CN113688427A - System for preventing managed data source from being abused based on block chain - Google Patents
System for preventing managed data source from being abused based on block chain Download PDFInfo
- Publication number
- CN113688427A CN113688427A CN202111245401.XA CN202111245401A CN113688427A CN 113688427 A CN113688427 A CN 113688427A CN 202111245401 A CN202111245401 A CN 202111245401A CN 113688427 A CN113688427 A CN 113688427A
- Authority
- CN
- China
- Prior art keywords
- data
- data source
- block chain
- virtual machine
- blockchain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Bioethics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a system for preventing a data hosting source from being abused based on a block chain, which comprises a third-party data source, a special virtual machine and a block chain system, wherein the third-party data source is a data service hosted by a data owning main body in a third party; the block chain system is constructed by a data owner body and a data authorized body together, and the data owner body and the data authorized body respectively run block chain nodes on the block chain system; the special virtual machine is managed by the data owner, and further comprises a virtual network adapter and special network communication software, wherein the special network communication software is the only path for the data authorized to access the data source by the data owner, and the virtual network adapter is used for carrying out protocol analysis and passing or intercepting message verification on external network communication of the virtual machine. The method and the system are used for realizing the trusted supervision and recording of the data owner on the use condition of the data source hosted in the third party through the virtual machine technology and the block chain technology.
Description
Technical Field
The invention belongs to the technical field of block chains, and particularly relates to a system for preventing managed data sources from being abused based on block chains.
Background
Currently, many data owners (which may be companies, individuals, and other organizations) host their data and services to the cloud or to third parties, or use data services provided by third parties. Meanwhile, the data owner wants to open a part of inquiry or use authority of the data to other data operators on the controllable premise. However, since the data owner's data is hosted by a third party, the data owner cannot simply and directly monitor the usage of the data. If the third party does not provide the functions of authority management and sub account number, the data owner must directly grant the login credentials with complete authority of the data source to the data operator, so that the data owner has high security risk.
Specifically, assuming that a principal a uses a data source X (e.g., a network disk, various types of enterprise digital management software, database software, etc.) provided by a third party, the principal a wants to authorize all or a part of the data to a principal B for access, and currently, the principal a authorizes the principal B by directly assigning a login or authentication credential of the data source X to the principal B. The following problems mainly exist in the implementation scene: (1) the principal B is difficult to prove the authenticity of data access or operation records of the principal B at the data source X, and the principal B is difficult to obtain the trust of the principal A because the principal B may obtain the data or perform the operation beyond the allowable range of the principal A; (2) when the data source relates to information security, the main body A generally has difficulty in allowing the main body B to directly connect or use the data source to obtain part of the required data, but all processes are handed over to the main body A for auditing or proxy, so that the data sharing efficiency is reduced. (3) Data obtained from data source X is easily copied by subject B to other places beyond the authorized use domain, causing data leakage. To cope with this possibility, subject a has no way to take precautions in advance, except for following the incident.
Disclosure of Invention
In view of the above technical problems, the present invention provides a system for preventing a data source hosted by a third party from being abused based on a blockchain, which is used for implementing trusted supervision and record of the use condition of the data source hosted by a data owner on the third party through a virtual machine technology and a blockchain technology.
In order to solve the technical problems, the invention adopts the following technical scheme:
a system for preventing a data hosting source from being abused based on a block chain comprises a third-party data source, a special virtual machine and the block chain system, wherein the third-party data source hosts a data service of a third party for a data owner; the block chain system is constructed by a data owner body and a data authorized body together, and the data owner body and the data authorized body respectively run block chain nodes on the block chain system; the special virtual machine is managed by the data owner, and further comprises a virtual network adapter and special network communication software, wherein the special network communication software is the only path for the data authorized to access the data source by the data owner, and the virtual network adapter is used for carrying out protocol analysis and passing or intercepting message verification on external network communication of the virtual machine.
In one possible design, the system configuration of the dedicated virtual machine is set by the data owner, and the system configuration comprises the access credential of the data source, the authorization range of the data and the authorization behavior, and is encrypted.
In one possible design, the dedicated virtual machine enables remote access services.
In one possible design, the remote access service is a remote desktop service for Windows.
In one possible design, the remote access service is SSH remote access for Linux.
In one possible design, the dedicated network communication software is a dedicated network browser.
