CN116132198A - Internet of things privacy behavior sensing method and device based on lightweight context semantics

Publication number
CN116132198A
Authority
CN
China
Legal status
Granted
Application number
CN202310398776.2A
Other languages
Chinese (zh)
Other versions
CN116132198B (en)
Inventor
周少鹏
王滨
张冲
宋令阳
朱伟康
王旭
毕志城
张峰
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 - Handling natural language data
    • G06F40/30 - Semantic analysis
    • G - PHYSICS
    • G16 - INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y - INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 - IoT characterised by the purpose of the information processing
    • G16Y40/50 - Safety; Security of things, users, data or systems
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 - Network architectures or network communication protocols for network security
    • H04L63/10 - Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y - GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 - TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D - CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 - Reducing energy consumption in communication networks
    • Y02D30/70 - Reducing energy consumption in communication networks in wireless communication networks

Abstract

The embodiment provides an Internet of things privacy behavior sensing method and device based on lightweight context semantics. In the embodiment, access control processing such as allowing or refusing access is performed on an access request through an access control policy dynamically matched to the access request, which avoids the private data leakage of Internet of things devices caused when a provider tries to continuously collect fine-grained data about Internet of things users; in addition, the embodiment presumes the behavior state of the request end sending the access request based on the context information of the access request and determines the access control policy matched with the access request based on that behavior state, which ensures personalized access control processing; in addition, the embodiment matches the corresponding access control policy for the access request by constructing a semantic rule set for protecting privacy and, relying on the way semantics differ from existing text, realizes a lightweight and efficient semantic-based policy for access control processing such as allowing or refusing access.

Description

Internet of things privacy behavior sensing method and device based on lightweight context semantics
Technical Field
The application relates to the internet of things security technology, in particular to an internet of things privacy behavior perception method and device based on lightweight context semantics.
Background
In the Internet of things, most applications are built around Internet of things users. However, an Internet of things user has little control over his or her own data: for example, in order to use an Internet of things service, the user is forced to accept the provider's terms and conditions, so the provider may attempt to continuously collect fine-grained data about the user in order to improve the corresponding service. This continuous collection of fine-grained data about Internet of things users often causes Internet of things devices to reveal private data; for example, Internet of things devices in a smart home environment, such as wearable devices, can reveal private data.
Disclosure of Invention
The embodiment of the application provides an abnormal behavior sensing method and device of the Internet of things based on lightweight context semantics.
The embodiment of the application provides an internet of things privacy behavior sensing method based on lightweight context semantics, which comprises the following steps:
obtaining an access request for accessing a target object;
if an access control strategy matched with the access request exists, performing access control processing on the access request according to semantic information matched with each privacy protection type in the access control strategy; the access control policy comprises at least one privacy constructor, each privacy constructor constrains semantic information matched by at least one privacy protection type;
If the access control strategy matched with the access request does not exist, the behavior state of a request end for sending the access request is presumed based on the context information of the access request, wherein the context information of the access request is used for representing the behavior state of the request end; and determining an access control strategy matched with the access request in a constructed semantic rule set for protecting privacy based on the behavior state of the request end, and performing access control processing on the access request according to semantic information matched with each privacy protection type in the determined access control strategy.
The embodiment of the application provides an internet of things privacy behavior sensing device based on lightweight context semantics, which comprises:
an obtaining unit configured to obtain an access request for accessing a target object;
a control unit configured to perform access control processing on the access request according to semantic information matched with each privacy protection type in the access control policy when an access control policy matched with the access request exists, wherein the access control policy comprises at least one privacy constructor and each privacy constructor constrains semantic information matched by at least one privacy protection type; and,
When the access control strategy matched with the access request does not exist, the behavior state of a request end for sending the access request is presumed based on the context information of the access request, wherein the context information of the access request is used for representing the behavior state of the request end; and determining an access control strategy matched with the access request in a constructed semantic rule set for protecting privacy based on the behavior state of the request end, and performing access control processing on the access request according to semantic information matched with each privacy protection type in the determined access control strategy.
An electronic device, the electronic device comprising: a processor and a machine-readable storage medium having stored thereon computer instructions which when executed by the processor perform the steps of the method as above.
A machine-readable storage medium storing computer instructions which when executed by a processor implement the steps in the method as above.
According to the technical scheme, in the embodiment, the access control processing such as access permission or access refusal is carried out on the access request through the access control strategy matched with the access request dynamically, so that privacy data leakage of the Internet of things equipment caused when a provider tries to continuously collect fine-grained data about the Internet of things user is avoided;
Further, in this embodiment, the behavior state of the request end sending the access request is presumed based on the context information of the access request, and the access control policy matched with the access request is determined based on the behavior state of the request end, which ensures personalized access control processing;
Still further, in this embodiment, a semantic rule set for protecting privacy is constructed to match a corresponding access control policy to an access request. Because semantics differ from conventional text (for example, semantics may be features extracted from a large body of existing text), a lightweight and efficient semantic-based policy is realized for access control processing such as allowing or refusing access, so as to avoid the private data leakage of Internet of things devices caused when a provider tries to continuously collect fine-grained data about Internet of things users.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart provided in an embodiment of the present application;
FIG. 2 is a control process flow chart provided in an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a device according to an embodiment of the present application;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to better understand the technical solutions provided by the embodiments of the present application and make the above objects, features and advantages of the embodiments of the present application more obvious, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of a method provided in an embodiment of the present application. The method is applied to electronic equipment such as internet of things equipment and internet of things gateways, and the embodiment is not particularly limited.
As shown in fig. 1, the process may include the steps of:
Step 101, an access request for accessing a target object is obtained.
In this embodiment, any user (such as an attacker or a normal user) may send an access request directly when there is a need to access the target object. The electronic device then intercepts the access request. The target object here is, for example, service data, configuration information or an associated database of the Internet of things terminal; this embodiment does not specifically limit it.
As an embodiment, the above-mentioned access request indicates at least the request end (i.e., the subject) that sends the access request, the specific resource to be accessed, such as the above-mentioned service data, and the specific action to be performed, such as closing or opening a camera.
Step 102, if there is an access control policy matching the access request, step 103 is executed, and if there is no access control policy matching the access request, step 104 is executed.
As an embodiment, step 102 uses the request end (i.e., the subject) indicated by the access request, the specific resource to be accessed and the specific action to be performed as keywords, and searches the policies generated for the target object for access control policies matching these keywords (that is, access control policies matching the access request). If such a policy is found, an access control policy matching the access request exists and step 103 is executed; if none is found, no access control policy matching the access request exists and step 104 is executed.
In this embodiment, any access control policy includes at least one privacy constructor, and each privacy constructor constrains the semantic information matched by at least one privacy protection type. For example, the privacy protection type is a location privacy type and the semantic information matched by the location privacy type is a location L, which indicates that access of the requesting end is denied when the current location of the requesting end is L; this is described below by way of example and is not repeated here.
Step 103, performing access control processing on the access request according to semantic information matched with each privacy protection type in the access control policy.
Step 103 is performed on the premise that an access control policy matching the access request exists. When such a policy exists, access control processing can be performed on the access request according to the semantic information matched with each privacy protection type in the access control policy. How this is done is described below by way of example with reference to fig. 2 and is not detailed here.
Step 104, based on the context information of the access request, presuming the behavior state of the request end sending the access request, determining an access control strategy matched with the access request in the constructed semantic rule set for protecting privacy based on the behavior state of the request end, and performing access control processing on the access request according to the semantic information matched with each privacy protection type in the access control strategy.
In this embodiment, the context information of the access request is used to characterize the behavior state of the requesting end, such as the current location of the requesting end that sends the access request, the current network type and current IP address where the access request is currently located, the sending time and/or receiving time of the access request, and the like, and this embodiment is not limited specifically.
In a specific application, simply relying on the context information of the access request is not enough to accurately determine the behavior state of the requesting end, and in this case, as an embodiment, the behavior state of the requesting end may be further identified by using the context information of the access request and a machine learning model, such as a trained deep neural network. Based on this, in this step 104, predicting the behavior state of the requesting end that sent the access request based on the context information of the access request may include: the context information of the access request, such as the current position of the request end sending the access request, the current network type and the current IP address of the request end, the sending time and/or receiving time of the access request, the trusted activity and the like, are input into the trained deep neural network as input parameters, so that the behavior state of the request end sending the access request is estimated through the deep neural network. Finally, the current activity and behavior (collectively referred to as behavior state) of the requesting end are presumed by means of the deep neural network.
As an embodiment, after the current activity and behavior (collectively referred to as behavior state) of the request end are presumed, the embodiment can determine, based on the behavior state of the request end, an access control policy matched with the access request in the constructed semantic rule set for protecting privacy. And then, when the other access requests are subsequently received, if the request end of the other access requests which are subsequently received is the same as the request end of the access requests, and/or the specific resource to be accessed by the other access requests is the same as the specific resource to be accessed by the access requests, and/or the specific action to be executed by the other access requests is the same as the specific action to be executed by the access requests, the other access requests which are subsequently received are considered to be matched with the determined access control policy, and then, the access control processing can be directly performed on the other access requests based on the determined access control policy, and the specific access control processing mode can refer to the access control processing in step 103 or step 104, which is not repeated.
As to how to determine an access control policy for matching an access request from a constructed semantic rule set for protecting privacy based on the behavior state of a requesting end, the semantic rule set provided in this embodiment is described first.
In this embodiment, the semantic rule set is a set-theoretic language, that is, a rule set over semantics. Here, semantics are distinct from text: they are features extracted from a large number of texts, and the semantic rule set of this embodiment is orders of magnitude lighter than text.
As one embodiment, the above semantic rule set is described as follows:
1) Target: for example, the subject, the accessed resource, and/or the action to be performed.
2) Actions: one or more actions may be included. For example, taking a camera as the target object, if an access request for the camera is to open or close the camera, the action is opening or closing the camera.
3) Access control policy set: any access control strategy set is provided with a corresponding access control strategy set identifier, the access control strategy set comprises at least one access control strategy, and each access control strategy in the access control strategy set is provided with a corresponding priority; the access control policy set is configured with a corresponding privacy constructor PCs (which in particular consists of privacy constructors of the access control policies);
Any access control policy in the access control policy set has a corresponding identifier. Any access control policy includes at least one rule, and each rule in the access control policy has a corresponding priority. In this embodiment, the access control policy is configured with at least one privacy constructor corresponding thereto.
As one embodiment, any rule in the access control policy has a corresponding identity. Any rule may be composed of at least one condition. Each rule is configured with a corresponding privacy constructor.
Based on the above description, an access control policy matching the behavior state of the requesting end (that is, an access control policy matching the access request) may be determined from the constructed semantic rule set for protecting privacy based on the inferred behavior state of the requesting end. There are many ways to determine this access control policy; they are described below by way of example and are not detailed here.
Based on the set of semantic rules described above, as an embodiment, the access control policy (corresponding to the access control policy matching the access request) determined herein that matches the behavior state of the requesting end may be at least one access control policy in the set of access control policies, which includes at least one privacy constructor; any privacy constructor constrains semantic information matched by at least one privacy preserving type, where the constrained privacy preserving type is, for example, a location privacy type, a network privacy type, etc., which will be described by way of example and not be repeated herein.
Thus, the flow shown in fig. 1 is completed.
As can be seen from the flow shown in fig. 1, in this embodiment, access control processing such as access permission or access rejection is performed on the access request by dynamically matching the access control policy for the access request, which avoids privacy data disclosure of the internet of things device caused when the provider tries to continuously collect fine-grained data about the internet of things user;
Further, in this embodiment, the behavior state of the request end sending the access request is presumed based on the context information of the access request, and the access control policy matched with the access request is determined based on the behavior state of the request end, which ensures personalized access control processing;
Still further, in this embodiment, a semantic rule set for protecting privacy is constructed. Because semantics differ from conventional text (for example, semantics may be features extracted from a large body of existing text), a lightweight and efficient semantic-based policy is realized for access control processing such as allowing or refusing access, so that the private data leakage of Internet of things devices caused when a provider tries to continuously collect fine-grained data about Internet of things users is avoided.
How the access request is subjected to the access control processing according to the access control policy in the above step 103 or step 104 is as follows:
Referring to fig. 2, fig. 2 is a flowchart of an access control process provided in an embodiment of the present application. The process may include the steps of:
Step 201, for each privacy constructor in the access control policy matched with the access request, determining, according to the access request, the data information corresponding to the privacy protection type constrained by the privacy constructor.
Based on the access control policies described above, each privacy constructor in the access control policy matched with the access request refers to the privacy constructor configured for each rule in that access control policy; for convenience of description, this embodiment simply speaks of the privacy constructors in the access control policy.
As described above, any privacy constructor may constrain at least one privacy preserving type, and correspondingly, in step 201, the data information corresponding to the privacy preserving type is specifically the data information corresponding to the privacy preserving type carried by the access request, and depends on the privacy preserving type, for example, the privacy preserving type is a location privacy type, and the data information corresponding to the privacy preserving type refers to the location where the request end sending the access request is currently located. The following step 202 will exemplify the data information corresponding to the privacy protection type, which is not described herein.
Step 202, checking whether the data information corresponding to the privacy protection type and the semantic information matched with the privacy protection type meet a preset matching condition.
In this embodiment, the semantic rule set supports mathematical operations, and the data information corresponding to the privacy protection type is data on which mathematical operations can be performed, such as data represented by a matrix. Likewise, the semantic information matched with the privacy protection type is semantics expressed as data on which mathematical operations can be performed, such as a matrix.
Based on this, in this embodiment, checking whether the data information corresponding to the privacy protection type and the semantic information matching the privacy protection type meet the preset matching condition may be implemented by mathematical operation, for example, calculating a difference between a first matrix (representing the data information corresponding to the privacy protection type) and a second matrix (representing the semantic information matching the privacy protection type), if the difference is within a set threshold range, determining that the data information corresponding to the privacy protection type and the semantic information matching the privacy protection type meet the preset matching condition, or else, determining that the data information corresponding to the privacy protection type and the semantic information matching the privacy protection type do not meet the preset matching condition; etc., the present embodiment is not particularly limited.
According to the embodiment, whether the data information corresponding to the privacy protection type and the semantic information matched with the privacy protection type meet the preset matching condition is checked through mathematical operation, additional configuration is not needed, and further lightweight and efficient semantic-based strategies are realized to perform access control processing such as access permission or access rejection.
For example, if the privacy protection type is a location privacy type and the semantic information matched by the location privacy type is a location L (generally referring to at least one location), then: the data information corresponding to the privacy protection type refers to the current position of the request end sending the access request; the data information and the semantic information meeting the preset matching condition means that it is determined through mathematical operation that the current position of the request end and the location L meet a preset position matching condition (for example, the positions are the same, or the distance between the positions is within a set distance range).
For another example, if the privacy protection type is a network privacy type and the semantic information matched by the network privacy type is a network type N and a set of user-trusted IP addresses, then: the data information corresponding to the privacy protection type refers to the network type where the request end is currently located (such as work, home or cafe) and its current IP address; the data information and the semantic information meeting the preset matching condition means that it is determined through mathematical operation that the network type where the request end is currently located matches the network type N (the network type where the request end is currently located is one of the N network types) and that the current IP address belongs to the set of user-trusted IP addresses.
For another example, if the privacy protection type is a time privacy type and the semantic information matched with the time privacy type is a sending time range and/or a receiving time range, then: the data information corresponding to the privacy protection type refers to the sending time at which the request end sends the access request and/or the receiving time at which the device receives the access request; the data information and the semantic information meeting the preset matching condition means that it is determined through mathematical operation that the sending time belongs to the sending time range and/or the receiving time belongs to the receiving time range.
Step 203, performing access control processing on the access request according to whether, for each privacy protection type constrained by each privacy constructor, the corresponding data information and the matched semantic information meet the matching condition.
As an embodiment, step 203 may be implemented as follows: if, for at least one target access control policy among the access control policies matched with the access request, the data information corresponding to a privacy protection type constrained by a privacy constructor in the target access control policy and the semantic information matched with that privacy protection type do not meet the preset matching condition, access to the target object based on the access request is refused; otherwise, access to the target object based on the access request is allowed.
The target access control policy is any access control policy that is matched with the access request, or is an access control policy with priority meeting the requirement, for example, the priority is highest among all access control policies that are matched with the access request, which can be specifically set according to the actual requirement, and the embodiment is not specifically limited.
Thus, the flow shown in fig. 2 is completed.
The flow shown in fig. 2 thus describes how access control processing is performed on an access request according to an access control policy.
The following describes how, in step 104 above, the access control policy matched with the access request is determined in the constructed semantic rule set for protecting privacy based on the behavior state of the requesting end:
As one embodiment, after the behavior state of the requesting end is determined, it may be checked, based on the semantic information (such as the behavior condition) matched with the configured behavior privacy type, whether the behavior state of the requesting end meets that semantic information; if so, the access control policy matched with the access request is determined in the constructed semantic rule set for protecting privacy based on the behavior state of the requesting end.
In this embodiment, determining the access control policy matched with the access request in the constructed semantic rule set for protecting privacy based on the behavior state of the requesting end may include: searching the constructed semantic rule set for protecting privacy for a matched access control policy based on the requesting end, the resource to be accessed indicated by the access request, the specific action to be executed, and the behavior state. For example, based on the semantic rule set, first search for the target composed of the requesting end, the resource to be accessed indicated by the access request, and the specific action to be executed; then, based on the behavior state, search for a matched action among the actions corresponding to the found target; finally, determine the access control policies in the access control policy set corresponding to the found action as the access control policies matched with the access request. This is only an example of how the matched access control policy is found in the constructed semantic rule set for protecting privacy based on the requesting end, the resource to be accessed indicated by the access request, the specific action to be executed, and the behavior state; this embodiment is not specifically limited, and the search may be implemented based on the structure of the semantic rule set.
As described above, the access control policy matched with the access request may include the location privacy type, the network privacy type, and the time privacy type. On this basis, the access request is allowed to access the target object (which is equivalent to allowing the request to be sent in an anonymous manner) if: the current location of the requesting end that sends the access request and the semantic information matched with the location privacy type meet the preset location matching condition; the network type in which the requesting end is currently located and the network type N in the semantic information matched with the network privacy type meet the preset network matching condition, and the current IP address of the requesting end belongs to the user trust IP address set in the network privacy type; and the sending time at which the requesting end sends the request belongs to the sending time range matched with the time privacy type, and/or the receiving time at which the device receives the access request belongs to the receiving time range matched with the time privacy type. Otherwise, the access request is refused access to the target object.
The above example describes how the access control policy that the access request matches is determined in the set of semantic rules that have been constructed to protect privacy based on the behavior state of the requesting end in step 104 above.
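The decision flow described above (the per-type matching conditions, the deny-on-any-mismatch rule of step 203, and the rule-set lookup by target and behavior state) can be sketched as follows. This is an added illustration, not code from the patent: the radius-based location condition, the CIDR form of the trusted IP set, the keying of policies by (requester, resource, action), the fail-closed result when no policy is found, the `toy_infer_state` stand-in for the trained deep neural network, and all sample values are assumptions.

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import time
from functools import partial


@dataclass(frozen=True)
class Request:
    requester: str
    resource: str
    action: str
    position: tuple      # (latitude, longitude) of the requesting end
    network_type: str    # e.g. "work", "home", "cafe"
    ip: str
    send_time: time
    recv_time: time


def location_ok(req, center, radius_m):
    # Assumed "preset location matching condition": within radius_m of location L.
    lat1, lon1, lat2, lon2 = map(math.radians, (*req.position, *center))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a)) <= radius_m


def network_ok(req, allowed_types, trusted_nets):
    # Both parts must hold: network type is one of N, and the IP is trusted.
    addr = ipaddress.ip_address(req.ip)
    return (req.network_type in allowed_types
            and any(addr in ipaddress.ip_network(n) for n in trusted_nets))


def _within(t, rng):
    start, end = rng
    # A range such as 22:00-06:00 wraps past midnight.
    return start <= t <= end if start <= end else (t >= start or t <= end)


def time_ok(req, send_range=None, recv_range=None):
    # "and/or" is read here as: every range that is configured must be satisfied.
    return ((send_range is None or _within(req.send_time, send_range))
            and (recv_range is None or _within(req.recv_time, recv_range)))


@dataclass
class Policy:
    name: str
    priority: int
    constructors: list   # [(privacy_type, predicate(req) -> bool)]

    def mismatches(self, req):
        return [ptype for ptype, check in self.constructors if not check(req)]


def decide(req, policies, highest_priority_only=False):
    # Step 203: refuse if any target policy has a constructor that does not match.
    if not policies:
        return "deny", ["no-policy"]           # assumption: fail closed
    targets = ([max(policies, key=lambda p: p.priority)]
               if highest_priority_only else policies)
    failed = [f"{p.name}:{t}" for p in targets for t in p.mismatches(req)]
    return ("deny", failed) if failed else ("allow", [])


def handle(req, direct, rule_set, behavior_condition, infer_state, **kw):
    target = (req.requester, req.resource, req.action)
    policies = direct.get(target)
    if not policies:                           # no directly matched policy
        state = infer_state(req)               # the page uses a trained DNN here
        if state not in behavior_condition:    # behavior privacy type check
            return "deny", [f"behavior:{state}"]
        policies = rule_set.get(target, {}).get(state, [])
    return decide(req, policies, **kw)


# --- constructed sample data (not from the patent) ---
OFFICE = (30.2084, 120.2120)
office_policy = Policy("office-hours", 10, [
    ("location", partial(location_ok, center=OFFICE, radius_m=200)),
    ("network", partial(network_ok, allowed_types={"work"},
                        trusted_nets=["10.20.0.0/16"])),
    ("time", partial(time_ok, send_range=(time(8), time(18)))),
])
night_policy = Policy("night-home", 5, [
    ("network", partial(network_ok, allowed_types={"home"},
                        trusted_nets=["192.168.1.0/24"])),
    ("time", partial(time_ok, recv_range=(time(22), time(6)))),
])
DIRECT = {("alice-phone", "camera-7/stream", "read"): [office_policy]}
RULE_SET = {("alice-tablet", "camera-7/stream", "read"): {"at_home": [night_policy]}}
BEHAVIOR_CONDITION = {"at_home", "working"}


def toy_infer_state(req):
    # Stand-in for the trained deep neural network; not the patent's model.
    return "at_home" if req.network_type == "home" else "travelling"
```

`handle` returns the decision together with the list of policy and privacy-type pairs that failed, which is the information an audit log would need to explain a refusal.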
The method provided by the embodiment of the present application is described above; the device provided by the embodiment of the present application is described below.
Referring to fig. 3, fig. 3 is a block diagram of an apparatus according to an embodiment of the present application. The device comprises:
an obtaining unit configured to obtain an access request for accessing a target object;
a control unit configured to, when an access control policy matched with the access request exists, perform access control processing on the access request according to the semantic information matched with each privacy protection type in the access control policy, wherein the access control policy comprises at least one privacy constructor and each privacy constructor constrains the semantic information matched with at least one privacy protection type; and,
when no access control policy matched with the access request exists, infer the behavior state of the requesting end that sends the access request based on the context information of the access request, wherein the context information of the access request is used to characterize the behavior state of the requesting end; determine, based on the behavior state of the requesting end, the access control policy matched with the access request in the constructed semantic rule set for protecting privacy; and perform access control processing on the access request according to the semantic information matched with each privacy protection type in the determined access control policy.
Optionally, performing access control processing on the access request according to the access control policy includes: for each privacy constructor in the access control policy, determining, according to the access request, the data information corresponding to the privacy protection type constrained by the privacy constructor, and checking whether the semantic information matched with the privacy protection type and the data information corresponding to the privacy protection type meet the preset matching condition; and performing access control processing on the access request according to the matching condition between the data information corresponding to each privacy protection type constrained by each privacy constructor and the semantic information matched with that privacy protection type.
Optionally, if the privacy protection type is a location privacy type and the semantic information matched with the location privacy type is a location L, then: the data information corresponding to the privacy protection type refers to the current position of the request end for sending the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the current position of the request end and the position L meet the preset position matching condition;
If the privacy protection type is a network privacy type, semantic information matched with the network privacy type is a network type N and a user trust IP address set, and then: the data information corresponding to the privacy protection type refers to the network type and the current IP address where the request end for sending the access request is currently located; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the network type where the request end is currently located and the network type N meet the preset matching condition, and the current IP address belongs to the user trust IP address set;
if the privacy protection type is a time privacy type, the semantic information matched with the time privacy type is a sending time range and/or a receiving time range, and the data information corresponding to the privacy protection type is the sending time of the request terminal for sending the access request and/or the receiving time of the device for receiving the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that: the transmission time belongs to the transmission time range and/or the reception time belongs to the reception time range.
Optionally, the performing the access control processing on the access request according to the matching condition of the data information corresponding to each privacy protection type and the semantic information matched with each privacy protection type, where the data information is constrained by each privacy construction function, includes:
if the following situation occurs for at least one target access control policy among the access control policies matched with the access request: the data information corresponding to a privacy protection type constrained by a privacy constructor in the target access control policy and the semantic information matched with that privacy protection type do not meet the preset matching condition, then access to the target object based on the access request is refused; otherwise, access to the target object based on the access request is allowed; the target access control policy is any access control policy matched with the access request, or is an access control policy whose priority meets the requirement.
Optionally, the predicting, based on the context information of the access request, a behavior state of a requesting end sending the access request includes:
inputting the context information of the access request as an input parameter to a trained deep neural network so as to speculate the behavior state of a request end sending the access request through the deep neural network; wherein the context information of the access request at least includes: the current position of the request end for sending the access request, the type of the network where the request end is currently located, the current IP address, the sending time and/or the receiving time of the access request.
The determining the access control policy matched with the access request in the constructed semantic rule set for protecting privacy based on the behavior state of the request end comprises the following steps: checking whether the behavior state of the request end meets semantic information matched with the configured behavior privacy type, and if so, searching matched access control strategies in a constructed semantic rule set for protecting privacy based on the request end, the resources to be accessed indicated by the access request and actions to be executed and the behavior state to serve as the access control strategies matched with the access request.
The structural description of the apparatus shown in fig. 3 is thus completed.
Based on the same application concept as the above method, the embodiment of the present application further provides an electronic device, as shown in fig. 4, including: a processor and a machine-readable storage medium; the machine-readable storage medium stores machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement steps in the method as described above in fig. 1.
Based on the same application concept as the above method, the embodiments of the present application further provide a machine-readable storage medium, where a number of computer instructions are stored, where the computer instructions can implement the method disclosed in the above example of the present application when executed by a processor.
By way of example, the machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information, such as executable instructions, data, and the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer entity or by an article of manufacture having some functionality. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (10)

1. An Internet of Things privacy behavior sensing method based on lightweight context semantics, characterized by comprising the following steps:
obtaining an access request for accessing a target object;
if an access control strategy matched with the access request exists, performing access control processing on the access request according to semantic information matched with each privacy protection type in the access control strategy; the access control policy comprises at least one privacy constructor, each privacy constructor constrains semantic information matched by at least one privacy protection type;
if the access control strategy matched with the access request does not exist, the behavior state of a request end for sending the access request is presumed based on the context information of the access request, wherein the context information of the access request is used for representing the behavior state of the request end; and determining an access control strategy matched with the access request in a constructed semantic rule set for protecting privacy based on the behavior state of the request end, and performing access control processing on the access request according to semantic information matched with each privacy protection type in the determined access control strategy.
2. The method of claim 1, wherein performing access control processing on the access request according to semantic information matched by each privacy protection type in the access control policy comprises:
for each privacy constructor in the access control strategy, determining data information corresponding to a privacy protection type constrained by the privacy constructor according to the access request, and checking whether semantic information matched with the privacy protection type and the data information corresponding to the privacy protection type meet preset matching conditions;
and carrying out access control processing on the access request according to the matching condition of the data information corresponding to each privacy protection type and the semantic information matched with each privacy protection type, which are constrained by each privacy construction function.
3. The method of claim 2, characterized in that,
if the privacy protection type is a location privacy type and the semantic information matched with the location privacy type is a location L, then: the data information corresponding to the privacy protection type refers to the current position of the request end for sending the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the current position of the request end and the position L meet the preset position matching condition;
If the privacy protection type is a network privacy type, semantic information matched with the network privacy type is a network type N and a user trust IP address set, and then: the data information corresponding to the privacy protection type refers to the network type and the current IP address where the request end for sending the access request is currently located; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the network type where the request end is currently located and the network type N meet the preset matching condition, and the current IP address belongs to the user trust IP address set;
if the privacy protection type is a time privacy type, the semantic information matched with the time privacy type is a sending time range and/or a receiving time range, and the data information corresponding to the privacy protection type is the sending time of the request terminal for sending the access request and/or the receiving time of the device for receiving the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that: the transmission time belongs to the transmission time range and/or the reception time belongs to the reception time range.
4. The method according to claim 2, wherein performing access control processing on the access request according to the matching condition of the data information corresponding to each privacy protection type and the semantic information matching each privacy protection type of each privacy construction function constraint includes:
if the following situation occurs for at least one target access control policy among the access control policies matched with the access request: the data information corresponding to a privacy protection type constrained by a privacy constructor in the target access control policy and the semantic information matched with that privacy protection type do not meet the preset matching condition, then access to the target object based on the access request is refused; otherwise, access to the target object based on the access request is allowed;
the target access control policy is any access control policy matched with the access request or is an access control policy with priority meeting the requirement.
5. The method according to any one of claims 1 to 4, wherein speculating the behavior state of a requesting end that sends the access request based on the context information of the access request comprises:
inputting the context information of the access request as an input parameter to a trained deep neural network so as to speculate the behavior state of a request end sending the access request through the deep neural network; wherein the context information of the access request at least includes: the current position of the request end for sending the access request, the type of the network where the request end is currently located, the current IP address, the sending time and/or the receiving time of the access request.
6. The method of claim 1, wherein determining the access control policy that the access request matches in the set of established semantic rules for protecting privacy based on the behavior state of the requesting end comprises:
checking whether the behavior state of the request end meets semantic information matched with the configured behavior privacy type, and if so, searching matched access control strategies in a constructed semantic rule set for protecting privacy based on the request end, the resources to be accessed indicated by the access request and actions to be executed and the behavior state to serve as the access control strategies matched with the access request.
7. An Internet of Things privacy behavior sensing device based on lightweight context semantics, characterized in that the device comprises:
an obtaining unit configured to obtain an access request for accessing a target object;
a control unit configured to, when an access control policy matched with the access request exists, perform access control processing on the access request according to the semantic information matched with each privacy protection type in the access control policy, wherein the access control policy comprises at least one privacy constructor and each privacy constructor constrains the semantic information matched with at least one privacy protection type; and,
when no access control policy matched with the access request exists, infer the behavior state of the requesting end that sends the access request based on the context information of the access request, wherein the context information of the access request is used to characterize the behavior state of the requesting end; determine, based on the behavior state of the requesting end, the access control policy matched with the access request in the constructed semantic rule set for protecting privacy; and perform access control processing on the access request according to the semantic information matched with each privacy protection type in the determined access control policy.
8. The apparatus of claim 7, wherein said performing access control processing on said access request in accordance with said access control policy comprises: for each privacy constructor in the access control strategy, determining data information corresponding to a privacy protection type constrained by the privacy constructor according to the access request, and checking whether semantic information matched with the privacy protection type and the data information corresponding to the privacy protection type meet preset matching conditions; according to the matching condition of the data information corresponding to each privacy protection type and the semantic information matched with each privacy protection type, which are constrained by each privacy construction function, performing access control processing on the access request;
If the privacy protection type is a location privacy type and the semantic information matched with the location privacy type is a location L, then: the data information corresponding to the privacy protection type refers to the current position of the request end for sending the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the current position of the request end and the position L meet the preset position matching condition;
if the privacy protection type is a network privacy type, semantic information matched with the network privacy type is a network type N and a user trust IP address set, and then: the data information corresponding to the privacy protection type refers to the network type and the current IP address where the request end for sending the access request is currently located; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that the network type where the request end is currently located and the network type N meet the preset matching condition, and the current IP address belongs to the user trust IP address set;
if the privacy protection type is a time privacy type, the semantic information matched with the time privacy type is a sending time range and/or a receiving time range, and the data information corresponding to the privacy protection type is the sending time of the request terminal for sending the access request and/or the receiving time of the device for receiving the access request; the fact that the semantic information, corresponding to the privacy protection type, of which the data information is matched with the privacy protection type meets the preset matching condition means that: the transmission time belongs to the transmission time range and/or the receiving time belongs to the receiving time range;
performing access control processing on the access request according to the matching condition between the data information corresponding to each privacy protection type constrained by each privacy constructor and the semantic information matched with each privacy protection type comprises:
if at least one target access control strategy in the access control strategies matched with the access request occurs the following conditions: the data information corresponding to the privacy protection type constrained by the privacy constructor in the target access control strategy and the semantic information matched with the privacy protection type do not meet the preset matching condition, the access to the target object based on the access request is refused, otherwise, the access to the target object based on the access request is allowed; the target access control strategy is any access control strategy matched with the access request or is an access control strategy with priority meeting the requirement;
the predicting, based on the context information of the access request, the behavior state of the requesting end sending the access request includes: inputting the context information of the access request as an input parameter to a trained deep neural network so as to speculate the behavior state of a request end sending the access request through the deep neural network; wherein the context information of the access request at least includes: the current position of the request end for sending the access request, the type of the network where the request end is currently located, the current IP address, and the sending time and/or the receiving time of the access request;
The determining the access control policy matched with the access request in the constructed semantic rule set for protecting privacy based on the behavior state of the request end comprises the following steps: checking whether the behavior state of the request end meets semantic information matched with the configured behavior privacy type, and if so, searching matched access control strategies in a constructed semantic rule set for protecting privacy based on the request end, the resources to be accessed indicated by the access request and actions to be executed and the behavior state to serve as the access control strategies matched with the access request.
9. An electronic device, comprising: a processor and a machine-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps in the method of any of claims 1 to 6.
10. A machine-readable storage medium storing computer instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 6.
CN202310398776.2A 2023-04-07 2023-04-07 Internet of things privacy behavior sensing method and device based on lightweight context semantics Active CN116132198B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310398776.2A CN116132198B (en) 2023-04-07 2023-04-07 Internet of things privacy behavior sensing method and device based on lightweight context semantics

Publications (2)

Publication Number Publication Date
CN116132198A true CN116132198A (en) 2023-05-16
CN116132198B CN116132198B (en) 2023-07-25

Family

ID=86303104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310398776.2A Active CN116132198B (en) 2023-04-07 2023-04-07 Internet of things privacy behavior sensing method and device based on lightweight context semantics

Country Status (1)

Country Link
CN (1) CN116132198B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant