CN116933324B - Industrial Internet identification data security access method - Google Patents


Info

Publication number
CN116933324B
CN116933324B
Authority
CN
China
Prior art keywords
trust value
value
security level
authority
subject
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311203287.3A
Other languages
Chinese (zh)
Other versions
CN116933324A (en)
Inventor
田常立
苏冠群
吴丹丹
姚庆刚
田艳艳
单珂
路超
张拂晓
王龙伟
陈子傲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhilian Xintong Technology Co ltd
Original Assignee
Zhilian Xintong Technology Co ltd


Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                    • G06F 21/60 Protecting data
                        • G06F 21/604 Tools and structures for managing or administering access control systems
                        • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F 21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
                            • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
                • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F 2221/2113 Multi-level security, e.g. mandatory access control
                        • G06F 2221/2135 Metering
                        • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
                • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
                    • Y02P 90/30 Computing systems specially adapted for manufacturing

Abstract

The invention relates to the technical field of data security protection, in particular to a method for securely accessing industrial Internet identification data. The method comprises the following steps: acquiring a data access request and determining an initial trust value for it; determining a login behavior abnormality index of the subject and combining the initial trust value with that index to obtain a target trust value; determining the type of operable authority of the subject on the object from the first security level and the second security level, and dividing the target trust value by operable authority type to obtain authority value regions; adjusting the target trust value according to the subject's data access time on the object at any time point to obtain an adjusted trust value; and determining the subject's operation authority on the object at different time points from the adjusted trust value and the authority value regions. The invention can effectively protect the security of data access.

Description

Industrial Internet identification data security access method
Technical Field
The invention relates to the technical field of data security protection, in particular to a method for safely accessing industrial Internet identification data.
Background
Industrial Internet identification data contains confidential data such as the progress, flow, formula and process of each industrial link, so the industrial Internet places high requirements on the security and confidentiality of this data. Compared with other high-privacy data, identification data usually has to be read and written frequently because many project personnel are involved, which further weakens privacy protection.
In the related art, security protection of access to industrial Internet identification data is implemented with the Bell-La Padula (BLP) security policy model. Because the access flexibility of the traditional BLP model is poor, it usually allows unlimited write operations by a low-level subject on a high-level object and unlimited read operations by a high-level subject on a low-level object, so data security is poor; when identification data is accessed in large volume, effective access isolation and protection cannot be provided and the confidentiality of sensitive information is insufficient. Effective management of secure access to industrial Internet identification data is therefore needed.
Disclosure of Invention
In order to solve the technical problems that data security is poor, that industrial Internet identification data cannot be effectively access-isolated and protected, and that the confidentiality of sensitive information is insufficient, the invention provides a method for securely accessing industrial Internet identification data, which adopts the following technical scheme:
the invention provides a safe access method for industrial Internet identification data, wherein a user account initiating access is taken as a subject, the industrial Internet identification data is taken as an object to be accessed, and the method comprises the following steps:
acquiring a data access request, and extracting from it the subject, the first security level of the subject, the object and the second security level of the object; acquiring the historical accessed record of the object; and determining an initial trust value of the data access request according to the first security level, the second security level and the historical accessed record of the object;
obtaining the login times of the subject in the login process and the password to be verified corresponding to each login, determining a login behavior abnormality index of the subject according to the difference between each password to be verified and the real password and the login times, and updating the initial trust value according to the login behavior abnormality index to obtain a target trust value;
determining the type of the operational authority of the subject on the object according to the first security level and the second security level, and dividing the target trust value according to the type of the operational authority to obtain an authority value region;
adjusting the target trust value according to the data access time of the subject to the object at any time point to obtain an adjusted trust value; and determining the operation authorities of the subjects to the objects at the corresponding time points according to the adjustment trust values at different time points and the authority value areas, wherein the types of the operation authorities comprise readable and non-writable operation authorities, readable and writable operation authorities, writable and non-readable operation authorities and non-writable and non-readable operation authorities.
Further, the determining the initial trust value of the data access request according to the first security level, the second security level, and the historical accessed record of the object includes:
counting the accessed time of the object from the historical accessed records of the object, and calculating the normalized value of the accessed time as a time influence coefficient;
determining a security level influence coefficient according to the difference between the first security level and the second security level;
and calculating the product of the time influence coefficient and the security level influence coefficient, and mapping the product to a preset numerical range to obtain an initial trust value.
Further, the determining a security level influence coefficient according to the difference between the first security level and the second security level includes:
calculating a difference between the first security level and the second security level as a security level difference;
and carrying out inverse proportion normalization processing on the security level difference to obtain a security level influence coefficient.
Further, the determining the sign-on behavior abnormality index of the subject according to the difference between the password to be verified and the real password and the sign-on times includes:
taking the type of the character in the password to be verified as the type of the character to be verified, and taking the type of the character in the real password as the type of the real character;
counting how many of the character types to be verified also appear among the real character types, to obtain the same-type number; taking the total number of character types in the real character type as the target number;
taking the ratio of the same type number to the target number as the initial credibility of the corresponding password to be verified; counting the average value of the initial credibility of the corresponding password to be verified under the condition of all login times as the password credibility;
performing inverse proportion normalization processing on the login times to obtain an abnormal influence factor;
and calculating a normalized value of the product of the password credibility and the anomaly impact factor as a login behavior anomaly index.
Further, the updating the initial trust value according to the login behavior abnormality index to obtain a target trust value includes:
and calculating the product of the login behavior abnormality index and the initial trust value as a target trust value.
Further, the order of the operation authorities from high to low is readable and non-writable, readable and writable, writable and non-readable, and non-writable and non-readable, and the determining the type of the operable authorities of the subject to the object according to the first security level and the second security level includes:
combining the first security level and the second security level according to a preset security level matching rule to obtain the operation authority of the subject on the object, and taking each operation authority not higher than that operation authority as an operable authority type.
Further, the dividing the target trust value according to the operable authority type to obtain an authority value area includes:
taking the data segment from the target trust value to the value 0 as a trust value segment;
obtaining the type number of the operable right type, and calculating the type number minus one as the number of subsections;
dividing the trust value segments according to the number of the subsections to obtain trust value subsections, determining the operation authorities corresponding to each trust value subsection according to the sequence from high to low of the operation authorities, and taking the numerical value region corresponding to the trust value subsections as the authority numerical value region corresponding to each operation authority.
Further, the dividing the trust value segment according to the number of sub-segments to obtain a trust value sub-segment includes:
equally dividing the trust value segment into the determined number of trust value subsections.
Further, the adjusting the target trust value according to the data access time of the subject to the object at any time point to obtain an adjusted trust value includes:
calculating the product of the data access time of the subject to the object at the time point and a preset trust value attenuation coefficient to be used as a trust attenuation value;
and taking the difference value between the target trust value and the corresponding trust attenuation value as an adjustment trust value.
Further, the determining the operation authority of the subject to the object at the corresponding time point according to the adjustment trust value and the authority value region at different time points includes:
determining the authority value region to which the adjusted trust value belongs at any time point as the adjustment value region, and taking the operation authority corresponding to that region as the operation authority of the subject on the object at the corresponding time point.
The invention has the following beneficial effects:
According to the method, the initial trust value of the data access request is determined by combining the security level of the subject, the security level of the object and the historical accessed record of the object: the security level difference between subject and object is analyzed and a trust value is assigned to the access situation, which ensures the accuracy of the initial trust value. The abnormality of the subject's login behavior, covering both password accuracy and the number of logins, is analyzed when the subject logs in and is represented by the login behavior abnormality index, which keeps the analysis objective and accurate. The target trust value is obtained by combining the login behavior abnormality index with the initial trust value. Because the historical accessed record of the object and the login situation of the subject can differ from one time to another, the target trust value changes accordingly and can be adjusted to the real-time data access situation, which ensures its reliability.
Analyzing the operable authority type of the subject on the object and then determining the authority value regions makes it convenient to combine the subject's data access time on the object, the target trust value and the authority value regions to adjust the subject's operation authority. This avoids the data security problems caused by unlimited reading and unlimited writing in the traditional BLP model, provides effective access isolation and protection for industrial Internet identification data, realizes finer-grained control of data access authority, coordinates the access control strategy, improves the security of industrial Internet identification data and protects the confidentiality of sensitive information.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions and advantages of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for securely accessing industrial Internet identification data according to one embodiment of the present invention;
FIG. 2 is a schematic diagram of an access procedure according to an embodiment of the present invention.
Detailed Description
In order to further describe the technical means and effects adopted by the invention to achieve the preset aim, the following detailed description refers to specific implementation, structure, characteristics and effects of the method for safely accessing industrial internet identification data according to the invention by combining the accompanying drawings and the preferred embodiment. In the following description, different "one embodiment" or "another embodiment" means that the embodiments are not necessarily the same. Furthermore, the particular features, structures, or characteristics of one or more embodiments may be combined in any suitable manner.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
The following specifically describes a specific scheme of the industrial internet identification data security access method provided by the invention with reference to the accompanying drawings.
Referring to fig. 1, a flowchart of a method for securely accessing industrial internet identification data according to an embodiment of the present invention is shown, where the method includes:
S101: acquiring a data access request, and extracting from it the subject, the first security level of the subject, the object and the second security level of the object; acquiring the historical accessed record of the object; and determining an initial trust value for the data access request based on the first security level, the second security level and the historical accessed record of the object.
The method applies in particular to access scenarios for industrial Internet identification data. Such data generally comprises confidential information such as the progress, flow, formula and process of each industrial link, so the industrial Internet places high requirements on the security and privacy of the data; compared with other high-privacy data, identification data generally has to be read and written frequently because many project personnel are involved, which weakens privacy protection. In the related art, security management of access to industrial Internet identification data is implemented with the Bell-La Padula (BLP) security policy model; because the access flexibility of the conventional BLP model is poor, security management based on it performs poorly when identification data is accessed in large volume, so effective management of secure access to industrial Internet identification data is needed.
In the embodiment of the invention, when the user controls the user account to perform data access, a corresponding data access request is generated, and it can be understood that the data access request can be a request data generated by the data management system when the subject triggers a corresponding access flow, and the data access request contains the identification of the subject and the identification of the object to be accessed, so that the subject and the object can be accurately positioned.
The first security level of the subject and the second security level of the object are preset security levels. In the traditional BLP model the security levels can be divided into five levels: public, internal, sensitive, important and confidential, assigned values from low to high by degree of confidentiality, namely public is level 1, internal is level 2, sensitive is level 3, important is level 4 and confidential is level 5. Of course, in other embodiments of the present invention the configuration of the security levels may be adjusted according to the actual situation, which is not limited.
The historical accessed record of the object is the record of the object having been accessed in the past; it may specifically include, for example, the accessed time and the number of accesses, which is not limited.
Further, in some embodiments of the present invention, determining an initial trust value for a data access request based on the first security level, the second security level, and a historical accessed record of the object comprises: counting the accessed time of the object from the historical accessed record of the object, and calculating a normalized value of the accessed time as a time influence coefficient; determining a security level influence coefficient according to the difference between the first security level and the second security level; and calculating the product of the time influence coefficient and the security level influence coefficient, and mapping the product to a preset numerical range to obtain an initial trust value.
Further, in some embodiments of the present invention, determining the security level influence coefficient from the difference between the first security level and the second security level comprises: calculating a difference between the first security level and the second security level as a security level difference; and carrying out inverse proportion normalization processing on the security level difference to obtain a security level influence coefficient.
In some embodiments of the present invention, the initial trust value may be calculated by a formula whose terms are as follows:
TV represents the initial trust value; n represents the number of accesses in the history of the object; a is the index of an access; the a-th accessed time is the accessed time corresponding to the a-th access; the first security level and the second security level are those of the subject and the object; and G() represents the normalization process. In one embodiment of the present invention the normalization may specifically be, for example, linear normalization, and the normalization in the subsequent steps may likewise be linear normalization; in other embodiments other normalization methods may be selected according to the specific range of values, which will not be described herein.
The time influence coefficient is the normalized value of the accessed time over all historical accessed records of the object. The accessed time of the corresponding object by all other users can be counted in real time; the longer the accessed time, the more public the corresponding object information and the higher the initial trust value.
The security level difference and the security level influence coefficient are understood as follows: when the first security level is greater than the second security level, that is, when the authority of the subject is higher than the accessed authority of the object, a high authority accesses a low authority, which may indicate that the subject has a higher trust value for the object; when the authority of the subject is lower than that of the object, the accessed authority of the object is higher than the current access authority of the subject, a low authority accesses a high authority, and the trust value is lower.
Therefore, by calculating the initial trust value, the initial trust value analysis can be carried out on the condition that the subject accesses the object every time, and the access state can be conveniently controlled according to the initial trust value.
S102: obtaining login times of a main body in a login process and passwords to be verified corresponding to each login, determining login behavior abnormality indexes of the main body according to differences between the passwords to be verified and real passwords and the login times, and updating an initial trust value according to the login behavior abnormality indexes to obtain a target trust value.
In the embodiment of the invention, the situation that malicious numbers are stolen and data are acquired by logging in is possible, in this case, password attempt is usually performed by using a database collision or traversal mode, thus the situation that passwords are input for many times is possible, and in combination with an actual scene, the wrong passwords are tried for many times to represent abnormality, so the invention analyzes based on the logic, and updates the initial trust value by combining the difference between the passwords to be verified and the actual passwords and the logging times to obtain the target trust value.
Further, in some embodiments of the present invention, determining a sign-on behavior abnormality indicator of a subject according to a difference between a password to be verified and a real password and a sign-on number includes: taking the type of the character in the password to be verified as the type of the character to be verified, and taking the type of the character in the real password as the type of the real character; calculating the number of the same types of the characters in the type of the character to be verified and the type of the real character to obtain the number of the same types; taking the total number of the types of the middle characters of the real character types as a target number; taking the ratio of the same type number to the target number as the initial credibility of the corresponding password to be verified; counting the average value of the initial credibility of the corresponding password to be verified under the condition of all login times as the password credibility; performing inverse proportion normalization processing on the login times to obtain an abnormal influence factor; and calculating a normalized value of the product of the password credibility and the anomaly impact factor as a login behavior anomaly index.
In the embodiment of the present invention, the password to be verified is counted at each login, and the type of the corresponding character of the password to be verified is determined as the type of the character to be verified, and it can be understood that, due to the particularity of the password, the same character can still count two character types, for example, when the password to be verified is "102030", the corresponding type of the character to be verified includes: the three '0's are counted respectively by '1', '2', '3', '0', so as to ensure the reliability during password verification.
The real password is a password stored in the system for password verification, and the process of acquiring the real character type of the real password is similar to the process of acquiring the character type to be verified, which is not repeated.
The number of character types to be verified that are the same as types in the real character type is calculated to obtain the same-type number, and the total number of character types in the real character type is taken as the target number. The ratio of the same-type number to the target number is the initial credibility: the higher the initial credibility, the more character types the password to be verified shares with the real password, and the fewer shared types, the smaller the initial credibility. The average of the initial credibility of the passwords to be verified over all login times is taken as the password credibility; when the correct password is entered directly at the first login, the password credibility takes its maximum value of 1, that is, the password credibility is already a normalized value.
In the embodiment of the invention, the process of entering the account and the password to be verified and clicking the login button to execute login counts as one login, which is how the login times are acquired. The login times are also a key factor in the degree of abnormality: when the login times equal 1, the login was completed in one attempt, and the greater the login times, the more likely the login is abnormal. The invention therefore applies inverse proportion normalization to the login times to obtain an abnormal influence factor; the smaller the factor, the more serious the abnormality. The normalized value of the product of the password credibility and the abnormal influence factor is then calculated as the login behavior abnormality index.
Further, in some embodiments, updating the initial trust value according to the login behaviour anomaly index to obtain the target trust value comprises: calculating the product of the login behaviour anomaly index and the initial trust value as the target trust value.
In the embodiment the login behaviour anomaly index acts as a weight on the initial trust value. A larger index indicates higher password credibility and fewer login attempts, so the more credible subject receives a higher target trust value; a smaller index indicates lower password credibility and more login attempts, so the less credible subject receives a lower target trust value. Abnormal login behaviour is thereby reflected in the trust value.
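The password-credibility and anomaly-index computation above, carried through to the target trust value, as an added Python example (not code from the patent or from its applicant). It assumes that a "character type" means a distinct character of the password, that the inverse-proportion normalization of the attempt count is 1/n, and that the product of two values in [0, 1] needs only clipping to be normalized; the sample passwords and the initial trust value are constructed. One practical caveat: the type overlap can only be computed where the real password's character set is available to the verifier, which a salted password hash does not provide.

```python
"""Login-behaviour anomaly index and target trust value (step S102).

Added illustration, not code from the patent or its applicant. Assumptions:
  * a "character type" is read as a distinct character of the password;
  * "inverse-proportion normalization" of the attempt count is 1 / count;
  * the product of two values in [0, 1] is already in range, so it is clipped
    rather than rescaled.
"""
from __future__ import annotations

from statistics import fmean


def char_types(password: str) -> set[str]:
    """Character types of a password; here its distinct characters (assumption)."""
    return set(password)


def initial_credibility(candidate: str, real: str) -> float:
    """Share of the real password's character types that also occur in the candidate."""
    real_types = char_types(real)
    if not real_types:
        raise ValueError("real password must not be empty")
    same = len(char_types(candidate) & real_types)   # number of same types
    return same / len(real_types)                    # divided by the target number


def password_credibility(attempts: list[str], real: str) -> float:
    """Mean initial credibility over every login attempt of the session."""
    if not attempts:
        raise ValueError("at least one login attempt is required")
    return fmean([initial_credibility(a, real) for a in attempts])


def anomaly_impact_factor(login_count: int) -> float:
    """Inverse-proportion normalization of the attempt count (assumed form 1/n)."""
    if login_count < 1:
        raise ValueError("login_count must be >= 1")
    return 1.0 / login_count


def login_anomaly_index(attempts: list[str], real: str) -> float:
    """Normalized product of password credibility and anomaly impact factor.

    Direction: 1.0 is a clean login (correct password at the first attempt);
    smaller values mean more anomalous behaviour.
    """
    value = password_credibility(attempts, real) * anomaly_impact_factor(len(attempts))
    return min(1.0, max(0.0, value))


def target_trust_value(initial_trust: float, attempts: list[str], real: str) -> float:
    """Weight the initial trust value by the login-behaviour anomaly index."""
    return initial_trust * login_anomaly_index(attempts, real)


if __name__ == "__main__":
    REAL = "S3cure!"                      # constructed sample, not a real credential
    clean = ["S3cure!"]                   # correct on the first attempt
    messy = ["s3cure!", "S3cure!"]        # wrong case first, then correct
    for session in (clean, messy):
        print(session,
              round(login_anomaly_index(session, REAL), 4),
              round(target_trust_value(80.0, session, REAL), 2))
```

With the constructed data the clean session keeps the full initial trust value, while the two-attempt session shares 6 of the 7 character types on its first try and is then halved by the 1/2 attempt factor, so its target trust value is less than half of the initial one; the attempt count dominates the penalty.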
S103: determining the operable authority types of the subject on the object according to the first security level and the second security level, and dividing the target trust value according to the operable authority types to obtain authority value regions.
An operation authority type is a kind of operation authority that the subject may exercise on the object. In the BLP model used here, the operation authorities ordered from high to low are: readable and non-writable (read-only), readable and writable (read-write), writable and non-readable (write-only), and non-readable and non-writable (no access). The operation authority types comprise these four.
Further, in some embodiments, determining the operable authority types of the subject on the object according to the first security level and the second security level comprises: combining the two levels according to a preset security level matching rule to obtain the operation authority of the subject on the object, and taking every operation authority not higher than it as the operable authority types.
In some embodiments, the operation authority for each combination of first security level and second security level may be preset, and the operable authority types are then derived from it. For example, when the subject has first security level 5 and the object has second security level 3, the pair (level 5 subject, level 3 object) is matched against the preset rule, which may yield the readable and non-writable authority; all operation authorities not higher than readable and non-writable (read-only, read-write, write-only and no access) then form the operable authority types of a level-5 subject on a level-3 object.
In other embodiments, the operable authority types of subjects at each first security level on objects at each second security level may be preset directly. Because the security requirements of different data differ, and because factors such as which objects the subject has accessed and its other records may also affect the operable authority types, these types may be preset and adjusted according to the actual situation; the embodiments do not limit this.
Once the operable authority types are determined, access is managed according to them. In the traditional BLP model the rule is "read down, write up": a subject at a low security level may write without restriction to an object at a higher level, and a subject at a high security level may read without restriction from an object at a lower level. With the large read and write volumes of industrial Internet identification data, unrestricted writing up makes large-scale or malicious writes possible and lowers the accuracy of the data, and unrestricted reading down means a low-level object is read so widely that its security level no longer provides any confidentiality: its data becomes, in effect, public, which defeats the purpose of assigning security levels. High-level subjects therefore need to be bounded as well. The invention combines the subject's target trust value with its access time to the object to impose an access limit, which avoids the data security problems caused by large-scale writing and large-scale reading; see the following embodiments.
Further, in some embodiments, dividing the target trust value according to the operable authority types to obtain the authority value regions comprises: taking the segment from the target trust value down to 0 as the trust value segment; obtaining the number of operable authority types and subtracting one to obtain the number of subsections; dividing the trust value segment into that number of trust value subsections, assigning an operation authority to each subsection in order from highest to lowest, and taking the numerical range of each subsection as the authority value region of its operation authority.
In the embodiment, a trust value decay mechanism is set up and the target trust value is bound to the operation authorities, so that the decay mechanism bounds otherwise unlimited reading and writing. The invention uses access time as the decay factor of this mechanism.
The segment from the target trust value down to 0 is taken as the trust value segment over which the trust value decays. To know which operation authority applies as the value decays, each operation authority among the operable authority types is allocated its own region of the segment: once the trust value has decayed into a given region, the corresponding operation authority is what the subject may exercise.
The non-readable and non-writable authority means the subject's access to the object has ended, and it is the authority that applies when the trust value has decayed to 0. It therefore needs no region of its own: with 3 operable authority types there are 2 trust value regions, with 2 types there is 1, and in general the number of subsections is the number of types minus one. The trust value segment is divided into that many subsections.
Further, in some embodiments, dividing the trust value segment according to the number of subsections comprises dividing it equally into that number of trust value subsections.
In other embodiments, weights may be configured for the different operation authorities and the subsections sized by those weights; this is not limited.
The embodiment takes equal division as the concrete example: the trust value segment is divided into the number of subsections, the operation authorities are assigned to the subsections in order from highest to lowest, and the numerical range of each subsection becomes the authority value region of its operation authority. In this way, when a subject accesses an object, the authority value region of each operation authority is known, and the decayed operation authority can be read off from those regions.
S104: adjusting the target trust value according to the data access time of the subject to the object at any time point to obtain an adjusted trust value; and determining the operation authority of the subject on the object at each time point according to the adjusted trust value at that time point and the authority value regions.
In the embodiment, the data access time of the subject to the object is the variable that drives trust value decay: the longer the access has lasted, the more the trust value has decayed and the lower the corresponding operation authority, until no read or write operation is possible.
Further, in some embodiments, adjusting the target trust value according to the data access time at a time point comprises: calculating the product of the data access time at that time point and a preset trust value decay coefficient as the trust decay value; and taking the difference between the target trust value and the corresponding trust decay value as the adjusted trust value.
The preset decay coefficient is the amount by which the trust value decays per unit time. In the embodiment it is 10 and the unit time is 30 seconds, i.e. the trust value decays by 10 every 30 seconds. Given the data access time of the subject to the object, the ratio of the access time to 30 seconds is computed and multiplied by 10 to give the trust decay value; the adjusted trust value is then the target trust value minus that trust decay value. In short: adjusted trust value = target trust value - 10 * (access time / 30 s).
Further, in some embodiments, determining the operation authority of the subject on the object at a time point according to the adjusted trust value and the authority value regions comprises: determining the authority value region to which the adjusted trust value at that time point belongs as the adjusted value region, and taking the operation authority corresponding to the adjusted value region as the operation authority of the subject on the object at that time point.
At successive time points the adjusted trust value changes, i.e. decreases gradually, and the operation authority at each time point follows that decrease until the adjusted trust value reaches 0. The operation authority is then non-readable and non-writable, meaning the access has ended and the subject has no read or write authority on the object; this avoids the security problems caused by unlimited reading and unlimited writing.
For example, suppose the operable authority types of the subject on the object are readable and non-writable, readable and writable, and writable and non-readable (with non-readable and non-writable applying once the trust value reaches 0). Fig. 2 is a schematic diagram of the access process in an embodiment. When the subject's access to the object begins, the operation authority is readable and non-writable; as the data access time grows, the trust value falls and the authority passes to readable and writable, then to writable and non-readable, until the trust value reaches 0, at which point the system automatically determines that the access has ended. In this way a high-level subject can still read and write a low-level object in both directions, while the access period is bounded, avoiding the data security problems of unlimited reading and unlimited writing.
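Steps S103 and S104 together, as an added Python example (not code from the patent or its applicant): matching the security levels to an operation authority, deriving the operable authority types, splitting the trust value segment into regions, and decaying the trust value with access time. It assumes a small hypothetical matching table LEVEL_RULE holding the (level 5, level 3) case from the description with BLP read-down/write-up as the default for other pairs, equal division of the trust value segment, the 10-per-30-seconds decay figures quoted above, and that a value lying exactly on a region boundary belongs to the lower-authority region while a value of 0 or below ends the access. The trust values and access times are constructed.

```python
"""Operable authority types, trust-value regions and access-time decay (S103/S104).

Added illustration, not code from the patent or its applicant. Assumptions:
  * the preset security-level matching rule is the small table LEVEL_RULE below;
  * regions are closed on the high side: a value exactly on a boundary belongs to
    the lower-authority region, and a value <= 0 ends the access;
  * decay coefficient 10 per 30-second unit, the figures quoted in the description.
"""
from __future__ import annotations

from dataclasses import dataclass

# Operation authorities from highest to lowest, as ordered in the description.
AUTHORITIES = ("read-only", "read-write", "write-only", "none")

# Hypothetical matching rule: (subject level, object level) -> highest authority.
# Only the pair used in the description's example is filled in; other pairs fall
# back to the BLP directions (read down, write up), which is an assumption.
LEVEL_RULE = {(5, 3): "read-only"}


def highest_authority(subject_level: int, object_level: int) -> str:
    """Operation authority obtained from the (assumed) security-level matching rule."""
    if (subject_level, object_level) in LEVEL_RULE:
        return LEVEL_RULE[(subject_level, object_level)]
    if subject_level > object_level:
        return "read-only"          # read down
    if subject_level < object_level:
        return "write-only"         # write up
    return "read-write"


def operable_types(subject_level: int, object_level: int) -> tuple[str, ...]:
    """All authorities not higher than the matched one; always ends with 'none'."""
    top = AUTHORITIES.index(highest_authority(subject_level, object_level))
    return AUTHORITIES[top:]


@dataclass(frozen=True)
class Region:
    low: float          # exclusive lower bound of the trust-value subsection
    high: float         # inclusive upper bound
    authority: str


def authority_regions(target_trust: float, types: tuple[str, ...]) -> list[Region]:
    """Split (0, target_trust] into len(types)-1 equal subsections, highest authority first."""
    if len(types) < 2 or types[-1] != "none":
        raise ValueError("types must end with 'none' and contain at least one other authority")
    n = len(types) - 1                       # 'none' applies at 0 and needs no region
    width = target_trust / n
    return [Region(target_trust - (i + 1) * width, target_trust - i * width, types[i])
            for i in range(n)]


def adjusted_trust(target_trust: float, access_seconds: float,
                   coefficient: float = 10.0, unit_seconds: float = 30.0) -> float:
    """Linear decay: target minus coefficient * (elapsed access time / unit time)."""
    return target_trust - coefficient * (access_seconds / unit_seconds)


def authority_at(target_trust: float, types: tuple[str, ...], access_seconds: float) -> str:
    """Operation authority in force after access_seconds of access."""
    value = adjusted_trust(target_trust, access_seconds)
    if value <= 0:
        return "none"                        # trust exhausted: access has ended
    for region in authority_regions(target_trust, types):
        if region.low < value <= region.high:
            return region.authority
    return "none"                            # not reached for 0 < value <= target


if __name__ == "__main__":
    types = operable_types(5, 3)             # read-only .. none: three decay regions
    for t in (0, 60, 90, 150, 180):          # constructed access durations in seconds
        print(f"t={t:3d}s trust={adjusted_trust(60.0, t):5.1f} -> {authority_at(60.0, types, t)}")
```

With a target trust value of 60 and four operable types, the regions are (40, 60] read-only, (20, 40] read-write and (0, 20] write-only, so a session that starts read-only becomes read-write after a minute, write-only after 150 seconds and is closed after three minutes. A level-3 subject on a level-5 object gets only write-only and none, i.e. a single region that simply times out.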
According to the method, the initial trust value of a data access request is determined from the subject's security level, the object's security level and the object's historical accessed record: the level difference between subject and object is analysed and a trust value is assigned to the access, which keeps the initial trust value accurate. The subject's login behaviour is then analysed for its degree of anomaly, covering both password accuracy and the number of login attempts; the login behaviour anomaly index captures this degree objectively and accurately, and combining it with the initial trust value gives the target trust value for that login. Because the object's historical accessed record and the subject's login behaviour may differ from one occasion to the next, the target trust value changes accordingly, i.e. it is adjusted to the real-time access conditions, which keeps it reliable.
The operable authority types of the subject on the object are analysed and the authority value regions determined, so that the subject's data access time, the target trust value and the authority value regions can be combined to adjust the subject's operation authority. This avoids the data security problems that unlimited reading and unlimited writing cause in the traditional BLP model, isolates and protects access to industrial Internet identification data, provides finer-grained control of data access authority, coordinates the access control policy, improves the security of industrial Internet identification data and protects the confidentiality of sensitive information.
It should be noted that: the sequence of the embodiments of the present invention is only for description, and does not represent the advantages and disadvantages of the embodiments. The processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.

Claims (8)

1. A method for secure access to industrial Internet identification data, wherein the user account initiating access is the subject and the industrial Internet identification data is the object to be accessed, the method comprising:
acquiring a data access request, and extracting from it the subject, the first security level of the subject, the object and the second security level of the object; acquiring the historical accessed record of the object; determining an initial trust value of the data access request according to the first security level, the second security level and the historical accessed record of the object;
obtaining the number of login attempts of the subject during login and the password to be verified entered at each attempt, determining a login behaviour anomaly index of the subject according to the difference between each password to be verified and the real password and the number of login attempts, and updating the initial trust value according to the login behaviour anomaly index to obtain a target trust value;
determining the operable authority types of the subject on the object according to the first security level and the second security level, and dividing the target trust value according to the operable authority types to obtain authority value regions;
adjusting the target trust value according to the data access time of the subject to the object at any time point to obtain an adjusted trust value; determining the operation authority of the subject on the object at each time point according to the adjusted trust value at that time point and the authority value regions, wherein the operation authority types comprise readable and non-writable, readable and writable, writable and non-readable, and non-readable and non-writable;
wherein adjusting the target trust value according to the data access time of the subject to the object at any time point to obtain the adjusted trust value comprises:
calculating the product of the data access time of the subject to the object at that time point and a preset trust value decay coefficient as a trust decay value, the time point being a moment during the subject's access to the object and the data access time being the duration of the subject's access to the object up to that moment;
taking the difference between the target trust value and the corresponding trust decay value as the adjusted trust value;
and wherein determining the operation authority of the subject on the object at each time point according to the adjusted trust value and the authority value regions comprises:
determining the authority value region to which the adjusted trust value at any time point belongs as the adjusted value region, and taking the operation authority corresponding to the adjusted value region as the operation authority of the subject on the object at that time point.
2. The method of claim 1, wherein determining the initial trust value of the data access request according to the first security level, the second security level and the historical accessed record of the object comprises:
counting, from the historical accessed record of the object, the number of times the object has been accessed, and calculating the normalized value of that count as a time influence coefficient;
determining a security level influence coefficient according to the difference between the first security level and the second security level;
calculating the product of the time influence coefficient and the security level influence coefficient, and mapping the product to a preset numerical range to obtain the initial trust value.
3. The method of claim 2, wherein determining the security level influence coefficient according to the difference between the first security level and the second security level comprises:
calculating the difference between the first security level and the second security level as the security level difference;
performing inverse-proportion normalization on the security level difference to obtain the security level influence coefficient.
4. The method of claim 1, wherein determining the login behaviour anomaly index of the subject according to the difference between the password to be verified and the real password and the number of login attempts comprises:
taking the character types in the password to be verified as the character types to be verified, and the character types in the real password as the real character types;
counting the character types to be verified that are also among the real character types to obtain the number of same types, and taking the total number of real character types as the target number;
taking the ratio of the number of same types to the target number as the initial credibility of the corresponding password to be verified, and taking the average of the initial credibility over all login attempts as the password credibility;
performing inverse-proportion normalization on the number of login attempts to obtain an anomaly impact factor;
calculating the normalized value of the product of the password credibility and the anomaly impact factor as the login behaviour anomaly index.
5. The method of claim 1, wherein updating the initial trust value according to the login behaviour anomaly index to obtain the target trust value comprises:
calculating the product of the login behaviour anomaly index and the initial trust value as the target trust value.
6. The method of claim 1, wherein the operation authorities from high to low are readable and non-writable, readable and writable, writable and non-readable, and non-readable and non-writable, and wherein determining the operable authority types of the subject on the object according to the first security level and the second security level comprises:
combining the first security level and the second security level according to a preset security level matching rule to obtain the operation authority of the subject on the object, and taking every operation authority not higher than that operation authority as the operable authority types.
7. The method of claim 6, wherein dividing the target trust value according to the operable authority types to obtain the authority value regions comprises:
taking the segment from the target trust value down to 0 as the trust value segment;
obtaining the number of operable authority types and subtracting one to obtain the number of subsections;
dividing the trust value segment into that number of trust value subsections, assigning an operation authority to each subsection in order from highest to lowest authority, and taking the numerical range of each subsection as the authority value region of its operation authority.
8. The method of claim 7, wherein dividing the trust value segment into trust value subsections according to the number of subsections comprises:
dividing the trust value segment equally into the number of subsections.
CN202311203287.3A 2023-09-19 2023-09-19 Industrial Internet identification data security access method Active CN116933324B (en)

Publications (2)

Publication Number Publication Date
CN116933324A CN116933324A (en) 2023-10-24
CN116933324B true CN116933324B (en) 2023-12-05

Family

ID=88390107

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2169588A1 (en) * 2008-09-24 2010-03-31 EADS Deutschland GmbH Method for guaranteeing safety
CN101984627A (en) * 2010-11-12 2011-03-09 北京工业大学 Method for mapping authority in access control based on trust
CN103873482A (en) * 2014-03-31 2014-06-18 北京工业大学 Method for direct trust value calculation based on historical mutual information
CN111787050A (en) * 2020-05-15 2020-10-16 华南师范大学 Method, system and device for analyzing login abnormal behavior
CN113255000A (en) * 2021-06-04 2021-08-13 曙光信息产业(北京)有限公司 Data access control method and device, electronic equipment and readable storage medium
CN115242546A (en) * 2022-09-15 2022-10-25 浙江中控技术股份有限公司 Industrial control system access control method based on zero trust architecture
CN115941252A (en) * 2022-10-17 2023-04-07 国网浙江省电力有限公司桐乡市供电公司 MQTT dynamic access control method based on trust calculation
CN116436683A (en) * 2023-04-27 2023-07-14 国网江苏省电力有限公司 Zero-trust power network equipment access security trust evaluation method and device
CN116527317A (en) * 2023-03-24 2023-08-01 北京电子科技学院 Access control method, system and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7877469B2 (en) * 2006-02-01 2011-01-25 Samsung Electronics Co., Ltd. Authentication and authorization for simple network management protocol (SNMP)
US8272033B2 (en) * 2006-12-21 2012-09-18 International Business Machines Corporation User authentication for detecting and controlling fraudulent login behavior
WO2015123678A1 (en) * 2014-02-14 2015-08-20 Intertrust Technologies Corporation Network security systems and methods

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Yu Sheng; Zhu Lu; Shen Changxiang. Multilevel security model (多级安全模型). Computer Engineering and Design (计算机工程与设计) (13): 7-10+18 *
Zhang Haijuan; Fu Zhengfang; Luo Qin; Wu Qian. Research and implementation of a mandatory access control model (强制访问控制模型研究与实现). Computer Engineering and Design (计算机工程与设计) (03): 81-83 *
Zhu Dali; Yang Ying; Jin Hao; Shao Jing; Feng Weimiao. An improved BLP model for mobile Web operating systems and its application (面向移动Web操作系统的BLP改进模型及应用). Journal of Cyber Security (信息安全学报) (04): 17-30 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Industrial Internet Identity Data Security Access Method

Granted publication date: 20231205

Pledgee: Jining Rural Commercial Bank Co.,Ltd.

Pledgor: Zhilian Xintong Technology Co.,Ltd.

Registration number: Y2024980004597