CN117421758B - Daily operation data isolation method - Google Patents


Info

Publication number: CN117421758B
Application number: CN202311744362.7A
Authority: CN (China)
Prior art keywords: operation data, daily operation, data, daily, attribute
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN117421758A (en)
Inventors: 范伟宁, 孙哲, 于亮, 孟子涵, 王星汉, 王炳成, 王灿, 吴家乐
Current assignee: Huaneng Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huaneng Information Technology Co Ltd
Events: application filed by Huaneng Information Technology Co Ltd; priority to CN202311744362.7A; publication of CN117421758A; application granted; publication of CN117421758B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F 21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode

Abstract

The invention discloses a daily operation data isolation method in the technical field of data processing. The method comprises: dividing daily operation data according to business categories to obtain initial daily operation data categories; performing secondary division on the daily operation data according to the contribution degree of each initial daily operation data category to obtain daily operation data value categories; determining attribute information of each daily operation data value category; dividing the attribute categories into a first attribute and a second attribute, and labeling the sensitivity level corresponding to each daily operation data value category through the first attribute; setting an isolation strategy according to the value class and sensitivity level of the daily operation data, and establishing an isolation environment based on the isolation strategy and the second attribute; and controlling access to the daily operation data. The accuracy of daily operation data isolation is improved, the isolation effect of the data is guaranteed, and a strong guarantee is provided for interaction between data.

Description

Daily operation data isolation method
Technical Field
The present application relates to the field of data processing technology, and more particularly, to a daily operation data isolation method.
Background
Background technologies for day-to-day operational data isolation methods include network isolation, encryption technology, access control and authentication, auditing and monitoring, data classification and tagging, compliance and regulatory requirements, backup and disaster recovery, employee training and awareness. The integrated application of these techniques aims to ensure the security, availability and compliance of data. Network isolation is used to separate data traffic of different levels, encryption techniques protect confidentiality of data, access control limits user access.
In the prior art, daily operation data has a plurality of attribute characteristics that are closely related to the security of the data itself; however, data isolation is currently carried out only according to the value or risk of the data, so the isolation effect is poor and the isolation accuracy is low.
Therefore, how to combine the attribute characteristics and the value of the daily operation data to improve the isolation effect and the isolation accuracy is a technical problem that remains to be solved.
Disclosure of Invention
The invention provides a daily operation data isolation method which is used for solving the technical problems of poor data isolation effect and low isolation precision in the prior art. The method comprises the following steps:
receiving daily operation data and daily business processes, and dividing the daily operation data according to business categories to obtain initial daily operation data categories;
calculating the contribution degree of each initial daily operation data category to the daily business process respectively, and carrying out secondary division on daily operation data according to the contribution degree of each initial daily operation data category to obtain daily operation data value categories;
defining attribute categories of daily operation data, and determining attribute information of each daily operation data value category;
dividing the attribute category into a first attribute and a second attribute, and labeling the sensitivity level corresponding to each daily operation data value category through the first attribute;
setting an isolation strategy according to the value class and the sensitivity level of the daily operation data, and establishing an isolation environment based on the isolation strategy and the second attribute;
and placing the daily operation data in the corresponding isolation environment according to the value category of the daily operation data, and controlling the access control of the daily operation data.
In some embodiments of the present application, calculating a contribution degree of each initial daily operation data category to a daily business process includes:
determining a main link and a secondary link in a daily business process;
calculating the contribution degree of each initial daily operation data category to the main link and the secondary link, thereby determining the contribution degree of each initial daily operation data category to the daily business process;
wherein P is the contribution degree to the daily business process; the contribution weight of the main links; n is the number of main links; the weight corresponding to the ith main link; the contribution degree of the ith main link; the contribution weight of the secondary links; m is the number of secondary links; the weight corresponding to the jth secondary link; and the contribution degree of the jth secondary link.
In some embodiments of the present application, the performing secondary division on the daily operation data according to the contribution degree of each initial daily operation data category to obtain a daily operation data value category includes:
presetting standard quantity of daily operation data value categories and initial daily operation data categories corresponding to different contribution degree intervals;
determining the actual number of the initial daily operation data categories corresponding to each contribution degree interval according to the contribution degree interval in which the contribution degree of the initial daily operation data categories is located;
if the actual number of the initial daily operation data categories corresponding to the same contribution degree interval does not exceed the standard number of the initial daily operation data categories, determining the daily operation data value categories according to the interval where the contribution degree is located;
otherwise, defining the intermediate value of each contribution degree interval as its representative value, recording the contribution degree interval as a contribution degree interval to be divided, and sorting the initial daily operation data categories of the contribution degree interval to be divided by contribution degree to obtain an overall sequence;
determining the intermediate sequence of the overall sequence according to the standard quantity, and removing the intermediate sequence from the overall sequence to obtain a front sequence and a rear sequence;
and assigning each initial daily operation data category in the front sequence and the rear sequence to the contribution degree intervals adjacent on both sides of the contribution degree interval to be divided.
In some embodiments of the present application, assigning each initial daily operation data category in the front sequence and the rear sequence to the contribution degree intervals adjacent on both sides of the contribution degree interval to be divided includes:
recording the contribution degree interval on the left side of the contribution degree interval to be divided as a first interval, and the contribution degree interval on its right side as a second interval;
if the difference between a contribution degree in the front sequence or the rear sequence and the representative value of the first interval is larger than the difference between that contribution degree and the representative value of the second interval, assigning the initial daily operation data category corresponding to that contribution degree to the second interval;
otherwise, assigning the initial daily operation data category corresponding to that contribution degree to the first interval.
In some embodiments of the present application, classifying attribute categories into a first attribute and a second attribute includes:
acquiring information of each attribute category of historical daily operation data, and predetermining a data sensitivity index and an isolation effect index;
calculating the association degree of the information of each attribute category, the data sensitivity index and the isolation effect index respectively, and recording the association degree as a first association degree and a second association degree;
and dividing attribute categories exceeding a first threshold in the first association degree into first attributes, and dividing attribute categories exceeding a second threshold in the second association degree into second attributes.
In some embodiments of the present application, labeling, by a first attribute, a sensitivity level corresponding to each daily operation data value class includes:
associating the data sensitivity indexes with the data evaluation indexes, screening out various data sensitivity evaluation indexes, and obtaining comprehensive data sensitivity evaluation indexes;
carrying out quantization processing on each first attribute, and establishing a data sensitivity change relation curve corresponding to each first attribute by taking the first attribute as an abscissa and taking a comprehensive data sensitivity evaluation index as an ordinate;
determining an average comprehensive data sensitivity evaluation index corresponding to each first attribute based on the characteristic values in the data sensitivity change relation curve;
determining a sensitivity level based on the average comprehensive data sensitivity evaluation index and the daily operation data value class;
wherein L is the sensitivity level, D is the average comprehensive data sensitivity evaluation index, exp is the exponential function, v is the intermediate value corresponding to the daily operation data value class, the first constant, the second constant, and [ ] is the rounding symbol.
In some embodiments of the present application, setting an isolation policy according to a daily operational data value class and a sensitivity level includes:
the isolation policy includes an encryption level, a monitoring level, and an access control level;
finding a corresponding isolation policy level in a preset isolation policy table through the value class and the sensitivity level of the daily operation data;
the daily operation data value class and the sensitivity level are commonly corresponding to an isolation policy level, and each isolation policy level is corresponding to an encryption level, a monitoring level and an access control level.
In some embodiments of the present application, establishing an isolation environment based on an isolation policy and a second attribute includes:
dividing a network area through different isolation strategy levels, and dividing the isolation strategies of different levels into different virtual networks;
if multiple daily operation data value categories exist in the same virtual network and the differences among the multiple daily operation data value categories are larger than a value threshold, the virtual network is further divided according to the daily operation data value categories to obtain multiple sub virtual networks;
corresponding network isolation environments are established based on second attributes of data within the virtual network and within the sub-virtual network.
In some embodiments of the present application, controlling the access control of the daily operation data includes:
identifying trusted and untrusted data traffic in the daily operational data;
ACL rules for virtual networks are created based on access control levels, and ACL rules for sub-virtual networks are created based on the number of sub-virtual networks within the same virtual network.
By applying the technical scheme, daily operation data and daily business processes are received, the daily operation data are divided according to business categories, and initial daily operation data categories are obtained; calculating the contribution degree of each initial daily operation data category to the daily business process respectively, and carrying out secondary division on daily operation data according to the contribution degree of each initial daily operation data category to obtain daily operation data value categories; defining attribute categories of daily operation data, and determining attribute information of each daily operation data value category; dividing the attribute category into a first attribute and a second attribute, and labeling the sensitivity level corresponding to each daily operation data value category through the first attribute; setting an isolation strategy according to the value class and the sensitivity level of the daily operation data, and establishing an isolation environment based on the isolation strategy and the second attribute; and placing the daily operation data in the corresponding isolation environment according to the value category of the daily operation data, and controlling the access control of the daily operation data. According to the method and the device, the daily operation data are divided for the second time according to the contribution degree of each initial daily operation data category, so that the daily operation data value category is obtained, the tight connection between the daily operation data and the business process is improved, and the data value category is accurately divided. 
The sensitivity level corresponding to each daily operation data value category is marked through the first attribute, and an isolation environment is established based on the isolation strategy and the second attribute, so that the accuracy of the isolation of the daily operation data is improved, the isolation effect of the data is ensured, and powerful guarantee is provided for the interaction between the data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a schematic flow chart of a daily operation data isolation method according to an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
An embodiment of the present application provides a daily operation data isolation method, as shown in fig. 1, including the following steps:
step S101, daily operation data and daily business processes are received, the daily operation data are divided according to business categories, and initial daily operation data categories are obtained.
In this embodiment, daily operation data and daily business processes are associated, and initial data categories are divided.
Step S102, the contribution degree of each initial daily operation data category to the daily business process is calculated respectively, and daily operation data is divided for the second time according to the contribution degree of each initial daily operation data category, so that the daily operation data value category is obtained.
In this embodiment, the contribution degree of data to the flow is taken as the value of the data, and the data value categories are divided.
In some embodiments of the present application, calculating a contribution degree of each initial daily operation data category to a daily business process includes:
determining a main link and a secondary link in a daily business process;
calculating the contribution degree of each initial daily operation data category to the main link and the secondary link, thereby determining the contribution degree of each initial daily operation data category to the daily business process;
wherein P is the contribution degree to the daily business process; the contribution weight of the main links; n is the number of main links; the weight corresponding to the ith main link; the contribution degree of the ith main link; the contribution weight of the secondary links; m is the number of secondary links; the weight corresponding to the jth secondary link; and the contribution degree of the jth secondary link.
In this embodiment, the daily business process is divided into a main link and a secondary link, and the other links are not involved.
In some embodiments of the present application, the performing secondary division on the daily operation data according to the contribution degree of each initial daily operation data category to obtain a daily operation data value category includes:
presetting standard quantity of daily operation data value categories and initial daily operation data categories corresponding to different contribution degree intervals;
determining the actual number of the initial daily operation data categories corresponding to each contribution degree interval according to the contribution degree interval in which the contribution degree of the initial daily operation data categories is located;
if the actual number of the initial daily operation data categories corresponding to the same contribution degree interval does not exceed the standard number of the initial daily operation data categories, determining the daily operation data value categories according to the interval where the contribution degree is located;
otherwise, defining the intermediate value of each contribution degree interval as its representative value, recording the contribution degree interval as a contribution degree interval to be divided, and sorting the initial daily operation data categories of the contribution degree interval to be divided by contribution degree to obtain an overall sequence;
determining the intermediate sequence of the overall sequence according to the standard quantity, and removing the intermediate sequence from the overall sequence to obtain a front sequence and a rear sequence;
and assigning each initial daily operation data category in the front sequence and the rear sequence to the contribution degree intervals adjacent on both sides of the contribution degree interval to be divided.
In some embodiments of the present application, assigning each initial daily operation data category in the front sequence and the rear sequence to the contribution degree intervals adjacent on both sides of the contribution degree interval to be divided includes:
recording the contribution degree interval on the left side of the contribution degree interval to be divided as a first interval, and the contribution degree interval on its right side as a second interval;
if the difference between a contribution degree in the front sequence or the rear sequence and the representative value of the first interval is larger than the difference between that contribution degree and the representative value of the second interval, assigning the initial daily operation data category corresponding to that contribution degree to the second interval;
otherwise, assigning the initial daily operation data category corresponding to that contribution degree to the first interval.
In this embodiment, in order to avoid that the data types in one contribution interval are too many, resulting in higher data dimension, the corresponding relation between the contribution and the number of data types is adjusted.
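The secondary division described above (in both the disclosure and this embodiment), as an added Python example that is not code from the patent; the interval bounds, standard quantities, category names, the front/rear split of the excess and the handling of an interval with only one neighbour are assumptions:

```python
from dataclasses import dataclass

# Added example, not code from the patent: a single-pass implementation of the
# "secondary division" of initial categories into value categories. Interval
# bounds, standard quantities and category names are constructed sample values.


@dataclass(frozen=True)
class ContributionInterval:
    name: str        # name of the resulting daily operation data value category
    low: float       # lower bound of the contribution degree interval (inclusive)
    high: float      # upper bound (exclusive, except for the last interval)
    standard: int    # preset standard number of initial categories allowed here

    @property
    def representative(self) -> float:
        # the patent defines the representative value as the interval midpoint
        return (self.low + self.high) / 2.0


def locate(intervals, p: float) -> ContributionInterval:
    """Return the interval whose contribution degree range contains p."""
    for iv in intervals:
        if iv.low <= p < iv.high:
            return iv
    last = intervals[-1]
    if p == last.high:
        return last
    raise ValueError(f"contribution degree {p} lies outside all intervals")


def nearest_neighbour(p: float, left, right) -> str:
    """Assign an overflow category to an adjacent interval by the patent's rule:
    a strictly larger distance to the first (left) representative value than to
    the second (right) one sends it right, otherwise it goes left. An interval
    with only one neighbour is an assumption: the category goes to that one."""
    if left is None and right is None:
        raise ValueError("an overflowing interval needs at least one neighbour")
    if left is None:
        return right.name
    if right is None:
        return left.name
    if abs(p - left.representative) > abs(p - right.representative):
        return right.name
    return left.name


def secondary_division(intervals, contributions):
    """Map each initial category (name -> contribution degree) to a value category."""
    ordered = sorted(intervals, key=lambda iv: iv.low)
    groups = {iv.name: [] for iv in ordered}
    for category, p in contributions.items():
        groups[locate(ordered, p).name].append((p, category))

    result = {}
    for idx, iv in enumerate(ordered):
        members = sorted(groups[iv.name])      # overall sequence by contribution
        if len(members) <= iv.standard:        # within the standard number: keep
            for _, category in members:
                result[category] = iv.name
            continue
        # Over the standard number: the middle `standard` entries form the
        # intermediate sequence and stay; the rest split into a front and a rear
        # sequence (assumption: floor of half the excess forms the front).
        excess = len(members) - iv.standard
        n_front = excess // 2
        front = members[:n_front]
        middle = members[n_front:n_front + iv.standard]
        rear = members[n_front + iv.standard:]
        for _, category in middle:
            result[category] = iv.name
        left = ordered[idx - 1] if idx > 0 else None
        right = ordered[idx + 1] if idx + 1 < len(ordered) else None
        for p, category in front + rear:
            result[category] = nearest_neighbour(p, left, right)
    return result


# Constructed sample: four value categories of equal width, two initial
# categories allowed per interval, five initial categories in the 0.25-0.5 one.
SAMPLE_INTERVALS = (
    ContributionInterval("low", 0.00, 0.25, standard=2),
    ContributionInterval("medium", 0.25, 0.50, standard=2),
    ContributionInterval("high", 0.50, 0.75, standard=2),
    ContributionInterval("core", 0.75, 1.00, standard=2),
)
SAMPLE_CONTRIBUTIONS = {
    "marketing": 0.10, "inventory": 0.30, "payroll": 0.35, "logistics": 0.40,
    "scheduling": 0.45, "procurement": 0.48, "customer_service": 0.60,
    "billing": 0.80,
}

if __name__ == "__main__":
    assignment = secondary_division(SAMPLE_INTERVALS, SAMPLE_CONTRIBUTIONS)
    for category, value_class in sorted(assignment.items()):
        print(f"{category:>17} -> {value_class}")
```

With the sample data the "medium" interval holds five categories against a standard of two: payroll and logistics stay, inventory moves down to "low", and scheduling and procurement move up to "high".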
Step S103, defining attribute categories of daily operation data, and determining attribute information of each daily operation data value category.
In this embodiment, the attribute categories of the daily operation data include features and attributes of the daily operation data such as real-time nature, access frequency, and temporariness.
In some embodiments of the present application, classifying attribute categories into a first attribute and a second attribute includes:
acquiring information of each attribute category of historical daily operation data, and predetermining a data sensitivity index and an isolation effect index;
calculating the association degree of the information of each attribute category, the data sensitivity index and the isolation effect index respectively, and recording the association degree as a first association degree and a second association degree;
and dividing attribute categories exceeding a first threshold in the first association degree into first attributes, and dividing attribute categories exceeding a second threshold in the second association degree into second attributes.
In this embodiment, the first attribute is used to mark the sensitivity level of the data, and the second attribute is used to establish the isolation environment.
In this embodiment, the data sensitivity index is a representative index for measuring data sensitivity, and the isolation effect index is a representative index for measuring isolation effect.
Step S104, dividing the attribute categories into a first attribute and a second attribute, and labeling the sensitivity level corresponding to each daily operation data value category through the first attribute.
In this embodiment, the sensitivity level corresponding to each daily operation data value category is determined through the first attribute.
In some embodiments of the present application, labeling, by a first attribute, a sensitivity level corresponding to each daily operation data value class includes:
associating the data sensitivity indexes with the data evaluation indexes, screening out various data sensitivity evaluation indexes, and obtaining comprehensive data sensitivity evaluation indexes;
carrying out quantization processing on each first attribute, and establishing a data sensitivity change relation curve corresponding to each first attribute by taking the first attribute as an abscissa and taking a comprehensive data sensitivity evaluation index as an ordinate;
determining an average comprehensive data sensitivity evaluation index corresponding to each first attribute based on the characteristic values in the data sensitivity change relation curve;
determining a sensitivity level based on the average comprehensive data sensitivity evaluation index and the daily operation data value class;
wherein L is the sensitivity level, D is the average comprehensive data sensitivity evaluation index, exp is the exponential function, v is the intermediate value corresponding to the daily operation data value class, the first constant, the second constant, and [ ] is the rounding symbol.
In this embodiment, associating the data sensitive index with the data evaluation index means that other evaluation indexes also include indexes related to the sensitive index, such as a data privacy index, a data security protection index, and the like.
In this embodiment, an average comprehensive data sensitivity evaluation index corresponding to each first attribute is determined based on a characteristic value in a data sensitivity change relation curve, where the characteristic value refers to a representative parameter such as a maximum value, a median value, and a value with a maximum occurrence frequency in the curve. And determining the average comprehensive data sensitivity evaluation index according to the sensitivity evaluation index.
In this embodiment, the corresponding term represents the correction of the average comprehensive data sensitivity evaluation index by the data value class.
Step S105, setting an isolation policy according to the value class and the sensitivity level of the daily operation data, and establishing an isolation environment based on the isolation policy and the second attribute.
In this embodiment, the step of establishing the isolation environment is as follows:
1. Dividing network areas: first, the isolation requirements for different levels of data are determined. For example, data is classified into the levels of public data, internal data, and sensitive data.
2. VLAN (virtual local area network) configuration: using VLAN technology, different levels of data are partitioned into different virtual networks. This may be achieved by configuration of network devices, such as switches.
3. Subnet partitioning (sub-virtual network): within each VLAN, a sub-network may be further partitioned to improve network isolation and security. Each subnet may have its own IP address range and gateway.
4. Access control list (ACL): ACLs are used to limit traffic between different VLANs, allowing only authorized traffic to pass through. This ensures that sensitive data does not propagate across networks of different levels.
5. Firewall rules: firewalls are used at network boundaries to further control traffic. Firewall rules should be configured to prevent unnecessary access as needed for the different data levels.
6. VPN isolation: if remote access is necessary, it is ensured that a virtual private network (VPN) is used to isolate remote users of different levels, and authentication is required.
In some embodiments of the present application, setting an isolation policy according to a daily operational data value class and a sensitivity level includes:
the isolation policy includes an encryption level, a monitoring level, and an access control level;
finding a corresponding isolation policy level in a preset isolation policy table through the value class and the sensitivity level of the daily operation data;
the daily operation data value class and the sensitivity level are commonly corresponding to an isolation policy level, and each isolation policy level is corresponding to an encryption level, a monitoring level and an access control level.
In this embodiment, a higher level indicates a higher degree of protection.
In some embodiments of the present application, establishing an isolation environment based on an isolation policy and a second attribute includes:
dividing a network area through different isolation strategy levels, and dividing the isolation strategies of different levels into different virtual networks;
if multiple daily operation data value categories exist in the same virtual network and the differences among the multiple daily operation data value categories are larger than a value threshold, the virtual network is further divided according to the daily operation data value categories to obtain multiple sub virtual networks;
corresponding network isolation environments are established based on second attributes of data within the virtual network and within the sub-virtual network.
In this embodiment, corresponding network isolation environments are established based on the second attribute of the data in the virtual network and the sub-virtual network, for example, real-time performance of daily operation data, and for data generated in real time, it is necessary to ensure that the isolation environments have sufficient performance and throughput to process and analyze real-time data streams.
Step S106, placing the daily operation data in the corresponding isolation environment according to the value category of the daily operation data, and controlling the access control of the daily operation data.
In this embodiment, the access control includes the following specific contents:
identifying sensitive data traffic: a determination is made as to which VLANs or subnets contain sensitive data. This may include VLANs for sensitive information such as financial, medical, personal identification information, etc.
Identifying trusted sources and targets: a determination is made as to which VLANs or subnets contain trusted sources and targets that can communicate with each other. In general, devices in the management network and DMZ may need to communicate with other VLANs, but need to be restricted.
Creating ACL rules: based on the above information, ACL rules are created, specifying which types of traffic are allowed or denied through. ACL rules typically include the following elements:
source address and destination address: a source VLAN and a destination VLAN or IP address are specified.
Protocol: the allowable protocol (e.g., TCP, UDP, ICMP) is specified.
Port: an allowable port range is specified, such as HTTP (port 80) or HTTPS (port 443).
Action: whether to allow or deny such traffic is specified.
Implementing the principle of least privilege: following the principle of least privilege, access rights are granted only as required by business needs (limiting the number of authorized passes), and overly loose ACL configuration, which creates security vulnerabilities, is avoided.
In some embodiments of the present application, controlling access control of the daily operation data includes:
identifying trusted and untrusted data traffic in the daily operation data;
creating ACL rules for the virtual networks based on the access control level, and creating ACL rules for the sub-virtual networks based on the number of sub-virtual networks within the same virtual network.
In this embodiment, creating the ACL rules of a virtual network based on the access control level means that each access control level corresponds to an authorized passing number and to a source VLAN and a destination VLAN or IP address. Creating the ACL rules of a sub-virtual network based on the number of sub-virtual networks in the same virtual network means that the corresponding authorized passing number, source VLAN and destination VLAN or IP address are determined from that number.
It should be noted that the above correspondence may be determined from experience or from some calculation basis, and is not described further here.
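The ACL elements listed above (source, destination, protocol, port, action) together with the per-level authorized passing number, as an added Python example that is not the patent's own code: first-match evaluation with an implicit deny, a pass counter per rule, and a check for rules configured too loosely. The VLAN ids, the IP prefix, the `vlan:<id>` destination notation and the constructed sample rules are assumptions.

```python
"""ACL checks for the virtual networks of step S106 (added example, not the
patent's own code). A rule carries the listed elements: source VLAN,
destination VLAN or IP prefix, protocol, port range, action, plus the
authorized passing number of its access control level. First match wins and
unmatched traffic is denied (least privilege)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    src_vlan: Optional[int]            # None = any source VLAN
    dst: str                           # "vlan:<id>" or an IP prefix, e.g. "10.2.0.0/24"
    protocol: Optional[str]            # "tcp", "udp", "icmp"; None = any
    ports: Optional[Tuple[int, int]]   # inclusive port range; None = any port
    action: str                        # "allow" or "deny"
    authorized_passes: Optional[int] = None   # None = unlimited
    used: int = field(default=0, init=False)  # passes consumed so far

    def matches(self, src_vlan: int, dst_vlan: int, dst_ip: str,
                proto: str, port: int) -> bool:
        if self.src_vlan is not None and self.src_vlan != src_vlan:
            return False
        if self.dst.startswith("vlan:"):
            if int(self.dst[5:]) != dst_vlan:
                return False
        elif ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.ports is not None and not self.ports[0] <= port <= self.ports[1]:
            return False
        return True


class VirtualNetworkAcl:
    """Ordered ACL of one virtual network; anything unmatched is denied."""
    def __init__(self, rules: List[AclRule]):
        self.rules = rules

    def decide(self, src_vlan: int, dst_vlan: int, dst_ip: str,
               proto: str, port: int) -> str:
        for rule in self.rules:
            if not rule.matches(src_vlan, dst_vlan, dst_ip, proto, port):
                continue
            if rule.action == "deny":
                return "deny"
            if rule.authorized_passes is not None and rule.used >= rule.authorized_passes:
                return "deny"   # authorized passing number exhausted
            rule.used += 1
            return "allow"
        return "deny"           # implicit deny: nothing not explicitly granted passes


def too_loose(rule: AclRule) -> bool:
    """Allow rule with no source, protocol, port or pass limit: over-permissive."""
    return (rule.action == "allow" and rule.src_vlan is None and rule.protocol is None
            and rule.ports is None and rule.authorized_passes is None)


def sample_acl() -> VirtualNetworkAcl:
    """Constructed rules: management VLAN 10 may reach the DMZ prefix over HTTPS."""
    return VirtualNetworkAcl([
        AclRule(10, "10.2.0.0/24", "tcp", (443, 443), "allow", authorized_passes=2),
        AclRule(None, "vlan:30", None, None, "deny"),   # sensitive-data VLAN: no ingress
    ])
```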
By applying this technical scheme, daily operation data and daily business processes are received, and the daily operation data are divided according to business category to obtain initial daily operation data categories; the contribution degree of each initial daily operation data category to the daily business process is calculated, and the daily operation data are divided a second time according to those contribution degrees to obtain daily operation data value categories; attribute categories of the daily operation data are defined, and the attribute information of each daily operation data value category is determined; the attribute categories are divided into a first attribute and a second attribute, and the sensitivity level corresponding to each daily operation data value category is labeled through the first attribute; an isolation strategy is set according to the value category and sensitivity level of the daily operation data, and an isolation environment is established based on the isolation strategy and the second attribute; and the daily operation data are placed in the corresponding isolation environment according to their value category, with access to the daily operation data controlled. Because the daily operation data are divided a second time according to the contribution degree of each initial daily operation data category to obtain the daily operation data value categories, the connection between the daily operation data and the business process is tightened and the data value categories are divided accurately.
Labeling the sensitivity level of each daily operation data value category through the first attribute, and establishing the isolation environment based on the isolation strategy and the second attribute, improves the accuracy of the isolation of the daily operation data, ensures the isolation effect, and provides a strong guarantee for the interaction between data.
From the above description of the embodiments, it will be clear to those skilled in the art that the present invention may be implemented in hardware, or by software together with the necessary general hardware platform. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective implementation scenarios of the present invention.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it; although the present application has been described in detail with reference to the foregoing embodiments, one of ordinary skill in the art will appreciate that the technical scheme described in the foregoing embodiments can be modified, or some of its technical features replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (6)

1. A method of daily operational data isolation, the method comprising:
receiving daily operation data and daily business processes, and dividing the daily operation data according to business categories to obtain initial daily operation data categories;
calculating the contribution degree of each initial daily operation data category to the daily business process respectively, and carrying out secondary division on daily operation data according to the contribution degree of each initial daily operation data category to obtain daily operation data value categories;
defining attribute categories of daily operation data, and determining attribute information of each daily operation data value category;
dividing the attribute category into a first attribute and a second attribute, and labeling the sensitivity level corresponding to each daily operation data value category through the first attribute;
setting an isolation strategy according to the value class and the sensitivity level of the daily operation data, and establishing an isolation environment based on the isolation strategy and the second attribute;
placing the daily operation data in a corresponding isolation environment according to the value category of the daily operation data, and controlling the access control of the daily operation data;
wherein obtaining the daily operation data value categories comprises:
presetting the daily operation data value categories corresponding to different contribution degree intervals and the standard number of initial daily operation data categories per interval;
determining the actual number of initial daily operation data categories corresponding to each contribution degree interval according to the contribution degree interval in which the contribution degree of each initial daily operation data category lies;
if the actual number of initial daily operation data categories corresponding to the same contribution degree interval does not exceed the standard number, determining the daily operation data value category according to the interval in which the contribution degree lies;
otherwise, defining the intermediate value of each contribution degree interval as its representative value, recording that contribution degree interval as a contribution degree interval to be divided, and sorting the initial daily operation data categories of the contribution degree interval to be divided by contribution degree to obtain an overall ordering;
determining the intermediate sequence of the overall ordering according to the standard number, and removing the intermediate sequence from the overall ordering to obtain a front ordering and a rear ordering;
dividing each initial daily operation data category in the front ordering and the rear ordering into the contribution degree intervals adjacent on the two sides of the contribution degree interval to be divided;
wherein dividing each initial daily operation data category in the front ordering and the rear ordering into the contribution degree intervals adjacent on the two sides of the contribution degree interval to be divided comprises:
recording the contribution degree interval on the left side of the contribution degree interval to be divided as a first interval, and the contribution degree interval on its right side as a second interval;
if the difference between a contribution degree in the front ordering or the rear ordering and the representative value of the first interval is larger than the difference between that contribution degree and the representative value of the second interval, dividing the initial daily operation data category corresponding to that contribution degree into the second interval;
otherwise, dividing the initial daily operation data category corresponding to that contribution degree into the first interval;
wherein dividing the attribute categories into first attributes and second attributes comprises:
acquiring information on each attribute category of historical daily operation data, and predetermining a data sensitivity index and an isolation effect index;
calculating the association degree of the information of each attribute category with the data sensitivity index and with the isolation effect index, recorded as a first association degree and a second association degree respectively;
dividing the attribute categories whose first association degree exceeds a first threshold into first attributes, and dividing the attribute categories whose second association degree exceeds a second threshold into second attributes.
2. The daily operational data isolation method of claim 1, wherein calculating the contribution of each initial daily operational data category to the daily business process, respectively, comprises:
determining a main link and a secondary link in a daily business process;
calculating the contribution degree of each initial daily operation data category to the main link and the secondary link, thereby determining the contribution degree of each initial daily operation data category to the daily business process;
wherein P is the contribution degree to the daily business process; the contribution weight of the main links; n is the number of main links; the weight corresponding to the i-th main link; the contribution degree of the i-th main link; the contribution weight of the secondary links; m is the number of secondary links; the weight corresponding to the j-th secondary link; and the contribution degree of the j-th secondary link.
3. The method for isolating daily operational data as defined in claim 1, wherein labeling the sensitivity level corresponding to each daily operational data value category with a first attribute comprises:
associating the data sensitivity indexes with the data evaluation indexes, screening out various data sensitivity evaluation indexes, and obtaining comprehensive data sensitivity evaluation indexes;
carrying out quantization processing on each first attribute, and establishing a data sensitivity change relation curve corresponding to each first attribute by taking the first attribute as an abscissa and taking a comprehensive data sensitivity evaluation index as an ordinate;
determining an average comprehensive data sensitivity evaluation index corresponding to each first attribute based on the characteristic values in the data sensitivity change relation curve;
determining a sensitivity level based on the average comprehensive data sensitivity evaluation index and the daily operation data value class;
wherein L is the sensitivity level, D is the average comprehensive data sensitivity evaluation index, exp is the exponential function, v is the intermediate value corresponding to the daily operation data value class, followed by a first constant, a second constant, and [ ] as the rounding symbol.
4. The daily operational data isolation method of claim 1, wherein setting the isolation policy based on the daily operational data value class and the sensitivity level comprises:
the isolation policy includes an encryption level, a monitoring level, and an access control level;
finding a corresponding isolation policy level in a preset isolation policy table through the value class and the sensitivity level of the daily operation data;
the daily operation data value class and the sensitivity level jointly correspond to an isolation policy level, and each isolation policy level corresponds to an encryption level, a monitoring level and an access control level.
5. The daily operational data isolation method of claim 4, wherein establishing an isolation environment based on the isolation policy and the second attribute comprises:
dividing the network area by isolation policy level, so that isolation policies of different levels are placed in different virtual networks;
if multiple daily operation data value categories exist in the same virtual network and the differences among them are larger than a value threshold, the virtual network is further divided according to the daily operation data value categories to obtain multiple sub-virtual networks;
corresponding network isolation environments are established based on the second attributes of the data within the virtual network and within the sub-virtual networks.
6. The daily operational data isolation method of claim 5, wherein controlling access control of the daily operation data comprises:
identifying trusted and untrusted data traffic in the daily operation data;
creating ACL rules for the virtual networks based on the access control level, and creating ACL rules for the sub-virtual networks based on the number of sub-virtual networks within the same virtual network.
CN202311744362.7A 2023-12-19 2023-12-19 Daily operation data isolation method Active CN117421758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311744362.7A CN117421758B (en) 2023-12-19 2023-12-19 Daily operation data isolation method

Publications (2)

Publication Number Publication Date
CN117421758A CN117421758A (en) 2024-01-19
CN117421758B true CN117421758B (en) 2024-03-22

Family

ID=89530672

Country Status (1)

Country Link
CN (1) CN117421758B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant