CN117349883A - Data access management method and system based on block chain - Google Patents


Publication number: CN117349883A
Authority: CN (China)
Prior art keywords: access, user, data, level, blockchain
Legal status: Pending
Application number: CN202311299924.1A
Other languages: Chinese (zh)
Inventor: 张佳昕
Current Assignee: Bozhou Zuorenzai Information Technology Co ltd
Original Assignee: Bozhou Zuorenzai Information Technology Co ltd

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches, based on the proximity to a decision surface, e.g. support vector machines
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

A blockchain-based data access management method and system, the method comprising the following steps: performing requirements analysis and system design, wherein the requirements analysis comprises determining the goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design comprises selecting a blockchain platform and designing smart contracts; encrypting data according to the designed system and determining the user group that accesses the data; performing identity verification on the user group and setting access control; and auditing the data access records and monitoring them in real time. Using blockchain technology, the invention allows a decentralized access control system to be established, eliminating the single points of failure and the risks of traditional centralized authorization management and thereby improving the availability and security of the system. The blockchain provides tamper-proof audit records, which improves transparency; access management becomes more efficient, human error and delay are reduced, and an encryption algorithm protects the privacy of the data.

Description

Data access management method and system based on block chain
Technical Field
The invention belongs to the technical field of data access management, and particularly relates to a data access management method and system based on a block chain.
Background
With the development of science and technology, preventing the disclosure of sensitive data remains an important problem, especially when employees work remotely and access data from mobile devices. Rights are often allocated improperly inside an organization, so that some users have excessive access rights while others may not have enough, which can lead to data disclosure, abuse and insider threats. With the continuing release of privacy regulations, organizations need to process user data more strictly and ensure that compliance requirements are met, which calls for stronger access management control. Compared with a traditional network, a blockchain has two core characteristics: first, its data is difficult to tamper with; second, it is decentralized. Because of these two characteristics, the information recorded on a blockchain is more authentic and reliable. Given the reliability and security of blockchain technology, when data of higher confidentiality is involved, a data access management system needs to be built on blockchain technology, and key matching is performed when a user accesses the database in order to reduce access risk. Existing blockchain-based management systems can keep out illegitimate users and, by fixing the access records, can prevent illegitimate visitors from erasing those records to avoid discovery. However, this approach cannot evaluate the access risk posed by legitimate visitors, and the risk of important data being leaked by legitimate visitors is also considerable.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section as well as in the description summary and in the title of the application, to avoid obscuring the purpose of this section, the description summary and the title of the invention, which should not be used to limit the scope of the invention.
The present invention has been developed in view of the above-described or existing problems of data access in which there is a risk of sensitive data leakage, lack of reliability and security.
In order to solve the technical problems, the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a blockchain-based data access management method, comprising: performing requirements analysis and system design, wherein the requirements analysis comprises determining the goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design comprises selecting a blockchain platform and designing smart contracts; encrypting data according to the designed system and determining the user group that accesses the data; performing identity verification on the user group and setting access control; and auditing the data access records and monitoring them in real time.
As a preferred scheme of the blockchain-based data access management method of the invention, performing requirements analysis and system design specifically comprises: using blockchain technology to ensure that data is not tampered with or damaged during storage and transmission, so that users can trust the accuracy and integrity of the data; improving the security of the data so that authorized users are able to access sensitive data, which helps to prevent data leakage and unauthorized access; simplifying data authorization management so that the data owner or administrator can easily define and modify users' access rights without complicated manual operations; and performing user authentication, data encryption and authorization management through Hyperledger Fabric.
As a preferred scheme of the blockchain-based data access management method of the invention, encrypting data according to the designed system and determining the user group that accesses the data comprises: selecting a symmetric encryption algorithm to protect the confidentiality of the data, and using a hardware security module to protect the key so that key storage and transmission are secure; performing encryption during data storage and transmission so that the data remains confidential in the event of unauthorized access; and implementing an identity verification mechanism to ensure that legitimate users can access the data. Users with different identities are identified by biometric features, and a different shade of red is displayed during identification: dark red represents the highest access authority level a, red represents the ordinary access authority level b, and light red represents the lowest access authority level c. Dynamic authorization is performed according to the user's access authority level.
As a preferred scheme of the blockchain-based data access management method of the invention, performing identity verification on the user group and setting access control comprises: digital identity verification based on public-key cryptography, which ensures that only legitimate users can connect to the blockchain network; after the user's identity is verified, if the user's identity is the lowest access authority level c, no further in-depth access rights are granted to the user and the access is terminated; if the user's identity is access authority level b, the user obtains further in-depth access rights and is granted first-level access rights; if the user's identity is the highest access authority level a, the user obtains further in-depth access rights and is granted second-level access rights.
As a preferred scheme of the blockchain-based data access management method of the invention, setting access control further comprises: setting the level experience threshold of the accessing user to 5 years and the reputation threshold of the accessing user to 90. If the user has obtained first-level access rights and the level experience is less than five years, the user cannot obtain second-level access rights; if the user has obtained first-level access rights and the level experience is not less than five years, the user obtains second-level access rights; if the user has obtained first-level access rights and the reputation is less than 90, the user cannot obtain second-level access rights; if the user has obtained first-level access rights and the reputation is not less than 90, the user obtains second-level access rights.
As a preferred scheme of the blockchain-based data access management method of the invention, setting access control further comprises: constructing and training a support vector machine model and inputting the first-level and second-level access right feature vectors into the model; the support vector machine model returns a real value, a threshold is set, and the output of the model is made binary, where 00000001 indicates that the access time is not limited and 00000010 indicates that the access time is limited. If the output value for a user with first-level access rights is 00000001, the user can access during working hours on working days and on weekend rest days; if the output value for a user with first-level access rights is 00000010, the user can access only during working hours on working days; if the output value for a user with second-level access rights is 00000001, the user can access around the clock in real time and in an emergency; if the output value for a user with second-level access rights is 00000010, the user can access only around the clock in real time. The support vector machine model is then trained again, and the feature vectors of users whose first-level access time is not limited are input into the model; the model returns a real value, a threshold is set, and the output of the model is made binary, where 00000011 indicates that the number of accesses may exceed two and 00000100 indicates that the number of accesses is within two. If the output value for a user whose first-level access time is not limited is 00000011, the user can access on holidays and the number of accesses may exceed two; if the output value for such a user is 00000100, the user can access only on weekend rest days and the number of accesses is not more than two. If the number of accesses of a user with first-level access rights exceeds two, each access falls between 8 a.m. and 7 p.m. and lasts no more than eight hours; if the number of accesses of a user with first-level access rights does not exceed two, each access falls between 8 a.m. and 12 noon or between 12 noon and 7 p.m. and lasts no more than four hours.
As a preferred scheme of the blockchain-based data access management method of the invention, auditing the data access records and monitoring them in real time comprises: for each data access event, recording a timestamp, the user identity, the accessed data object, the access operation, the access result and the access source information. The access records should be stored securely to prevent unauthorized access and tampering; blockchain technology or a secure audit log storage system is used to make the data tamper-proof; a retention period for the access records is determined; and the access records are audited periodically to check for abnormal activity or unauthorized access attempts. Real-time alarm rules are set so that an alarm is triggered as soon as abnormal activity is detected: if someone makes multiple invalid access attempts or accesses sensitive data, the system should raise the alarm immediately. Dashboards and reports are created to visualize the monitored data access activity and help administrators identify potential problems quickly. Automated response mechanisms are configured to act automatically when a security event occurs, such as suspending user accounts, locking access rights or triggering further scrutiny. The data sources to be monitored are determined, including operating system logs, application logs, network traffic, database activity and so on, and these sources are integrated to obtain a comprehensive monitoring view. When a security threat is detected, isolation and quarantine action is taken immediately to prevent further harm.
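The audit record and the repeated-invalid-access alarm described above can be sketched as a hash-chained log. This is an added example, not code from the patent: the field names, the "denied" result value, the three-failures-in-300-seconds rule and the sample records are assumptions made for illustration.

```python
import hashlib
import json
from collections import defaultdict, deque

GENESIS = "0" * 64
# The six items the page says every access record carries (names assumed).
FIELDS = ("timestamp", "user", "data_object", "operation", "result", "source")


def _digest(prev_hash, record):
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Append one access record, linking it to the previous entry's hash."""
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev_hash,
             "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return the index of the first altered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def head_hash(chain):
    # Trailing entries can be deleted without breaking the links, so the head
    # hash must also be kept somewhere the log writer cannot change.
    return chain[-1]["hash"] if chain else GENESIS


def failed_access_alerts(chain, max_failures=3, window_s=300):
    """Alert when one user has max_failures denied accesses within window_s seconds."""
    recent = defaultdict(deque)
    alerts = []
    for entry in chain:
        r = entry["record"]
        if r["result"] != "denied":
            continue
        q = recent[r["user"]]
        q.append(r["timestamp"])
        while q and r["timestamp"] - q[0] > window_s:
            q.popleft()
        if len(q) >= max_failures:
            alerts.append((r["user"], r["timestamp"], len(q)))
    return alerts


def build_sample_chain():
    """Constructed sample records (epoch-style seconds, made-up identifiers)."""
    rows = [
        (900, "u-staff-02", "report.q3", "read", "granted", "10.0.0.12"),
        (1000, "u-guest-17", "payroll.db", "read", "denied", "10.0.0.40"),
        (1060, "u-guest-17", "payroll.db", "read", "denied", "10.0.0.40"),
        (1120, "u-guest-17", "payroll.db", "write", "denied", "10.0.0.40"),
        (1300, "u-staff-02", "report.q3", "write", "granted", "10.0.0.12"),
    ]
    chain = []
    for row in rows:
        append_record(chain, dict(zip(FIELDS, row)))
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("first bad entry:", verify_chain(log))
    print("alerts:", failed_access_alerts(log))
    log[1]["record"]["result"] = "granted"  # simulate an edited record
    print("first bad entry after edit:", verify_chain(log))
```

Editing any stored record changes its digest, so verification reports the index of the first entry that no longer matches.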
In a second aspect, embodiments of the present invention provide a blockchain-based data access management system that includes: an analysis and design module for performing requirements analysis and system design, the requirements analysis including determining the goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design including selecting a blockchain platform and designing smart contracts; a data encryption module for encrypting the data according to the designed system and determining the user group that accesses the data; a verification control module for performing identity verification on the user group and setting access control; and an audit monitoring module for auditing the data access records and monitoring them in real time.
In a third aspect, embodiments of the present invention provide a computer apparatus comprising a memory and a processor, the memory storing a computer program, wherein: the processor, when executing the computer program, implements any of the steps of the blockchain-based data access management method described above.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon, wherein: the computer program, when executed by a processor, performs any of the steps of the blockchain-based data access management method described above.
Compared with the prior art, the invention has the following beneficial effects. The blockchain technology of the invention allows a decentralized access control system to be established, eliminating the single points of failure and the risks of traditional centralized authorization management; there is no need to rely on a single authorization management server, which improves the availability and security of the system. The blockchain provides tamper-proof audit records: all access and authorization events are recorded on the blockchain and anyone can inspect the records, which improves transparency and helps to detect and prevent unauthorized access. Smart contracts on the blockchain can execute access control policies automatically, without an intermediary, so access management becomes more efficient and human error and delay are reduced. An encryption algorithm protects the privacy of the data: only authorized users can decrypt and access the data, which improves its confidentiality. Users gain more control over their own data and access rights and can manage and authorize other people's access to their data more flexibly, which strengthens personal privacy protection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
FIG. 1 is a flowchart of a blockchain-based data access management method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a blockchain-based data access management system according to an embodiment of the present invention.
FIG. 3 is an internal block diagram of a computer device of a blockchain-based data access management method and system according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1 to 2, a first embodiment of the present invention provides a data access management method based on a blockchain, including:
S1: Requirements analysis and system design are performed.
Preferably, the requirements analysis includes determining the goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design includes selecting a blockchain platform and designing smart contracts.
Furthermore, blockchain technology is used to ensure that data is not tampered with or damaged during storage and transmission, so that users can trust the accuracy and integrity of the data; the security of the data is improved so that authorized users are able to access sensitive data, which helps to prevent data leakage and unauthorized access; data authorization management is simplified so that the data owner or administrator can easily define and modify users' access rights without complicated manual operations; user authentication, data encryption and authorization management are performed through Hyperledger Fabric.
Further, an administrator is allowed to select the specific data objects, resources or files that a user may access, for example from a list of resource directories or folders. When a user's rights level or access scope is changed by the data owner or administrator, the system should update these rights automatically without manual intervention, which may be accomplished through access policies and rules. Access policy templates are provided to simplify rights settings: an administrator may select a predefined policy template, such as "read only access", "edit access" or "manage access", without having to configure each user's rights manually. Roles or organizations can be created and managed, users assigned to them, and permissions defined for them; these permissions are assigned or revoked automatically when users join or leave an organization.
S2: the data is encrypted and a community of users accessing the data is determined according to the designed system.
Preferably, a symmetric encryption algorithm is selected to protect the confidentiality of the data, and a hardware security module is used to protect the key so that key storage and transmission are secure; encryption is performed during data storage and transmission so that the data remains confidential in the event of unauthorized access.
Preferably, an identity verification mechanism is implemented to ensure that legitimate users can access the data. Users with different identities are identified by biometric features, and a different shade of red is displayed during identification: dark red represents the highest access authority level a, red represents the ordinary access authority level b, and light red represents the lowest access authority level c. Dynamic authorization is performed according to the user's access authority level.
Further, level-a users hold the highest authority: they are administrators or advanced users with special privileges, responsible for system configuration, user management, auditing and other sensitive operations, and the identity assigned to them may be "administrator" or "advanced user". Level-b users have standard ordinary access rights and can perform routine operations but not sensitive or management operations; they are ordinary system users and are assigned the identity "ordinary user". Level-c users have only the lowest access rights and can perform only limited operations, such as read-only operations; they are external guests or very limited users, and the identity assigned to them may be "guest" or "limited user".
S3: Identity verification is performed on the user group and access control is set.
Preferably, digital identity verification based on public-key cryptography ensures that only legitimate users can connect to the blockchain network; after the user's identity is verified, if the user's identity is the lowest access authority level c, no further in-depth access rights are granted to the user and the access is terminated; if the user's identity is access authority level b, the user obtains further in-depth access rights and is granted first-level access rights; if the user's identity is the highest access authority level a, the user obtains further in-depth access rights and is granted second-level access rights.
Further, if users marked red or dark red attempt to access information in the test environment and are identified by biometric identification, the system records the access records of these red-marked users, including the access timestamp, the accessed data object, the access operation and the access result; it monitors their access flow, including how they browse, view or modify the information; and it monitors their access time in real time to ensure that they access the data only during the allowed period.
Further, the system detects and identifies abnormal behavior of red-marked users. If a user is detected attempting to access unauthorized data or to modify sensitive information, an alarm is triggered immediately and the security team or administrator is notified; the security team or administrator investigates the triggered alarm further and analyzes the access records and behavior of the red-marked user to judge whether a security threat exists.
Further, if the records and behavior of a red-marked user indicate a security threat, the user is placed under long-term close attention: it is checked whether the user's access records match the user's function, whether the user accesses only authorized resources and data objects, and whether any unauthorized access exists; whether the user's access frequency is consistent with the user's responsibilities; and whether the user's access operations match those responsibilities, for example, a user with read-only rights should perform no write or modify operations. If long-term attention and review show that the red-marked user poses a security threat, the user account is suspended, access rights are restricted and the affected systems are isolated; if the red-marked user poses no security threat, higher access rights are opened to the user.
Further, for level-a users the second-level access rights are expanded further: they are allowed to configure system settings and to access advanced management tools and functions; they are given advanced data analysis tools and the ability to generate detailed reports to help them understand the data better; they are allowed to create and manage custom workflows to meet organization-specific needs; and they are allowed to access more data sources and resources to support wider business needs. The system should be able to control and monitor users' rights in real time to accommodate changes in their needs and behavior, and should adjust their access rights immediately if their rights level changes.
Preferably, the level experience threshold of the accessing user is set to 5 years and the reputation threshold of the accessing user is set to 90. If the user has obtained first-level access rights and the level experience is less than five years, the user cannot obtain second-level access rights; if the user has obtained first-level access rights and the level experience is not less than five years, the user obtains second-level access rights; if the user has obtained first-level access rights and the reputation is less than 90, the user cannot obtain second-level access rights; if the user has obtained first-level access rights and the reputation is not less than 90, the user obtains second-level access rights.
Further, the system can automatically evaluate the user's level experience and reputation and authorize automatically according to the set thresholds. If a user's experience exceeds 5 years but the reputation falls below the threshold, the system can reduce the user's permission level; if the user is downgraded to first-level access rights, the system may provide feedback and advice to help the user improve experience and reputation and so obtain a higher level of rights.
Preferably, a support vector machine model is built and trained, and the first-level and second-level access right feature vectors are input into the model; the support vector machine model returns a real value, a threshold is set, and the output of the model is made binary, where 00000001 indicates that the access time is not limited and 00000010 indicates that the access time is limited. If the output value for a user with first-level access rights is 00000001, the user can access during working hours on working days and on weekend rest days; if the output value for a user with first-level access rights is 00000010, the user can access only during working hours on working days; if the output value for a user with second-level access rights is 00000001, the user can access around the clock in real time and in an emergency; if the output value for a user with second-level access rights is 00000010, the user can access only around the clock in real time. The support vector machine model is then trained again, and the feature vectors of users whose first-level access time is not limited are input into the model; the model returns a real value, a threshold is set, and the output of the model is made binary, where 00000011 indicates that the number of accesses may exceed two and 00000100 indicates that the number of accesses is within two. If the output value for a user whose first-level access time is not limited is 00000011, the user can access on holidays and the number of accesses may exceed two; if the output value for such a user is 00000100, the user can access only on weekend rest days and the number of accesses is not more than two. If the number of accesses of a user with first-level access rights exceeds two, each access falls between 8 a.m. and 7 p.m. and lasts no more than eight hours; if the number of accesses of a user with first-level access rights does not exceed two, each access falls between 8 a.m. and 12 noon or between 12 noon and 7 p.m. and lasts no more than four hours.
Furthermore, if an investigation of the working-day access records finds that the user's access address is a commonly used safe address, that the access time falls within working hours on a working day, and that the access frequency is normal, the user's access during the two-day weekend still needs to be further confirmed. If the log of a holiday shows an IP address frequently attempting to log in to the company's core server in the early morning, and further investigation finds that the IP address does not belong to any known staff of the company and that its access behavior includes multiple failed login attempts, the user may pose a security threat; the identity is treated as suspicious and needs to be further confirmed.
Further, a further access channel is set up for users whose access identity is suspicious, and the identity is confirmed by letting the user access outdated information. If the user exhibits the following behaviors: downloading or exporting outdated information on a large scale to obtain a large amount of data; logging in repeatedly with invalid credentials or passwords, so that the system may record multiple login-failure events; using a proxy server or other means to hide their true identity and location; accessing information at an abnormally fast rate and logging in from multiple geographic locations; then the user can be determined to be a suspicious user, and access restrictions are set to deny further access. Otherwise, access rights can be opened to the user.
Further, an access channel is set up for users whose access identity is suspicious, and the identity is confirmed by letting the user access unimportant information. If the user exhibits the following behaviors: accessing unimportant information frequently, in a way that does not conform to normal operation or usage patterns; accessing unimportant information outside working hours or at unusual times such as late at night or in the early morning; then the user can be determined to be a suspicious user, and access restrictions are set to deny further access. Otherwise, access rights can be opened to the user.
Further, an access channel is set up for users whose access identity is suspicious, and the identity is confirmed by letting the user access fictitious information. If the user exhibits the following behaviors: accessing, outside normal working hours, fictitious information unrelated to the user's job responsibilities or authority; obtaining fictitious information from an information source that cannot be verified or trusted; using sufficient rights to access and modify the fictitious information and attempting to deceive other users, management, or systems by tampering with it; then the user can be determined to be a suspicious user, and access restrictions are set to deny further access. Otherwise, access rights can be opened to the user.
And S4, auditing and monitoring the data access record in real time.
Preferably, for each data access event the record includes a timestamp, the user identity, the accessed data object, the access operation, the access result, and access source information. Access records should be stored in a secure manner to prevent unauthorized access and tampering; blockchain technology or a secure audit log storage system is used to ensure that the data cannot be tampered with. A retention period for the access records is determined, and the records are audited periodically to check for abnormal activity or unauthorized access attempts.
Further, a blockchain is used to store the access records. As a non-tamperable distributed ledger, it ensures the security and integrity of the records: each new access event can be added to a new block of the blockchain and linked to the previous block using a cryptographic hash function. A digital signature is generated for each access event to verify the integrity of the event; only authorized users holding the corresponding private key can generate a valid digital signature, which ensures that the records cannot be tampered with. Periodic audits check the access records for abnormal activity or unauthorized access attempts. The audit is performed manually by a security team and should record the audit results, the abnormal activities found, and the corrective actions taken. Access records stored in non-blockchain systems must be encrypted during transmission and storage to prevent unauthorized access.
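The hash-linked, per-event-signed access log described above can be sketched as follows. This is an added example, not code from the patent: the record fields follow the preceding paragraph, the sample events and `DEMO_KEY` are constructed, and HMAC-SHA256 stands in for the private-key digital signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                     # "previous hash" of the first block
DEMO_KEY = b"constructed-demo-key"     # constructed; stands in for a signer's private key

def _canonical(event):
    # Stable serialization so the same event always produces the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def sign_event(key, event):
    # Stand-in for the per-event digital signature (assumption: HMAC, not a
    # real signature; a verifier here needs the same key as the signer).
    return hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()

def block_hash(prev_hash, event, signature):
    # The block hash binds the event and its signature to the previous block.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(event))
    h.update(signature.encode())
    return h.hexdigest()

def append_event(chain, key, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    sig = sign_event(key, event)
    block = {"prev": prev, "event": event, "sig": sig,
             "hash": block_hash(prev, event, sig)}
    chain.append(block)
    return block

def audit_chain(chain, key):
    """Periodic audit: return (index, reason) findings; empty list means intact."""
    findings = []
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev:
            findings.append((i, "broken link"))
        if not hmac.compare_digest(block["sig"], sign_event(key, block["event"])):
            findings.append((i, "bad signature"))
        if block["hash"] != block_hash(block["prev"], block["event"], block["sig"]):
            findings.append((i, "hash mismatch"))
        prev = block["hash"]
    return findings

def build_sample_chain():
    # Constructed access events using the record fields listed in the text.
    events = [
        {"timestamp": "2023-10-06T09:12:00", "user": "alice", "object": "core-db",
         "operation": "read", "result": "granted", "source": "10.0.5.21"},
        {"timestamp": "2023-10-07T03:01:05", "user": "svc-admin", "object": "core-server",
         "operation": "login", "result": "denied", "source": "203.0.113.50"},
        {"timestamp": "2023-10-09T10:00:00", "user": "carol", "object": "hr-files",
         "operation": "read", "result": "granted", "source": "10.0.5.23"},
    ]
    chain = []
    for event in events:
        append_event(chain, DEMO_KEY, event)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", audit_chain(chain, DEMO_KEY))
    chain[1]["event"]["result"] = "granted"   # simulate tampering with a stored record
    print("tampered:", audit_chain(chain, DEMO_KEY))
```

Editing a stored event is caught by both the signature and the block hash; recomputing the block hash to hide the edit still fails the signature check and breaks the link recorded in the next block.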
Further, real-time alarm rules are set so that an alarm is triggered immediately when abnormal activity is detected; if someone makes multiple invalid access attempts or tries to access sensitive data, the system should raise the alarm immediately. Dashboards and reports are created to visualize the monitored data access activity and help administrators quickly identify potential problems. Automated response mechanisms are configured to take action automatically when a security event occurs: suspending user accounts, locking access rights, or triggering further scrutiny. The data sources to be monitored are determined, including operating system logs, application logs, network traffic, database activity, etc., and these sources are integrated to obtain a comprehensive monitoring view. When a security threat is detected, isolation and quarantine measures are taken immediately to prevent further harm.
Further, a rules engine or a security information and event management system is used to monitor for and detect multiple invalid access attempts and unauthorized access to sensitive data; an alarm is triggered when the number of violation events reaches a particular threshold or when a particular security event pattern is detected. An alarm notification mechanism, including email, text message, instant message, etc., is configured to notify the security team or administrator immediately when abnormal activity is detected. When multiple invalid access attempts are detected, the user account is automatically suspended or its access rights are locked, and an automatic inspection flow is designed to further investigate and verify security events. Operating system logs are collected and monitored, including login events, file accesses, and system errors; logs of critical applications are monitored to detect abnormal activity at the application level; network traffic is monitored with a network traffic analysis tool to detect abnormal traffic and potential network attacks; and database activity monitoring is implemented to ensure secure access to sensitive data and to detect unauthorized database queries. When a security threat is detected, the affected system or network segment is isolated from the rest of the network using network isolation techniques to prevent further intrusion by an attacker, evidence is collected from the affected system and analyzed to understand the nature of the attack, and action is taken to repair the vulnerability.
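The threshold alarm with automatic suspension described above, combined with the earlier holiday scenario (early-morning failed logins from an address that belongs to no known staff member), can be expressed as a small detection rule. This is an added example, not part of the patent: the log format, the threshold of 3 failures in 10 minutes, the 00:00 to 05:59 "early morning" range, the staff address list and all log lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

KNOWN_STAFF_IPS = {"10.0.5.21", "10.0.5.22", "10.0.5.23"}  # constructed allow-list
FAIL_THRESHOLD = 3                   # assumed: failures needed to trigger an alarm
WINDOW = timedelta(minutes=10)       # assumed: sliding window for counting failures
EARLY_MORNING_HOURS = range(0, 6)    # assumed: 00:00-05:59 counts as early morning

# Constructed log lines: timestamp user object operation result source
SAMPLE_LOG = """\
2023-10-06T09:12:00 alice core-db read success 10.0.5.21
2023-10-06T09:13:10 bob core-db read fail 10.0.5.22
2023-10-06T09:40:00 bob core-db read fail 10.0.5.22
2023-10-06T09:41:00 bob core-db read success 10.0.5.22
2023-10-07T03:01:05 svc-admin core-server login fail 203.0.113.50
2023-10-07T03:02:10 svc-admin core-server login fail 203.0.113.50
2023-10-07T03:04:45 svc-admin core-server login fail 203.0.113.50
2023-10-07T03:05:00 svc-admin core-server login fail 203.0.113.50
2023-10-09T10:00:00 carol hr-files read fail 10.0.5.23
2023-10-09T10:01:00 carol hr-files read fail 10.0.5.23
2023-10-09T10:02:00 carol hr-files read fail 10.0.5.23
"""

def parse(line):
    ts, user, obj, op, result, source = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "object": obj,
            "operation": op, "result": result, "source": source}

def detect(lines):
    """Return (alerts, suspended_accounts) for an iterable of log lines."""
    recent_failures = defaultdict(deque)   # source address -> failure timestamps
    alerts, suspended = [], set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev["result"] != "fail":
            continue
        window = recent_failures[ev["source"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > WINDOW:   # drop failures older than the window
            window.popleft()
        if len(window) < FAIL_THRESHOLD:
            continue
        # Weekend + early morning + unknown address matches the holiday scenario.
        off_hours = ev["ts"].weekday() >= 5 and ev["ts"].hour in EARLY_MORNING_HOURS
        unknown_source = ev["source"] not in KNOWN_STAFF_IPS
        alerts.append({"ts": ev["ts"], "source": ev["source"], "user": ev["user"],
                       "severity": "high" if off_hours and unknown_source else "medium"})
        suspended.add(ev["user"])   # automated response: suspend the account
        window.clear()              # start counting again after the alarm
    return alerts, suspended

def run_sample():
    return detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    alerts, suspended = run_sample()
    for a in alerts:
        print(a["ts"].isoformat(), a["severity"], a["source"], a["user"])
    print("suspended:", sorted(suspended))
```

Suspension on failed attempts is usually paired with blocking the offending source, so that repeated failures cannot be used to lock legitimate users out of their accounts.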
In a preferred embodiment, a blockchain-based data access management system includes: an analysis and design module for performing requirements analysis and system design, the requirements analysis including determining the goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design including selecting a blockchain platform and designing smart contracts; a data encryption module for encrypting the data according to the designed system and determining the user group accessing the data; a verification control module for performing identity verification on the user group and setting access control; and an audit monitoring module for auditing the data access records and monitoring them in real time.
The above unit modules may be embedded in, or be independent of, a processor of the computer device in hardware form, or may be stored in a memory of the computer device in software form, so that the processor can call and execute the operations corresponding to the above units.
In one embodiment, a computer device, which may be a terminal, is provided that includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode can be realized through WIFI, an operator network, NFC (near field communication), or other technologies. The display screen of the computer device can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device can be a touch layer covering the display screen, a key, track ball, or touch pad arranged on the housing of the computer device, or an external keyboard, touch pad, mouse, or the like.
Example 2
Referring to table 1, for another embodiment of the present invention, based on the above method, a scientific comparison experiment is provided for verifying the beneficial effects thereof.
TABLE 1
Through blockchain technology, the invention allows an access control system to be established without the single point of failure and the risks of traditional centralized authorization management; no single authorization management server needs to be relied on, which improves the availability and security of the system. The blockchain provides tamper-proof audit records: all access and authorization events are recorded on the blockchain and anyone can check the records, which improves transparency and facilitates the detection and prevention of unauthorized access. Smart contracts on the blockchain can execute the access control policy automatically without an intermediary, enabling more efficient access management and reducing human error and delay. An encryption algorithm is used to protect the privacy of the data; only authorized users can decrypt and access the data, which improves data confidentiality. Users gain more control over their own data and access rights and can manage and authorize other people's access to their data more flexibly, which strengthens personal privacy protection.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered by the scope of the claims of the present invention.

Claims (10)

1. A blockchain-based data access management method, comprising:
analyzing and conducting system design according to requirements, wherein the requirements analysis comprises determining goals and use cases of a data access management system, such as ensuring data integrity and authorization management, and the system design comprises selecting a blockchain platform and designing smart contracts;
encrypting data according to a designed system and determining a user group accessing the data;
carrying out identity verification on a user group and setting access control;
and auditing and monitoring the data access record in real time.
2. The blockchain-based data access management method of claim 1, wherein the analyzing and system designing according to the requirements specifically comprises:
by using the blockchain technology, the data is ensured not to be tampered or damaged in the storage and transmission processes, so that the user trusts the accuracy and the integrity of the data; by improving the security of the data, authorized users are ensured to be able to access the sensitive data, thereby being beneficial to preventing data leakage and unauthorized access; by simplifying the data authorization management, the data owner or administrator can easily define and modify the access rights of the user without complicated manual operation; user authentication, data encryption, and authorization management are performed through Hyperledger Fabric.
3. The blockchain-based data access management method of claim 1, wherein encrypting data and determining a population of users accessing the data according to the designed system comprises:
a symmetric encryption algorithm is selected to protect the confidentiality of the data, and a hardware security module is used to protect the secret key, so that key storage and transmission are secure; encryption is performed during data storage and transmission to ensure that the data remains confidential in the event of unauthorized access; an identity verification mechanism is implemented to ensure that only legitimate users can access the data, users with different identities are identified by using biometric features, and different shades of red are displayed during identification, where dark red represents the highest access authority level a, red represents the ordinary access authority level b, and light red represents the lowest access authority level c, and dynamic authorization is carried out according to the access authority level of the user.
4. The blockchain-based data access management method of claim 1, wherein authenticating the user population and setting access control comprises:
digital identity verification based on public key encryption ensures that only legitimate users can connect to the blockchain network; after the user identity is verified, if the user identity is the lowest access authority level c, the user is not granted further in-depth access rights and the access is terminated; if the user identity is the access authority level b, the user obtains further in-depth access rights and is granted the first-level access right; if the user identity is the highest access authority level a, the user obtains further in-depth access rights and is granted the second-level access right.
5. The blockchain-based data access management method of claim 1, wherein the setting access control further comprises:
setting the level experience threshold of the accessing user to 5 years and the reputation threshold of the accessing user to 90; if the user has obtained the first-level access right and the level experience is less than five years, the user cannot obtain the second-level access right; if the user has obtained the first-level access right and the level experience is not less than five years, the user obtains the second-level access right; if the user has obtained the first-level access right and the reputation is less than 90, the user cannot obtain the second-level access right; if the user has obtained the first-level access right and the reputation is not less than 90, the user obtains the second-level access right.
6. The blockchain-based data access management method of claim 1, wherein the setting access control further comprises:
constructing and training a support vector machine model, inputting the first-level and second-level access right feature vectors into the model, the support vector machine model returning a real value, and setting a threshold so that the output of the support vector machine model is binary, wherein 00000001 indicates that the access time is unlimited and 00000010 indicates that the access time is limited; if the output value for a user who has obtained the first-level access right is 00000001, the user can exercise that right during working hours on working days and on weekend holidays; if the output value for a user who has obtained the first-level access right is 00000010, the user can exercise it only during working hours on working days; if the output value for a user who has obtained the second-level access right is 00000001, the user can access in real time around the clock and in an emergency; if the output value for a user who has obtained the second-level access right is 00000010, the user can only access in real time around the clock; training the support vector machine model again, inputting the feature vectors of users whose first-level access right has unlimited time into the model, the support vector machine model returning a real value, and setting a threshold so that the output of the support vector machine model is binary, wherein 00000011 indicates that the number of accesses may exceed two and 00000100 indicates that the number of accesses is within two; if the output value for a user with time-unlimited first-level access is 00000011, the user can access on holidays and the number of accesses may exceed two; if the output value for a user with time-unlimited first-level access is 00000100, the user can access only during the two-day weekend and the number of accesses may not exceed two; if the number of accesses by a user who has obtained the first-level access right exceeds two, each access falls between 8 a.m. and 7 p.m. and lasts no more than eight hours; if the number of accesses by a user who has obtained the first-level access right does not exceed two, each access falls between 8 a.m. and 12 noon or between 12 noon and 7 p.m. and lasts no more than four hours.
7. The blockchain-based data access management method of claim 1, wherein the auditing and real-time monitoring of the data access records includes:
for each data access event, the record includes a timestamp, the user identity, the accessed data object, the access operation, the access result, and access source information; the access records are stored in a secure manner to prevent unauthorized access and tampering, blockchain technology or a secure audit log storage system is used to ensure that the data cannot be tampered with, a retention period for the access records is determined, and the access records are audited periodically to check whether abnormal activity or unauthorized access attempts exist;
setting real-time alarm rules so that an alarm is triggered immediately when abnormal activity is detected, wherein if someone makes multiple invalid access attempts or tries to access sensitive data, the system immediately raises the alarm; creating dashboards and reports for visualizing the monitored data access activity and helping administrators quickly identify potential problems; configuring automated response mechanisms to take action automatically when a security event occurs, namely suspending user accounts, locking access rights, or triggering further scrutiny; determining the data sources to be monitored, including operating system logs, application logs, network traffic, database activity, etc., and integrating these data sources to obtain a comprehensive monitoring view; and, when a security threat is detected, immediately taking isolation and quarantine measures to prevent further harm.
8. A blockchain-based data access management system, comprising:
an analysis and design module for analyzing and performing system design according to requirements, the requirements analysis including determining goals and use cases of the data access management system, such as ensuring data integrity and authorization management, and the system design including selecting a blockchain platform and designing smart contracts;
the data encryption module is used for encrypting the data according to a designed system and determining a user group accessing the data;
the verification control module is used for carrying out identity verification on the user group and setting access control;
and the audit monitoring module is used for auditing the data access record and monitoring in real time.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the blockchain-based data access management method of any of claims 1-7 when the computer program is executed.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the blockchain-based data access management method of any of claims 1 to 7.
CN202311299924.1A 2023-10-09 2023-10-09 Data access management method and system based on block chain Pending CN117349883A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311299924.1A CN117349883A (en) 2023-10-09 2023-10-09 Data access management method and system based on block chain


Publications (1)

Publication Number Publication Date
CN117349883A true CN117349883A (en) 2024-01-05

Family

ID=89355334


Country Status (1)

Country Link
CN (1) CN117349883A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination