CN114567489A - Dynamic access control method based on service body - Google Patents
Dynamic access control method based on service body Download PDFInfo
- Publication number
- CN114567489A CN114567489A CN202210200138.0A CN202210200138A CN114567489A CN 114567489 A CN114567489 A CN 114567489A CN 202210200138 A CN202210200138 A CN 202210200138A CN 114567489 A CN114567489 A CN 114567489A
- Authority
- CN
- China
- Prior art keywords
- user
- service
- attribute
- business
- trust
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 97
- 230000007246 mechanism Effects 0.000 claims abstract description 35
- 238000011156 evaluation Methods 0.000 claims abstract description 27
- 238000013475 authorization Methods 0.000 claims abstract description 22
- 238000013507 mapping Methods 0.000 claims description 13
- 239000000126 substance Substances 0.000 claims description 9
- 238000004364 calculation method Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 7
- 238000011423 initialization method Methods 0.000 claims description 6
- 238000012854 evaluation process Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 description 24
- 230000006872 improvement Effects 0.000 description 9
- 235000019580 granularity Nutrition 0.000 description 4
- 238000000926 separation method Methods 0.000 description 4
- 101100517651 Caenorhabditis elegans num-1 gene Proteins 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000008034 disappearance Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012797 qualification Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The invention provides a dynamic access control method based on a service body, which relates to the technical field of system access control and comprises the following steps: abstracting the service system to obtain an initial service body BEInit(ii) a User sends access request to service system, initial service body BEInitThe user attribute obtaining method obtains the user attribute to obtain the complete service body
The trust evaluation method in the service body evaluates the trust level of the user according to the user attribute; a trust judgment mechanism in a service body judges the trust level of a user and the security level attribute value of a service system of the service body; and if the user trust level is higher than the business system security level attribute value of the business body, allowing the user to continue accessing. The invention realizes flexible, quick and safe access control authorization in an open and complex super application system environment by introducing a service body concept and carrying out access control based on the service body.
Description
Technical Field
The invention relates to the technical field of system access control, in particular to a dynamic access control method based on a service body.
Background
The super application system combines and integrates a plurality of business services, realizes the integration of business systems and is convenient for people and enterprises. Meanwhile, since there are many service systems in the super application system, access control operations will frequently occur, and there may be a correlation between the service systems, so that operations on the service systems in the whole access control process will become complicated, the access efficiency is low, and direct interaction with the service system data will be performed in the access process, and there is a hidden danger in terms of data security.
Disclosure of Invention
Aiming at the problems, the invention provides a dynamic access control method based on a service body, which realizes the separation of a service system and data thereof in the access control process by introducing the concept of the service body, ensures the security of the data in the access authorization process and improves the efficiency of user access control.
In order to achieve the above object, the present invention provides a dynamic access control method based on a service body, including:
abstracting the service system to obtain an initial service body BEInit;
The user sends an access request to the service system, and the initial service body BEInitThe user attribute obtaining method obtains the user attribute to obtain the complete service body
The trust evaluation method in the service body evaluates the user trust level according to the user attribute;
a trust judgment mechanism in the service body judges the user trust level and the service system security level attribute value of the service body;
and if the user trust level is higher than the business system security level attribute value of the business body, allowing the user to continue accessing.
As a further improvement of the invention, the super application system comprises a plurality of service system modules, and each service system module is abstracted respectively to correspondingly obtain an initial service body BEInit;
User is directed to the service systemWhen the system sends out the access request, the initial service body BEInitThe user request acquisition method receives the access request for processing and acquires access request information;
according to the service system information in the access request information and the initial service body BE of the corresponding service system moduleInitAnd establishing a mapping relation.
As a further refinement of the present invention, the business is an abstract description of a complex of the business system and the user, including attributes, methods, and mechanisms;
the attributes comprise service body ID attributes, service system attributes and user attributes, and the service system attributes comprise security levels;
the method comprises a service body initialization method, a user request acquisition method, a user attribute acquisition method and a trust evaluation method;
the mechanism comprises a trust judgment mechanism and an access control mechanism.
