CN114567489B - Dynamic access control method based on service body - Google Patents


Info

Publication number: CN114567489B
Authority: CN (China)
Prior art keywords: user, service, attribute, trust, business
Legal status: Active
Application number: CN202210200138.0A
Other languages: Chinese (zh)
Other versions: CN114567489A
Inventors: 赵斌, 郑贵悦, 王九如, 高潇
Current Assignee: Jinan Rongtu Information Technology Co.,Ltd.
Original Assignee: Linyi University
Application filed by Linyi University
Priority to CN202210200138.0A
Publication of CN114567489A
Application granted
Publication of CN114567489B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The application provides a dynamic access control method based on a service body, which relates to the technical field of system access control and comprises the following steps: abstracting the business system to obtain an initial business body BE_Init; a user sends an access request to the service system, and the user attribute acquisition method of the initial service body BE_Init acquires the user attributes to obtain a complete service body; the trust evaluation method in the service body evaluates the trust level of the user according to the user attributes; a trust judgment mechanism in the service body compares the trust level of the user with the security level attribute value of the service body's service system; and if the user trust level is higher than the service system security level attribute value of the service body, the user is allowed to continue the access. The application introduces the concept of the service body, performs access control based on the service body, and realizes flexible, fast and secure access control authorization in an open and complex super application system environment.

Description

Dynamic access control method based on service body
Technical Field
The application relates to the technical field of system access control, in particular to a dynamic access control method based on a service body.
Background
The super application system combines and integrates a plurality of business services, thereby integrating the business systems and bringing convenience to people and enterprises. Meanwhile, since the service systems in the super application system are numerous, access control operations occur frequently, and the service systems may be associated with one another, the operation of the service systems in the whole access control process becomes complex and access efficiency is low; in addition, service system data can be interacted with directly during access, so there are hidden dangers in terms of data security.
Disclosure of Invention
To address the above problems, the application provides a dynamic access control method based on a service body, which, by introducing the concept of the service body, separates the service system from its data in the access control process, ensures the security of the data in the access authorization process and improves the efficiency of user access control.
In order to achieve the above object, the present application provides a dynamic access control method based on a service body, including:
abstracting the business system to obtain an initial business body BE_Init;
the user sends an access request to the service system, and the user attribute acquisition method of the initial service body BE_Init acquires the user attributes to obtain a complete service body;
the trust evaluation method in the service body evaluates the trust level of the user according to the user attributes;
the trust judgment mechanism in the service body compares the trust level of the user with the security level attribute value of the service system of the service body;
and if the user trust level is higher than the service system security level attribute value of the service body, the user is allowed to continue the access.
As a further improvement of the application, the super application system comprises a plurality of service system modules, and each service system module is abstracted separately to obtain a corresponding initial service body BE_Init;
when the user sends an access request to the service system, the user request acquisition method of the initial service body BE_Init receives and processes the access request to obtain the access request information;
according to the service system information in the access request information, a mapping relation is established with the initial service body BE_Init of the corresponding service system module.
As a further improvement of the present application, the service body is an abstract description of the complex of the service system and the user, including attributes, methods and mechanisms;
the attributes comprise a service body ID attribute, a service system attribute and a user attribute, and the service system attribute comprises a security level;
the method comprises a service body initialization method, a user request acquisition method, a user attribute acquisition method and a trust evaluation method;
the mechanism comprises a trust judgment mechanism and an access control mechanism.
As a further improvement of the present application, the service body initialization method abstracts the service system into a service body structure, and obtains the initial service body BE_Init by adding the service system attributes of the service system to the service body structure.
As a further improvement of the application, the trust evaluation method in the business body dynamically evaluates the user trust level according to the user attribute; comprising the following steps:
taking the user credibility grade attribute value in the user attribute as a historical trust value of the user;
evaluating the space-time attribute in the user attribute to obtain a space-time trust value of the user;
and integrating the historical trust value and the space-time trust value to obtain the user trust level.
As a further improvement of the application, in the dynamic evaluation process of the user trust level, the historical trust value is directly given in the first evaluation, and the user's historical trust value for later evaluations is calculated from the user trust level, with the formula:
uht = 0.5 × CT
the space-time attribute comprises time, address and context, and the space-time trust value of the user is calculated according to the association degree of each space-time attribute with system security, with the formula:
the calculation formula of the user trust level is:
CT = α × uht + β × st (α + β = 1)
wherein:
uht, st and CT are the historical trust value, the space-time trust value and the user trust level of the user respectively;
rel represents the degree of association of each space-time attribute with system security;
w represents the weight occupied by each space-time attribute;
n represents the number of space-time attributes;
α and β respectively represent the weights occupied by the user's historical trust value and space-time attribute trust value in the system.
As a further improvement of the application, the service body further comprises an access authorization mechanism, and the user request acquisition method also acquires operation type information when processing the access request;
when the user is allowed to continue to access, the access authorization mechanism acquires the user attribute and the service body ID attribute and obtains the operation authority range of the user in the service system;
and if the operation type in the user request is within the operation authority range, authorizing access.
As a further improvement of the application, according to the association relation between different service system modules in the super application system, the service bodies have authority inheritance relation;
the child business body inherits the authority of the corresponding unique parent business body and can also possess additional authority.
As a further improvement of the application, the service body further comprises an association degree method, and the association degree between two service bodies is calculated according to this method;
and if the association degree of one service body with another is greater than 0.5, the two service bodies have an inheritance relationship.
As a further improvement of the present application, the association degree of the two service bodies is calculated from the service system attributes corresponding to the two service bodies, with the formula:
S_Jaccard(m,n) = |A_m ∩ A_n| / |A_m ∪ A_n|
wherein:
A_m represents the service system attribute set of service body m;
A_n represents the service system attribute set of service body n;
|A_m ∩ A_n| represents the number of attributes that service body m and service body n have in common;
|A_m ∪ A_n| represents the number of all attributes owned by service body m and service body n.
Compared with the prior art, the application has the beneficial effects that:
the application abstractly describes the service system and the access user information as the service body, realizes the access control to the user based on the user attribute and the security level of the service system by a trust evaluation method and a trust judgment mechanism in the service body, namely, realizes the separation of the access control process and the service system data, ensures the security of the data in the access authorization process, and realizes the rapid access control of the service system.
For a modularized service system, the application abstractly describes the service system as a modularized initial service body BE_Init, sets a user request acquisition method in the service body so that the access request information is acquired in time when the user initiates an access request, and maps the request to the corresponding initial service body BE_Init according to the user's access request information, so that the flexible configuration of the service body is realized and the access control is faster and more accurate.
The application dynamically evaluates the user attribute in the process of user access, evaluates the user trust level according to the user attribute obtained by dynamic evaluation, and further compares the user trust level with the security level attribute value of the service system in the service body, thereby ensuring the dynamic timeliness and reliability of the information in the process of access control.
According to the application, the attribute of the access user is automatically acquired by the user attribute acquisition method in the service body, so that the reliability evaluation efficiency of the access user is improved.
The application combines the access control method based on the attribute to divide the access authority into fine granularity, and sets the access control mechanism in the business body at the same time to realize the fine granularity access requirement of the access user.
The method for setting the association degree in the service bodies can calculate the association degree between the service bodies of all the modules, and the service bodies have inheritance relation according to the association degree, so that the authority management work of the service bodies can be simplified, and the flexibility of the access authorization process is improved.
Drawings
FIG. 1 is a flow chart of a dynamic access control method based on a service body according to an embodiment of the present application;
FIG. 2 is a detailed flow chart of a dynamic access control method based on a service body according to an embodiment of the present application;
fig. 3 is a schematic diagram of a service-based access control model according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The application is described in further detail below with reference to the attached drawing figures:
the application provides a dynamic access control method based on a service body, which introduces a service body concept and defines the service body, wherein the specific content of the service body comprises the following steps:
the Business Entity (BE) is an abstract description of the complex of a business system and an access user; by definition it is a data structure consisting of three parts, attributes, methods and mechanisms, and it realizes fast access authorization of the business system by executing a series of methods and mechanisms. Namely:
Business_Entity = {Attributes, Methods, Mechanisms}
(1) The attributes are the characteristic expression of the service body and mainly comprise an ID attribute, service system attributes and user attributes. The ID attribute is the unique identification attribute of the service body. The service system attributes are static attributes of the service body and an abstraction of the service system: their values remain unchanged, are generated when the service body is generated and disappear when the service body disappears, and they mainly comprise the owner, the permissions and the security level. The user attributes in the service body are dynamic: their values are obtained dynamically by the user attribute acquisition method in the service body during the user access control process, and they mainly comprise identity, time, address, context, content and trust level. Expressed as:
Attribute {
    String BeId;
    String BusAttr[] = {Permission, Owner, SafetyLevel};
    String UserAttr[] = {Identity, Time, Address, TrustLevel, Content};
}
(2) The method comprises a service body initialization method, a user request acquisition method, a user attribute acquisition method, a trust evaluation method and a relevance method:
(1) Service body initialization method
First the service body is initialized: the service system is abstracted into a service body BE_Init, the attributes of the related service system are obtained to form the service body BE_Init, and initialization is complete.
Input: BsAttr
Output: BE_Init
GetBsAttr(<Permission,Owner,SafetyLevel>) → <<Permission,value>,<Owner,value>,<SafetyLevel,value>>
InitBE(<<Permission,value>,<Owner,value>,<SafetyLevel,value>>) → BE_Init
(2) User request acquisition method
The user request acquisition method receives the original access control request (Original Access Control Request, OACR) sent by the user and processes it to obtain the related information; U, OP and BS represent the user, the operation type and the service system respectively.
Input: OACR
Output: parameter values in OACR
<U,OP,BS> → OACR
GetRequest(OACR) → <<U,value>,<OP,value>,<BS,value>>
(3) User attribute acquisition method
After the mapping between the user and the business body BE_Init is completed, the user attribute acquisition method in the business body BE_Init is activated to obtain the user attributes and their values, mainly comprising identity, time, address, trust level and content, and finally the complete service body is formed.
Input: UserAttr
Output: UserAttr values
<Identity,Time,Address,TrustLevel,Content> → UserAttr
GetUserAttr(UserAttr) → <<Identity,value>,<Time,value>,<Address,value>,<TrustLevel,value>,<Content,value>>
(4) Trust evaluation method
The trust evaluation method Trust improves the efficiency of evaluating the reliability of the access user and dynamically evaluates the access user according to the attribute values obtained from the user attributes. The trust evaluation consists of two parts: first, the user history trust value uht, which is determined from the obtained user trust level attribute value; second, the space-time trust value st, which is the trust value obtained after evaluating time, address and context. The final comprehensive trust value CT is expressed as
CT = α × uht + β × st (α + β = 1)
α and β represent the weights that the user history trust value and the space-time attribute trust value occupy in the system.
The first user history trust value is assigned directly, and later user history trust values are calculated from CT: uht = 0.5 × CT.
The trust value of the space-time attribute is calculated from the evaluation factors in the space-time attribute; the association degree of each evaluation factor with system security is denoted rel, w represents the proportion occupied by each evaluation factor, and the space-time trust value is expressed as
where n represents the number of evaluation factors.
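The trust evaluation described above (and in the summary of the same method earlier in this description) combines two formulas that interact over successive requests: CT = α × uht + β × st and uht = 0.5 × CT. The following is an added example, not code from the patent, that runs this recurrence. The page does not preserve the st formula, so the weighted-sum form st = Σ w_i × rel_i over the n space-time factors is an assumption, as are the sample factor values and weights.

```python
"""Trust evaluation of the service body, as an added example (not the patent's code).

CT = alpha * uht + beta * st  (alpha + beta = 1)      -- from the page
uht_next = 0.5 * CT                                   -- from the page
st = sum(w_i * rel_i) over the n space-time factors  -- ASSUMED form: the page names
    rel, w and n but its st formula did not survive extraction.
"""
from typing import Iterable, List, Tuple

Factor = Tuple[str, float, float]  # (name, rel: association with system security, w: weight)


def spatio_temporal_trust(factors: Iterable[Factor]) -> float:
    """st as a weighted sum of the factor association degrees (assumed form)."""
    factors = list(factors)
    total_w = sum(w for _, _, w in factors)
    if abs(total_w - 1.0) > 1e-9:
        raise ValueError("space-time weights must sum to 1")
    for name, rel, _ in factors:
        if not 0.0 <= rel <= 1.0:
            raise ValueError(f"association degree of {name} must lie in [0, 1]")
    return sum(w * rel for _, rel, w in factors)


def comprehensive_trust(uht: float, st: float, alpha: float, beta: float) -> float:
    """CT = alpha * uht + beta * st, with the page's constraint alpha + beta = 1."""
    if abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    return alpha * uht + beta * st


def next_history_trust(ct: float) -> float:
    """Historical trust value carried into the next evaluation: uht = 0.5 * CT."""
    return 0.5 * ct


def evaluate_sequence(initial_uht: float, st_values: Iterable[float],
                      alpha: float, beta: float) -> List[float]:
    """Run successive evaluations; the first uht is given directly, later ones derive from CT."""
    uht = initial_uht
    history: List[float] = []
    for st in st_values:
        ct = comprehensive_trust(uht, st, alpha, beta)
        history.append(ct)
        uht = next_history_trust(ct)
    return history


def steady_state_trust(st: float, alpha: float, beta: float) -> float:
    """Fixed point of the recurrence for a constant st: CT* = beta*st / (1 - alpha/2).

    Because uht is halved every round, a user whose behaviour is perfectly
    consistent (st = 1) still cannot exceed this value, so service system
    security levels must be set below it or no user ever qualifies.
    """
    return beta * st / (1.0 - alpha / 2.0)


if __name__ == "__main__":
    # Constructed sample factors: access in office hours, from the intranet, in a normal context.
    factors = [("time", 1.0, 0.3), ("address", 1.0, 0.4), ("context", 1.0, 0.3)]
    st = spatio_temporal_trust(factors)
    cts = evaluate_sequence(initial_uht=0.8, st_values=[st] * 12, alpha=0.5, beta=0.5)
    print([round(c, 4) for c in cts])
    print("steady state:", round(steady_state_trust(st, 0.5, 0.5), 4))
```

With α = β = 0.5 and a constant st = 1, the sequence starts at 0.9 and settles at 2/3; the halving of uht means the historical component can never contribute more than α/2 of the previous CT, which is worth knowing when choosing the SafetyLevel values that CT is compared against.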
(5) Association degree method
The representation of the business systems is modular, so the mapped business bodies are also modular; the business systems have inherited association relationships, and correspondingly there are relationships among the business bodies. The relationship between service bodies can be verified repeatedly against this association for consistency detection, which ensures the accuracy of the relationship between service bodies. The similarity of business body m to business body n is calculated by the following formula:
S_Jaccard(m,n) = |A_m ∩ A_n| / |A_m ∪ A_n|
wherein A_m and A_n represent the service system characteristic attribute sets of service bodies m and n respectively, |A_m ∩ A_n| represents the number of characteristic attributes that service body m and service body n have in common, and |A_m ∪ A_n| represents the number of all characteristic attributes possessed by service body m and service body n. When S_Jaccard(m,n) > 0.5, the association degree between the two business bodies is high and the business bodies have an inheritance relationship. Meanwhile, the calculation of the association degree can be used as a consistency check to ensure the accuracy of the relationship between the business bodies.
The code for calculating the Jaccard coefficient is as follows.
Input: featureAttr1, featureAttr2
Output: S_J
Calculating the number of identical attributes (on a copy, so that featureAttr1 still holds the full set for the union step)
    common = new HashSet<>(featureAttr1)
    common.retainAll(featureAttr2) → common
    common.size() → Num1
Calculating the number of all attributes
    all = new HashSet<>(featureAttr1)
    all.addAll(featureAttr2) → all
    all.size() → Num2
Calculating the Jaccard coefficient (floating-point division, otherwise the integer quotient is 0 or 1)
    S_J = (double) Num1 / Num2
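The association degree method above also drives two rules stated elsewhere in this description: an association greater than 0.5 marks an inheritance relationship, and the degree can be recomputed as a consistency check on the declared relationships. The following is an added example, not the patent's code, that implements the Jaccard association, lists the pairs that qualify for inheritance and checks a declared parent table against them. The service bodies and their attribute sets are constructed sample data, and the shape of the consistency check (a child-to-parent table compared with the computed relation) is an assumption about how the page's "consistency detection" would be done.

```python
"""Association degree between service bodies by Jaccard coefficient, as an added example (not the patent's code).

S_Jaccard(m, n) = |A_m ∩ A_n| / |A_m ∪ A_n|; an association above 0.5 marks an inheritance
relationship. The declared-parent check is an assumed form of the page's consistency detection.
"""
from typing import Dict, List, Optional, Set, Tuple

INHERITANCE_THRESHOLD = 0.5

# Constructed sample service bodies and their service system characteristic attribute sets.
SERVICE_BODIES: Dict[str, Set[str]] = {
    "hr_payroll": {"finance", "hr", "personal_data", "monthly"},
    "hr_leave": {"hr", "personal_data", "monthly", "calendar"},
    "finance_report": {"finance", "monthly", "report"},
    "notice_board": {"public", "announcement"},
}


def jaccard(attrs_m: Set[str], attrs_n: Set[str]) -> float:
    """Association degree of two service bodies from their attribute sets.

    The set operators return new sets, so neither input is mutated. An implementation
    that calls retainAll() and then addAll() on the same object ends up dividing by
    |A_n| instead of |A_m ∪ A_n|, which inflates the association.
    """
    union = attrs_m | attrs_n
    if not union:  # two empty attribute sets: define the association as 0 (assumption)
        return 0.0
    return len(attrs_m & attrs_n) / len(union)


def inheritance_relation(bodies: Dict[str, Set[str]]) -> List[Tuple[str, str, float]]:
    """All unordered pairs (m, n, S) whose association degree exceeds the threshold."""
    names = sorted(bodies)
    related: List[Tuple[str, str, float]] = []
    for i, m in enumerate(names):
        for n in names[i + 1:]:
            s = jaccard(bodies[m], bodies[n])
            if s > INHERITANCE_THRESHOLD:
                related.append((m, n, s))
    return related


def check_declared_parents(bodies: Dict[str, Set[str]],
                           parent_of: Dict[str, Optional[str]]) -> List[str]:
    """Consistency check of a declared inheritance table (child -> single parent).

    Reports a declared parent whose association does not exceed the threshold, and a
    strongly associated pair for which no inheritance has been declared.
    """
    problems: List[str] = []
    for child, parent in parent_of.items():
        if parent is None:
            continue
        if parent == child:
            problems.append(f"{child} declares itself as parent")
            continue
        s = jaccard(bodies[child], bodies[parent])
        if s <= INHERITANCE_THRESHOLD:
            problems.append(f"{child} -> {parent}: association {s:.2f} does not exceed {INHERITANCE_THRESHOLD}")
    declared = {(c, p) for c, p in parent_of.items() if p}
    for m, n, s in inheritance_relation(bodies):
        if (m, n) not in declared and (n, m) not in declared:
            problems.append(f"{m} and {n} are associated ({s:.2f}) but no inheritance is declared")
    return problems


if __name__ == "__main__":
    for m, n, s in inheritance_relation(SERVICE_BODIES):
        print(f"{m} <-> {n}: S_Jaccard = {s:.2f}")
    print(check_declared_parents(SERVICE_BODIES, {"finance_report": "hr_payroll"}))
```

On the sample data only hr_payroll and hr_leave exceed 0.5 (3 shared attributes out of 5), so declaring finance_report as a child of hr_payroll (association 0.4) is flagged, as is the undeclared hr_leave relationship. The page does not say which of two associated bodies is the parent, so the check takes the direction from the declared table rather than inferring it.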
(3) The mechanisms comprise a trust judgment mechanism and an access authorization mechanism
(1) Trust judgment mechanism
Within the service body mechanisms, the trust judgment mechanism realizes the trust level judgment between the user and the service body and completes the first step of service-body-based access control. In this process the mapping is carried out by comparing the trust level of the user with the security level of the service system: the trust level of the access user is evaluated by the trust evaluation method of the service body to obtain the corresponding trust value, thereby forming the complete service body. The service system attributes include a security level attribute; the trust value of the access user is compared with the security level of the service system, and if the trust value is higher than the security level, the next access step can proceed; otherwise, access is denied.
(2) Access authorization mechanism
Fine-grained access control decision: because of the complexity of the network and the diversity of users, the management of the inheritance relationships, permissions and hierarchy of the service bodies needs to be refined so as to meet the fine-grained access requirements of the access user on service system resources under limiting conditions such as environment, operation and context; therefore a flexible access control decision mechanism of the service body hierarchy is configured, which addresses the fine-grained access requirements of the access user more effectively.
After the trust judgment mechanism module has judged whether the user may continue the access, the access authorization mechanism module is executed: the related attributes are acquired in combination with the attribute-based access control scheme, a fine-grained authority judgment is carried out, and finally the access control request is completed. UA and BeId represent the user attributes and the business body ID attribute respectively.
<UA∩BeId>→Request
Access(Request)→Authority Refinement
(4) Relationship among business bodies, users and authorities
(1) The business bodies have an inheritance relationship: a business body can inherit from another business body, and a child business body, while possessing the permissions of its parent business body, can also possess or be associated with additional permissions, which together form all the permissions of the child business body; one business body can inherit from only one business body. The inheritance relationship of service bodies simplifies authority management to a certain extent and reflects the systematic association between service systems and the flexibility of the authorization process.
(2) The relationship between users and service bodies is many-to-many: one user can correspond to a plurality of service bodies, and one service body can correspond to a plurality of users. Described as
(3) The relationship between business bodies and permissions is many-to-many: one business body corresponds to a plurality of permissions, and one permission can correspond to a plurality of business bodies. Described as
As shown in fig. 1 and 2, the dynamic access control method based on the service body of the present application includes the steps of:
S1, initializing the service system to obtain the initial service body BE_Init.
wherein:
the service system in the super application system is expressed in modular form and comprises a plurality of service system modules; when the service system is abstracted, an initial service body BE_Init is obtained for each service system module respectively,
namely:
S2, the user sends an access request, and the user attribute acquisition method of the initial service body BE_Init acquires the user attributes to obtain the complete service body.
wherein:
(1) When the user sends an access request, the user request acquisition method of the initial service body BE_Init receives and processes the access request to obtain the user, operation type and service system information;
expressed as:
(2) A mapping relation is established between the service system information and the initial service body BE_Init of the corresponding module, the GetUserAttr function in the service body is triggered to acquire the user attribute information, the GetBsAttr function acquires the service system attributes, the InitBE function abstracts the service system into a service body structure and adds the service system attributes into it to obtain the initial service body BE_Init, and an abstract data structure combining the access user and the service system is constructed;
expressed as:
S3, the trust evaluation method in the service body evaluates the trust level of the user according to the user attributes; expressed as:
wherein:
taking the attribute value of the user trust level in the user attribute as a historical trust value of the user;
evaluating the space-time attribute in the user attribute to obtain a space-time trust value of the user;
and obtaining the user trust level by integrating the historical trust value and the space-time trust value.
In particular,
in the dynamic evaluation process of the user trust level, the historical trust value is directly given in the first evaluation, and the user's historical trust value for later evaluations is calculated from the user trust level, with the formula:
uht = 0.5 × CT
the space-time attribute comprises time, address and context, and the space-time trust value of the user is calculated according to the association degree of each space-time attribute with system security, with the formula:
the calculation formula of the user trust level is:
CT = α × uht + β × st (α + β = 1)
wherein:
uht, st and CT are the historical trust value, the space-time trust value and the user trust level of the user respectively;
rel represents the degree of association of each space-time attribute with system security;
w represents the weight occupied by each space-time attribute;
n represents the number of space-time attributes;
α and β respectively represent the weights occupied by the user's historical trust value and space-time attribute trust value in the system.
S4, comparing and judging the user trust level and the security level of the service system by a trust judgment mechanism in the service body, if the user trust level is higher than the security level of the service system, allowing the user to continue accessing, otherwise refusing to access.
Expressed as:
S5, when the user is allowed to access, a fine-grained access control decision is further made.
wherein:
the service body also comprises an access authorization mechanism, and the operation type information is acquired when the user request acquisition method processes the access request;
when the user is allowed to continue the access, the access authorization mechanism acquires the user attributes and the service body ID attribute and obtains the operation authority range of the user in the service system;
if the operation type in the user request is within the operation authority range, the access is authorized.
Namely, with UA and BeId representing the user attributes and the business body ID attribute respectively:
<UA∩BeId>→Request
Access(Request)→Authority Refinement
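Steps S1 to S5 above, together with the attribute structure and the GetBsAttr, InitBE, GetRequest and GetUserAttr methods defined earlier in this description, form one decision pipeline. The following is an added example, not the patent's code, that runs that pipeline end to end on constructed requests. Everything it reads from is constructed or assumed: the service system table and its SafetyLevel values (placed on the same 0 to 1 scale as CT), the user directory behind GetUserAttr, the identity-to-operation table used to derive the operation authority range from UA and BeId, the rel/w scoring for the space-time trust value (the page's st formula is missing) and the weights α = 0.6, β = 0.4.

```python
"""End-to-end BE-BAC decision (steps S1-S5), as an added example; not the patent's own code.

Assumed parts: the service system and user directories, the role table used for the
operation authority range, and the space-time scoring (the page gives rel, w and n
but not the st formula). Values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed service systems (S1 input). SafetyLevel shares CT's 0..1 scale (assumption).
SERVICE_SYSTEMS: Dict[str, dict] = {
    "payroll":      {"Permission": {"read", "write"}, "Owner": "hr",    "SafetyLevel": 0.7},
    "notice_board": {"Permission": {"read"},          "Owner": "admin", "SafetyLevel": 0.2},
}
# Constructed user directory behind GetUserAttr (identity, time, address, context, trust level).
USERS: Dict[str, dict] = {
    "alice": {"Identity": "hr_clerk", "Time": "office_hours", "Address": "intranet", "Context": "normal", "TrustLevel": 0.9},
    "bob":   {"Identity": "guest",    "Time": "office_hours", "Address": "public",   "Context": "normal", "TrustLevel": 0.3},
}
# Constructed operation authority per identity; combined with the BE's Permission in S5.
ROLE_OPERATIONS: Dict[str, Set[str]] = {"hr_clerk": {"read", "write"}, "guest": {"read"}}
# Constructed association degree (rel) of each space-time attribute value with system security, and weights w.
REL = {"Time": {"office_hours": 1.0}, "Address": {"intranet": 1.0, "vpn": 0.7, "public": 0.2}, "Context": {"normal": 1.0}}
WEIGHT = {"Time": 0.3, "Address": 0.4, "Context": 0.3}
ALPHA, BETA = 0.6, 0.4  # weights of uht and st; alpha + beta = 1 as the page requires


@dataclass
class BusinessEntity:
    """Business_Entity = {Attributes, Methods, Mechanisms}; this class carries the attributes."""
    be_id: str
    bus_attr: dict                                   # static service system attributes
    user_attr: dict = field(default_factory=dict)    # dynamic, filled by get_user_attr


def get_bs_attr(bs: str) -> dict:                    # GetBsAttr
    return dict(SERVICE_SYSTEMS[bs])


def init_be(bs: str) -> BusinessEntity:              # InitBE (S1): one BE_Init per module
    return BusinessEntity(be_id=f"BE:{bs}", bus_attr=get_bs_attr(bs))


def get_request(oacr: dict) -> Tuple[str, str, str]: # GetRequest: <U, OP, BS> from the OACR
    return oacr["U"], oacr["OP"], oacr["BS"]


def get_user_attr(be: BusinessEntity, user: str) -> BusinessEntity:  # GetUserAttr (S2)
    be.user_attr = dict(USERS[user])
    return be


def trust(be: BusinessEntity) -> float:              # Trust (S3): CT = alpha*uht + beta*st
    uht = be.user_attr["TrustLevel"]                 # historical trust value from the user attribute
    st = sum(WEIGHT[k] * REL[k].get(be.user_attr[k], 0.0) for k in WEIGHT)  # assumed weighted form
    return ALPHA * uht + BETA * st


def trust_judgment(be: BusinessEntity, ct: float) -> bool:   # S4: CT must exceed the security level
    return ct > be.bus_attr["SafetyLevel"]


def access_authorization(be: BusinessEntity, op: str) -> bool:  # S5: op within the authority range
    authority_range = ROLE_OPERATIONS.get(be.user_attr["Identity"], set()) & be.bus_attr["Permission"]
    return op in authority_range


def access_control(oacr: dict) -> str:
    """Run S1-S5 for one OACR; returns 'authorized' or the reason for denial."""
    user, op, bs = get_request(oacr)
    initial_bes = {name: init_be(name) for name in SERVICE_SYSTEMS}   # S1 for every module
    if bs not in initial_bes or user not in USERS:
        return "denied: unknown service system or user"
    be = get_user_attr(initial_bes[bs], user)          # map request -> BE_Init, then complete the BE
    ct = trust(be)
    if not trust_judgment(be, ct):
        return "denied: trust level"
    if not access_authorization(be, op):
        return "denied: operation"
    return "authorized"


if __name__ == "__main__":
    for req in ({"U": "alice", "OP": "read", "BS": "payroll"},
                {"U": "bob", "OP": "read", "BS": "payroll"},
                {"U": "bob", "OP": "read", "BS": "notice_board"},
                {"U": "alice", "OP": "delete", "BS": "payroll"}):
        print(req, "->", access_control(req))
```

The two denial paths are kept separate on purpose: bob is refused the payroll system at S4 (CT = 0.452 against a security level of 0.7) although his guest identity could read it, while alice passes S4 on payroll (CT = 0.94) and is refused only at S5 because delete is outside her operation authority range.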
The dynamic access control method based on the service body of the application can be represented by the model (BE-BAC) shown in FIG. 3. It introduces the concept of the service body as the abstract description of the complex of a service system and an access user, realizes the user-service body-authority mapping relation, completes fast authorization, and realizes dynamic, fast and secure access control.
The BE-BAC model mainly comprises the following elements of users, service bodies, service systems, operations, relations, sessions, constraints and the like, and is specifically defined as follows:
user (Users, U): an access principal having certain attributes and an entity requesting access to a business system resource, the attributes of the access user consisting essentially of: identity, time, address, context, content, trust level. These attributes are used in the authorization process.
Business System (BS): access object, which refers to an object that accesses user operations, an accessed resource entity, which also has attributes, including: owner, rights, security level (security level). These attributes are also used in the authorization process.
Business Entity (BE): the abstract description of the service system and the user is composed of attributes, methods and mechanisms, and dynamic, rapid and fine-grained access authorization is realized.
Operation (OP): operations performed by the user on the access object, such as reading, writing, deleting, etc.
Rights (permission): is the privilege of accessing the operation of the business system resources owned by the user, and can access the guest resources of the business system or do the authorization qualification of some operation.
Constraint (Limit): the method is limited in a session process, a user-service body mapping process, a service body-object mapping process and the like, and mainly comprises a cardinal constraint, an attribute conflict constraint, a space-time constraint, a responsibility separation constraint, a minimum authority principle, a data abstraction principle and the like.
Attributes (Attributes): elements for identifying entities of access users, service systems and the like are defined as a binary group < Attribute, value >, wherein UA refers to user attributes, OA refers to operation attributes, BA refers to service body attributes, EA refers to environment attributes, and the current environment state of access occurs.
Session (SES): and mapping the corresponding relation between the user and the set formed by the service bodies of the modules.
User-traffic mapping (User-Business Entity Mapping, UBM): and acquiring access user attributes through the association relation between the session establishment user and the service body, and establishing a complete service body structure.
Business Entity-rights mapping (BPM): and the corresponding relation between the service body and the authority is realized, and the access authorization process is completed.
The application has the following advantages:
(1) The business system and the access user information are abstractly described as a business body, and access control over users is realized through the trust evaluation method and the trust judgment mechanism inside the business body, based on the user attributes and the security level of the business system. This separates the access control process from the business system data, protects the data during access authorization, and makes access control of the business system fast.
(2) For a modularized business system, each business system module is abstractly described as a modular initial business body BE Init, and a user request acquisition method is set in the service body. When a user initiates an access request, the access request information is acquired in time and the service system module named in the request is mapped to the corresponding initial service body BE Init, which realizes flexible configuration of service bodies and makes access control faster and more accurate.
(3) The user attributes are evaluated dynamically during the user's access, the user trust level is evaluated from the dynamically obtained user attributes, and the result is compared with the security level attribute value of the service system in the service body, ensuring the timeliness and reliability of the information used in the access control process.
(4) The attributes of the accessing user are acquired automatically by the user attribute acquisition method in the service body, which improves the efficiency of the trust evaluation of the accessing user.
(5) Combined with attribute-based access control, access permissions are divided at fine granularity and an access control mechanism is set in the service body to meet the fine-grained access requirements of the accessing user.
(6) The association degree method set in the service bodies can calculate the association degree between the service bodies of the modules and derive the relationship between service bodies from it, which simplifies permission management of the service bodies and improves the flexibility of the access authorization process.
The above is only a preferred embodiment of the present application and is not intended to limit it; those skilled in the art can make various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (10)

1. A dynamic access control method based on a service body, comprising:
abstracting the service system to obtain an initial service body BE Init, the service body being an abstract description of the complex formed by the service system and the user and comprising attributes, methods and mechanisms;
the user sending an access request to the service system, and the user attribute acquisition method of the initial service body BE Init acquiring the user attributes to obtain a complete service body;
the trust evaluation method in the service body evaluating the trust level of the user according to the user attributes;
the trust judgment mechanism in the service body comparing the trust level of the user with the service system security level attribute value of the service body;
and if the user trust level is higher than the service system security level attribute value of the service body, allowing the user to continue the access.
2. The dynamic access control method according to claim 1, wherein:
the super application system comprises a plurality of service system modules, and each service system module is abstracted separately to obtain a corresponding initial service body BE Init;
when the user sends an access request to the service system, the user request acquisition method of the initial service body BE Init receives the access request and processes it to obtain access request information;
and a mapping relation is established between the service system information in the access request information and the initial service body BE Init of the corresponding service system module.
3. The dynamic access control method according to claim 2, wherein:
the attributes comprise a service body ID attribute, service system attributes and user attributes, and the service system attributes comprise a security level;
the methods comprise a service body initialization method, a user request acquisition method, a user attribute acquisition method and a trust evaluation method;
the mechanisms comprise a trust judgment mechanism.
4. A dynamic access control method according to claim 3, characterized in that: the service body initialization method abstracts the service system into a service body structure, acquires the service system attributes of the service system, and adds them into the service body structure to obtain the initial service body BE Init.
5. The dynamic access control method according to claim 1, wherein: the trust evaluation method in the service body dynamically evaluates the trust level of the user according to the user attributes, comprising the following steps:
taking the user trust level attribute value in the user attributes as the historical trust value of the user;
evaluating the space-time attributes in the user attributes to obtain the space-time trust value of the user;
and combining the historical trust value and the space-time trust value to obtain the user trust level.
6. The dynamic access control method according to claim 5, wherein: in the dynamic evaluation of the user trust level, the historical trust value is given directly at the first evaluation, and thereafter the user's historical trust value is calculated from the user trust level, with the formula:
uht = 0.5 × CT
the space-time attributes comprise time, address and context, and the space-time trust value of the user is calculated from the association degree of each space-time attribute with system security, with the formula:
the calculation formula of the user trust level is:
CT = α × uht + β × st (α + β = 1)
wherein:
uht, st and CT are the historical trust value, the space-time trust value and the user trust level of the user respectively;
rel represents the association degree of each space-time attribute with system security;
w represents the weight of each space-time attribute;
n represents the number of space-time attributes;
α and β respectively represent the weights of the user's historical trust value and space-time attribute trust value in the system.
7. A dynamic access control method according to claim 3, characterized in that: the service body further comprises an access authorization mechanism, and the user request acquisition method also acquires operation type information when processing the access request;
when the user is allowed to continue the access, the access authorization mechanism acquires the user attributes and the service body ID attribute and obtains the operation authority range of the user in the service system;
and if the operation type in the user request is within the operation authority range, the access is authorized.
8. The dynamic access control method according to claim 7, wherein: according to the association relation between different service system modules in the super application system, the service bodies have a permission inheritance relation;
a child service body inherits the permissions of its unique parent service body and may also possess additional permissions.
9. The dynamic access control method according to claim 8, wherein: the service body further comprises an association degree method, and the association degree between two service bodies is calculated according to the association degree method;
and if the association degree between one service body and another service body is greater than 0.5, the two service bodies have an inheritance relation.
10. The dynamic access control method according to claim 9, wherein: the association degree of the two service bodies is calculated from the service system attributes corresponding to the two service bodies, with the formula:
wherein:
Am represents the service system attribute set of service body m;
An represents the service system attribute set of service body n;
|Am ∩ An| represents the number of attributes that service body m and service body n have in common;
|Am ∪ An| represents the number of all attributes owned by service body m and service body n.
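The trust evaluation of claims 5 and 6, the trust judgment of claim 1, the authorization of claim 7 and the inheritance test of claims 8 to 10, as an added Python example that is not the patent's own code. The page does not reproduce the space-time trust formula or the association degree formula, so this example assumes st = Σ rel_i × w_i with Σ w = 1 and association degree = |Am ∩ An| / |Am ∪ An| from the quantities claim 10 defines; the BusinessEntity fields, α = 0.4, β = 0.6 and the first-evaluation historical trust value 0.8 are constructed for illustration.

```python
# Added example (not the patent's code): the claimed trust evaluation, trust
# judgment and service body inheritance. Formulas marked ASSUMED are not on the page.
from dataclasses import dataclass

@dataclass
class BusinessEntity:
    be_id: str                  # service body ID attribute
    security_level: float       # service system attribute: security level
    attrs: frozenset            # service system attribute set A_m (claim 10)
    permissions: frozenset      # operation authority range (claim 7)
    parent: "BusinessEntity | None" = None   # unique parent service body (claim 8)

def history_trust(prev_ct, first_value=0.8):
    """uht: given directly at the first evaluation, thereafter uht = 0.5 * CT (claim 6)."""
    return first_value if prev_ct is None else 0.5 * prev_ct

def spacetime_trust(rel, w):
    """st from rel (association of time/address/context with system security) and
    weights w. ASSUMED form: st = sum(rel_i * w_i) with the weights summing to 1."""
    if len(rel) != len(w) or abs(sum(w) - 1.0) > 1e-9:
        raise ValueError("one weight per space-time attribute, weights summing to 1")
    return sum(r * x for r, x in zip(rel, w))

def trust_level(uht, st, alpha=0.4, beta=0.6):
    """CT = alpha * uht + beta * st with alpha + beta = 1 (claim 6)."""
    if abs(alpha + beta - 1.0) > 1e-9:
        raise ValueError("alpha + beta must equal 1")
    return alpha * uht + beta * st

def association_degree(m, n):
    """ASSUMED: |A_m ∩ A_n| / |A_m ∪ A_n|, the two quantities claim 10 defines."""
    union = m.attrs | n.attrs
    return len(m.attrs & n.attrs) / len(union) if union else 0.0

def effective_permissions(be):
    """Own permissions, plus the unique parent's when association > 0.5 (claims 8, 9)."""
    perms = set(be.permissions)
    if be.parent is not None and association_degree(be, be.parent) > 0.5:
        perms |= effective_permissions(be.parent)
    return perms

def decide(be, ct, operation):
    """Trust judgment (claim 1, strictly higher than security level), then claim 7."""
    if ct <= be.security_level:
        return "deny"
    return "authorize" if operation in effective_permissions(be) else "deny"
```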
Priority Applications (1)

Application Number: CN202210200138.0A (CN114567489B, en); Priority Date: 2022-03-02; Filing Date: 2022-03-02; Title: Dynamic access control method based on service body; Status: Active

Publications (2)

Publication Number Publication Date
CN114567489A CN114567489A (en) 2022-05-31
CN114567489B true CN114567489B (en) 2023-09-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240430

Address after: Room 5033, 5th Floor, Shandong Digital Industry Building, No. 28-1 Jingqi Road, Shizhong District, Jinan City, Shandong Province, 250001

Patentee after: Jinan Rongtu Information Technology Co.,Ltd.

Country or region after: China

Address before: 276000 west side of north section of Industrial Road, Lanshan District, Linyi, Shandong

Patentee before: LINYI University

Country or region before: China