In one possible design, the dedicated network communication software is a dedicated data interface accessor.
In one possible design, configuring the network requests that the virtual network adapter is allowed to pass includes: allowing access to nodes on the blockchain system; allowing the data to be remotely accessed by an authorized subject through a network to connect to the private virtual machine; allowing access to the data source over the network.
In one possible design, after receiving a relevant request, the private network communication software verifies the validity of the operation according to an authorization range and an authorization behavior specified in system configuration; after the verification operation is legal, attaching the credential in the system configuration to the request; and finally, sending the request to the data source through the virtual network adapter.
In one possible design, the virtual network adapter verifies whether the operation is from the private network communication software, if the operation is passed through the verification, the data from the private network communication software is analyzed, accessed content is obtained according to the analysis result, and the accessed content is stored in the blockchain alliance chain in real time.
The invention has the following beneficial effects:
(1) by means of the virtual machine technology and the block chain technology, the use condition of the third-party data source is reliably monitored and recorded without depending on the cooperation of the third-party data source. Due to the fact that effective supervision on the use condition of the third-party data source is achieved, the data sharing is easily achieved by the multiple main bodies, data isolated islands are avoided, and data mobility and data value mining are enhanced.
(2) The data of the data source can be effectively protected from being copied outside the virtual machine in batches, and the data is available but not copied to a certain extent.
(3) The authorization certificate of the data source is hidden in the special network communication software for automatic filling without being directly given to a third party, so that the condition that the authorization certificate is leaked and the data bypasses the special network communication software when being accessed by an authorized subject is avoided, and the data is safer.
(4) Based on the application of the block chain data, the trust cost of both data sharing parties is reduced.
(5) For the data authorized main body, the method has a certain protection effect, and can facilitate self-certification and self-clearing of the data authorized main body on the premise of compliance use.
Drawings
Fig. 1 is a schematic structural diagram of a system for preventing a managed data source from being abused based on a block chain according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a schematic structural diagram of a system for preventing a data hosting source from being abused based on a blockchain according to an embodiment of the present invention is shown, including a third-party data source, a dedicated virtual machine, and a blockchain system, where the third-party data source hosts a data service of a third party for a data owning principal; the block chain system is constructed by a data owner body and a data authorized body together, and the data owner body and the data authorized body respectively run block chain nodes on the block chain system; the special virtual machine is managed by the data owner, and further comprises a virtual network adapter and special network communication software, wherein the special network communication software is the only path for the data authorized to access the data source by the data owner, and the virtual network adapter is used for carrying out protocol analysis and passing or intercepting message verification on external network communication of the virtual machine.
In the embodiment of the present invention, a Virtual Machine (Virtual Machine) refers to a complete computer system that has complete hardware system functions and runs independently, and is simulated by software. The work that can be done in a physical computer can be implemented in a virtual machine. Each virtual machine has an independent CMOS (Complementary Metal Oxide Semiconductor), hard disk and operating system, which are simulated by software, and can operate as if a physical machine is used.
In the embodiment of the present invention, the third-party data source may be a network disk, various enterprise digital management software, database software, and the like, and data of these services is stored on a server of the third party.
In the embodiment of the invention, the special network communication software is the only path for the authorized subject of the data to access the data source, and can be a network browser or a special data interface accessor which directly accesses the data through the API interface of the data source.
In the embodiment of the present invention, the above-set system for preventing the managed data source from being abused based on the block chain needs some initialization settings for normal operation, including:
(1) initializing system configuration: the data owner determines the configuration of the system, and the configuration content comprises access credentials of a data source, the authorization scope and authorization behavior of the data and the like. These configurations are stored in a dedicated virtual machine and appropriately encrypted. The encryption process here may be any mainstream encryption method, and is not particularly expanded here.
(2) Initializing the virtual network adapter: reading and decrypting the relevant configuration from the system configuration; configuring the virtual network adapter to allow only the following network requests to pass through and block all other network requests, including: allowing access to nodes on a blockchain federation chain; allowing the data to be remotely accessed by authorized agents through a network to connect to the private virtual machine; allowing access to the data source over the network.
(3) A remote access capability is enabled in a dedicated virtual machine, including but not limited to Windows 'remote desktop service or Linux' SSH remote access.