As a further improvement of the present invention, the service body initialization method abstracts the service system into a structure of a service body, and obtains the service system attribute of the service system and adds the service system attribute to the structure of the service body to obtain an initial service body BEInit。
As a further improvement of the present invention, the trust evaluation method in the service body dynamically evaluates the user trust level according to the user attribute; the method comprises the following steps:
taking a user credibility grade attribute value in the user attributes as a historical credibility value of the user;
evaluating the spatiotemporal attributes in the user attributes to obtain spatiotemporal trust values of the user;
and integrating the historical trust value and the spatiotemporal trust value to obtain the user trust level.
As a further improvement of the present invention, in the dynamic evaluation process of the user trust level, the historical trust value is directly given during the first evaluation, and the subsequent historical trust value of the user is calculated according to the user trust level, and the formula is as follows:
uht=0.5*CT
the space-time attributes comprise time, addresses and context, the space-time trust value of the user is calculated according to the association degree of each space-time attribute and the system security, and the formula is as follows:
the calculation formula of the user trust level is as follows:
CT=α×uht+β×st(α+β=1)
wherein the content of the first and second substances,
uht, st and CT respectively represent a historical trust value, a space-time trust value and a user trust level of the user;
rel represents the correlation degree of each spatiotemporal attribute and the system security;
w represents the weight occupied by each spatio-temporal attribute;
n represents the number of spatiotemporal attributes;
alpha and beta respectively represent the weight occupied by the user historical trust value and the space-time attribute trust value in the system.
As a further improvement of the present invention, the service body further includes an access authorization mechanism, and the user request acquisition method further acquires operation type information when processing the access request;
when the user is allowed to continue accessing, the access authorization mechanism acquires the user attribute and the service body ID attribute to obtain the operation authority range of the user in the service system;
and if the operation type in the user request is within the operation authority range, authorizing access.
As a further improvement of the invention, according to the incidence relation among different service system modules in the super application system, the service bodies have authority inheritance relation;
the sub-service inherits the authority of the corresponding unique parent service and can also have additional authority.
As a further improvement of the present invention, the service body further comprises a relevance method, and the relevance between two service bodies is calculated according to the relevance method;
and if the association degree of one business body and the other business body is more than 0.5, the two business bodies have an inheritance relationship.
As a further improvement of the present invention, the association degree of the two business bodies is calculated by the business system attributes corresponding to the two business bodies, and the formula is as follows:
wherein the content of the first and second substances,
am represents a service system attribute set of the service body m;
an represents a business system attribute set of the business body n;
|Am∩Anl represents the number of the service body m and the service body n with the same attribute;
|Am∪Anand | represents the number of all attributes owned by service m and service n.
Compared with the prior art, the invention has the beneficial effects that:
the invention abstractly describes the service system and the access user information as a service body, and can realize the access control of the user based on the user attribute and the service system security level through a trust evaluation method and a trust judgment mechanism in the service body, namely, the separation of the access control process and the service system data is realized, the data security in the access authorization process is ensured, and the quick access control of the service system is realized.
Aiming at a modularized business system, the invention abstractly describes the business system into a modularized initial business body BEInitSetting user request obtaining method in service body, obtaining user access request information in time when user initiates access request, mapping to corresponding initial service body BE according to user access request informationInitFlexible configuration of service body is realized, and access control is more convenientThe processing is rapid and accurate.
The invention dynamically evaluates the user attribute in the user access process, evaluates the user trust level according to the user attribute obtained by dynamic evaluation, and further compares the user trust level with the security level attribute value of the service system in the service body, thereby ensuring the dynamic timeliness and reliability of information in the access control process.
According to the method and the device, the attributes of the access users are automatically acquired through the user attribute acquisition method in the business body, and the credible evaluation efficiency of the access users is improved.
The invention combines the access control method based on the attribute to divide the access authority into fine granularity, and sets an access control mechanism in the service body to realize the fine granularity access requirement of the access user.
