CN114615040A - Knowledge graph ontology data classification and classification security access control method and application - Google Patents

Info

Publication number
CN114615040A
Authority
CN
China
Prior art keywords
data
user
security level
security
uploaded
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210204309.7A
Other languages
Chinese (zh)
Inventor
程永靖
谢伟
闫凯
黄健
张友根
袁山洞
贾国辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology
Priority to CN202210204309.7A
Publication of CN114615040A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H04L63/105 Multiple levels of security
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a hierarchical classification security access control method for knowledge graph ontology data, and an application thereof. The method comprises the following steps: predefining a system authority level range, security control system parameters, an authority granularity, a category attribute space of the ontology data and a security level attribute space; when a user uploads ontology data, the user defines the category and the security level of the uploaded data, and if the security level of the user and the security level of the uploaded data satisfy a given condition, the uploaded data is stored in encrypted form; when a user downloads ontology data, if the security level of the user and the security level of the downloaded data satisfy a given condition, the downloaded data is decrypted and provided to the user. The invention meets the complex security requirements of massively growing knowledge graph ontology data in use and has the advantages of confidentiality, integrity, reliability and flexibility.

Description

Knowledge graph ontology data classification and classification security access control method and application
Technical Field
The invention belongs to the technical field of data storage, and particularly relates to a hierarchical classification security access control method for knowledge graph ontology data and application thereof.
Background
In recent years, with the explosive growth of mass data, the storage requirements for the ontology data of industry knowledge graphs have also grown. An object cloud storage system is a cloud computing architecture for data storage and is generally used for storing unstructured data that has hierarchical classification characteristics. Under the premise that the cloud service is not trusted, how to achieve fine-grained access control over the large number of hierarchically classified ontology data resources in cloud storage, and guarantee that confidential data in the cloud storage cannot be illegally accessed, is a problem that cloud computing technology urgently needs to solve.
In a distributed object storage system in cloud computing, a friendly access interface is usually adopted so that object storage supports cross-platform data sharing; operations such as creating, retrieving, updating and deleting data (CRUD) and managing object attributes can be executed efficiently through this interface. The distributed object storage system is suitable for loading MB-scale ontology data and for flexibly querying, using, updating and extending all of its dimensional attributes, which markedly improves computing efficiency and user experience, so it is well suited to ontology data and knowledge graph applications in the cloud computing mode. In object-based storage, an object is a type of storage container that provides unstructured file access operations through a fixed interface, while a set of metadata describing the attributes of the file data is maintained for management; this metadata can generally be used to implement a security policy that prevents unauthorized access to the data. The American National Standards Institute (ANSI) approved standard specifications for object storage in 2005, and object storage is now widely used, typically in large-scale implementations such as AWS S3, Huawei OBS, OpenStack Swift and Ceph.
However, with the development of cloud storage technology, its dynamic complexity, openness and high concentration of resources inevitably bring data security problems. A user who entrusts ontology data to a third-party cloud service provider for storage and management loses control over data access rights; in particular, leaks of metadata involving national secrets or industry and business secrets can have extremely serious consequences. Therefore a knowledge graph ontology data security access mechanism suitable for the object cloud storage mode needs to be provided, and this mechanism should have a flexible and reliable security system that protects the confidentiality, integrity and reliability of the knowledge graph ontology data.
Access control is an important means of preventing illegal access to data: once an access control mechanism for the large number of resources in cloud storage is realized, users can safely entrust their ontology data to a cloud platform. Many scholars have therefore proposed different solutions, focusing mainly on 3 aspects, see Table 1.
TABLE 1 cloud computing access control techniques
Common access control methods include discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), attribute-based access control (ABAC) and task-based access control (TBAC). Each single access control mechanism has its own characteristics and obvious disadvantages. For example, DAC often leads to improper authorization and untimely revocation of permissions, leaving sensitive data at risk; MAC is inherently inflexible, which makes it difficult for the system to adjust rights as the service changes dynamically and increases the labor cost of the service. RBAC, ABAC and TBAC balance security and flexibility well, but with the mass storage and explosive growth of knowledge graph ontology data it is difficult for them to analyze the roles, attributes or tasks of that data at a fine granularity and so perform precise access authority control.
Therefore, to meet the security requirements of massively growing knowledge graph ontology data, a fine-grained data security access control mechanism with confidentiality, integrity, flexibility and reliability needs to be provided. In addition, although research on access control mechanisms in cloud computing is ongoing, two problems arise in practical application scenarios. On the one hand, as object cloud storage grows in scale, ontology data with hierarchically related features in a field generally needs to be managed by hierarchical classification. Suppose there is a classification relationship Music → Chinese music → Liu Dehua: if user A uploads music 1 and the system specifies its classification attribute as Liu Dehua, then a user B whose permission is at the Chinese music level should be able to access all files under the Liu Dehua classification. On the other hand, with massive object data in storage, efficient fine-grained access control is required to realize controlled sharing and storage isolation of the data, and a distributed authorization center also needs to be established in the cloud environment to serve the concurrent access requests of large-scale users. However, because cloud storage of knowledge graph ontology data in object format differs from traditional block storage in application scope, underlying architecture, principle and model, it faces more challenges for new access control technology.
Disclosure of Invention
Aiming at at least one defect or improvement requirement in the prior art, the invention provides a knowledge graph ontology data hierarchical classification security access control method and an application thereof, which have the advantages of confidentiality, integrity, reliability and flexibility.
To achieve the above object, according to a first aspect of the present invention, there is provided a hierarchical classification security access control method for knowledge graph ontology data, comprising:
predefining a system authority level range, security control system parameters, a category attribute space of the ontology data and a security level attribute space, wherein the security control system parameters are used for data encryption or decryption during uploading or downloading, the category attribute space defines the category hierarchy of the ontology data, and the security level attribute space defines the authority levels allowed for the ontology data of each category;
when a user uploads ontology data, defining the category and the security level of the uploaded data, and if the security level of the user and the security level of the uploaded data satisfy a first preset condition, the category of the uploaded data belongs to the category attribute space, and the security level of the uploaded data belongs to the security level attribute space, storing the uploaded data in encrypted form;
or when a user downloads ontology data, filling in the category and the security level of the downloaded data, and if the security level of the user and the security level of the downloaded data satisfy a second preset condition, the category of the downloaded data belongs to the category attribute space, and the security level of the downloaded data belongs to the security level attribute space, decrypting the downloaded data and providing the decrypted data to the user.
Furthermore, hierarchical authorization nodes corresponding to the authority level range are arranged, comprising a main authorization node and sub-authorization nodes; the main authorization node at the uppermost layer has the greatest authority and stores a main key generated from the security control system parameters, and the private key of each sub-authorization node is generated from the main key and its authorization level;
during encrypted storage of the uploaded data, the main authorization node or a sub-authorization node provides the main key or the sub-authorization node's private key to the uploading user for encrypting the uploaded data;
or during decryption of the downloaded data, the main authorization node or a sub-authorization node provides the main key or the sub-authorization node's private key to the downloading user for decrypting the downloaded data.
Further, an authorized private key of the uploading user is generated from the authorized private key provided to the uploading user and the security level of the uploading user, and the uploaded data is encrypted with the authorized private key of the uploading user;
or an authorized private key of the downloading user is generated from the authorized private key provided to the downloading user and the security level of the downloading user, and the uploaded data is decrypted with the authorized private key of the uploading user, which a downloading user whose security level satisfies the second preset condition can derive from its own authorized private key.
Further, during data upload, the authorization node at the lowest hierarchy level is selected, from among the authorization nodes that satisfy the category and security level of the uploaded data, to authorize the uploading user.
Furthermore, during data download, the authorization node at the highest level is selected, from among the authorization nodes that satisfy the category and security level of the downloaded data, to authenticate the downloading user.
Further, the hierarchical classification security access control method for knowledge graph ontology data further comprises: predefining the authority control granularity, and defining the authority levels of the security level attribute space and the security level specified when a user uploads data according to the authority control granularity and the system authority level range.
Further, a hierarchical cloud storage system based on cloud storage objects corresponding to the authority level range is arranged.
Further, if the security level of the user and the security level of the uploaded data satisfy the first preset condition, the category of the uploaded data belongs to the category attribute space and the security level of the uploaded data belongs to the security level attribute space, the cloud storage system generates an access token and transmits it to the uploading user, then caches the access token and the uploading user's information as a key-value pair in the ontology object metadata area;
the uploading user receives the access token and uploads the ontology data to the cloud storage system; the cloud storage system verifies the access token and, if verification passes, accepts the uploaded data as a data file of the specified category and at the same time extends and updates the metadata file.
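The token exchange described in the two preceding paragraphs, written out as an added Python sketch that is not the patent's own code. The cloud storage system issues a random token bound to the uploading user and to the object mark (category, security level) the upload was authorized for, caches it as a key-value entry standing in for the ontology object metadata area, and on upload verifies the token before accepting the file into a per-category index. The single-use rule, the expiry, the token format, the index layout and the class and method names are assumptions; the authorization decision itself (the first preset condition) is taken to have been made by the authorization center before issue_token is called.

```python
"""Upload access-token exchange between an uploader and the cloud storage system (added example)."""
import secrets
import time
from typing import Callable, Dict, Tuple


class CloudStorage:
    """Stand-in for the CSP side of the flow; nothing here is the patent's implementation."""

    def __init__(self, clock: Callable[[], float] = time.time, ttl_seconds: int = 300):
        self._clock = clock
        self._ttl = ttl_seconds
        # Ontology object metadata area: access token -> uploading user info, cached as key/value pairs.
        self.token_cache: Dict[str, dict] = {}
        # Per-category list of accepted data files; "extended and updated" on every accepted upload.
        self.index: Dict[str, list] = {}

    def issue_token(self, L_user: str, C_data: str, G_data: int) -> str:
        """Called once the first preset condition has passed for this user and object mark."""
        token = secrets.token_urlsafe(32)                       # unguessable, single-use (assumption)
        self.token_cache[token] = {
            "L_user": L_user, "C_data": C_data, "G_data": G_data,
            "expires": self._clock() + self._ttl, "used": False,
        }
        return token

    def accept_upload(self, token: str, L_user: str, C_data: str, G_data: int,
                      ciphertext: bytes) -> Tuple[bool, str]:
        """Verify the token, then accept the (already encrypted) data as a file of the given category."""
        entry = self.token_cache.get(token)
        if entry is None:
            return False, "unknown token"
        if entry["used"]:
            return False, "token already used"               # replay of a captured token
        if self._clock() > entry["expires"]:
            return False, "token expired"
        # The token is bound to the mark it was issued for: a valid token presented with a different
        # category or level is refused, so an uploader cannot relabel data after being authorized.
        if (entry["L_user"], entry["C_data"], entry["G_data"]) != (L_user, C_data, G_data):
            return False, "token not issued for this user/object mark"
        entry["used"] = True
        object_id = f"{C_data}/{len(self.index.get(C_data, [])) + 1}"
        self.index.setdefault(C_data, []).append(
            {"id": object_id, "G_data": G_data, "uploader": L_user, "size": len(ciphertext)}
        )
        return True, object_id
```

The check order matters in practice: a token is only marked used after every binding check passes, so a failed attempt with the wrong category does not burn a legitimately issued token, while a successful upload burns it immediately and a replayed copy is refused.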
According to a second aspect of the invention, a knowledge graph ontology data hierarchical classification security access control system is provided, comprising a hierarchical distributed authorization center;
the hierarchical distributed authorization center is used for predefining a system authority level range, security control system parameters, and the category attribute space and security level attribute space of the ontology data, wherein the security control system parameters are used for data encryption or decryption during uploading or downloading, the category attribute space defines the category hierarchy of the ontology data, and the security level attribute space defines the authority levels allowed for the ontology data of each category;
when the hierarchical distributed authorization center receives ontology data uploaded or downloaded by a user, the uploaded data carries a user-defined category and a user-defined security level; if the user's security level and the uploaded data's security level satisfy a first preset condition, the uploaded data's category belongs to the category attribute space and its security level belongs to the security level attribute space, the authorized user encrypts the uploaded data and stores it in the cloud storage system; if the user's security level and the downloaded data's security level satisfy a second preset condition, the downloaded data's category belongs to the category attribute space and its security level belongs to the security level attribute space, the downloaded data is decrypted and provided to the user from the cloud storage system.
According to a third aspect of the present invention, there is provided a computer readable storage medium storing a computer program which, when executed by a processor, implements any one of the above hierarchical classification security access control methods for knowledge graph ontology data.
In general, compared with the prior art, the invention has the following beneficial effects:
(1) The method meets the complex security requirements of massively growing knowledge graph ontology data in use, and has the advantages of confidentiality, integrity, reliability and flexibility.
(2) Ontology data with hierarchically related features can be managed by classification. For example, given the classification relationship Music → Chinese music → Liu Dehua, if user A uploads music 1 and the system specifies its classification attribute as Liu Dehua, then a user B whose permission is at the Chinese music level can access all files under the Liu Dehua classification.
(3) With massive object data in storage, controlled sharing and storage isolation of the data can be realized through efficient hierarchical authority access control, and fine-grained upload and download control can be performed according to roles, attributes and the like.
Drawings
FIG. 1 is a schematic diagram of a knowledge-graph ontology data hierarchical classification security access control method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for hierarchical classification of security access control to data of a knowledge-graph ontology in accordance with an embodiment of the present invention;
fig. 3 is a schematic application diagram of a hierarchical classification security access control method for data of a knowledge-graph ontology according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The technical problem to be solved by the invention is to overcome the defect that the existing single access control model is difficult to adapt to the complex security requirement of the knowledge graph ontology data stored based on cloud objects in the using process, and provide a hierarchical ontology data classification security access control (HGCAC) method with confidentiality, integrity, reliability and flexibility. The method can be used for knowledge graph authority control based on ontology data object cloud storage, including but not limited to query, retrieval and use of knowledge graphs.
The embodiment of the invention takes the HGCAC algorithm as its core, combines the advantages of mandatory access control, role-based access control, attribute-based access control and other methods, and is designed on top of an object cloud storage system. In the embodiment, as shown in fig. 1, there are 3 types of roles: the User, the cloud storage system CSP and the hierarchical distributed authorization center KGC. The user's operations include submitting requests to upload and download knowledge graph ontology data files and performing data encryption and decryption. The hierarchical distributed authorization center is responsible for 3 functions: maintaining the system public parameters, delegating hierarchical authorization to child nodes, and providing private keys to target users and authorizing them. This scheme gives authorized users different data access rights, according to which users are classified into different Security Classes (SC). In general, the master KGC is responsible for assigning private information and keys to each sub-KGC at the lower level, and each sub-KGC can derive, from its private information and the public parameters, the decryption keys of its own security level and of its successors, so that it can read data of lower security levels. The three entity roles, the User, the cloud storage system CSP and the hierarchical distributed authorization center KGC, together form the access control model, which, as demonstrated, suits the usage scenario of storing dynamic and complex hierarchically classified knowledge graph ontology data.
For a User, the access control model (as shown in fig. 1) mainly includes two types of users: the data uploading request user (uploading user, the same below) and the data downloading request user (downloading user, the same below) almost cover all user roles of uploading or reading, downloading or writing operations related to the model.
For a hierarchical distributed authorization center KGC, a distributed hierarchical classification authorization strategy is mainly adopted. As shown in fig. 1, it is assumed that the maximum permission range of the system is set to be 1 to 6, and when the permission control granularity is 2, the top-level master KGC node of the KGC has the highest security access permission (level 1 to 6), and is mainly responsible for providing a private key for a target user (a user with the highest security level), and can delegate child nodes to perform hierarchical authorization, thereby giving a security access permission of a specific category to a user with a lower security level.
For the CSP, the cloud storage data objects correspond one-to-one with the hierarchical authorization KGC nodes; categories at the same layer can be extended without limit, and the security levels of ontology data at different layers can be defined independently. As shown in fig. 1, the hierarchical classification scheme of the cloud storage system CSP is kept strictly consistent with that of the distributed authorization center, which ensures both strict authority control and flexible secure data access.
In fact, the scheme is an access control scheme for a cloud storage service: for access control of the cloud storage service, the traditional read and write operations become the processes encrypt-and-upload (write) and download-and-decrypt (read). The data uploader defines an access control structure, namely the authentication label, according to the data classification category and the security level, and uploads the encrypted data to the object cloud storage server. A user accesses the ontology data, and the data may be downloaded and decrypted if the user's security level dominates the data security level (i.e. the user's security level is not lower than the data security level); the higher a user's classification or security level, the more data it dominates (i.e. can access). In practical application, the other operations of cloud storage can be composed from these two behaviours (data upload and data access), so they can be converted into combinations of those operations and specific access control is performed according to the fine-grained access control policy.
As shown in fig. 2, a method for controlling security access by hierarchical classification of data of a knowledge-graph ontology according to an embodiment of the present invention includes:
S201: a system authority level range, security control system parameters, a category attribute space of the ontology data and a security level attribute space are predefined; the security control system parameters are used for data encryption or decryption during uploading or downloading, the category attribute space defines the category hierarchy of the ontology data, and the security level attribute space defines the authority levels allowed for the ontology data of each category.
Further, when defining the parameters, the authority control granularity needs to be predefined. The authority levels of the security level attribute space and the security level specified when a user uploads data are defined according to the authority control granularity and the system authority level range.
In one embodiment, the parameters are defined as follows:
Subject set $Sub = \{sub_1, \ldots, sub_m\}$ denotes the users performing access operations, where $sub_i.L_s = (L_{user}, G_{user})$ is the subject mark, $L_{user}$ is the user identity information and $G_{user}$ is the user security level;
Object set $Obj = \{obj_1, \ldots, obj_n\}$ denotes the ontology object data in cloud storage, where $obj_j.L_o = (C_{data}, G_{data})$ is the object mark, $C_{data}$ is the ontology data category and $G_{data}$ is the ontology data security level;
The authentication label consists of a subject mark and an object mark: $L = (sub_i.L_s,\ obj_j.L_o)$;
The access request operation set $R = \{upload, download, read, write\}$;
The request-response set $D = \{yes, no, error\}$;
The set of states the system executes $V = S \times R \times O$, where $v \in V$ indicates which subjects access which objects with which operations;
The access control model response function $g(\cdot)$, where $g(v) \in D$ is the response result;
The ontology data attribute space $\Omega = \Omega_C \times \Omega_G$, where $\Omega_C$ and $\Omega_G$ are the category attribute space and the security level attribute space of the ontology data, respectively.
S202: when a user uploads ontology data, the user defines the category and the security level of the uploaded data, and if the security level of the user and the security level of the uploaded data satisfy a first preset condition, the category of the uploaded data belongs to the category attribute space, and the security level of the uploaded data belongs to the security level attribute space, the uploaded data is stored in encrypted form; or when a user downloads ontology data, the user fills in the category and the security level of the downloaded data, and if the security level of the user and the security level of the downloaded data satisfy a second preset condition, the category of the downloaded data belongs to the category attribute space, and the security level of the downloaded data belongs to the security level attribute space, the downloaded data is decrypted and provided to the user.
In one embodiment, the security access control policy is defined over the parameters of the above example as follows:
An upload or write operation succeeds if and only if the user's authentication passes, i.e. $Ver(L_{user}) = true$, the security level in the user's subject mark is less than or equal to the security level in the object mark of the uploaded data file, and the data category and the security level in the object mark belong to the system's category attribute space and security level attribute space respectively. That is, for all $sub_i \in Sub$ and $obj_j \in Obj$:
$$g(sub_i, upload, obj_j) = yes \iff Ver(L_{user}) = true \ \wedge\ G_{user} \le G_{data} \ \wedge\ C_{data} \in \Omega_C \ \wedge\ G_{data} \in \Omega_G$$
A download or read operation succeeds if and only if the user's authentication passes, i.e. $Ver(L_{user}) = true$, the security level in the user's subject mark is greater than or equal to the security level in the object mark of the downloaded data file, and the data category and the security level in the object mark belong to the system's category attribute space and security level attribute space respectively. That is, for all $sub_i \in Sub$ and $obj_j \in Obj$:
$$g(sub_i, download, obj_j) = yes \iff Ver(L_{user}) = true \ \wedge\ G_{user} \ge G_{data} \ \wedge\ C_{data} \in \Omega_C \ \wedge\ G_{data} \in \Omega_G$$
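The model defined in S201 and the two policy conditions above, written out as an added Python example that is not part of the patent: subject and object marks, the operation set R, the response set D and the response function g(v) with the upload condition $G_{user} \le G_{data}$ and the download condition $G_{user} \ge G_{data}$. The category tree, the per-category level ranges inside the system range 1..6, the identity directory standing in for $Ver(\cdot)$, the user's category scope C_user (taken from the Music → Chinese music → Liu Dehua example, where a user at the Chinese music level reaches everything under Liu Dehua), and the mapping of requests outside R or outside Ω to the response "error" are all assumptions.

```python
"""Subject/object marks and the response function g(v) of the HGCAC model (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Category attribute space Omega_C as a tree (child -> parent), constructed from the page's Music example.
OMEGA_C: Dict[str, Optional[str]] = {
    "Music": None,
    "Chinese music": "Music",
    "Liu Dehua": "Chinese music",
    "Film": None,
}
# Security-level attribute space Omega_G: levels each category may carry within the system range 1..6.
# The per-category ranges are constructed; the page fixes only the overall range.
OMEGA_G: Dict[str, range] = {
    "Music": range(1, 7),
    "Chinese music": range(1, 7),
    "Liu Dehua": range(1, 5),
    "Film": range(1, 7),
}
R = {"upload", "download", "read", "write"}   # access request operation set
REGISTERED_USERS = {"user_a", "user_b"}       # constructed identity directory behind Ver(L_user)


@dataclass(frozen=True)
class SubjectMark:
    """sub_i.L_s = (L_user, G_user), plus the category scope C_user the user was authorized for
    (an assumption drawn from the Music -> Chinese music -> Liu Dehua example)."""
    L_user: str
    G_user: int
    C_user: str


@dataclass(frozen=True)
class ObjectMark:
    """obj_j.L_o = (C_data, G_data)."""
    C_data: str
    G_data: int


def ver(L_user: str) -> bool:
    """Ver(L_user): the user's identity is known to the system."""
    return L_user in REGISTERED_USERS


def dominates(scope: str, category: str) -> bool:
    """True if category equals scope or lies beneath it in Omega_C."""
    node: Optional[str] = category
    while node is not None:
        if node == scope:
            return True
        node = OMEGA_C[node]
    return False


def in_attribute_space(obj: ObjectMark) -> bool:
    """C_data in Omega_C and G_data in Omega_G for that category."""
    return obj.C_data in OMEGA_C and obj.G_data in OMEGA_G[obj.C_data]


def g(sub: SubjectMark, op: str, obj: ObjectMark) -> str:
    """Response g(v) in D = {yes, no, error} for the state v = (sub, op, obj)."""
    # Requests outside R or outside the attribute space Omega are answered with 'error' (assumption).
    if op not in R or sub.C_user not in OMEGA_C or not in_attribute_space(obj):
        return "error"
    if not ver(sub.L_user) or not dominates(sub.C_user, obj.C_data):
        return "no"
    if op in ("upload", "write"):
        # first preset condition: G_user <= G_data (no writing data below the user's own level)
        return "yes" if sub.G_user <= obj.G_data else "no"
    # second preset condition: G_user >= G_data (no reading data above the user's own level)
    return "yes" if sub.G_user >= obj.G_data else "no"
```

The two conditions together are the classic no-read-up / no-write-down pair: a level-1 user may upload a level-2 file under Liu Dehua but may not download it back, while a level-3 user authorized at Chinese music may download it but may not overwrite it with lower-level data.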
Furthermore, hierarchical authorization nodes corresponding to the authority level range are arranged, comprising a main authorization node and sub-authorization nodes. The main authorization node has the maximum authority and stores a master key generated from the parameters of the security control system; the private key of each sub-authorization node is generated from the master key and its authorization level. When the uploaded data is encrypted and stored, the main authorization node or a sub-authorization node provides the master key or the sub-authorization node's private key to the uploading user to encrypt the uploaded data; when downloaded data is decrypted, the main authorization node or a sub-authorization node provides the master key or the sub-authorization node's private key to the downloading user to decrypt the downloaded data.
Further, the authorized private key of the uploading user is generated from the authorized private key provided to the uploading user and the uploading user's security level, and the uploaded data is encrypted with the uploading user's authorized private key; or the authorized private key of the downloading user is generated from the authorized private key provided to the downloading user and the downloading user's security level, and the uploaded data is decrypted by using the authorized private key of the uploading user.
Furthermore, when the KGC executes the hierarchical delegation authorization rule it should follow the minimum authorization principle: on the premise of meeting the category and security requirements of the ontology data in the object tag, the smallest possible child KGC should be sought for authorization; that is, in the data uploading process, the authorization node with the lowest hierarchy among the authorization nodes meeting the category and security level of the uploaded data is selected to authorize the uploading user. This KGC minimum authorization principle is explained as follows: when several KGC nodes are authorization units conforming to the user's category and security level, the child KGC node with the minimum authority and the minimum category coverage is selected. Taking fig. 1 as an example, in a KGC security authorization system with a permission range of 1-6 and a permission control granularity of 2, when a user uploads ontology data with security level 2 and category coverage C12, KGC, KGC_1 and KGC_12 all meet the requirement (every KGC whose security level is greater than or equal to 2 and whose category attribute space contains C12 can accept the upload), but the distributed hierarchical authorization center only assigns KGC_12, the node with the minimum authority, to authorize the uploading user. This is the key to ensuring that the KGC performs fine-grained authority control.
Furthermore, when the KGC executes the hierarchical attribute allocation rule it should follow the maximum allocation principle: on the premise of satisfying the category and security requirements of the CSP ontology data, the largest possible parent KGC should be sought to allocate the attribute authority (i.e., to authenticate); that is, in the data downloading process, the authorization node with the highest hierarchy among the authorization nodes satisfying the category and security level of the downloaded data is selected to authenticate the downloading user. This KGC hierarchical attribute maximum allocation principle is explained as follows: when several KGC nodes are authentication units meeting the category and security requirements of the CSP ontology data, the parent KGC node with the highest authority and the largest category coverage is selected. Taking fig. 1 as an example, in a KGC security authorization system with an authority range of 1-6 and an authority control granularity of 2, when a user downloads ontology data with security level 4 and category coverage C11, KGC_1 and KGC_12 both meet the requirement (every KGC whose security level is less than or equal to 4 and whose category attribute space contains C11 can serve the download), but the distributed hierarchical authorization center only assigns KGC_1, the node with the highest authority, to authenticate the downloading (reading) user. This is the key to ensuring that the KGC enforces strict confidentiality control.
Further, a hierarchical ontology data cloud storage system corresponding to the authority level range is arranged.
Further, the method for controlling hierarchical classification security access of knowledge graph ontology data in the embodiment of the present invention includes five parts, namely a system initialization algorithm (Setup), a KGC node authorization algorithm (Delegate), a user authorization and private key generation algorithm (KeyGen), an object data encryption algorithm (Encrypt), and a ciphertext data decryption algorithm (Decrypt).
The knowledge graph ontology data classified safety access control method comprises the following steps:
(1) The authority registers the identities of the uploading user and the downloading user respectively, and assigns the corresponding operation authority security level to each user according to the registration information.
(2) The system executes the authority initialization algorithm Setup, taking as input the maximum authority range G_range (e.g., 1-6), the authority control granularity G_size (e.g., 2), the security control system parameter λ, and the ontology data attribute space Ω = {Ω_C, Ω_G}, where Ω_C and Ω_G are respectively the category attribute space and the level attribute space of the ontology data. It outputs a hierarchical authority identification mode, the system public parameter PK and the master key MK; the master key is kept by the highest KGC and used to authorize sub-KGCs and to generate private keys, while the system public parameter PK is generated from the input parameters and the master key MK using MD5 encryption and participates in the other algorithms of the system for authority control.
(3) The data uploading by the user comprises the following steps:
(3.1) The uploading user accesses the cloud storage system and submits an upload operation request.
(3.2) The cloud storage service CSP verifies the user identity and the access Token; if they do not exist or are invalid, the request is redirected to the KGC for authentication; otherwise, go to step (3.8).
(3.3) The distributed authorization center KGC receives the authentication command from the CSP and sends an authentication tag request to the uploading user.
(3.4) The uploading user sends the authentication label L = (L_user, G_user, C_upload, G_upload), comprising the subject mark and the object mark; the object mark is set by the uploading user according to the category and security level of the uploaded ontology data.
(3.5) The KGC receives the authentication request and verifies whether it meets the first preset condition; if so, it assigns a sub-KGC (or the main KGC itself) to perform the authorization according to the minimum authorization principle and executes the KeyGen algorithm to generate the private key SK_usr; if not, go to step (3.3).
(3.6) The sub-KGC sends the authentication-passed result and the private key SK_usr to the user.
(3.7) At the same time, the KGC returns the identity information and the authentication-passed result to the cloud storage service CSP over the secure channel.
(3.8) The CSP generates an access Token and sends it to the user, then caches the Token and the user information as a key-value pair in the ontology object metadata area.
(3.9) The user receives the authentication-passed result and the access Token, and optionally encrypts the ontology data to be uploaded with the private key SK_usr before sending it.
(3.10) The user uploads the plain (or encrypted) ontology data JSON file; the CSP of the cloud storage system verifies the Token, and if it passes, accepts the (ciphertext) file as a data file of the specified category and expands and updates the metadata file. Note that plain/encrypted here refers to how the data is packaged during channel transmission, i.e. protection in transit, as decided in step (3.9); this is distinct from the security level in the object tag that the user uploads for access control: one serves data transmission protection, the other data access control.
(4) The user downloading data comprises the following steps:
When downloading object data the user wants to access, the private key SK_usr and a Token also need to be obtained in the same way as before, and a file download request is sent. The main steps are:
(4.1) The downloading user accesses the cloud storage system and submits a download operation request.
(4.2) The cloud storage service CSP verifies the user identity and the access Token; if they do not exist or are invalid, the request is redirected to the KGC for authentication; otherwise, go to step (4.8).
(4.3) The distributed authorization center KGC receives the authentication command from the CSP and sends an authentication tag request to the downloading user.
(4.4) The downloading user sends the authentication label L = (L_user, G_user, C_download, G_download), comprising the subject mark and the object mark; the object mark is filled in by the downloading user according to the category and security level of the requested ontology data.
(4.5) The KGC receives the authentication request and verifies whether it meets the second preset condition; if so, it assigns a sub-KGC (or the main KGC itself) to perform the authorization according to the minimum authorization principle and executes the KeyGen algorithm to generate the private key SK_usr; if not, go to step (4.3).
(4.6) The sub-KGC sends the authentication-passed result and the private key SK_usr to the user.
(4.7) At the same time, the KGC returns the identity information and the authentication-passed result to the cloud storage service CSP over the secure channel.
(4.8) The CSP generates an access Token and sends it to the downloading user, then caches the Token and the user information as a key-value pair in the ontology object metadata area.
(4.9) The downloading user receives the authentication-passed result and the access Token, and either receives the ontology data directly (when the data is not transmitted encrypted) or decrypts it with the private key SK_usr (when the uploading user transmitted it encrypted).
Assume the CSP ontology data attribute space is
Ω = {(C, 1-6), (C|C1, 1-4), (C|C2, 1-4), (C|C1|C11, 1-2), (C|C1|C12, 1-2),
(C|C2|C21, 1-2), (C|C2|C22, 1-2)}
The cloud storage data objects correspond one-to-one with the hierarchical authorization KGCs; categories on the same layer can be extended without limit, and the security levels of the ontology data on different layers can be defined freely. We set the maximum authority range of the system to 1-6 and the authority control granularity to 2; each algorithm is then defined as follows:
(1) Setup: G_range, G_size, λ, Ω = {Ω_C, Ω_G} → MK, PK
Define a hash function [definition given as an image in the source].
Randomly select [value given as an image in the source].
The system parameters are concatenated and encrypted with MD5, MK is appended at the end, and MD5 is applied again to obtain the public parameter PK.
(2) Delegate: MK, PK, ω ∈ Ω = {Ω_C, Ω_G} → SK_KGC
MK, PK and ω are concatenated and then encrypted with MD5 to obtain the authorized private key of the sub-KGC.
(3) KeyGen: MK, PK, sub_i.L_s → SK_usr
MK, PK and sub_i.L_s are concatenated and then encrypted with MD5 to obtain the user's authorized private key.
(4) Encrypt: SK_usr, Ontology_data → Ciphertext_data
SK_usr and Ontology_data are concatenated and then encrypted with MD5 to obtain the ciphertext of the ontology data.
(5) Decrypt: SK_usr, Ciphertext_data → Ontology_data
MD5 reverse decryption is performed on the ciphertext Ciphertext_data with the obtained private key to obtain the original ontology data.
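As an added worked example (not code from the patent), the following Python models the attribute space Ω above together with the first and second preset conditions and the two node-selection rules (minimum authorization for uploads, maximum allocation for downloads). The category tree, the rule that each layer of the tree lowers the permitted maximum level by the granularity G_size (which reproduces the Ω listed above), and the user names are assumptions.

```python
"""Added example (not the patent's own code): the attribute space Omega,
the two preset access conditions and the KGC node-selection rules.
Assumptions: the category tree below (read off the Omega listed above)
and that each layer of the tree lowers the permitted maximum level by
the authority control granularity G_size, which reproduces that Omega."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed category tree: parent category -> child categories.
CATEGORY_TREE = {"C": ["C1", "C2"], "C1": ["C11", "C12"], "C2": ["C21", "C22"]}
G_RANGE = (1, 6)  # system authority level range
G_SIZE = 2        # authority control granularity

def build_attribute_space(tree, root, g_range, g_size):
    """Return Omega as {category path: (min level, max level)};
    a path like 'C|C1|C12' names C12 under C1 under the root C."""
    lo, hi = g_range
    space = {}

    def walk(node, path, depth):
        space[path] = (lo, hi - g_size * depth)  # assumed layering rule
        for child in tree.get(node, []):
            walk(child, f"{path}|{child}", depth + 1)

    walk(root, root, 0)
    return space

OMEGA = build_attribute_space(CATEGORY_TREE, "C", G_RANGE, G_SIZE)

def category_path(category: str) -> Optional[str]:
    """Full path of a category name, or None if it is not in Omega_C."""
    for path in OMEGA:
        if path.rsplit("|", 1)[-1] == category:
            return path
    return None

def covers(node_path: str, obj_path: str) -> bool:
    """True if the KGC node at node_path covers the category at obj_path."""
    return obj_path == node_path or obj_path.startswith(node_path + "|")

def kgc_name(path: str) -> str:
    """'C' -> 'KGC', 'C|C1' -> 'KGC_1', 'C|C1|C12' -> 'KGC_12'."""
    leaf = path.rsplit("|", 1)[-1]
    return "KGC" if leaf == "C" else "KGC_" + leaf[1:]

@dataclass
class Label:
    """Authentication label L = (L_user, G_user, C_obj, G_obj)."""
    l_user: str  # user identity
    g_user: int  # security level marked on the user subject
    c_obj: str   # category of the uploaded / requested object
    g_obj: int   # security level marked on the object

def _object_in_space(label: Label) -> bool:
    """C_obj in Omega_C and G_obj inside that category's level range."""
    path = category_path(label.c_obj)
    return path is not None and OMEGA[path][0] <= label.g_obj <= OMEGA[path][1]

def upload_allowed(label: Label, registered: Set[str]) -> bool:
    """First preset condition: ver(L_user) = True, G_user <= G_upload
    (no write-down), and the object lies inside the attribute space."""
    return (label.l_user in registered and label.g_user <= label.g_obj
            and _object_in_space(label))

def download_allowed(label: Label, registered: Set[str]) -> bool:
    """Second preset condition: ver(L_user) = True, G_user >= G_download
    (no read-up), and the object lies inside the attribute space."""
    return (label.l_user in registered and label.g_user >= label.g_obj
            and _object_in_space(label))

def select_kgc_for_upload(category: str, level: int) -> Optional[str]:
    """Minimum authorization: among nodes covering the category whose
    authority reaches `level`, choose the lowest (deepest) node."""
    path = category_path(category)
    cands = [p for p, (_, hi) in OMEGA.items()
             if path and covers(p, path) and hi >= level]
    return max(cands, key=lambda p: p.count("|"), default=None)

def select_kgc_for_download(category: str, level: int) -> Optional[str]:
    """Maximum allocation: among nodes covering the category whose
    authority does not exceed `level`, choose the highest (shallowest) node."""
    path = category_path(category)
    cands = [p for p, (_, hi) in OMEGA.items()
             if path and covers(p, path) and hi <= level]
    return min(cands, key=lambda p: p.count("|"), default=None)
```

With the fig. 1 cases from the description, `select_kgc_for_upload("C12", 2)` resolves to KGC_12 and `select_kgc_for_download("C11", 4)` to KGC_1; a download at level 1 finds no node whose authority stays within level 1 and returns None.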
An application implementation of the method for controlling hierarchical classification security access of data of a knowledge graph ontology according to an embodiment of the present invention is shown in fig. 3.
The invention discloses a knowledge graph ontology data hierarchical classification security access control system, which comprises a hierarchical distributed authorization center; the hierarchical distributed authorization center is used for predefining a system authority level range, security control system parameters, category attribute space and security level attribute space of body data, the security control system parameters are used for data encryption or decryption in an uploading or downloading process, the category attribute space is used for defining category hierarchical relation of the body data, and the security level attribute space is used for defining authority levels allowed by the body data of each category; the hierarchical distributed authorization center is further used for receiving body data uploaded or downloaded by a user, the uploaded data comprises uploaded data types and security levels defined by the user, if the security levels of the user and the uploaded data meet a first preset condition, the uploaded data types belong to a type attribute space, the uploaded data security levels belong to a security level attribute space, the authorized user encrypts and stores the uploaded data into the cloud storage system, and if the security levels of the user and the downloaded data meet a second preset condition, the downloaded data is decrypted and provided for the user from the cloud storage system.
The implementation principle and technical effect of the system are similar to those of the method, and are not described herein again.
The embodiment of the invention also provides a storage medium, on which a computer program is stored, wherein the computer program is executed by a processor to implement the technical scheme of any one of the above-mentioned embodiments of the method for controlling hierarchical classification of security access to knowledge graph ontology data. The implementation principle and technical effect are similar to those of the above method, and are not described herein again.
It must be noted that in any of the above embodiments, the methods are not necessarily executed in order of sequence number, and as long as it cannot be assumed from the execution logic that they are necessarily executed in a certain order, it means that they can be executed in any other possible order.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A knowledge graph ontology data hierarchical classification security access control method is characterized by comprising the following steps:
predefining a system authority level range, security control system parameters, a category attribute space of body data and a security level attribute space, wherein the security control system parameters are used for data encryption or decryption in an uploading or downloading process, the category attribute space is used for defining a category hierarchical relationship of the body data, and the security level attribute space is used for defining the authority level allowed by the body data of each category;
when a user uploads body data, self-defining the type and the security level of the uploaded data, and if the security level of the user and the security level of the uploaded data meet a first preset condition, the type of the uploaded data belongs to a type attribute space, and the security level of the uploaded data belongs to a security level attribute space, encrypting and storing the uploaded data;
or when the user downloads the body data, filling in the category and the security level of the downloaded data, if the security level of the user and the security level of the downloaded data meet a second preset condition, and the category of the downloaded data belongs to the category attribute space, and the security level of the downloaded data belongs to the security level attribute space, decrypting the downloaded data and providing the decrypted downloaded data for the user.
2. The method for hierarchical classification security access control of ontology data of knowledge graph according to claim 1, wherein hierarchical authorization nodes corresponding to the scope of authority level are arranged, including a main authorization node and sub-authorization nodes, the uppermost main authorization node has the maximum authority, the main authorization node stores a main key generated according to the security control system parameters, and a private key of each sub-authorization node is generated according to the main key and the authorization level;
in the process of encrypting and storing the uploaded data, the main authorization node or the sub authorization node provides a private key of the main key or the sub authorization node for the uploading user to encrypt the uploaded data;
or in the download data decryption process, the main authorization node or the sub authorization node provides the main key or the private key of the sub authorization node for the download user to decrypt the download data.
3. The method for hierarchical classification security access control of data of a knowledge graph ontology according to claim 2, wherein the authorized private key of the uploading user is generated according to the authorized private key provided to the uploading user and the security level of the uploading user, and the uploaded data is encrypted by using the authorized private key of the uploading user;
or generating the authorized private key of the downloading user according to the authorized private key provided for the downloading user and the security level of the downloading user, and decrypting the uploaded data by using the authorized private key of the uploading user.
4. The method for hierarchical classification security access control of data of a knowledge graph ontology according to claim 2, wherein in the process of uploading data, the authorization node with the lowest hierarchy is selected from the authorization nodes meeting the category and security level of the uploaded data to authorize the uploading user.
5. The method as claimed in claim 2, wherein during downloading data, the authorized node with the highest hierarchy is selected from the authorized nodes meeting the classification and security level of the downloaded data to authenticate the downloading user.
6. The method of hierarchical classification security access control of data of a knowledge-graph ontology as claimed in claim 1, further comprising: defining in advance, according to the authority control granularity and the system authority level range, the authority control granularity, the authority levels of the security level attribute space and the security level set when a user uploads data.
7. The method for hierarchical classification of security access control of data of knowledge-graph ontology according to claim 1, characterized in that a hierarchical cloud storage system based on cloud storage objects corresponding to the scope of authority levels is arranged.
8. The method for hierarchical classification security access control of data of a knowledge graph ontology according to claim 7, wherein if the security level of the user and the security level of the uploaded data satisfy a first preset condition, and the category of the uploaded data belongs to a category attribute space, the security level of the uploaded data belongs to a security level attribute space, the cloud storage system generates and transmits an access token to the uploaded user, and then caches the access token and the uploaded user information as key value pairs in an ontology object metadata area;
the uploading user receives the access token and uploads the body data to the cloud storage system; the cloud storage system verifies the access token, and if it passes the verification, the uploaded data are accepted as data files of the specified category while the metadata files are expanded and updated.
9. A knowledge graph ontology data classification security access control system is characterized by comprising a hierarchical distributed authorization center;
the hierarchical distributed authorization center is used for predefining a system authority level range, security control system parameters, category attribute space and security level attribute space of body data, the security control system parameters are used for data encryption or decryption in an uploading or downloading process, the category attribute space is used for defining category hierarchical relation of the body data, and the security level attribute space is used for defining authority levels allowed by the body data of each category;
when the hierarchical distributed authorization center is used for receiving body data uploaded or downloaded by a user, the uploaded data comprises a user-defined uploaded data type and a user-defined uploaded data security level, if the user security level and the uploaded data security level meet a first preset condition, the uploaded data type belongs to a type attribute space, the uploaded data security level belongs to a security level attribute space, the authorized user encrypts and stores the uploaded data into a cloud storage system, if the user security level and the downloaded data security level meet a second preset condition, the downloaded data type belongs to the type attribute space, the downloaded data security level belongs to the security level attribute space, and the downloaded data is decrypted and provided for the user from the cloud storage system.
10. A storage medium on which a computer program is stored, which computer program, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
CN202210204309.7A 2022-03-02 2022-03-02 Knowledge graph ontology data classification and classification security access control method and application Pending CN114615040A (en)


Publications (1)

Publication Number Publication Date
CN114615040A true CN114615040A (en) 2022-06-10