(4) The method comprises the steps of utilizing the functions of the operating system of the special virtual machine, shutting down or forbidding necessary authorities, setting necessary firewall rules, forbidding cross-machine file transmission and the like, and preventing a data authorized subject from copying or transmitting required data from the special virtual machine to the outside. Meanwhile, the data authorized subject cannot directly copy the data through any external equipment, and the network transmission is also filtered by the virtual network adapter, so that the data authorized subject cannot lead the data out of the virtual machine without authorization, and the safety of the data is protected.
In the embodiment of the present invention, the initialized system for preventing the managed data source from being abused based on the block chain includes:
A. the data is authorized to be logged into the private virtual machine by the principal through remote access. Because the data authorized subject is accessed in a remote mode, the data cannot be directly copied through any external equipment, and the network is limited by the virtual network adapter, the data authorized subject cannot copy the data to the outside of the virtual machine without authorization, and the safety of the data is protected.
B. The authorized data body is connected to the data source through the special network communication software and performs related operations on the data source, such as data query, data browsing, data deletion, data addition, data modification and the like.
C. After receiving the relevant request, the special network communication software verifies the validity of the operation according to the authorization range and the authorization behavior specified in the system configuration. After the verification operation is legal, the credential in the system configuration is attached to the request, the authorized subject of the data does not directly contact the access credential, so that the access credential is protected, and finally the request is sent to the data source through the virtual network adapter.
D. The virtual network adapter verifies whether the operation is from the special network communication software, analyzes the data from the special network communication software, obtains the accessed content according to the analysis result, and stores the accessed content in the blockchain alliance chain in real time, thereby realizing the credible supervision and recording of the use condition of the third-party data source, and simultaneously realizing the self-certified clearing capability of the authorized main body of the data on the self-operation.
It is to be understood that the exemplary embodiments described herein are illustrative and not restrictive. Although one or more embodiments of the present invention have been described with reference to the accompanying drawings, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims.
Claims (10)
1. A system for preventing a data hosting source from being abused based on a block chain is characterized by comprising a third-party data source, a special virtual machine and a block chain system, wherein the third-party data source hosts a data service of a third party for a data owner; the block chain system is constructed by a data owner body and a data authorized body together, and the data owner body and the data authorized body respectively run block chain nodes on the block chain system; the special virtual machine is managed by the data owner, and further comprises a virtual network adapter and special network communication software, wherein the special network communication software is the only path for the data authorized to access the data source by the data owner, and the virtual network adapter is used for carrying out protocol analysis and passing or intercepting message verification on external network communication of the virtual machine.
2. The blockchain-based system for preventing misuse of a hosted data source of claim 1 wherein the system configuration of the dedicated virtual machine is set by the data owner, including access credentials of the data source, authorization scope and authorization behavior of the data, and the system configuration is encrypted.
3. The block chain based system for preventing misuse of a hosted data source of claim 1 wherein the dedicated virtual machine opens a remote access service.
4. The blockchain-based system for preventing misuse of a hosted data source of claim 3 wherein the remote access service is a remote desktop service for Windows.
5. The blockchain-based system for preventing misuse of a hosted data source of claim 3 wherein the remote access service is SSH remote access by Linux.
6. The blockchain-based system for preventing misuse of a hosted data source of claim 1 wherein the dedicated network communication software is a dedicated network browser.
7. The blockchain-based system for preventing misuse of a hosted data source of claim 1 wherein the dedicated network communication software is a dedicated data interface accessor.
8. The blockchain-based system for preventing misuse of a hosted data source of any of claims 1 to 7 wherein configuring the virtual network adapter to allow network requests to pass comprises: allowing access to nodes on the blockchain system; allowing the data to be remotely accessed by an authorized subject through a network to connect to the private virtual machine; allowing access to the data source over the network.
9. The blockchain-based system for preventing misuse of hosted data sources of claim 8 wherein the private network communication software, upon receiving the request, verifies the validity of the operation based on the scope and behavior of authorization specified in the system configuration; after the verification operation is legal, attaching the credential in the system configuration to the request; and finally, sending the request to the data source through the virtual network adapter.