The method for setting the association degree in the service body can calculate the association degree between the service bodies of each module, and ensure that the service bodies have inheritance relationship according to the association degree, thereby simplifying the authority management work of the service bodies and improving the flexibility of the access authorization process.
Drawings
FIG. 1 is a flowchart of a dynamic access control method based on a service entity according to an embodiment of the present invention;
fig. 2 is a detailed flowchart of a dynamic access control method based on a service body according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an access control model based on a service body according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
the invention provides a dynamic access control method based on a service body, which introduces a service body concept and defines the service body, wherein the specific content of the service body comprises the following steps:
business Entity (Business Entity) is abstract description of complex of Business system and access user, and is data structure composed of attribute, method and mechanism through Business definition, and it implements quick access authorization of Business system by executing a series of methods and mechanisms. Namely:
Business_Entity={Attributes,Methods,Mechanisms}
(1) the attribute is a characteristic expression of the service body, and mainly comprises an ID attribute, a service system attribute and a user attribute, wherein the ID attribute is a unique identification attribute of the service body, the service system attribute is a static attribute in the service body and is an abstract attribute of the service system, an attribute value of the service system is kept unchanged, the value of the attribute value is generated along with the generation of the service body and disappears along with the disappearance of the service body, and the attribute value mainly comprises an owner, a right and a security level; the user attribute obtained in the service body is dynamic, and the value of the user attribute is dynamically obtained by a user attribute obtaining method in the service body in the user access control process, and mainly comprises identity, time, address, context, content and trust level. Expressed as:
Attribute{
String BeId;
String BusAttr[]={Permission,Owner,SaftyLevel};
String UserAttr[]={Identity,Time,Address,TrustLevel,Content};
}
(2) the method comprises a service body initialization method, a user request acquisition method, a user attribute acquisition method, a trust evaluation method and an association degree method:
business body initialization method
Firstly, initializing the service body, namely abstracting the service system into the service body BEInitObtaining the attribute of the related service system to form the service body BEInitAnd the initialization is completed.
Inputting: BsAttr
And (3) outputting: BEInit
GetBsAttr(<Permission,Owner,SafetyLevel>)→<<Permission,value>,<Owner,value>,<SafetyLevel,value>>
InitBE(<<Permission,value>,<Owner,value>,<SafetyLevel,value>>)→BEInit
Method for obtaining user request
The user Request obtaining method receives an Original Access Control Request (OACR) sent by a user, processes the Request and obtains related information, wherein U, OP and BS respectively represent the user, the operation type and the service system.
Inputting: OACR
And (3) outputting: parameter values in OACR
<U,OP,BS>→OACR
GetRequest(OACR)→<<U,value>,<OP,value>,<BS,value>>
Method for obtaining user attribute
When user and service BEInitAfter the mapping is completed, the service body BE is activatedInitThe user attribute obtaining method obtains the user attribute and the attribute value, mainly including identity, time, address, trust level and content, and finally forms the service body
Inputting: UserAttr
And (3) outputting: UserAtttrValue
<Identity,Time,Address,TrustLevel,Content>→UserAttr
GetUserAttr(UserAttr)→<<Identity,value>,<Time,value>,<Address,value>,<TrustLevel,value>,<Content,value>>
Trust evaluation method
The Trust evaluation method Trust improves the efficiency of the Trust evaluation of the access user, and dynamically evaluates the access user according to the related attribute value obtained by the access attribute of the user. The description of trust evaluation comprises two parts, namely a user historical trust value uht, and the user historical trust value is determined according to the obtained attribute value of the user trust level; and the space-time trust value st refers to the trust value after time, address and context are evaluated. The final composite confidence value CT is expressed as
CT=α×uht+β×st(α+β=1)
And alpha and beta represent the weight occupied by the user historical trust value and the spatio-temporal attribute trust value in the system.
The first time the user history trust value is directly assigned, the subsequent user history trust value is calculated according to CT, uht ═ 0.5 × CT.
