CN114650149A - Authorization policy processing method, system and storage medium - Google Patents
- Publication number
- CN114650149A (CN202011403594.2A)
- Authority
- CN
- China
- Prior art keywords
- data
- authorization
- authorization policy
- policy
- strategy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Abstract
The invention discloses an authorization policy processing method, system and storage medium, comprising the following steps: determining data characteristics according to the data access log; determining the data blood relationship; obtaining an authorization policy; and adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy. With this method, policy loopholes that arise when backups or redundant copies of the same data exist on a platform can be avoided, and the policy optimization process can be adjusted dynamically according to how the data is accessed in practice.
Description
Technical Field
The present invention relates to the field of wireless communication technologies, and in particular, to an authorization policy processing method, system, and storage medium.
Background
With the development of modern society, big data has begun to change how people live and work, bringing great opportunities and challenges to technological progress. Every industry generates huge volumes of data at all times; data is turning from a cost into capital and profit, and its value is being realized to the fullest.
In human society, a blood relationship is a relationship between people formed by marriage or birth.
In the big data era, data grows explosively, and massive amounts of data of many types are generated rapidly. This large and complex body of data produces new data through fusion, conversion, transformation and circulation, and the new data in turn flows into the ocean of data.
From generation, through processing, fusion and circulation, to final disposal, relationships form naturally among data. By analogy with the similar relationship in human society, this relationship between data is called the blood relationship of the data (data lineage). Unlike blood relationships in human society, the data blood relationship also has some characteristic features:
1. Attribution. Specific data generally belongs to a specific organization or individual; data has ownership.
2. Multiple sources. The same data may have multiple sources (multiple parents). One piece of data may be produced by processing several pieces of data, and there may be several such processing steps.
3. Traceability. The data blood relationship reflects the life cycle of the data, showing the whole process from its generation to its disposal, and is therefore traceable.
4. Hierarchy. The data blood relationship is hierarchical. Descriptive information about data, such as its classification, induction and summarization, forms new data, and descriptions at different levels of detail form the hierarchy of the data.
At present, security policies such as permissions and desensitization across the full data link are optimized based on the existing blood relationships of a data platform, so as to ensure the security of data while it is in use.
The drawback of the prior art is that the existing scheme, which predicts the rationality of authorization policies for data blood relationships, leaves policy loopholes.
Disclosure of Invention
The invention provides an authorization policy processing method, an authorization policy processing system and a storage medium, which are used for solving the problem of vulnerability in a data authorization policy.
The invention provides the following technical scheme:
an authorization policy processing method, comprising:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
and adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation is successful.
In implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or,
data of label indicators comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitivity grading policy.
In implementation, adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy includes:
determining data belonging to the same data according to the data blood relationship;
determining, according to the degree of sameness of the data characteristics and/or the authorization policies of the data belonging to the same data, whether those data are data with a difference;
adjusting the authorization policy of the data with a difference according to the data characteristics and/or the authorization policy of that data.
In implementation, determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data characteristics and/or authorization policies includes:
when the data characteristics are determined according to the statistical indicators, data whose degree of sameness is outside a preset range are data with a difference;
when the data characteristics are determined according to the label indicators, data whose sameness is judged to be negative are data with a difference;
data for which the sameness of the authorization policy is negative are data with a difference.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is carried out in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
In implementation, after the adjusting of the authorization policy, the method further includes:
verifying the adjusted authorization policy and feeding back a verification result.
An authorization policy processing system comprising:
a processor for reading the program in the memory, performing the following processes:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy;
a transceiver for receiving and transmitting data under the control of the processor.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation is successful.
In implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or,
data of label indicators comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitivity grading policy.
In implementation, adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy includes:
determining data belonging to the same data according to the data blood relationship;
determining, according to the degree of sameness of the data characteristics and/or the authorization policies of the data belonging to the same data, whether those data are data with a difference;
adjusting the authorization policy of the data with a difference according to the data characteristics and/or the authorization policy of that data.
In implementation, determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data characteristics and/or authorization policies includes:
when the data characteristics are determined according to the statistical indicators, data whose degree of sameness is outside a preset range are data with a difference;
when the data characteristics are determined according to the label indicators, data whose sameness is judged to be negative are data with a difference;
data for which the sameness of the authorization policy is negative are data with a difference.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is carried out in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
In implementation, after the adjusting of the authorization policy, the processes further include:
verifying the adjusted authorization policy and feeding back a verification result.
An authorization policy processing system comprising:
the feature calculation module is used for determining data characteristics according to the data access log;
the data blood relationship module is used for determining the data blood relationship;
the policy configuration library is used for obtaining an authorization policy;
and the policy optimization module is used for adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy.
In an implementation, the feature calculation module is further configured to determine the data feature from the data access log including one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation is successful.
In an implementation, the feature calculation module is further configured to determine data characteristics after performing feature extraction on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or,
data of label indicators comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
In an implementation, the policy optimization module is further configured to adjust the authorization policy based on backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the policy configuration library is further configured to obtain the authorization policy comprising one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitivity grading policy.
In an implementation, the policy optimization module, when adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship and the authorization policy, is further configured to:
determine data belonging to the same data according to the data blood relationship;
determine, according to the degree of sameness of the data characteristics and/or the authorization policies of the data belonging to the same data, whether those data are data with a difference;
adjust the authorization policy of the data with a difference according to the data characteristics and/or the authorization policy of that data.
In an implementation, the policy optimization module, when determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data characteristics and/or authorization policies, is further configured such that:
when the data characteristics are determined according to the statistical indicators, data whose degree of sameness is outside a preset range are data with a difference;
when the data characteristics are determined according to the label indicators, data whose sameness is judged to be negative are data with a difference;
data for which the sameness of the authorization policy is negative are data with a difference.
In an implementation, the policy optimization module is further configured to, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, carry out the adjustment in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
In an implementation, the system further comprises:
a policy verification module, used for verifying the adjusted authorization policy and feeding back a verification result after the authorization policy is adjusted.
A computer-readable storage medium storing a computer program for executing the above authorization policy processing method.
The invention has the following beneficial effects:
In the technical solution provided by the embodiments of the invention, the relationships among data are determined from the data blood relationship, so backup and/or redundant data can be identified. The data characteristics determined from the data access log, together with the authorization policy, show whether data related by blood relationship are consistent; if they are not, the authorization policy can be adjusted according to the differences between the data, which avoids the policy loopholes that may arise on the platform when the same data has backups or redundant copies. Because the adjustment is based on the data access log, the policy optimization process can be adjusted dynamically according to how the data is accessed in practice.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram illustrating an implementation flow of an authorization policy processing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system architecture for blood-relationship-based policy optimization according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a feature calculation process according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a data structure of a database according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating the structure of data 1 in the database according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a data blood relationship according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a policy optimization process according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a difference feature matrix 1 according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a difference feature matrix 2 according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a process for policy optimization based on blood relationship nodes according to an embodiment of the present invention;
FIG. 11 is a schematic diagram illustrating an example of policy optimization based on a blood relationship node according to an embodiment of the present invention;
FIG. 12 is a diagram of an authorization policy processing system architecture 1 according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of an authorization policy processing system structure 2 according to an embodiment of the present invention.
Detailed Description
The inventor notices in the process of invention that:
In the existing scheme, an authorization policy optimization model is built by extracting features from authorization log information; the rationality of a received authorization policy is then predicted, and the policy is optimized according to the resulting prediction value.
The existing scheme has at least one of the following problems:
1. The authorization policy optimization process relies mainly on historical authorization log information and does not consider the backups or redundant copies of the same data that may exist on a platform, so policy loopholes are hard to discover for the same data with a low occurrence rate.
2. When the authorization policy is optimized, the optimization process is not adjusted dynamically according to how the data is accessed in practice.
That is, the scheme that predicts the rationality of authorization policies for data blood relationships relies mainly on historical authorization log information and does not consider the backups or redundant copies of the same data that may exist on a platform; policy loopholes are therefore hard to discover for the same data with a low occurrence rate, and the scheme cannot adjust dynamically.
Based on this, the embodiments of the invention provide a policy optimization scheme that optimizes and adjusts policies mainly according to the data blood relationship, combined with the actual access situation of the data, to ensure that the policies are reasonable and secure.
The following describes embodiments of the present invention with reference to the drawings.
Fig. 1 is a schematic flow chart of an implementation of an authorization policy processing method, as shown in the figure, including:
It should be noted that there is no timing relationship between steps 101 to 103 in the implementation.
Because the technical solution provided by the embodiments of the invention adjusts according to the data access log, the policy optimization process can follow the actual access situation of the data, and this dynamic adjustment allows "vulnerabilities" to be closed dynamically as well.
These "vulnerabilities" arise from backups or redundant copies of the same data that may exist on the platform, and the platform's data changes constantly. For example, the current policy may be complete, with no "vulnerability", but once a new backup or redundant copy of some data is generated, a "vulnerability" may appear. The blood relationship then identifies how this data relates to the earlier data and to the newly generated data, the authorization policy can be adjusted accordingly, and the new "vulnerability" is thereby closed.
In the implementation, after the adjusting the authorization policy, the method may further include:
verifying the adjusted authorization policy and feeding back a verification result.
To make the authorization policy processing method easier to understand, the following example describes a policy optimization system architecture built from functional modules. Note that in practice other system structures may also be used; combining or splitting the functional modules does not affect the implementation of the scheme.
Fig. 2 is a schematic diagram of the architecture of a system for blood-relationship-based policy optimization. As shown in the figure, the system may mainly include the following functional modules:
a feature calculation module: calculates data characteristics according to the data access log library, and establishes a data blood relationship library;
a data blood relationship module: establishes a data blood relationship database;
a policy optimization module: optimizes and adjusts the existing policies based on the existing blood relationships, the data characteristics and the policy configuration library;
a policy verification module: verifies the adjusted authorization policy and feeds back a verification result. For example, the administrator verifies the rationality of the optimized policy result set and feeds the adjustment result back to the policy optimization module.
The implementation of the feature computation module to build a database of data access features is described below.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized, whether the data is desensitized, whether the data is sensitive, and whether the data operation is successful.
In implementation, the data characteristics are determined after feature extraction is performed on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or,
data of label indicators comprising one or a combination of the following information: whether the data is sensitive, whether the data is authorized, whether the data is desensitized, and whether a sensitivity level has been determined for the data.
Fig. 3 is a schematic diagram of the feature calculation process. As shown in the figure, data characteristics may be computed from the data access log as follows:
1. The data access log library stores the audit log content related to operations on the data platform, and the data access log is input to the feature calculation module.
2. Log preprocessing:
The data access log is preprocessed, including filtering out meaningless logs, removing redundant fields and formatting the data, in preparation for the subsequent feature extraction.
The data access log content may be one or a combination of the following: operation time, data content, user, whether authorized, whether desensitized, whether sensitive, whether the operation was successful, etc.
3. Log feature extraction:
Multi-dimensional index values of data access are calculated and an index library is constructed. Feature extraction may be performed based on the index library. The multi-dimensional data indexes fall into two categories, statistical indexes and label indexes:
The statistical indexes of data access may include one or a combination of the following: the access volume, the interception rate, the user volume, the general query volume, the export derived volume, the illegal user volume and the like.
The label indexes of data access may include one or a combination of the following: whether the data is sensitive, whether it is authorized, whether it is desensitized, whether a sensitivity level has been determined, etc.
4. Constructing the log feature library:
The data access log is converted into features according to the data access characteristics, and a data feature library is constructed. Fig. 4 is a schematic diagram of the data structure of the data feature library; the information contained in the constructed library may be as shown in the figure and is described by example as follows:
Data 1 may be a table of a database or a column of a table.
The access characteristics may be the access volume of data 1, the violation volume of data 1, the user volume of data 1, and the like.
The label characteristics may be whether data 1 contains sensitive data, the sensitivity level of data 1, whether data 1 is desensitized, etc.
Fig. 5 is a schematic structural diagram of data 1 in the data feature library, and specific data 1 is shown in the figure.
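The four steps above (log input, preprocessing, feature extraction, feature library) can be sketched as follows. This is an added example, not code from the patent: the record field names, the `op` field, the table identifiers and the exact definitions of each index (for instance, interception rate as the share of unsuccessful operations) are assumptions, and the log records are constructed.

```python
from collections import defaultdict

# Log fields follow the list in the text; "op" is an assumed extra field.
FIELDS = ("time", "data", "user", "op", "authorized", "desensitized", "sensitive", "success")

def rec(*values):
    """Build one audit record from positional values (helper for the sample)."""
    return dict(zip(FIELDS, values))

# Constructed sample audit log.
SAMPLE_LOG = [
    rec("2020-12-01T09:00", "db_a.test_ori.visit", "amy", "select", True, True, True, True),
    rec("2020-12-01T09:05", "db_a.test_ori.visit", "bob", "select", False, False, True, False),
    rec("2020-12-01T09:06", "db_a.test_ori.visit", "bob", "export", False, False, True, False),
    rec("2020-12-01T09:10", "db_a.test_ori.visit", "Amy ", "export", True, True, True, True),
    rec("2020-12-01T09:20", "db_b.tmp_visit.visit", "bob", "select", True, False, False, True),
    rec("2020-12-01T09:21", "db_b.tmp_visit.visit", "carol", "export", True, False, False, True),
    rec("2020-12-01T09:30", "", "system", "heartbeat", True, False, False, True),
]

def preprocess(records):
    """Step 2: drop meaningless records, strip redundant fields, normalize users."""
    cleaned = []
    for r in records:
        if not r.get("data") or not r.get("user"):
            continue  # no data object or no user: nothing to attribute
        row = {k: r.get(k) for k in FIELDS}
        row["user"] = row["user"].strip().lower()
        cleaned.append(row)
    return cleaned

def build_feature_library(records):
    """Steps 3 and 4: per data object, compute statistical and label indexes."""
    groups = defaultdict(list)
    for r in preprocess(records):
        groups[r["data"]].append(r)
    library = {}
    for data, rows in groups.items():
        ok = [r for r in rows if r["success"]]
        library[data] = {
            "stat": {
                "access_volume": len(rows),
                # assumed definition: share of operations that did not succeed
                "interception_rate": (len(rows) - len(ok)) / len(rows),
                "user_count": len({r["user"] for r in rows}),
                "query_count": sum(r["op"] == "select" for r in rows),
                "export_count": sum(r["op"] == "export" for r in rows),
                # assumed definition: distinct users with an unauthorized attempt
                "illegal_user_count": len({r["user"] for r in rows if not r["authorized"]}),
            },
            "label": {
                "sensitive": any(r["sensitive"] for r in rows),
                "authorized": bool(ok) and all(r["authorized"] for r in ok),
                "desensitized": bool(ok) and all(r["desensitized"] for r in ok),
            },
        }
    return library
```

In this sample the temporary copy `db_b.tmp_visit.visit` shows a zero interception rate and no desensitization, which is the kind of contrast the later lineage comparison looks for.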
The following describes the implementation of establishing the data blood relationship library.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
Fig. 6 is a schematic diagram of the data blood relationship. As shown in the figure, the data blood relationship (data lineage) is a diagram of how data flows and is transformed inside the data platform; it identifies the whole path of the data from the source table through the intermediate tables to the final target table.
Through data lineage relationships, multiple copies or redundant data of the same data in the data platform can be found. Such data may have been created to meet the need for an intermediate table or a temporary table and not deleted in time, and it is easily overlooked because it is not frequently used. Finding the redundant backups of the data along the blood relationship therefore helps administrators discover vulnerabilities in the data policy configuration and prevents policy configuration from being missing for important data.
The data blood relationship map can be established from the related SQL commands of the database, by analyzing audit logs, or by similar means.
The data blood relationship library is a graph database that stores the nodes and connecting lines of the relationship, which may include the following:
Source node: the table from which a given piece of data flows out, e.g. the visit column of the test_ori table in library A.
Destination node: the tables within the platform into which a given piece of data flows.
Node connecting line: indicates the flow direction of a given piece of data, and may record information such as the flow operation and the specific execution time.
The implementation of establishing a policy configuration database is described below.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
Specifically, the policy configuration database records the security policy configuration related to the target data, which may include three major elements: data, user and policy. The policy may be an authorization policy, a desensitization policy, a sensitivity grading policy, etc.
For example:
Authorization policy: the permissions that user Amy has on data 1: select, insert.
Desensitization policy: when the user Amy accesses the data 1, hiding numbers from 2 to 7 as numbers.
Sensitivity grading policy: data 1 has sensitivity level four.
The implementation of the policy optimization module is described below.
In implementation, adjusting the authorization policy according to one or a combination of the data features, the data blood relationship, and the authorization policy includes:
determining, according to the data blood relationship, the data that belong to the same data;
determining whether data belonging to the same data are data with a difference, according to the degree of sameness of their data features and/or authorization policies;
adjusting the authorization policy for the data with a difference according to the data features of that data and/or the authorization policy.
Fig. 7 is a schematic diagram of the policy optimization process. As shown in the figure, the policy optimization module may perform the adjustment based on the data feature library, the data blood relationship library and the existing policy configuration library, and the specific process may be as follows:
1. Constructing a difference feature matrix on the blood relationship link.
In a specific implementation, when the data features are determined from statistical indexes, data whose degree of sameness falls outside a preset range are data with a difference;
when the data features are determined from label indexes, data whose degree of sameness is judged negative are data with a difference.
Specifically, based on the data blood relationship library and the data feature library, a data feature matrix of the blood relationship link is built in the blood relationship feature matching module, the feature values of the same data at different nodes of the link are compared, and the difference feature matrix is determined. For a statistical feature, a tolerance on the feature value difference is set, and differences within the tolerance are not counted; for a label feature, any inconsistency is a difference feature.
For example: data 1 is in the table of node 1, the interception rate is 90%, which indicates that the authorization policy is set strictly. However, in the node 2, the interception rate is 10%, a large number of users can access the data 1, and the difference between the interception rates is large. Fig. 8 is a schematic structural diagram of the difference feature matrix 1, and as shown in the figure, the storage content of the difference feature matrix of the data is:
2. Constructing a difference policy matrix on the blood relationship link.
In a specific implementation, data for which the degree of sameness of the authorization policy is negative are data with a difference.
Specifically, based on the data blood relationship library and the policy configuration library, a policy matrix of the blood relationship link is constructed in the blood relationship policy matching module, the policy configurations of the same data at different nodes of the link are compared, and the difference policy matrix is determined.
For example: Fig. 9 is a schematic structural diagram of the differential feature matrix 2, and the authorization list and sensitivity level of data 1 at node 1 and node 2 are shown in Fig. 9. User 1, user 2 and user 3 all have select rights in node 2, and only user 1 has select rights in node 1. At node 2 the data is non-sensitive, while at node 1 it has sensitivity level 4.
As shown in the figure, the storage content of the difference policy matrix of the data is as follows:
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is carried out in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
Fig. 10 is a schematic diagram of a policy optimization process based on blood relationship nodes. As shown in the figure, based on the difference feature matrix and the difference policy matrix on the blood relationship nodes, the node policies are optimized in the policy optimization module, specifically as follows:
1: According to the difference policy matrix, the following criteria may be used to optimize the different types of policy:
Authorization policy: compute the union of the authorization policy configurations of the blood relationship nodes, de-duplicate it to obtain the standard policy, and adjust the authorization policies of all nodes on the blood relationship accordingly;
Desensitization policy: compute the union of the desensitization policies of the blood relationship nodes, de-duplicate it to obtain the standard policy, and adjust the desensitization policies of all nodes on the blood relationship accordingly;
Sensitivity grading policy: take the highest sensitivity level among the blood relationship nodes as the standard policy, and adjust the sensitivity grading policy of all nodes on the blood relationship accordingly.
For example: Fig. 11 is a schematic diagram of an example of policy optimization based on blood relationship nodes. Assuming that, over the whole blood relationship of data 1, the configurations on the other nodes are all subsets of those of node 1 and node 2, the result of adjusting the configuration of each node according to the above optimization criteria is shown in Fig. 11.
2: The policy optimization module selects the standard node (i.e., the representative node) of the data on the blood relationship link according to the difference feature matrix and the characteristics of the actual scenario. For example, the mean access volume of the nodes can be calculated and the node closest to the mean (for example, the centroid selected by a K-means algorithm) chosen as the standard node. The original policy configuration and the optimized policy configuration of the standard node are transmitted to the policy verification module as the basis for verification.
For example: for data 1, the node with the largest access volume is the node the administrator pays most attention to, that is, the most reasonably configured node; according to the difference feature matrix, node 4 (whose total access volume reaches 10000) is selected as the standard node of data 1 on the blood relationship link.
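The comparison and optimization steps above, as an added example that is not code from the patent: it builds the difference feature matrix (with a tolerance for statistical features), the difference policy matrix, the standard policy (union of grants, union of desensitization rules, highest sensitivity level) and the standard node. The data layout, function names, tolerance value and the rule name `mask_digits_2_to_7` are assumptions; the node values are constructed around the figures quoted in the text (90% and 10% interception rates, level 4, node 4 with 10000 accesses).

```python
from itertools import combinations

MASK = ("user1", "mask_digits_2_to_7")  # hypothetical desensitization rule

def node(rate, volume, sensitive, masked, grants, masking, level):
    """One copy of "data 1" on the lineage link: features plus configured policy."""
    return {"stat": {"interception_rate": rate, "access_volume": volume},
            "label": {"sensitive": sensitive, "desensitized": masked},
            "policy": {"grants": set(grants), "masking": set(masking), "level": level}}

# Constructed lineage link for data 1.
LINK = {
    "node1": node(0.90, 3000, True, True, [("user1", "select")], [MASK], 4),
    "node2": node(0.10, 4000, False, False,
                  [("user1", "select"), ("user2", "select"), ("user3", "select")], [], 0),
    "node4": node(0.85, 10000, True, True, [("user1", "select")], [MASK], 4),
}
TOLERANCE = {"interception_rate": 0.20}  # assumed tolerance for statistical features

def diff_feature_matrix(link, tolerance):
    """Statistical features differ only beyond the tolerance; labels on any mismatch."""
    diffs = {}
    for a, b in combinations(sorted(link), 2):
        entry = {}
        for name, tol in tolerance.items():
            va, vb = link[a]["stat"][name], link[b]["stat"][name]
            if abs(va - vb) > tol:
                entry[name] = (va, vb)
        for name, va in link[a]["label"].items():
            vb = link[b]["label"][name]
            if va != vb:
                entry[name] = (va, vb)
        if entry:
            diffs[(a, b)] = entry
    return diffs

def diff_policy_matrix(link):
    """Record every policy element configured differently on two nodes."""
    diffs = {}
    for a, b in combinations(sorted(link), 2):
        pa, pb = link[a]["policy"], link[b]["policy"]
        entry = {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}
        if entry:
            diffs[(a, b)] = entry
    return diffs

def standard_policy(link):
    """Union of grants, union of desensitization rules, highest sensitivity level."""
    policies = [n["policy"] for n in link.values()]
    return {"grants": set().union(*(p["grants"] for p in policies)),
            "masking": set().union(*(p["masking"] for p in policies)),
            "level": max(p["level"] for p in policies)}

def propose_changes(link):
    """Per-node delta between the current and standard policy, for manual review."""
    std = standard_policy(link)
    proposals = {}
    for name, n in link.items():
        cur = n["policy"]
        proposals[name] = {"grants_added": std["grants"] - cur["grants"],
                           "masking_added": std["masking"] - cur["masking"],
                           "level": (cur["level"], std["level"])}
    return std, proposals

def select_standard_node(link, mode="max"):
    """'max': largest access volume; 'mean': node closest to the mean volume."""
    vol = {n: v["stat"]["access_volume"] for n, v in link.items()}
    if mode == "max":
        return max(vol, key=vol.get)
    mean = sum(vol.values()) / len(vol)
    return min(vol, key=lambda n: abs(vol[n] - mean))
```

Under the union rule, `propose_changes` gives user 2 and user 3 select rights on the level-4 copies at node 1 and node 4, so the standardized grant set is wider than the strictest node's. The per-node delta is what the manual verification step described next would review before anything is applied.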
The implementation of the policy validation module is described below.
Since policy configuration is an important link in data security, the policy verification module requires an administrator to manually adjust and verify the policy optimization set, so as to ensure that an appropriate policy is configured on each data node.
In this module the administrator adjusts the policy optimization result according to the difference configuration output by the policy optimization module, and feeds back how accurate the policy optimization module's selection of the standard node was, so as to improve the effect of the policy optimization module.
Based on the same inventive concept, the embodiment of the present invention further provides an authorization policy processing system and a computer readable storage medium, and because the principle of solving the problem of these devices is similar to that of the authorization policy processing method, the implementation of these devices may refer to the implementation of the method, and the repeated parts are not described again.
When the technical scheme provided by the embodiment of the invention is implemented, the implementation can be carried out as follows.
Fig. 12 is a schematic diagram of an authorization policy processing system structure 1, as shown in the figure, the system includes:
a processor 1200 for reading the program in the memory 1220 and executing the following processes:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy;
a transceiver 1210 for receiving and transmitting data under the control of the processor 1200.
In an implementation, the data access log includes one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized or not, whether the data is desensitized or not, whether the data is sensitive or not and whether the data operation is successful or not.
In implementation, the data features are determined after feature extraction is performed on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or
data of label indicators comprising one or a combination of the following information: whether the data is sensitive or not, whether the data is authorized or not, whether the data is desensitized or not, and whether the data is judged to be sensitive or not.
In implementation, adjusting the authorization policy according to the data blood relationship means adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the authorization policy includes one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
In implementation, adjusting the authorization policy according to one or a combination of the data features, the data blood relationship, and the authorization policy includes:
determining, according to the data blood relationship, the data that belong to the same data;
determining whether data belonging to the same data are data with a difference, according to the degree of sameness of their data features and/or authorization policies;
adjusting the authorization policy for the data with a difference according to the data features of that data and/or the authorization policy.
In implementation, determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data features and/or authorization policies includes:
when the data features are determined from statistical indexes, data whose degree of sameness falls outside a preset range are data with a difference;
when the data features are determined from label indexes, data whose degree of sameness is judged negative are data with a difference;
data for which the degree of sameness of the authorization policy is negative are data with a difference.
In an implementation, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is carried out in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
In implementation, after the authorization policy is adjusted, the method further includes:
verifying the adjusted authorization policy and feeding back a verification result.
Where in fig. 12, the bus architecture may include any number of interconnected buses and bridges, with various circuits of one or more processors represented by processor 1200 and memory represented by memory 1220 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1210 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium. The processor 1200 is responsible for managing the bus architecture and general processing, and the memory 1220 may store data used by the processor 1200 in performing operations.
Fig. 13 is a schematic diagram of an authorization policy processing system structure 2, as shown, the system includes:
a feature calculation module 1301, configured to determine data features according to the data access log;
a data blood relationship module 1302 for determining a data blood relationship;
a policy configuration library 1303, configured to obtain an authorization policy;
a policy optimization module 1304 for adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy.
In an implementation, the feature calculation module is further configured to determine the data feature from a data access log including one or a combination of the following information:
the operation time of the data, the content of the data, the user of the data, whether the data is authorized or not, whether the data is desensitized or not, whether the data is sensitive or not and whether the data operation is successful or not.
In an implementation, the feature calculation module is further configured to determine the data features after performing feature extraction on the following data:
data of statistical indicators comprising one or a combination of the following information: data access amount, data interception rate, data user amount, data general query amount, data export derivation amount and data illegal user amount; and/or
data of label indicators comprising one or a combination of the following information: whether the data is sensitive or not, whether the data is authorized or not, whether the data is desensitized or not, and whether the data is judged to be sensitive or not.
In an implementation, the policy optimization module is further configured to adjust the authorization policy based on the backup and/or redundant data of the data determined by the data blood relationship.
In an implementation, the policy configuration repository is further configured to obtain the authorization policy comprising one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
In an implementation, the policy optimization module, when adjusting the authorization policy according to one or a combination of the data features, the data blood relationship, and the authorization policy, is further configured for:
determining, according to the data blood relationship, the data that belong to the same data;
determining whether data belonging to the same data are data with a difference, according to the degree of sameness of their data features and/or authorization policies;
adjusting the authorization policy for the data with a difference according to the data features of that data and/or the authorization policy.
In an implementation, the policy optimization module, when determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data features and/or authorization policies, is further configured such that:
when the data features are determined from statistical indexes, data whose degree of sameness falls outside a preset range are data with a difference;
when the data features are determined from label indexes, data whose degree of sameness is judged negative are data with a difference;
data for which the degree of sameness of the authorization policy is negative are data with a difference.
In an implementation, the policy optimization module is further configured to, when the authorization policy includes one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, carry out the adjustment in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
In an implementation, the system further comprises:
a policy verification module, configured to verify the adjusted authorization policy and feed back a verification result after the authorization policy is adjusted.
For convenience of description, each part of the above-described apparatus is separately described as being functionally divided into various modules or units. Of course, the functionality of the various modules or units may be implemented in the same one or more pieces of software or hardware in practicing the invention.
A computer-readable storage medium storing a computer program for executing the above authorization policy processing method.
The specific implementation may refer to implementation of the authorization policy processing method.
In summary, in the technical scheme provided by the embodiment of the present invention, policy vulnerabilities affecting data as it flows through the platform can be discovered based on the data blood relationship, so that the security policy can be better optimized.
The scheme also draws on the actual data access logs, so the policy can be optimized from the perspective of how the data is actually used.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (10)
1. An authorization policy processing method, comprising:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship, and the authorization policy.
2. The method of claim 1, wherein adjusting the authorization policy according to the data blood relationship is adjusting the authorization policy according to the backup and/or redundant data of the data determined by the data blood relationship.
3. The method of claim 1, wherein the authorization policy comprises one or a combination of the following policies configured for data and/or users:
authorization policy, desensitization policy, sensitive rating policy.
4. The method of any one of claims 1 to 3, wherein adjusting the authorization policy according to one or a combination of the data characteristics, the data blood relationship, and the authorization policy comprises:
determining, according to the data blood relationship, the data that belong to the same data;
determining whether data belonging to the same data are data with a difference, according to the degree of sameness of their data characteristics and/or authorization policies;
adjusting the authorization policy for the data with a difference according to the data characteristics of that data and/or the authorization policy.
5. The method of claim 4, wherein determining whether data belonging to the same data are data with a difference according to the degree of sameness of their data characteristics and/or authorization policies comprises:
when the data characteristics are determined from statistical indexes, data whose degree of sameness falls outside a preset range are data with a difference;
when the data characteristics are determined from label indexes, data whose degree of sameness is judged negative are data with a difference;
data for which the degree of sameness of the authorization policy is negative are data with a difference.
6. The method of claim 4, wherein when the authorization policy comprises one or a combination of the following policies configured for data and/or users: an authorization policy, a desensitization policy and a sensitivity grading policy, the adjustment is carried out in one or a combination of the following ways:
for the authorization policy, adjusting it to the de-duplicated union of the authorization policy configurations of all the data;
for the desensitization policy, adjusting it to the de-duplicated union of the desensitization policy configurations of all the data;
for the sensitivity grading policy, adjusting it to the highest sensitivity level among all the data.
7. The method of claim 1, wherein after adjusting the authorization policy, the method further comprises:
verifying the adjusted authorization policy and feeding back a verification result.
8. An authorization policy processing system, comprising:
a processor for reading the program in the memory and executing the following processes:
determining data characteristics according to the data access log;
determining data blood relationship;
obtaining an authorization policy;
adjusting the authorization policy according to one or a combination of data characteristics, data consanguinity relationships, and the authorization policy;
a transceiver for receiving and transmitting data under the control of the processor.
9. An authorization policy processing system, comprising:
a feature calculation module, configured to determine data characteristics according to the data access log;
a data blood relationship module, configured to determine the data blood relationship;
a policy configuration library, configured to obtain an authorization policy;
a policy optimization module, configured to adjust the authorization policy according to one or a combination of the data characteristics, the data blood relationship, and the authorization policy.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011403594.2A CN114650149A (en) | 2020-12-02 | 2020-12-02 | Authorization policy processing method, system and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114650149A true CN114650149A (en) | 2022-06-21 |
Family
ID=81990167
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011403594.2A Pending CN114650149A (en) | 2020-12-02 | 2020-12-02 | Authorization policy processing method, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114650149A (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106407832A (en) * | 2015-08-03 | 2017-02-15 | 阿里巴巴集团控股有限公司 | A method and an apparatus for data access control |
CN106599713A (en) * | 2016-11-11 | 2017-04-26 | 中国电子科技网络信息安全有限公司 | Database masking system and method based on big data |
CN106778303A (en) * | 2016-12-07 | 2017-05-31 | 腾讯科技(深圳)有限公司 | Delegated strategy optimization method and delegated strategy optimization device |
CN107392051A (en) * | 2017-07-28 | 2017-11-24 | 北京明朝万达科技股份有限公司 | A kind of big data processing method and system |
CN108418676A (en) * | 2018-01-26 | 2018-08-17 | 山东超越数控电子股份有限公司 | A kind of data desensitization method based on permission |
CN110232290A (en) * | 2018-03-05 | 2019-09-13 | 中兴通讯股份有限公司 | Log desensitization method, server and storage medium |
CN110457405A (en) * | 2019-08-20 | 2019-11-15 | 上海观安信息技术股份有限公司 | A kind of database audit method based on genetic connection |
CN110532797A (en) * | 2019-07-24 | 2019-12-03 | 方盈金泰科技(北京)有限公司 | The desensitization method and system of big data |
US20200204558A1 (en) * | 2018-12-19 | 2020-06-25 | Uber Technologies, Inc. | Dynamically adjusting access policies |
CN111666186A (en) * | 2020-04-26 | 2020-09-15 | 杭州数梦工场科技有限公司 | Data access abnormity detection method and device, storage medium and computer equipment |
2020-12-02 CN CN202011403594.2A patent/CN114650149A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10986131B1 (en) | Access control policy warnings and suggestions | |
US8166000B2 (en) | Using a data mining algorithm to generate format rules used to validate data sets | |
US8972460B2 (en) | Data model optimization using multi-level entity dependencies | |
CN110348238B (en) | Privacy protection grading method and device for application | |
CN108092945B (en) | Method and device for determining access authority and terminal | |
CN113110866B (en) | Evaluation method and device for database change script | |
CN115203750B (en) | Hive data authority control and security audit method and system based on Hive plug-in | |
CN110968894B (en) | Fine granularity access control scheme for game service data | |
US20200097673A1 (en) | Data privilage control method and system | |
CN109871705A (en) | A kind of database update method and system | |
CN115086075B (en) | Mandatory access control method and device with credible behaviors | |
CN115859345A (en) | Data access management method and system based on block chain | |
CA3131725C (en) | Sql optimization method and device, computer equipment and storage medium | |
CN114424191A (en) | Fine-grained access control to a process language of a database based on accessed resources | |
CN116910023A (en) | Data management system | |
WO2021179579A1 (en) | Backup data analysis method and apparatus based on file information, and computer device | |
CN114650149A (en) | Authorization policy processing method, system and storage medium | |
CN114611127B (en) | Database data security management system | |
CN113824739B (en) | User authority management method and system of cloud management platform | |
CN114598556B (en) | IT infrastructure configuration integrity protection method and protection system | |
Zhu | Interoperability of multimedia network public opinion knowledge base group based on multisource text mining | |
CN114020446A (en) | Cross-multi-engine routing processing method, device, equipment and storage medium | |
CN114511330A (en) | Improved CNN-RF-based Ethernet workshop Pompe deception office detection method and system | |
CN114547314B (en) | Data classification and classification method and system based on master-slave table | |
KR102648905B1 (en) | Method and device for privacy-constrained data perturbation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||