10. The blockchain-based system for preventing overuse of a hosted data source according to any one of claims 1 to 7, wherein the virtual network adapter verifies whether the operation is from the private network communication software, and if the operation is verified, the virtual network adapter parses the data from the private network communication software, obtains the accessed content according to the parsing result, and stores the accessed content on the blockchain federation chain in real time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111245401.XA CN113688427B (en) | 2021-10-26 | 2021-10-26 | System for preventing managed data source from being abused based on block chain |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111245401.XA CN113688427B (en) | 2021-10-26 | 2021-10-26 | System for preventing managed data source from being abused based on block chain |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113688427A true CN113688427A (en) | 2021-11-23 |
| CN113688427B CN113688427B (en) | 2022-03-25 |
Family
ID=78588003
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111245401.XA Active CN113688427B (en) | 2021-10-26 | 2021-10-26 | System for preventing managed data source from being abused based on block chain |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113688427B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105378698A (en) * | 2013-03-11 | 2016-03-02 | 亚马逊技术有限公司 | Automated data center selection |
| CN108933702A (en) * | 2018-08-01 | 2018-12-04 | 长沙龙生光启新材料科技有限公司 | A method of remote service is provided |
| CN112292669A (en) * | 2018-05-04 | 2021-01-29 | 思杰系统有限公司 | System and method for embedded browser |
| CN112527873A (en) * | 2020-11-19 | 2021-03-19 | 成都无右区块链科技有限公司 | Big data management application system based on chain number cube |
-
2021
- 2021-10-26 CN CN202111245401.XA patent/CN113688427B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105378698A (en) * | 2013-03-11 | 2016-03-02 | 亚马逊技术有限公司 | Automated data center selection |
| CN112292669A (en) * | 2018-05-04 | 2021-01-29 | 思杰系统有限公司 | System and method for embedded browser |
| CN108933702A (en) * | 2018-08-01 | 2018-12-04 | 长沙龙生光启新材料科技有限公司 | A method of remote service is provided |
| CN112527873A (en) * | 2020-11-19 | 2021-03-19 | 成都无右区块链科技有限公司 | Big data management application system based on chain number cube |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113688427B (en) | 2022-03-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20190334950A1 (en) | Private key operations | |
| US10326756B2 (en) | Management of certificate authority (CA) certificates | |
| US9305163B2 (en) | User, device, and app authentication implemented between a client device and VPN gateway | |
| US8838965B2 (en) | Secure remote support automation process | |
| JP4579969B2 (en) | Method, apparatus and computer program product for sharing encryption key among embedded agents at network endpoints in a network domain | |
| CN107122674B (en) | Access method of oracle database applied to operation and maintenance auditing system | |
| US20070143408A1 (en) | Enterprise to enterprise instant messaging | |
| CN106100836B (en) | A kind of method and system of industrial user's authentication and encryption | |
| CN113596009B (en) | Zero trust access method, system, zero trust security proxy, terminal and medium | |
| CN116032533A (en) | Remote office access method and system based on zero trust | |
| CN111107044A (en) | Data security management method and information management platform | |
| KR20190030317A (en) | IoT Security System Based on the BlockChain and Security Method thereof | |
| CN109309645A (en) | A kind of software distribution security guard method | |
| CN102882857A (en) | Client side device, encryption storage device, and remote access method and system | |
| CN114499976B (en) | Data exchange method for realizing cross-network exchange | |
| CN111970232A (en) | Safe access system of intelligent service robot of electric power business hall | |
| CN116192481A (en) | Analysis method for secure communication mechanism between cloud computing server models | |
| KR101858207B1 (en) | System for security network | |
| CN117834218A (en) | Uniform identity authentication method and platform based on zero trust architecture | |
| US11388146B2 (en) | Secure low-latency trapdoor proxy | |
| CN113688427B (en) | System for preventing managed data source from being abused based on block chain | |
| CN111917800B (en) | External authorization system and method based on protocol | |
| US11171786B1 (en) | Chained trusted platform modules (TPMs) as a secure bus for pre-placement of device capabilities | |
| He et al. | Research on storage security based on trusted computing platform | |
| CN118427856A (en) | Method for cross-network secure access to database |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A system based on blockchain to prevent the abuse of managed data sources Effective date of registration: 20230518 Granted publication date: 20220325 Pledgee: Xiaoshan Branch of Agricultural Bank of China Ltd. Pledgor: Hangzhou Vastchain Technology Co.,Ltd. Registration number: Y2023980041063 |