The calculation of the space-time attribute trust value is calculated through each evaluation factor in the space-time attribute, the association degree of each evaluation factor and the system security is represented by rel, w represents the proportion of each evaluation factor, and the calculation of the space-time attribute is represented as
Where n represents the number of evaluation factors.
Method of degree of association
The representation form of the business system is modularized, so that the mapped business bodies are also modularized, the business systems have inheritance association relationship, and the business bodies correspondingly have the relationship. And consistency detection can be performed according to the relation, the relation between the business bodies is verified for many times, and the accuracy of the relation between the business bodies is ensured. The similarity between service m and service n can be calculated by the following formula:
wherein Am and An respectively represent business entity m and business entity nBusiness system feature attribute set, | Am∩AnI represents the number of business m and business n with the same characteristic attribute, and Am∪AnAnd | represents the number of all the characteristic attributes owned by service m and service n. When S isJaccard(m,n)>When the time is 0.5, the association degree between the two service bodies is large, and the service bodies have inheritance relation. Meanwhile, the calculation of the association degree can also be used for consistency check, and the accuracy of the relation between the business bodies is ensured.
The code for calculating the Jaccard coefficient is as follows.
Inputting: featureAttr1, featureAttr2
And (3) outputting: sJ
// calculating the number of identical attributes
featureAttr1.retainAll(featureAttr2)→featureAttr1
featureAttr1.size()→Num1
V/count all attributes
featureAttr1.addAll(featureAttr2)→featureAttr1
featureAttr1.size()→Num2
V/calculating Jaccard coefficient
SJ=Num1/Num2
(3) The mechanism comprises a trust judgment mechanism and an access authorization mechanism
Trust decision mechanism
In the service body mechanism, the trust judgment mechanism realizes the trust level judgment between the user and the service body, and completes the first step based on the service body access control. In the process, mapping is carried out by comparing user trust level with service system security level, and the trust degree of access user is evaluated in the service body trust evaluation method to obtain corresponding trust value, thereby forming the service body
The attribute of the medium service system has a security level attribute, the trust value of the access user is compared with the security level of the service system, and if the trust value is higher than the security level, the access user can proceedCarrying out next access; otherwise, access is denied.
② access authorization mechanism
Fine-grained access control decisions: due to the complexity of the network, the diversity of users, the confusion of the hierarchical inheritance relationship of the service body layer, and the management requirements of the authority and the service body are refined to meet the fine-grained access requirements of the access users on the service system resources based on the limiting conditions of environment, operation, context and the like, therefore, the flexible access control decision mechanism of the service body is configured, and the fine-grained access requirements of the access users can be more effectively solved.
And after the trust judgment mechanism module judges whether the user can continue to access, the access authorization mechanism module is executed, the related attributes are obtained by combining the access control scheme based on the attributes, the fine-grained authority judgment is carried out, and finally the access control request is completed. UA and BeId represent user attribute and service ID attribute, respectively.
<UA∩BeId>→Request
Access(Request)→Authority Refinement
(4) Relationships between business bodies, business bodies and users and authorities
Firstly, business bodies have an inheritance relationship, the business bodies can inherit other business bodies, and child business bodies can possess or be associated with different authorities while possessing father business body authorities to form all authorities of the child business bodies, wherein one business body can only inherit one business body; the inheritance relationship of the service body simplifies the authority management work to a certain extent, reflects the system relevance among the service systems and the flexibility in the authorization process.
