensions above (data level and trust access control system), a dynamic access control strategy model is further designed to realize joint security management across different power Internet of Things zero-trust scenarios. The essence of zero trust security is the transition of the access control paradigm from traditional network-centric access control to identity-centric access control. The transition is necessary because the entity boundary is being broken and internal and external networks can no longer be distinguished. The invention uses lightweight virtualization technology to construct an informal model and a formal model, so as to solve the problems of data isolation and hierarchical authority control in a zero trust environment and to secure the computing environment.
In the space-time trust space of the dynamic policy control model, as data zero trust is a linear relation, both the time domain and the space domain can form a basic node, or control lattice (lattice for short), of the trust control space. A lattice represents the reputation authority value of an entity in the trust space and the authority level hierarchy to which the entity belongs. Thus, under certain conditions, an access control lattice can be constructed from the formed domain (time, space, reputation). The lattices are layered: a lower layer, a middle-upper layer, and an upper layer. The lattice itself is a data structure, and a similarly defined structural hierarchy allows authority mapping onto the lattice. Elements in the middle and lower layers, having smaller authority, can only perform data access at a low security level.
By flexibly defining a reputation function, authority mapping onto the authority database can be performed according to the lattice coordinate space (lattices can use a hierarchical distance measure, and movement between lattices represents authority authorization), so that elements in the lower layers of the lattice have smaller authority. Therefore, when communication is unstable while a zero-trust Internet of Things network node is moving, the node access policy can be switched to the authority with the minimum reputation value at the lowest layer of the access lattice; this access policy can be called "pessimistic authorization", i.e., the authority of (time0, space0, reputation0) in Fig. 7. A dynamic access control model is constructed using the space-time access lattice nodes in Fig. 7, where each node is a (time, space, reputation) triple. Because pessimistic authorization carries only the minimum authority, it is safe. Similarly, for access control requirements of different strengths, optimistic authorization can be designed, i.e., the authority of (time-n, space-n, reputation-n) in Fig. 7, as can compromise authorization, which is the infimum authority of the space-time reputation domain. Optimistic authorization can better improve data access control frequency but is not secure. For example, a user who needs to access and use data a high number of times may be classified under optimistic authorization. Optimistic, pessimistic, and compromise authorizations transform dynamic policies into pseudo-static policies, making such policies applicable to dynamically changing zero-trust environments.
The space-time zero-trust access authority control model, with the access lattice at its core, is the key point of the technical scheme of the application. In the application, an adaptive decision algorithm is designed to maintain the reputation value, that is, the authority value, of each unit node.
In the present application, F denotes the set of space-time trust access lattice nodes, specifically:
Figure GDA0002921138630000192
This denotes the set of access lattice nodes from i = 1 to i = l. fi denotes the operation security reputation value of the i-th access lattice node (and may also denote the i-th lattice node itself). G = {Gi | i = 1, ..., k} denotes the set of access lattice classes designed according to the requirements of the power Internet of Things, which can be distinguished by color in Fig. 7. A lattice node fi is represented by a quadruple (si, ci, ai, ti), where si denotes the data security level (index s) of the operation data object corresponding to the access lattice node; ci denotes the trust control security level (index c) of the access lattice node itself; ai denotes the weight proportion of the access lattice node between s and c; and ti denotes the number of times "access right failed" was computed. From these, the value of the access lattice node is calculated.
Likewise, a class Gi can be represented by a two-tuple (mi, vi), where mi denotes the reputation mean vector of the access lattice nodes in class Gi and vi denotes the variance vector of the access lattice nodes in Gi. Consider first a two-way dynamic authority update operation: when the security access reputation fi in class Gp needs to be exchanged with the security access reputation fj in class Gq, the mean vectors of Gp and Gq change, as given by formulas (1) and (2):
Figure GDA0002921138630000191
Figure GDA0002921138630000201
where lp denotes the number of lattice nodes in class Gp and lq denotes the number of lattice nodes in class Gq. Similarly, the variance vectors of classes Gp and Gq also change, as given by formulas (3) and (4):
Figure GDA0002921138630000202
Figure GDA0002921138630000203
Another, more common operation is the class merge operation. For example, when the interactions of the small-range nodes of classes Gp and Gq are locally similar and the full-range nodes are the same, classes Gp and Gq can be merged into a single color through dynamic reputation calculation. When Gp and Gq are merged, the mean vector and variance vector of the merged access authority class change, as given by formulas (5) and (6):
Figure GDA0002921138630000204
Figure GDA0002921138630000205
Through the design of the dynamic reputation classification algorithm, on the one hand the two-level classification authorities can be used effectively, and on the other hand dynamic classification and authority measurement can be performed on the lattice nodes and on the access authority classes to which they belong. This forms the kernel function of the dynamic access control model and fully embodies the core innovation of the application.
Therefore, the method for classifying the data access control levels and the method for classifying the novel service data of the power internet of things based on the zero trust model are realized. And further, a dynamic access control strategy model based on space-time trust and access lattice technology under a zero trust environment is realized.
Specifically, a two-level security system of the power internet of things data level and the access control level is designed according to multi-source multi-attribute data attributes, fine-grained and hierarchical data classification protection measures are provided from management, technology and other dimensions, classification supervision responsibilities are implemented correspondingly, relevant factors such as safety and weight are fully considered, a dynamic access control model and a dynamic kernel function which take a space-time access grid as a node are designed on the basis, dynamic adjustment of authority authentication is achieved, and the actual application effect is verified to meet the requirement of rapid business updating iteration under the scene of the power internet of things.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A method for hierarchical dynamic access control of data security, the method comprising:
obtaining at least one attribute information of each of the access object and the accessed object;
calculating the authority value of the access object according to the attribute information of the access object, and obtaining a first lattice node corresponding to the access object in a lattice structure according to the authority value; the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; the grids represent the credit authority value of any entity user in the trust space and the authority level hierarchy to which that user belongs; the lattice nodes with the authority values in the same value range are positioned in the same layer of the lattice structure, the lattice nodes with the authority values in different ranges are positioned in different layers, and a multi-layer lattice structure with a plurality of lattice nodes in each layer is formed;
obtaining a second grid node corresponding to the accessed object in the grid structure according to the attribute information of the accessed object;
obtaining an access control result at least according to respective node distribution positions of the first grid node and the second grid node, wherein the access control result represents whether the access object has the right to access the accessed object, and the node distribution positions indicate the layer of the grid nodes in the grid structure and the positions of the grid nodes in the layer;
and adjusting at least the node distribution position of the first grid node in the grid structure according to at least the access control result, wherein the node distribution positions of the first grid node and the second grid node in the grid structure are exchanged under the condition that the access control result represents that the access object does not have the right to access the accessed object.
2. The method according to claim 1, wherein calculating the authority value of the access object according to the attribute information of the access object, and obtaining the corresponding first lattice node of the access object in the lattice structure according to the authority value comprises:
according to the attribute information, acquiring a data security level parameter corresponding to the access object as an operation data object and an identity trust level parameter corresponding to the access object as an operation user object;
processing at least the data security level parameter and the identity trust level parameter to obtain a right value of the access object;
and obtaining a first lattice node corresponding to the access object in the lattice structure according to the authority value.
3. The method of claim 2, wherein processing at least the data security level parameter and the identity trust level parameter to obtain the access object permission value comprises:
obtaining respective weight values corresponding to the data security level parameter and the identity trust level parameter and a forbidden sub-value for the access object to access;
and calculating the data security level parameter, the identity trust level parameter, the weight value and the time value to obtain the access object authority value.
4. The method of claim 2, wherein obtaining a corresponding first lattice node of the access object in a lattice structure according to the permission value comprises:
searching a target layer matched with the authority value in the lattice structure, wherein the target layer comprises a plurality of lattice nodes, and statistical parameters formed by the lattice nodes in the target layer correspond to the authority value;
and in the target layer, obtaining a first lattice node corresponding to the access object.
5. The method of claim 4, wherein the statistical parameters formed by the lattice nodes included in the target layer correspond to the weight values, and wherein the statistical parameters comprise: a mean parameter and/or a variance parameter between the weight values of lattice nodes contained in the target layer matches the weight values;
or, the statistical parameters formed by the lattice nodes included in the target layer correspond to the authority values, and include: the value range formed by the respective authority values of the lattice nodes included in the target layer matches the authority value of the access object.
6. The method of claim 2, wherein obtaining access control results according to at least respective node distribution positions of the first grid node and the second grid node comprises:
under the condition that the layer of the first lattice node in the lattice structure is higher than the layer of the second lattice node in the lattice structure, obtaining an access control result representing that the access object has the right to access the accessed object;
under the condition that the first grid node and the second grid node are in the same layer in the grid structure and the authority value of the first grid node is greater than or equal to the authority value of the second grid node, obtaining an access control result representing that the access object has the authority to access the accessed object;
and under the condition that the first grid node and the second grid node are in the same layer in the grid structure and the authority value of the first grid node is smaller than the authority value of the second grid node, obtaining an access control result representing that the access object does not have the authority for accessing the accessed object.
7. The method of claim 1, wherein after exchanging the node distribution locations of the first grid node and the second grid node in the grid structure, the method further comprises:
monitoring whether a layer meeting a merging rule exists in the lattice structure; the merge rule includes: the statistical parameters formed by the layers with respect to the contained lattice nodes are the same;
and merging the layers meeting the merging rule in the lattice structure under the condition that the layers meeting the merging rule exist in the lattice structure.
8. An apparatus for hierarchical dynamic access control of data security, the apparatus comprising:
an attribute obtaining unit, configured to obtain at least one attribute information of each of the access object and the accessed object;
a node obtaining unit, configured to calculate the authority value of the access object according to the attribute information of the access object and obtain a first grid node corresponding to the access object in a grid structure according to the authority value; the lattice nodes in the lattice structure are distributed based on the authority values corresponding to the lattice nodes; according to the attribute information of the accessed object, a second grid node corresponding to the accessed object in the grid structure is obtained; the grids represent the credit authority value of any entity user in the trust space and the authority level hierarchy to which that user belongs; the lattice nodes with the authority values in the same value range are positioned in the same layer of the lattice structure, the lattice nodes with the authority values in different ranges are positioned in different layers, and a multi-layer lattice structure with a plurality of lattice nodes in each layer is formed;
a result obtaining unit, configured to obtain an access control result according to at least respective node distribution positions of the first lattice node and the second lattice node, where the access control result represents whether the access object has a right to access the accessed object, and the node distribution positions indicate a layer where lattice nodes are located in the lattice structure and positions of the lattice nodes in the layer;
and a node adjusting unit, configured to adjust at least the node distribution position of the first lattice node in the lattice structure according to at least the access control result, wherein the node distribution positions of the first lattice node and the second lattice node in the lattice structure are exchanged under the condition that the access control result represents that the access object does not have the right to access the accessed object.
9. An electronic device, comprising:
a memory for storing an application program and data generated by the application program running;
a processor for executing the application to implement: obtaining at least one attribute information of each of the access object and the accessed object; calculating the authority value of the access object according to the attribute information of the access object, and obtaining a first lattice node corresponding to the access object in a lattice structure according to the authority value; the grid nodes in the grid structure are distributed based on authority values corresponding to the grid nodes; the grids represent the credit authority value of any entity user in the trust space and the authority level hierarchy to which that user belongs; the lattice nodes with the authority values in the same value range are positioned in the same layer of the lattice structure, the lattice nodes with the authority values in different ranges are positioned in different layers, and a multi-layer lattice structure with a plurality of lattice nodes in each layer is formed; obtaining a second grid node corresponding to the accessed object in the grid structure according to the attribute information of the accessed object; obtaining an access control result at least according to respective node distribution positions of the first grid node and the second grid node, wherein the access control result represents whether the access object has the right to access the accessed object, and the node distribution positions indicate the layer of the grid nodes in the grid structure and the positions of the grid nodes in the layer; and adjusting at least the node distribution position of the first grid node in the grid structure according to at least the access control result, wherein the node distribution positions of the first grid node and the second grid node in the grid structure are exchanged under the condition that the access control result represents that the access object does not have the right to access the accessed object.
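The layer placement by value range (claim 5), the decision rule of claim 6 and the position exchange on denial of claim 1, shown together as an added Python example that is not code from the patent. The layer boundaries, the weighted-sum `authority_value`, the class, field and entity names, the reading that authority values stay with their nodes when positions are exchanged, and the deny result for a subject in a lower layer (a case claim 6 does not list) are all assumptions.

```python
from dataclasses import dataclass

# Constructed layer boundaries (not from the patent): a node's layer is the
# number of boundaries its authority value reaches, so higher = more authority.
LAYER_BOUNDS = [0.25, 0.50, 0.75]


@dataclass
class Node:
    name: str
    value: float   # authority value
    layer: int     # layer of the lattice the node sits in
    slot: int      # position of the node inside that layer


def authority_value(sec_level, trust_level, w_sec=0.5, w_trust=0.5):
    """Assumed weighted sum of the two claim-2 parameters (hypothetical formula)."""
    return w_sec * sec_level + w_trust * trust_level


class Lattice:
    def __init__(self):
        self.layers = {}   # layer index -> list of nodes; list index = slot

    def place(self, name, value):
        """Put a node in the layer whose value range contains its authority value."""
        layer = sum(value >= bound for bound in LAYER_BOUNDS)
        row = self.layers.setdefault(layer, [])
        node = Node(name, value, layer, len(row))
        row.append(node)
        return node

    @staticmethod
    def decide(subject, obj):
        """Claim 6: compare layers first, then authority values within a layer."""
        if subject.layer > obj.layer:
            return True
        if subject.layer == obj.layer:
            return subject.value >= obj.value
        return False   # subject in a lower layer: not listed in claim 6, assumed deny

    def request(self, subject, obj):
        """Claim 1: decide, and on a denial exchange the two nodes' positions."""
        allowed = self.decide(subject, obj)
        if not allowed:
            self.layers[subject.layer][subject.slot] = obj
            self.layers[obj.layer][obj.slot] = subject
            subject.layer, obj.layer = obj.layer, subject.layer
            subject.slot, obj.slot = obj.slot, subject.slot
        return allowed


if __name__ == "__main__":
    lattice = Lattice()
    # Constructed entities and values for illustration only.
    operator = lattice.place("operator", authority_value(0.9, 0.7))
    contractor = lattice.place("contractor", authority_value(0.6, 0.5))
    relay_cfg = lattice.place("relay_config", 0.60)
    for subject, obj in [(operator, relay_cfg), (contractor, relay_cfg)]:
        before = (subject.layer, subject.slot)
        print(subject.name, "->", obj.name, lattice.request(subject, obj),
              before, "->", (subject.layer, subject.slot))
```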
CN202011096230.4A 2020-10-14 2020-10-14 Data security classification dynamic access control method and device and electronic equipment Active CN112235298B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011096230.4A CN112235298B (en) 2020-10-14 2020-10-14 Data security classification dynamic access control method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN112235298A CN112235298A (en) 2021-01-15
CN112235298B true CN112235298B (en) 2022-03-01

Family

ID=74112685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011096230.4A Active CN112235298B (en) 2020-10-14 2020-10-14 Data security classification dynamic access control method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN112235298B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113507462B (en) * 2021-07-05 2023-02-17 中国联合网络通信集团有限公司 Zero-trust data monitoring and early warning method, device, system and storage medium
CN113905109B (en) * 2021-12-08 2022-03-22 深圳竹云科技有限公司 Zero trust network data transmission method, device, equipment and computer storage medium
CN115242529B (en) * 2022-07-26 2023-07-25 国网智能电网研究院有限公司 Data security sharing system
CN115361186B (en) * 2022-08-11 2024-04-19 哈尔滨工业大学(威海) Zero trust network architecture for industrial Internet platform
CN118590216B (en) * 2024-08-02 2024-09-27 杭州海康威视数字技术股份有限公司 Data security sharing and content management and control method, device and system based on zero trust

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168268A (en) * 2014-07-24 2014-11-26 广东电网公司电力科学研究院 Power grid object access control device capable of realizing safety configuration and access of power grid model data
CN110502918A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 A kind of electronic document access control method and system based on classification safety encryption
CN111191210A (en) * 2019-12-10 2020-05-22 未鲲(上海)科技服务有限公司 Data access right control method and device, computer equipment and storage medium
CN111488598A (en) * 2020-04-09 2020-08-04 腾讯科技(深圳)有限公司 Access control method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9769124B2 (en) * 2012-09-21 2017-09-19 Nokia Technologies Oy Method and apparatus for providing access control to shared data based on trust level

Also Published As

Publication number Publication date
CN112235298A (en) 2021-01-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 room 8018, 8 / F, building 7, Guangyi street, Xicheng District, Beijing

Patentee after: State Grid Digital Technology Holdings Co.,Ltd.

Patentee after: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee after: STATE GRID HEBEI INFORMATION & TELECOMMUNICATION BRANCH

Patentee after: STATE GRID HEBEI ELECTRIC POWER Co.,Ltd.

Patentee after: STATE GRID CORPORATION OF CHINA

Address before: 311 guanganmennei street, Xicheng District, Beijing 100053

Patentee before: STATE GRID ELECTRONIC COMMERCE Co.,Ltd.

Patentee before: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee before: STATE GRID HEBEI INFORMATION & TELECOMMUNICATION BRANCH

Patentee before: STATE GRID HEBEI ELECTRIC POWER Co.,Ltd.

Patentee before: STATE GRID CORPORATION OF CHINA