The user and the service body are in many-to-many relationship, and one user can correspond to a plurality of servicesOne service body can also correspond to a plurality of users. Is described as
The business body and the authority are in many-to-many relationship, one business body corresponds to multiple authorities, and one authority can correspond to multiple business bodies. Is described as
As shown in fig. 1 and 2, the dynamic access control method based on service body of the present invention includes the steps of:
s1, initializing the service system to obtain initial service body BEInit;
Wherein the content of the first and second substances,
the representation form of the service system in the super application system is modularized and comprises a plurality of service system modules, and when the service system is abstracted, the initial service body BE is obtained corresponding to each service system moduleInit;
Namely:
s2, user sends out access request, initial service body BEInitThe user attribute obtaining method obtains the user attribute to obtain the complete service body
Wherein the content of the first and second substances,
(1) when the user sends out the access request, the initial service body BEInitThe user request acquisition method receives the access request for processing, and acquires the user, the operation type and the service system information;
expressed as:
(2) initial service body BE according to service system information and corresponding moduleInitEstablishing a mapping relation, triggering a GetUserAttr function for acquiring user attribute information in a service body, acquiring service system attributes by using the GetBSAttr function, abstracting a service system into a service body structure through an initBE function, and adding the service system attributes into the service body structure to acquire an initial service body BEInitConstructing an abstract data structure compounded by an access user and a business system;
expressed as:
s3, evaluating the trust level of the user by the trust evaluation method in the service body according to the user attribute; expressed as:
wherein the content of the first and second substances,
according to the user trust level attribute value in the user attribute, taking the user trust level attribute value as a historical trust value of the user;
evaluating the spatiotemporal attributes in the user attributes to obtain spatiotemporal trust values of the user;
and integrating the historical trust value and the spatiotemporal trust value to obtain the user trust level.
In particular, the method comprises the following steps of,
in the dynamic evaluation process of the user trust level, the historical trust value is directly given during the first evaluation, the subsequent user trust value is obtained by calculation according to the user trust level, and the formula is as follows:
uht=0.5*CT
the spatiotemporal attributes comprise time, addresses and context, the spatiotemporal trust value of the user is calculated according to the association degree of each spatiotemporal attribute and the system security, and the formula is as follows:
the calculation formula of the user trust level is as follows:
CT=α×uht+β×st(α+β=1)
wherein the content of the first and second substances,
uht, st and CT respectively represent a historical trust value, a space-time trust value and a user trust level of the user;
rel represents the correlation degree of each spatiotemporal attribute and the system security;
w represents the weight occupied by each spatio-temporal attribute;
n represents the number of spatiotemporal attributes;
alpha and beta respectively represent the weight occupied by the user historical trust value and the space-time attribute trust value in the system.
S4, comparing and judging the user trust level and the safety level of the service system by the trust judgment mechanism in the service body, if the user trust level is higher than the safety level of the service system, allowing the user to continue accessing, otherwise refusing the access.
Expressed as:
and S5, when the user is allowed to access, further performing fine-grained access control decision.
Wherein the content of the first and second substances,
the service body also comprises an access authorization mechanism, and the user request acquisition method acquires the operation type information when processing the access request;
when the user is allowed to continue accessing, the access authorization mechanism acquires the user attribute and the service body ID attribute to obtain the operation authority range of the user in the service system;
and if the operation type in the user request is within the operation authority range, authorizing the access.
Namely: UA and BeId respectively represent user attribute and service ID attribute.
<UA∩BeId>→Request
Access(Request)→Authority Refinement
The dynamic access control method based on the service body can BE represented by a model (BE-BAC) shown in figure 3, introduces the concept of the service body as abstract description of a complex of a service system and an access user, realizes the mapping relation of user-service body-authority, completes quick authorization and realizes dynamic, quick and safe access control.
The BE-BAC model comprises the main elements of users, service bodies, service systems, operations, relationships, sessions, constraints and the like, and is specifically defined as follows:
users (Users, U): the access subject has some attributes and requests to access the entity of the service system resource, the attributes of the access user mainly include: identity, time, address, context, content, trust level. These attributes are used for the authorization process.
Business System (BS): the access object refers to an object for accessing user operation, and the accessed resource entity also has attributes, including: owner, authority, security level (security level). These attributes are also used in the authorization process.
Service Entity (BE): the abstract description of the service system and the user is composed of attributes, methods and mechanisms, and dynamic, quick and fine-grained access authorization is realized.
Operation (Operation, OP): and operations, such as reading, writing, deleting and the like, performed by the user on the access object.
Permissions (Permissions): the method is characterized in that the method is used for accessing the privilege of a user for operating the business system resources and can access the business system object resources or perform certain authorized qualification of operation.
Constraint (Limit): and the method is characterized in that the method carries out limitation in a session process, a user-business body mapping process, a business body-object mapping process and the like, and mainly comprises a cardinal number constraint, an attribute conflict constraint, a space-time constraint, a responsibility separation constraint, a minimum authority principle, a data abstraction principle and the like.
Attributes (Attributes): an element for identifying entities such as access users, business systems, etc. is defined as a binary < Attribute, Value >, where UA refers to user Attribute, OA refers to operation Attribute, BA refers to business body Attribute, EA refers to environment Attribute, and current environment state where access occurs.
Session (SES): and establishing mapping of corresponding relation between the user and the set formed by the module service bodies.
User-Business Entity Mapping (UBM): and establishing an association relationship between the user and the service body through the session, acquiring the attribute of the access user, and establishing a complete service body structure.
Business Entity-rights Mapping (BPM): and realizing the corresponding relation between the service body and the authority, and finishing the access authorization process.
The invention has the advantages that:
(1) the business system and the access user information are abstractly described as a business body, and the access control to the user can be realized based on the user attribute and the security level of the business system through a trust evaluation method and a trust judgment mechanism in the business body, so that the separation of the access control process and the business system data is realized, the data security in the access authorization process is ensured, and the quick access control of the business system is realized.
(2) For a modular business system, the business system is abstractly described as a modular initial business body BEInitSetting user request obtaining method in service body, obtaining user request access request information in time when user initiates access request, and mapping to corresponding initial service body BE according to service system module in user access request informationInitThe flexible configuration of the service body is realized,and the access control is faster and more accurate.
(3) And dynamically evaluating the user attribute in the user access process, evaluating the user trust level according to the user attribute obtained by dynamic evaluation, and further comparing the user trust level with the security level attribute value of the service system in the service body, thereby ensuring the dynamic timeliness and reliability of information in the access control process.
(4) The attribute of the access user is automatically acquired by the user attribute acquisition method in the service body, so that the credible evaluation efficiency of the access user is improved.
(5) And by combining an access control method based on attributes, the access authority is divided into fine granularities, and meanwhile, an access control mechanism is arranged in the service body, so that the fine granularity access requirement of an access user is met.
(6) The association degree method is set in the business body, the association degree between the business bodies of each module can be calculated, and the relation between the business bodies can be obtained according to the association degree, so that the authority management work of the business bodies can be simplified, and the flexibility of the access authorization process is improved.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A dynamic access control method based on service body is characterized by comprising the following steps:
abstracting the service system to obtain an initial service body BEInit;
The user sends an access request to the service system, and the initial service body BEInitThe user attribute obtaining method obtains the user attribute to obtain the complete service body
The trust evaluation method in the service body evaluates the user trust level according to the user attribute;
a trust judgment mechanism in the service body judges the user trust level and the service system security level attribute value of the service body;
and if the user trust level is higher than the business system security level attribute value of the business body, allowing the user to continue accessing.
2. The dynamic access control method of claim 1, wherein:
the super application system comprises a plurality of service system modules, wherein each service system module is abstracted respectively to obtain an initial service body BE correspondinglyInit;
When the user sends the access request to the service system, the initial service body BEInitThe user request acquisition method receives the access request for processing and acquires access request information;
according to the service system information in the access request information and the initial service body BE of the corresponding service system moduleInitAnd establishing a mapping relation.
3. The dynamic access control method of claim 2, wherein: the business body is an abstract description of a complex of the business system and the user, and comprises attributes, methods and mechanisms;
the attributes comprise service body ID attributes, service system attributes and user attributes, and the service system attributes comprise security levels;
the method comprises a service body initialization method, a user request acquisition method, a user attribute acquisition method and a trust evaluation method;
the mechanism includes a trust judgment mechanism.
4. The dynamic access control method of claim 3, wherein: the business body initialization method abstracts the business system into the structure of the business body, acquires the business system attribute of the business system and adds the business system attribute into the structure of the business body to obtainGet initial service body BEInit。
5. The dynamic access control method of claim 1, wherein: the trust evaluation method in the service body dynamically evaluates the user trust level according to the user attribute; the method comprises the following steps:
taking the user trust level attribute value in the user attribute as the historical trust value of the user;
evaluating the spatiotemporal attributes in the user attributes to obtain spatiotemporal trust values of the user;
and integrating the historical trust value and the spatiotemporal trust value to obtain the user trust level.
6. The dynamic access control method of claim 5, wherein: in the dynamic evaluation process of the user trust level, the historical trust value is directly given during the first evaluation, the historical trust value of the user is obtained by calculation according to the user trust level, and the formula is as follows:
uht=0.5*CT
the space-time attributes comprise time, addresses and context, the space-time trust value of the user is calculated according to the association degree of each space-time attribute and the system security, and the formula is as follows:
the calculation formula of the user trust level is as follows:
CT=α×uht+β×st(α+β=1)
wherein the content of the first and second substances,
uht, st and CT respectively represent a historical trust value, a space-time trust value and a user trust level of the user;
rel represents the correlation degree of each spatiotemporal attribute and the system security;
w represents the weight occupied by each spatio-temporal attribute;
n represents the number of spatiotemporal attributes;
alpha and beta respectively represent the weight occupied by the user historical trust value and the space-time attribute trust value in the system.
7. The dynamic access control method of claim 3, wherein: the service body also comprises an access authorization mechanism, and the user request acquisition method also acquires operation type information when processing the access request;
when the user is allowed to continue accessing, the access authorization mechanism acquires the user attribute and the service body ID attribute to obtain the operation authority range of the user in the service system;
and if the operation type in the user request is within the operation authority range, authorizing access.
8. The dynamic access control method of claim 7, wherein: according to the incidence relation among different service system modules in the super application system, the service bodies have authority inheritance relation;
the child service inherits the authority of the corresponding unique parent service and can also have additional authority.
9. The dynamic access control method of claim 8, wherein: the business body also comprises a correlation method, and the correlation between the two business bodies is calculated according to the correlation method;
and if the association degree of one business body and the other business body is more than 0.5, the two business bodies have an inheritance relationship.
10. The dynamic access control method of claim 9, wherein: calculating the association degree of the two business bodies according to the business system attributes corresponding to the two business bodies, wherein the formula is as follows:
wherein the content of the first and second substances,
am represents a service system attribute set of the service body m;
an represents a business system attribute set of the business body n;
|Am∩Anl represents the number of the service body m and the service body n with the same attribute;
|Am∪Anand | represents the number of all attributes owned by service m and service n.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210200138.0A CN114567489B (en) | 2022-03-02 | 2022-03-02 | Dynamic access control method based on service body |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210200138.0A CN114567489B (en) | 2022-03-02 | 2022-03-02 | Dynamic access control method based on service body |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114567489A true CN114567489A (en) | 2022-05-31 |
| CN114567489B CN114567489B (en) | 2023-09-15 |
Family
ID=81715319
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210200138.0A Active CN114567489B (en) | 2022-03-02 | 2022-03-02 | Dynamic access control method based on service body |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114567489B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060136999A1 (en) * | 2004-12-16 | 2006-06-22 | Martin Kreyscher | Trust based relationships |
| CN101039322A (en) * | 2007-04-20 | 2007-09-19 | 华中师范大学 | Dynamic access control method of pervasive computing |
| US20150222606A1 (en) * | 2012-09-21 | 2015-08-06 | Nokia Corporation | Method and apparatus for providing access control to shared data based on trust level |
| CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
| CN105282160A (en) * | 2015-10-23 | 2016-01-27 | 绵阳师范学院 | Credibility-based dynamic access control method |
| US20200013062A1 (en) * | 2018-07-06 | 2020-01-09 | At&T Intellectual Property I, L.P. | Services for entity trust conveyances |
| CN111431843A (en) * | 2019-01-10 | 2020-07-17 | 中国科学院电子学研究所 | Access control method based on trust and attribute in cloud computing environment |
-
2022
- 2022-03-02 CN CN202210200138.0A patent/CN114567489B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060136999A1 (en) * | 2004-12-16 | 2006-06-22 | Martin Kreyscher | Trust based relationships |
| CN101039322A (en) * | 2007-04-20 | 2007-09-19 | 华中师范大学 | Dynamic access control method of pervasive computing |
| US20150222606A1 (en) * | 2012-09-21 | 2015-08-06 | Nokia Corporation | Method and apparatus for providing access control to shared data based on trust level |
| CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
| CN105282160A (en) * | 2015-10-23 | 2016-01-27 | 绵阳师范学院 | Credibility-based dynamic access control method |
| US20200013062A1 (en) * | 2018-07-06 | 2020-01-09 | At&T Intellectual Property I, L.P. | Services for entity trust conveyances |
| CN111431843A (en) * | 2019-01-10 | 2020-07-17 | 中国科学院电子学研究所 | Access control method based on trust and attribute in cloud computing environment |
Non-Patent Citations (1)
| Title |
|---|
| 范运东;吴晓平;石雄;: "基于信任值评估的云计算访问控制模型研究", 信息网络安全, no. 07 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114567489B (en) | 2023-09-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6256737B1 (en) | System, method and computer program product for allowing access to enterprise resources using biometric devices | |
| US7305562B1 (en) | System, method and computer program product for an authentication management infrastructure | |
| US7483896B2 (en) | Architecture for computer-implemented authentication and authorization | |
| CN110941856A (en) | Data differential privacy protection sharing platform based on block chain | |
| US20220321364A1 (en) | System and Method to Facilitate an Account Protection Check Through Blockchain | |
| CN113642409A (en) | Face anonymization system and method and terminal | |
| CN114567489B (en) | Dynamic access control method based on service body | |
| WO2001065375A1 (en) | System, method and computer program product for an authentication management infrastructure | |
| CN113051603A (en) | Cloud service interaction method combining cloud computing and information digitization and big data platform | |
| US11086643B1 (en) | System and method for providing request driven, trigger-based, machine learning enriched contextual access and mutation on a data graph of connected nodes | |
| Wang et al. | A trust and attribute-based access control framework in internet of things | |
| Jagadamba et al. | Adaptive context-aware access control model for ubiquitous learning environment | |
| Covington et al. | Parameterized authentication | |
| US20220321562A1 (en) | System and Method to Facilitate an Account Protection Check for Sets of Credentials | |
| Wood et al. | Access control mechanisms for a network operating system | |
| Alese et al. | A User Identity Management System for Cybercrime Control | |
| US20230315878A1 (en) | Information Security Through Facial Recognition In Control Centers | |
| CN104504317B (en) | A kind of access control system user authorization query asks the fast solution method of problem | |
| US20220224688A1 (en) | System and Method to Facilitate an Account Protection Check for Sets of Credentials | |
| CN109547460B (en) | Identity alliance-oriented multi-granularity joint identity authentication method | |
| US20210234854A1 (en) | Confidence broker system | |
| Chandramouli | Implementation of multiple access control policies within a CORBASEC framework | |
| Booysen et al. | Classification of objects for improved access control | |
| Sodiya et al. | Components-Based Access Control Architecture. | |
| Bensoussan et al. | A trust-score-based access control in assured information sharing systems: An application of financial credit risk score models |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240430 Address after: Room 5033, 5th Floor, Shandong Digital Industry Building, No. 28-1 Jingqi Road, Shizhong District, Jinan City, Shandong Province, 250001 Patentee after: Jinan Rongtu Information Technology Co.,Ltd. Country or region after: China Address before: 276000 west side of north section of Industrial Road, Lanshan District, Linyi, Shandong Patentee before: LINYI University Country or region before: China |