CN118013502B - Data asset security protection method and system based on data elements - Google Patents

Info

Publication number
CN118013502B
Authority
CN
China
Prior art keywords
data
sensitive
category
target
level
Prior art date
Legal status
Active
Application number
CN202410282563.8A
Other languages
Chinese (zh)
Other versions
CN118013502A (en)
Inventor
霍绥力
徐亘
张尧
Current Assignee
Beijing Huaban Zhiyuan Technology Co ltd
Original Assignee
Beijing Huaban Zhiyuan Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Huaban Zhiyuan Technology Co ltd
Priority to CN202410282563.8A
Publication of CN118013502A
Application granted
Publication of CN118013502B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides a data asset security protection method and system based on data elements, in the technical field of data security. The method comprises: marking the data in a target data element that satisfies a predetermined category constraint as non-sensitive and storing it in a local storage module, and marking the remaining data as sensitive and storing it in the cloud storage module of a cloud computer; building a relation network over the sensitive categories and reducing its dimension with a predetermined similarity probability distribution function to obtain a target sensitive category relation network; adjusting the preset sensitivity level of a first sensitive category using that network to obtain a first target sensitivity level; storing the first sensitive category in the first storage area of the cloud storage module that is mapped to the first target sensitivity level, the area carrying a pre-stored first access policy; and protecting access to the target data element according to the local access policy and the first access policy. This addresses the problem in the prior art that, because different data items are associated with one another, permission levels are set inaccurately and a larger data security risk results: data is stored in partitions by category and sensitivity level, and each partition carries its own access policy, so that access to sensitive data is protected, data access efficiency is improved, and the security of sensitive data is improved.

Description

Data asset security protection method and system based on data elements
Technical Field
The application relates to the technical field of data security, in particular to a data asset security protection method and system based on data elements.
Background
With the rapid development and widespread use of information technology, data has become an important asset. It includes not only conventional structured data but also large amounts of unstructured and streaming data, and may contain personal privacy, enterprise technical materials and other important information. The demand for security protection of data assets is therefore growing.
At present, most common data security protection methods work by setting access rights on data. Because different data items are associated with one another, however, the permission level assigned to an item is often inaccurate (an item rated low may reveal, or be inferable from, an associated item rated high), so a large data security risk remains.
In summary, the prior art has the technical problem that permission levels are set inaccurately because of the association between different data, so that a larger data security risk exists.
Disclosure of Invention
The application aims to provide a data asset security protection method and system based on data elements that solve the technical problem in the prior art that, because of the association between different data, the permission level is set inaccurately and the data security risk is therefore large.
In view of the above, the present application provides a data asset security protection method and system based on data elements.
In a first aspect, the present application provides a data asset security protection method based on data elements, implemented by a data asset security protection system based on data elements, the method comprising: marking the data in a target data element that satisfies a predetermined category constraint as a non-sensitive data element and storing it in a local storage module, and marking the data that does not satisfy the predetermined category constraint as a sensitive data element and storing it in a cloud storage module of a cloud computer, a local access policy being pre-stored in the local storage module; analysing the plurality of sensitive categories in the sensitive data element, constructing a sensitive category relation network, and calling a predetermined similarity probability distribution function to perform dimension reduction on that network to obtain a target sensitive category relation network; adjusting the first preset sensitivity level of a first sensitive category in combination with the target sensitive category relation network to obtain a first target sensitivity level, the first sensitive category being any category in the target sensitive category relation network; storing the first sensitive category in a first storage area of the cloud storage module, the first storage area having a first mapping relation with the first target sensitivity level and a first access policy being pre-stored in the first storage area; and performing access security protection on the target data element according to the local access policy and the first access policy.
In a second aspect, the present application also provides a data asset security protection system based on data elements for performing the method of the first aspect, the system comprising: a data mark storage unit, for marking the data in a target data element that satisfies a predetermined category constraint as a non-sensitive data element and storing it in a local storage module, and marking the data that does not satisfy the constraint as a sensitive data element and storing it in a cloud storage module of a cloud computer, a local access policy being pre-stored in the local storage module; a dimension reduction processing unit, for analysing the plurality of sensitive categories in the sensitive data element, constructing a sensitive category relation network, and calling a predetermined similarity probability distribution function to reduce its dimension to obtain a target sensitive category relation network; a sensitivity level adjustment unit, for adjusting the first preset sensitivity level of a first sensitive category in combination with the target sensitive category relation network to obtain a first target sensitivity level, the first sensitive category being any category in that network; a sensitive category storage unit, for storing the first sensitive category in a first storage area of the cloud storage module, the first storage area having a first mapping relation with the first target sensitivity level and a first access policy being pre-stored in it; and an access security protection unit, for performing access security protection on the target data element according to the local access policy and the first access policy.
The one or more technical schemes provided by the application have at least the following technical effects or advantages:
The sensitive category of a target data element is identified and the element is stored in separate modules according to that category; a relation network is established over the sensitive data elements and, after dimension reduction, used to analyse sensitivity levels; the data is then stored in separate areas according to category and sensitivity level, each area with its own access policy. Access to sensitive data is thereby protected, data access efficiency is improved, and the security of sensitive data is improved.
The foregoing description is only an overview of the present application, and is intended to be implemented in accordance with the teachings of the present application in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present application more readily apparent. It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the application or to delineate the scope of the application. Other features of the present application will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the application or the technical solutions of the prior art, the following brief description will be given of the drawings used in the description of the embodiments or the prior art, it being obvious that the drawings in the description below are only exemplary and that other drawings can be obtained from the drawings provided without the inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data asset security method based on data elements of the present application;
fig. 2 is a schematic diagram of the data asset security protection system based on data elements of the present application.
Reference numerals illustrate: the system comprises a data mark storage unit 11, a dimension reduction processing unit 12, a sensitivity level adjustment unit 13, a sensitivity category storage unit 14 and an access security protection unit 15.
Detailed Description
The application solves the technical problems of inaccurate authority level setting and larger data security risk caused by the association of different data in the prior art by providing the data asset security protection method and the system based on the data elements. The method comprises the steps of identifying the sensitive category of a target data element, storing the target data element by a sub-module, establishing a relation network for the sensitive data element, performing sensitive level analysis after dimension reduction, storing the target data element in a sub-area mode according to the category and the sensitive level, and setting a corresponding access strategy, so that the security protection of the sensitive data access is realized, the data access efficiency is improved, and the security of the sensitive data is improved.
In the following, the technical solutions of the present application will be clearly and completely described with reference to the accompanying drawings, and it should be understood that the described embodiments are only some embodiments of the present application, but not all embodiments of the present application, and that the present application is not limited by the exemplary embodiments described herein. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application. It should be further noted that, for convenience of description, only some, but not all of the drawings related to the present application are shown.
Example 1
Referring to fig. 1, the present application provides a data asset security protection method based on data elements, wherein the method is applied to a data asset security protection system based on data elements, and the method specifically comprises the following steps:
Step one: marking data which accords with the preset category constraint in a target data element as a non-sensitive data element and storing the non-sensitive data element in a local storage module, marking the data which does not accord with the preset category constraint in the target data element as a sensitive data element and storing the sensitive data element in a cloud storage module of a cloud computer, wherein a local access strategy is prestored in the local storage module;
Specifically, the target data element is the data set to be processed, such as an enterprise's technical data or financial data. The predetermined category constraint is a rule or condition, defined in advance by a person skilled in the art, for judging whether data is sensitive; in this embodiment it is the set of data types that count as non-sensitive, chosen according to the actual situation. The target data element is traversed and compared with the predetermined category constraint; data meeting the constraint is marked as a non-sensitive data element and stored in the local storage module, a storage space on the local computer reserved for non-sensitive data elements. A local access policy, a set of rules defined in advance for controlling access to the data in the local storage module, is pre-stored there. Since the local module conventionally holds only non-sensitive data, that is, data needing no special protection, the local access policy allows the data to be viewed directly without permission or identity verification. Because the local module applies no identity check, the accuracy of the predetermined category constraint is itself a security boundary: any sensitive item that happens to match the constraint is exposed without authentication.
The data in the target data element that does not meet the predetermined category constraint is marked as a sensitive data element and stored in the cloud storage module of the cloud computer. Sensitive data elements may contain privacy, security or other important information and therefore need more careful handling. The cloud storage module is a storage space in the cloud reserved for sensitive data elements; cloud storage generally offers higher security and scalability, so sensitive data can be better protected there. Storing sensitive and non-sensitive data elements separately in the cloud and locally also makes it convenient to perform dimension reduction on the cloud-side sensitive data and to apply closed, access-controlled security control to it, improving both the convenience and the security of data access.
Step two: calling a preset similarity probability distribution function to perform dimension reduction processing on the relation network of the plurality of sensitive categories in the sensitive data elements and the constructed sensitive categories to obtain a relation network of target sensitive categories;
Specifically, the sensitive data element includes a plurality of sensitive categories, such as important experimental data and financial data. The correlations among these categories are analysed and a sensitive category relation network is established: a graph or network structure in which nodes represent sensitive categories and edges represent the association between them. The association among the categories can be obtained with an existing correlation-analysis method such as grey relational analysis; correlation analysis is a common technique for those skilled in the art and is not repeated here. Because the sensitive category relation network may be very complex and high-dimensional, analysing it directly may be very difficult, so the predetermined similarity probability distribution function is called to perform dimension reduction on it, yielding a simplified low-dimensional network, the target sensitive category relation network, which improves the efficiency of the analysis.
Step three: the first preset sensitivity level of the first sensitive category is adjusted by combining the target sensitive category relation network to obtain a first target sensitive level, wherein the first sensitive category is any one category in the target sensitive category relation network;
Specifically, the first preset sensitivity level is the sensitivity level initially assigned to the first sensitive category. In the target sensitive category relation network the first sensitive category may be associated with other sensitive categories; if a category that is strongly associated with it has a preset sensitivity level higher than the first preset sensitivity level, the first preset sensitivity level is raised. The number of levels by which it is raised for a given association difference value is set by a person skilled in the art. The first preset sensitivity level is thus adjusted on the basis of the association between the first sensitive category and the categories associated with it, giving the first target sensitivity level, so that data of different sensitivity levels can be stored in partitions and different access policies formulated for each, for the security of the sensitive data.
Step four: storing the first sensitive category into a first storage area of the cloud storage module, wherein the first storage area and the first target sensitive level have a first mapping relation, and a first access strategy is prestored in the first storage area;
Specifically, the cloud storage module is divided into several storage areas for data of different sensitivity levels, each area carrying a sensitivity level identifier. According to that identifier the first sensitive category is stored in the first storage area, the one corresponding to the first target sensitivity level, so the first storage area and the first target sensitivity level have a first mapping relation. To protect the data in the cloud storage module an access policy is set for each storage area; the first storage area therefore has a pre-stored first access policy that defines which users or systems may access the data in the area and which operations (read, write, delete and so on) they may perform. The access policy of each storage area is set by a person skilled in the art at their discretion; the higher the sensitivity level, the stricter the access policy of the area.
Step five: and carrying out access security protection on the target data element according to the local access policy and the first access policy.
Specifically, the data in the local storage module is accessed according to the local access policy and the data in the first storage area of the cloud storage module according to the first access policy, so that access to sensitive data is protected, data access security is improved, and data leakage is prevented.
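Steps one to five, as one added example in Python that is not the patent's own code: the category constraint, the category names, the preset levels, the association weights, the "strong association" threshold, the rule for how many levels to raise, and the per-area access policies are all constructed assumptions for illustration. The example routes elements to the local or cloud module, raises a category's level when a strongly associated neighbour has a higher preset level, maps each sensitive element to the storage area of its target level, and evaluates access requests against the local policy or the area policy.

```python
# Constructed sample input (not from the patent).
# Which categories count as non-sensitive is the "predetermined category constraint".
NON_SENSITIVE_CATEGORIES = {"press_release", "product_catalog"}

ELEMENTS = [
    {"id": "e1", "category": "press_release"},
    {"id": "e2", "category": "finance"},
    {"id": "e3", "category": "experiment"},
    {"id": "e4", "category": "hr"},
    {"id": "e5", "category": "product_catalog"},
]

# Preset sensitivity level per sensitive category (1 = lowest, 4 = highest).
PRESET_LEVEL = {"finance": 3, "experiment": 4, "hr": 2}
MAX_LEVEL = 4

# Sensitive category relation network as weighted undirected edges; the
# weights play the role of association degrees (e.g. grey relational grades).
RELATION_EDGES = {
    frozenset({"finance", "experiment"}): 0.8,
    frozenset({"finance", "hr"}): 0.3,
    frozenset({"experiment", "hr"}): 0.2,
}
STRONG_ASSOCIATION = 0.6   # assumption: an edge at or above this is a "large association"

# Per-level storage-area policy (assumption): allowed roles, allowed operations,
# and whether multi-factor authentication is required.  Higher level = stricter.
AREA_POLICY = {
    1: {"roles": {"staff", "analyst", "admin"}, "ops": {"read"}, "mfa": False},
    2: {"roles": {"analyst", "admin"}, "ops": {"read"}, "mfa": False},
    3: {"roles": {"admin"}, "ops": {"read", "write"}, "mfa": True},
    4: {"roles": {"admin"}, "ops": {"read"}, "mfa": True},
}
# Local module policy: reads need no identity (as the text states); writes
# restricted to admins is an added assumption.
LOCAL_WRITE_ROLES = {"admin"}


def split_elements(elements, non_sensitive):
    """Step one: route elements to the local or the cloud storage module."""
    local = [e for e in elements if e["category"] in non_sensitive]
    cloud = [e for e in elements if e["category"] not in non_sensitive]
    return local, cloud


def raise_steps(weight, level_gap):
    """Assumption for the 'level raising number': a stronger edge closes more of
    the gap to the neighbour, but any qualifying edge raises by at least one."""
    return max(1, round(weight * level_gap))


def adjust_level(category, preset, edges, strong):
    """Step three: raise the preset level when a strongly associated neighbour
    has a higher preset level.  Only direct neighbours are considered."""
    base = preset[category]
    target = base
    for pair, weight in edges.items():
        if category not in pair or weight < strong:
            continue
        (other,) = pair - {category}
        gap = preset[other] - base
        if gap > 0:
            target = max(target, min(MAX_LEVEL, base + raise_steps(weight, gap)))
    return target


def place_sensitive(cloud_elements, preset, edges, strong):
    """Step four: element id -> level of the cloud storage area that holds it."""
    return {e["id"]: adjust_level(e["category"], preset, edges, strong)
            for e in cloud_elements}


def authorize(request, local_ids, placement):
    """Step five: decide request = {element, op, role, mfa} against the local
    policy or the policy of the storage area holding the element."""
    eid, op = request["element"], request["op"]
    if eid in local_ids:
        if op == "read":
            return True                       # non-sensitive: open read
        return request.get("role") in LOCAL_WRITE_ROLES
    if eid not in placement:
        return False                          # unknown element: deny by default
    policy = AREA_POLICY[placement[eid]]
    if request.get("role") not in policy["roles"] or op not in policy["ops"]:
        return False
    return bool(request.get("mfa")) or not policy["mfa"]


def run_pipeline(elements=ELEMENTS):
    """Steps one to four; returns (ids in the local module, cloud placement)."""
    local, cloud = split_elements(elements, NON_SENSITIVE_CATEGORIES)
    placement = place_sensitive(cloud, PRESET_LEVEL, RELATION_EDGES, STRONG_ASSOCIATION)
    return {e["id"] for e in local}, placement
```

With this input the finance category (preset 3) is raised to level 4 because of its strong edge to experiment (preset 4), so a finance element inherits the level-4 policy and an admin read without MFA is refused. Note that `adjust_level` looks one hop along the network; if raised levels should propagate further (A raised because of B, C raised because of the new level of A), the adjustment has to be iterated to a fixed point rather than run once over the preset levels.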
Further, the first step of the present application further comprises:
The non-sensitive data element comprises a plurality of non-sensitive categories; a first historical access log of a first non-sensitive category among them is retrieved; on the basis of that log it is judged whether the first non-sensitive category meets a predetermined special condition; if so, the first non-sensitive category is stored in the data element middle table in the local storage module.
Specifically, in step one the non-sensitive data elements are stored in the local storage module, which also contains a data element middle table used to hold data with a relatively high access frequency so as to improve data access efficiency. The non-sensitive data element comprises several non-sensitive categories, that is, several different types of data; any one of them is taken as the first non-sensitive category, and the records of user accesses to it over a past period are taken as the first historical access log. The log records the time of each access, from which the access frequency follows. The predetermined special condition is a condition on the access frequency within a predetermined access period, for example more than 100 accesses in one week; the exact condition is set by a person skilled in the art according to the actual situation so that frequently accessed data is placed in the middle table. The access frequency within the predetermined access period is counted from the first historical access log and compared with the frequency set in the predetermined special condition; if it meets the condition, the first non-sensitive category meets the predetermined special condition and is stored in the data element middle table in the local storage module. When a user accesses the first non-sensitive category it can then be served directly from the middle table, improving data access efficiency.
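The middle-table rule above as an added Python example (not code from the patent): a constructed access log is parsed, accesses per non-sensitive category are counted inside a trailing seven-day window, and categories exceeding the 100-access threshold from the text are selected for the middle table. The log format, the categories and the fixed evaluation instant are assumptions; the accesses older than the window show why the count must be windowed rather than cumulative.

```python
from collections import Counter
from datetime import datetime, timedelta

# Special condition from the text: more than 100 accesses within one week.
WINDOW = timedelta(days=7)
THRESHOLD = 100
# Fixed evaluation instant so the example is reproducible (assumption).
WINDOW_END = datetime(2024, 3, 8, 0, 0, 0)


def constructed_log():
    """Constructed sample log, one access per line: "<ISO time> <user> <category>".
    120 in-window reads of product_catalog, 30 in-window reads of press_release,
    and 200 press_release reads older than the window that must not count."""
    lines = []
    for k in range(120):
        t = WINDOW_END - timedelta(hours=k)
        lines.append(f"{t.isoformat()} user{k % 5} product_catalog")
    for k in range(30):
        t = WINDOW_END - timedelta(hours=2 * k)
        lines.append(f"{t.isoformat()} user{k % 3} press_release")
    for k in range(200):
        t = WINDOW_END - timedelta(days=10, hours=k)
        lines.append(f"{t.isoformat()} user0 press_release")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, user, category); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, category = parts
        records.append((datetime.fromisoformat(ts), user, category))
    return records


def access_frequency(records, window_end=WINDOW_END, window=WINDOW):
    """Count accesses per category inside (window_end - window, window_end]."""
    start = window_end - window
    counts = Counter()
    for ts, _user, category in records:
        if start < ts <= window_end:
            counts[category] += 1
    return counts


def refresh_middle_table(records, threshold=THRESHOLD, window_end=WINDOW_END, window=WINDOW):
    """Categories that satisfy the special condition for this window, i.e. the
    contents of the data element middle table after the refresh."""
    counts = access_frequency(records, window_end, window)
    return {category for category, n in counts.items() if n > threshold}
```

The window is half-open on the old side and closed at the evaluation instant, so a category that was hot ten days ago but idle this week (press_release here, with 230 accesses in total but only 30 in the window) is not promoted.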
Further, the second step of the present application further comprises:
The expression of the predetermined similarity probability distribution function is as follows:
$$F_{\min} = \mathrm{KL}(P \parallel Q) = \sum_{i}\sum_{j} \mathrm{KL}\big[\,P(x_i \mid x_j)\,\big\|\,Q(y_i \mid y_j)\,\big]$$
where KL denotes the Kullback-Leibler divergence, used to characterise the degree of similarity between the sensitive category relation network and the target sensitive category relation network; the dimension reduction is constrained so that KL tends to 0. $F_{\min}$ is the divergence between the two networks that is minimised; $P(x_i \mid x_j)$ is the similarity probability of a first category relation $x_i$ and a second category relation $x_j$ in the sensitive category relation network, and $Q(y_i \mid y_j)$ is the similarity probability of a third category relation $y_i$ and a fourth category relation $y_j$ in the target sensitive category relation network. The expression has the form of the objective used by stochastic neighbour embedding: the conditional similarity distribution of the high-dimensional network is matched by that of the low-dimensional one.
Specifically, in step two the predetermined similarity probability distribution function is called to perform dimension reduction on the sensitive category relation network. When the network is reduced, the probability distribution of the reduced target sensitive category relation network must stay similar to that of the original network; otherwise the subsequent sensitivity level adjustment of the sensitive data elements is in error and the access security protection effect is poor. The function above is introduced for this purpose. Dimension reduction is applied to the sensitive category relation network repeatedly, and the network before and after each reduction still contains the associations among the different sensitive categories. The first category relation $x_i$ is the association between any one sensitive category and the other sensitive categories in the network before reduction, and the second category relation $x_j$ is the association between any category other than the first and the other sensitive categories in the network before reduction; the third and fourth category relations $y_i$ and $y_j$ are defined in the same way in the network after reduction.
The similarity of $x_i$ and $x_j$ is computed to obtain the similarity probability $P(x_i \mid x_j)$, and the similarity of $y_i$ and $y_j$ to obtain $Q(y_i \mid y_j)$. In the iterative dimension reduction the value of $F_{\min}$ is reduced at each iteration until the target sensitive category relation network is obtained. This realises the dimension reduction of the sensitive category relation network and lays the foundation for the subsequent sensitivity level adjustment and access security protection.
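The objective and the iterative reduction above, as an added plain-Python example that is not the patent's own code. It builds the conditional similarity distribution P from a constructed relation matrix (each row is one category's association degrees to the others), initialises a two-dimensional embedding, and descends the gradient of the stochastic neighbour embedding objective with a backtracking step so that $F_{\min}$ strictly decreases at every accepted iteration, as the text requires. The relation matrix, the Gaussian bandwidth, the embedding dimension and the step-size schedule are assumptions.

```python
import math
import random

# Constructed sensitive category relation network (not from the patent): row i
# holds category i's association degrees to every category, e.g. grey
# relational grades in [0, 1].  Rows are the high-dimensional points x_i.
CATEGORIES = ["finance", "experiment", "hr", "contracts", "sourcing"]
RELATION_NETWORK = [
    [1.0, 0.8, 0.3, 0.7, 0.6],
    [0.8, 1.0, 0.2, 0.5, 0.4],
    [0.3, 0.2, 1.0, 0.4, 0.1],
    [0.7, 0.5, 0.4, 1.0, 0.9],
    [0.6, 0.4, 0.1, 0.9, 1.0],
]
LOW_DIM_SIGMA = 1.0 / math.sqrt(2.0)   # makes the low-dim kernel exp(-||y_i - y_j||^2)


def conditional_similarities(points, sigma):
    """probs[i][j] = exp(-||p_i - p_j||^2 / 2 sigma^2) normalised over j != i,
    i.e. the similarity probability of point j given point i."""
    n = len(points)
    probs = []
    for i in range(n):
        weights = [0.0] * n
        for j in range(n):
            if j != i:
                d2 = sum((a - b) ** 2 for a, b in zip(points[i], points[j]))
                weights[j] = math.exp(-d2 / (2.0 * sigma * sigma))
        total = sum(weights) or 1.0
        probs.append([w / total for w in weights])
    return probs


def kl_divergence(P, Q, eps=1e-12):
    """F_min = sum_i sum_j P[i][j] * log(P[i][j] / Q[i][j]); zero when P == Q."""
    cost = 0.0
    for p_row, q_row in zip(P, Q):
        for p, q in zip(p_row, q_row):
            if p > 0.0:
                cost += p * math.log(p / max(q, eps))
    return cost


def sne_gradient(P, Q, Y):
    """dF/dy_i = 2 * sum_j (p_j|i - q_j|i + p_i|j - q_i|j) (y_i - y_j)."""
    n, dim = len(Y), len(Y[0])
    grads = []
    for i in range(n):
        g = [0.0] * dim
        for j in range(n):
            if j == i:
                continue
            coef = 2.0 * (P[i][j] - Q[i][j] + P[j][i] - Q[j][i])
            for d in range(dim):
                g[d] += coef * (Y[i][d] - Y[j][d])
        grads.append(g)
    return grads


def reduce_relation_network(points, dim=2, sigma=0.5, iterations=200, seed=0):
    """Iteratively reduce the network; every accepted step lowers F_min.
    Returns (low-dimensional points, list of F_min values per iteration)."""
    rng = random.Random(seed)
    P = conditional_similarities(points, sigma)
    Y = [[rng.gauss(0.0, 0.1) for _ in range(dim)] for _ in points]
    Q = conditional_similarities(Y, LOW_DIM_SIGMA)
    cost = kl_divergence(P, Q)
    history = [cost]
    step = 0.1
    for _ in range(iterations):
        G = sne_gradient(P, Q, Y)
        while True:   # backtracking: shrink the step until the cost decreases
            Y_new = [[y - step * g for y, g in zip(yi, gi)] for yi, gi in zip(Y, G)]
            Q_new = conditional_similarities(Y_new, LOW_DIM_SIGMA)
            cost_new = kl_divergence(P, Q_new)
            if cost_new < cost or step < 1e-9:
                break
            step /= 2.0
        if cost_new >= cost:
            break          # no descent possible: converged
        Y, Q, cost = Y_new, Q_new, cost_new
        history.append(cost)
        step = min(step * 1.2, 1.0)
    return Y, history
```

The backtracking loop is what turns "reduce the value of F_min at each iteration" into a guarantee: a fixed learning rate can overshoot and raise the divergence, and a reduced network whose divergence went up would feed the wrong associations into the level adjustment that follows.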
Further, the third step of the present application further comprises:
The first sensitive category is analysed by a data management expert group on the basis of the three-point estimation principle to obtain expert-estimated sensitivity level information; from that information a first optimistic estimated level, a first pessimistic estimated level and a first most probable estimated level are obtained; the mean of the first optimistic and first pessimistic estimated levels is recorded as a first average estimated level; and the mean of the first average estimated level and the first most probable estimated level is taken as the first preset sensitivity level.
Specifically, in step three the first preset sensitivity level is determined before it is adjusted, as follows:
First, the data management expert group is an expert system: a program with a large body of knowledge and experience in a specific field, built with artificial intelligence techniques, which reasons and judges from the knowledge or experience supplied by one or more human experts in that field so as to simulate how those experts solve a problem. In this embodiment it performs three-point estimation from experience data, supplied by experts in data security protection, for sensitivity level analysis. Three-point estimation works with three estimates: an optimistic, a pessimistic and a most probable estimate. The first sensitive category is analysed by the expert group, and the optimistic, pessimistic and most probable estimated levels of every expert are output as the expert-estimated sensitivity level information. From that information the mode of the optimistic levels estimated by the experts is taken as the first optimistic estimated level, the mode of the pessimistic levels as the first pessimistic estimated level, and the mode of the most probable levels as the first most probable estimated level.
The mean of the first optimistic and first pessimistic estimated levels is then computed and recorded as the first average estimated level, and the mean of the first average estimated level and the first most probable estimated level is taken as the first preset sensitivity level. This yields the preset sensitivity level, provides the starting point for the sensitivity level adjustment, facilitates the protection of sensitive data and improves data security.
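The three-point computation above as an added Python example (not the patent's code). Two details the text leaves open are handled explicitly and are assumptions: when several levels tie for the mode the highest one is taken, so a tie fails toward more protection; and because the result is generally fractional while storage areas are indexed by integer level, the preset level is rounded up before it is used as a level. The expert estimates are constructed.

```python
from math import ceil
from statistics import multimode

# Constructed expert estimates (not from the patent): one
# (optimistic, pessimistic, most_probable) triple per expert, as integer
# sensitivity levels where a higher number means more sensitive.
EXPERT_ESTIMATES = [(1, 4, 2), (1, 4, 2), (2, 4, 3)]


def conservative_mode(values):
    """Mode of the estimates.  statistics.multimode returns every value that
    ties for most frequent; on a tie the highest level is taken (assumption)."""
    return max(multimode(values))


def three_point_preset_level(estimates):
    """First preset sensitivity level:
    mean(mean(optimistic, pessimistic), most_probable), each component
    being the mode of that estimate across the experts."""
    if not estimates:
        raise ValueError("at least one expert estimate is required")
    optimistic = conservative_mode([o for o, _, _ in estimates])
    pessimistic = conservative_mode([p for _, p, _ in estimates])
    most_probable = conservative_mode([m for _, _, m in estimates])
    average = (optimistic + pessimistic) / 2      # first average estimated level
    return (average + most_probable) / 2


def storage_level(preset, max_level=4):
    """Storage areas are indexed by integer level; round the fractional preset
    level up (assumption) so that 2.25 lands in area 3, never in area 2."""
    return min(max_level, max(1, ceil(preset)))
```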
Further, the application also comprises the following steps:
Step a: matching a first sensitive category data chain of the first sensitive category in the sensitive data element; step b: extracting a first abnormal support degree data set of first data from the first sensitive category data chain based on a random sampling consistency principle, wherein the first abnormal support degree data set comprises a plurality of abnormal support degree data, and the first data is any one data in the first sensitive category data chain; step c: comparing the plurality of abnormal support degree data with the first data to obtain a first iterative abnormal index; step d: repeating steps b to c until a predetermined number of iterations is reached, taking the first iteration abnormality index obtained therefrom as a first abnormality index; step e: judging whether the first abnormality index accords with a preset abnormality index threshold value or not; step f: if the first data does not accord with the first target sensitive category data chain, rejecting the first data in the first sensitive category data chain to obtain a first target sensitive category data chain; step g: and backing up the first target sensitive category data chain to a cloud backup module in the cloud computer.
Further, the application also comprises the following steps:
Acquiring first abnormal support degree data in the plurality of abnormal support degree data; acquiring a first deviation between the first abnormal support degree data and the first data; judging whether the first deviation belongs to a preset deviation threshold value or not; if the first abnormal support degree data belongs to the first internal point, the first abnormal support degree data is marked as a first external point, and if the first abnormal support degree data does not belong to the first internal point, the first abnormal support degree data is marked as a first external point; sequentially counting the number of outer points of the first outer points, and counting the total number of the first inner points and the first outer points; the ratio of the number of outliers to the total number is taken as the first iteration anomaly index.
Specifically, after the first sensitive category is stored in the first storage area of the cloud storage module, a user may delete data from it, so a backup analysis is performed for the cloud backup module of the cloud computer in order to support data recovery. The analysis specifically includes the following steps:
step a: and matching a first sensitive category data chain of the first sensitive category in the sensitive data element, wherein the first sensitive category data is a data set corresponding to the first sensitive category in the sensitive data element, such as unit price data of historical multiple purchases corresponding to unit price category of purchased materials. Step b: and extracting a first abnormal support data set of first data from the first sensitive category data chain based on a random sampling consistency principle, wherein the first data is any one data in the first sensitive category data chain, namely, a group of data is randomly extracted from the first sensitive category data chain, the group of data comprises a plurality of data corresponding to the same category, and then, under normal conditions, the deviation between the group of data is in a preset range and extremely no larger deviation exists, and then, deviation comparison can be carried out on the first data and other data in the group of data to obtain data with deviation larger than the preset deviation as a plurality of abnormal support data, so that the first abnormal support data set is formed, wherein the preset deviation refers to the allowed data deviation under normal conditions and is set by a person skilled in the art in combination with practical experience.
Step c: comparing the plurality of abnormal support degree data with the first data to obtain a first iteration abnormal index, wherein the specific method comprises the following steps of: firstly, any one of the plurality of abnormal support degree data is obtained to serve as first abnormal support degree data, and a difference value between the first abnormal support degree data and the first data is further calculated to serve as a first deviation. The predetermined deviation threshold is set, i.e. the deviation range that normally allows for the presence of data of the same category, by a person skilled in the art in combination with experience. And comparing the first deviation with a preset deviation threshold value, judging whether the first deviation belongs to the preset deviation threshold value, if so, recording the first abnormal support degree data as a first inner point, if not, recording the first abnormal support degree data as a first outer point, traversing a plurality of abnormal support degree data to mark inner points or outer points, and sequentially counting the number of the outer points of the first outer point based on the marking result, wherein the total number of the first inner points and the first outer points. Finally, the ratio of the number of outliers to the total number is taken as the first iteration anomaly index. Therefore, the abnormal analysis of the sensitive data elements is realized, the normal data is conveniently backed up, the abnormal data is not backed up, and because the abnormal data contains error data, the abnormal data has no need of backup, the normal data can be conveniently recovered, and the storage space is not wasted.
Step d: repeating steps b to c, namely repeatedly acquiring a first abnormal support data set according to a random sampling consistency principle, obtaining a first iteration abnormal index each time until a preset iteration number is reached, and taking the first iteration abnormal index obtained at that time as the first abnormal index, wherein the preset iteration number is set by a person skilled in the art, such as 50 times.
Step e: the predetermined abnormality index threshold refers to an abnormality index range set by a person skilled in the art in combination with actual experience, and the first data is considered to be normal data if the first abnormality index meets the predetermined abnormality index threshold.
Step f: the first abnormality index does not accord with a preset abnormality index threshold, the first data is considered to be abnormality data, the first data in the first sensitive category data chain is removed if the data acquisition is wrong or changed, and the first sensitive category data chain after the abnormality data is removed is used as a first target sensitive category data chain; step g: and backing up the first target sensitive category data chain to a cloud backup module in the cloud computer, wherein the cloud backup module is a storage space for backing up data in the cloud computer. Therefore, abnormal data is identified and removed, normal data is backed up, effective data is recovered conveniently, and meanwhile storage space is saved.
Further, the application also comprises the following steps:
if the first target sensitivity level reaches a preset sensitivity level condition, the first access strategy is adjusted to be a zero trust access strategy; performing access security monitoring on the first sensitive category based on the zero-trust access policy to obtain a first access audit record; and carrying out security protection early warning on the target data element according to the first access audit record.
Specifically, the predetermined sensitivity level condition is a higher sensitivity level set by a person skilled in the art in combination with actual demands; it is understood that the highest sensitivity level is the level assigned to the most important data. If the first target sensitivity level reaches the predetermined sensitivity level condition, the security risk of the first sensitive category has reached a higher level, so a stricter access control policy is needed and the first access policy is adjusted to a zero-trust access policy. A zero-trust access policy means that no internal or external user is trusted by default: every access to the first sensitive category stored in the first storage area requires strict identity verification and authorization, and the access process is continuously monitored. Access security monitoring is performed on the first sensitive category based on the zero-trust access policy, and key information such as the identity of the visitor, the access time, and the type and amount of data accessed is recorded to form a first access audit record. Security protection early warning is then performed on the target data element according to the first access audit record: specifically, the historical access records of the first sensitive category are retrieved and the deviation between the first access audit record and the historical access records is compared; if the deviation exceeds a preset range, for example the volume of accessed data suddenly increases sharply, the access behaviour is abnormal, a security protection early warning is generated immediately and sent to the relevant personnel, which facilitates data security inspection and improves data security.
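The zero-trust gate, the audit record it produces and the deviation check against historical access records, as an added Python example that is not part of the patent. The authorization table, the visitor names, the historical record counts and the "preset range" (here: more than `max_ratio` times the visitor's historical mean volume for the category) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessRequest:
    visitor: str
    identity_verified: bool   # strong identity verification completed for this request
    category: str             # sensitive category being accessed
    record_count: int         # amount of data requested


@dataclass(frozen=True)
class AccessAuditRecord:
    """The first access audit record: identity, access time, data type and amount."""
    visitor: str
    access_time: datetime
    category: str
    record_count: int
    decision: str             # "allowed" or "denied"


# Constructed (hypothetical) authorization table: visitor -> sensitive categories
# the visitor may read. Under zero trust nothing outside this table is trusted.
AUTHORIZATIONS: Dict[str, Set[str]] = {
    "analyst-a": {"unit_price"},
    "buyer-b": {"unit_price", "supplier_contract"},
}


def zero_trust_gate(req: AccessRequest, authorizations: Dict[str, Set[str]],
                    audit_log: List[AccessAuditRecord], now: datetime) -> AccessAuditRecord:
    """Zero-trust access policy: every request is verified and authorized afresh,
    and every decision (allowed or denied) is written to the audit log."""
    allowed = req.identity_verified and req.category in authorizations.get(req.visitor, set())
    record = AccessAuditRecord(req.visitor, now, req.category, req.record_count,
                               "allowed" if allowed else "denied")
    audit_log.append(record)
    return record


def early_warning(record: AccessAuditRecord, history: List[AccessAuditRecord],
                  max_ratio: float) -> Optional[str]:
    """Compare the new audit record with the visitor's historical allowed accesses to the
    same category. Return a warning when the access volume deviates beyond the preset
    range (more than max_ratio times the historical mean), or a notice when there is no
    baseline yet; return None for an ordinary access."""
    if record.decision != "allowed":
        return None  # denied by the gate already; the audit log keeps it for review
    past = [h.record_count for h in history
            if h.visitor == record.visitor and h.category == record.category
            and h.decision == "allowed" and h is not record]
    if not past:
        return f"{record.visitor}: first access to {record.category}, no baseline yet"
    baseline = mean(past)
    if record.record_count > max_ratio * baseline:
        return (f"{record.visitor}: {record.record_count} records of {record.category} "
                f"requested, baseline {baseline:.1f} (ratio {record.record_count / baseline:.1f})")
    return None


def build_history() -> List[AccessAuditRecord]:
    """Constructed historical access records: three ordinary sessions of analyst-a."""
    t0 = datetime(2024, 3, 1, 9, 0)
    return [AccessAuditRecord("analyst-a", t0 + timedelta(days=d), "unit_price", n, "allowed")
            for d, n in ((0, 40), (1, 55), (2, 45))]


def check_access(req: AccessRequest, history: List[AccessAuditRecord],
                 now: datetime, max_ratio: float = 3.0) -> Optional[str]:
    """The passage's sequence: zero-trust gate, audit record, deviation early warning."""
    record = zero_trust_gate(req, AUTHORIZATIONS, history, now)
    return early_warning(record, history, max_ratio)


if __name__ == "__main__":
    log = build_history()
    now = datetime(2024, 3, 5, 10, 0)
    print(check_access(AccessRequest("analyst-a", True, "unit_price", 50), log, now))
    print(check_access(AccessRequest("analyst-a", True, "unit_price", 500), log, now))
```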
In summary, the data asset security protection method based on the data elements provided by the application has the following technical effects:
Marking data which accords with the predetermined category constraint in the target data element as a non-sensitive data element and storing it in the local storage module, and marking data which does not accord with the predetermined category constraint in the target data element as a sensitive data element and storing it in the cloud storage module of the cloud computer, wherein a local access policy is prestored in the local storage module; calling a predetermined similarity probability distribution function to perform dimension reduction processing on the sensitive category relation network constructed by analyzing the plurality of sensitive categories in the sensitive data elements, to obtain a target sensitive category relation network; adjusting the first predetermined sensitivity level of the first sensitive category in combination with the target sensitive category relation network to obtain a first target sensitivity level, wherein the first sensitive category is any one category in the target sensitive category relation network; storing the first sensitive category into a first storage area of the cloud storage module, wherein the first storage area and the first target sensitivity level have a first mapping relation, and a first access policy is prestored in the first storage area; and performing access security protection on the target data element according to the local access policy and the first access policy.
The method comprises the steps of identifying the sensitive category of a target data element, storing the target data element by a sub-module, establishing a relation network for the sensitive data element, performing sensitive level analysis after dimension reduction, storing the target data element in a sub-area mode according to the category and the sensitive level, and setting a corresponding access strategy, so that the security protection of the sensitive data access is realized, the data access efficiency is improved, and the security of the sensitive data is improved.
Example two
Based on the same inventive concept as the data asset security protection method based on data elements in the foregoing embodiments, the present application further provides a data asset security protection system based on data elements, referring to fig. 2, the system includes:
The data mark storage unit 11 is configured to mark data, which accords with a predetermined category constraint, in a target data element as a non-sensitive data element and store the non-sensitive data element in a local storage module, and mark data, which does not accord with the predetermined category constraint, in the target data element as a sensitive data element and store the sensitive data element in a cloud storage module of a cloud computer, where the local storage module stores a local access policy in advance;
The dimension reduction processing unit 12 is configured to call a predetermined similarity probability distribution function and perform dimension reduction processing on the sensitive category relation network constructed by analyzing the plurality of sensitive categories in the sensitive data element, to obtain a target sensitive category relation network;
The sensitivity level adjusting unit 13 is configured to adjust a first predetermined sensitivity level of a first sensitivity class by combining the target sensitivity category relation network, so as to obtain a first target sensitivity level, where the first sensitivity category is any one category in the target sensitivity category relation network;
A sensitive category storage unit 14, where the sensitive category storage unit 14 is configured to store the first sensitive category to a first storage area of the cloud storage module, the first storage area and the first target sensitive level have a first mapping relationship, and a first access policy is pre-stored in the first storage area;
An access security protection unit 15, where the access security protection unit 15 is configured to perform access security protection on the target data element according to the local access policy and the first access policy.
Further, the data mark storage unit 11 in the system is further configured to:
The non-sensitive data element comprises a plurality of non-sensitive categories;
calling a first historical access log of a first non-sensitive category in the plurality of non-sensitive categories;
judging whether the first non-sensitive category meets a preset special condition or not based on the first historical access log;
If yes, storing the first non-sensitive category into the data element middle table in the local storage module.
Further, the dimension reduction processing unit 12 in the system further includes:
The expression of the predetermined similarity probability distribution function is as follows:
$F_{\min} = KL(P \,\|\, Q) = \sum_{i}\sum_{j} KL\left[ P(x_i \mid x_j) \,\|\, Q(y_i \mid y_j) \right]$;
Here KL denotes the degree of similarity between the sensitive category relation network and the target sensitive category relation network, and the dimension reduction of the sensitive category relation network is performed under the constraint that KL tends to 0; $F_{\min}$ denotes the divergence of the similarity between the sensitive category relation network and the target sensitive category relation network, $P(x_i \mid x_j)$ denotes the similarity probability of a first category relation $x_i$ and a second category relation $x_j$ in the sensitive category relation network, and $Q(y_i \mid y_j)$ denotes the similarity probability of a third category relation $y_i$ and a fourth category relation $y_j$ in the target sensitive category relation network.
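The divergence $F_{\min}$ evaluated on a small relation network and minimized to obtain the target network, as an added Python example that is not part of the patent. The page does not say how $P$ and $Q$ are formed, so two assumptions are made and labelled in the code: $P(x_i \mid x_j)$ is a softmax of the negative squared distance from category $j$ (and $Q$ likewise on the low-dimensional coordinates $y$), and each bracketed term is taken as $p \log(p/q)$; the six 4-dimensional category vectors are constructed.

```python
import math
import random
from typing import List, Sequence, Tuple

Matrix = List[List[float]]

# Constructed sensitive category relation network: six categories described by
# hypothetical 4-dimensional relation features, forming two loose groups.
HIGH_DIM_CATEGORIES: List[List[float]] = [
    [0.0, 0.1, 0.0, 0.2], [0.1, 0.0, 0.2, 0.1], [0.2, 0.1, 0.1, 0.0],
    [3.0, 3.1, 2.9, 3.0], [3.1, 2.9, 3.0, 3.2], [2.9, 3.0, 3.1, 3.1],
]


def conditional_similarity(points: Sequence[Sequence[float]]) -> Matrix:
    """Assumed construction: P[i][j] = P(x_i | x_j) is a softmax of the negative
    squared distance from x_j, so every column sums to 1 and the diagonal is 0."""
    n = len(points)

    def sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
        return sum((u - v) ** 2 for u, v in zip(a, b))

    P = [[0.0] * n for _ in range(n)]
    for j in range(n):
        weights = [0.0 if i == j else math.exp(-sq_dist(points[i], points[j]))
                   for i in range(n)]
        total = sum(weights)
        for i in range(n):
            P[i][j] = weights[i] / total
    return P


def similarity_divergence(P: Matrix, Q: Matrix, eps: float = 1e-12) -> float:
    """F_min = sum_i sum_j KL[P(x_i|x_j) || Q(y_i|y_j)], each term taken as p*log(p/q).
    Terms with p = 0 contribute nothing; q is floored at eps to avoid log(0)."""
    total = 0.0
    for i in range(len(P)):
        for j in range(len(P)):
            p = P[i][j]
            if p > 0:
                q = Q[i][j] if Q[i][j] > 0 else eps
                total += p * math.log(p / q)
    return total


def reduce_dimension(points: Sequence[Sequence[float]], target_dims: int = 2,
                     steps: int = 100, lr: float = 0.5,
                     seed: int = 0) -> Tuple[List[List[float]], float, float]:
    """Find low-dimensional coordinates y whose similarity Q drives F_min towards 0:
    numeric gradient descent on y, accepting a step only when F_min decreases.
    Returns (y, F_min before optimisation, F_min after optimisation)."""
    rng = random.Random(seed)
    P = conditional_similarity(points)
    Y = [[rng.uniform(-1.0, 1.0) for _ in range(target_dims)] for _ in points]
    f = similarity_divergence(P, conditional_similarity(Y))
    f_start, h = f, 1e-5
    for _ in range(steps):
        grad = [[0.0] * target_dims for _ in Y]
        for a in range(len(Y)):
            for d in range(target_dims):
                original = Y[a][d]
                Y[a][d] = original + h
                grad[a][d] = (similarity_divergence(P, conditional_similarity(Y)) - f) / h
                Y[a][d] = original
        candidate = [[Y[a][d] - lr * grad[a][d] for d in range(target_dims)]
                     for a in range(len(Y))]
        f_candidate = similarity_divergence(P, conditional_similarity(candidate))
        if f_candidate < f:
            Y, f = candidate, f_candidate
        else:
            lr *= 0.5  # step overshot: shrink the step and retry from the same point
    return Y, f_start, f


if __name__ == "__main__":
    y, before, after = reduce_dimension(HIGH_DIM_CATEGORIES, steps=40)
    print(f"F_min before: {before:.4f}, after: {after:.4f}")
```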
Further, the sensitivity level adjustment unit 13 in the system is further configured to:
Analyzing the first sensitive category by a data management expert group based on a three-point estimation principle to obtain expert estimation sensitive level information;
Analyzing the expert estimated sensitivity level information to obtain a first optimistic estimated level, a first pessimistic estimated level and a first most probable estimated level, respectively;
recording a level average of the first optimistic estimation level and the first pessimistic estimation level as a first average estimation level;
taking the average value of the first average estimated level and the first most probable estimated level as the first preset sensitive level.
Further, the system also comprises a sensitive data backup unit for:
Step a: matching a first sensitive category data chain of the first sensitive category in the sensitive data element;
step b: extracting a first abnormal support degree data set of first data from the first sensitive category data chain based on a random sampling consistency principle, wherein the first abnormal support degree data set comprises a plurality of abnormal support degree data, and the first data is any one data in the first sensitive category data chain;
step c: comparing the plurality of abnormal support degree data with the first data to obtain a first iterative abnormal index;
step d: repeating steps b to c until a predetermined number of iterations is reached, taking the first iteration abnormality index obtained therefrom as a first abnormality index;
step e: judging whether the first abnormality index accords with a preset abnormality index threshold value or not;
Step f: if the first data does not accord with the first target sensitive category data chain, rejecting the first data in the first sensitive category data chain to obtain a first target sensitive category data chain;
Step g: and backing up the first target sensitive category data chain to a cloud backup module in the cloud computer.
Further, the sensitive data backup unit in the system is further configured to:
acquiring first abnormal support degree data in the plurality of abnormal support degree data;
acquiring a first deviation between the first abnormal support degree data and the first data;
Judging whether the first deviation belongs to a preset deviation threshold value or not;
if so, marking the first abnormal support degree data as a first inner point, and if not, marking it as a first outer point;
sequentially counting the number of outer points of the first outer points, and counting the total number of the first inner points and the first outer points;
The ratio of the number of outliers to the total number is taken as the first iteration anomaly index.
Further, the system also comprises a safety protection early warning unit, wherein the safety protection early warning unit is used for:
If the first target sensitivity level reaches a preset sensitivity level condition, the first access strategy is adjusted to be a zero trust access strategy;
performing access security monitoring on the first sensitive category based on the zero-trust access policy to obtain a first access audit record;
and carrying out security protection early warning on the target data element according to the first access audit record.
The embodiments of the present invention are described in a progressive manner, and each embodiment focuses on the differences from the other embodiments, so that the data asset security protection method and specific example based on data elements in the first embodiment of fig. 1 are equally applicable to the data asset security protection system based on data elements of the present embodiment, and those skilled in the art will clearly know the data asset security protection system based on data elements in the present embodiment through the foregoing detailed description of the data asset security protection method based on data elements, so that the details of the present embodiment will not be repeated herein for the sake of brevity of the present invention. For the system disclosed in the embodiment, since the system corresponds to the method disclosed in the embodiment, the description is simpler, and the relevant points refer to the description of the method section.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the present application and the equivalent techniques thereof, the present application is also intended to include such modifications and variations.

Claims (7)

1. A method of data asset security based on data elements, comprising:
marking data which accords with the preset category constraint in a target data element as a non-sensitive data element and storing the non-sensitive data element in a local storage module, marking the data which does not accord with the preset category constraint in the target data element as a sensitive data element and storing the sensitive data element in a cloud storage module of a cloud computer, wherein a local access strategy is prestored in the local storage module;
Calling a predetermined similarity probability distribution function to perform dimension reduction processing on the sensitive category relation network constructed by analyzing the plurality of sensitive categories in the sensitive data elements, to obtain a target sensitive category relation network, wherein the expression of the predetermined similarity probability distribution function is as follows:
$F_{\min} = KL(P \,\|\, Q) = \sum_{i}\sum_{j} KL\left[ P(x_i \mid x_j) \,\|\, Q(y_i \mid y_j) \right]$;
wherein KL denotes the degree of similarity between the sensitive category relation network and the target sensitive category relation network, the dimension reduction of the sensitive category relation network is performed under the constraint that KL tends to 0, $F_{\min}$ denotes the divergence of the similarity between the sensitive category relation network and the target sensitive category relation network, $P(x_i \mid x_j)$ denotes the similarity probability of a first category relation $x_i$ and a second category relation $x_j$ in the sensitive category relation network, and $Q(y_i \mid y_j)$ denotes the similarity probability of a third category relation $y_i$ and a fourth category relation $y_j$ in the target sensitive category relation network; adjusting the first predetermined sensitivity level of the first sensitive category in combination with the target sensitive category relation network to obtain a first target sensitivity level, wherein the first sensitive category is any one category in the target sensitive category relation network;
Storing the first sensitive category into a first storage area of the cloud storage module, wherein the first storage area and the first target sensitive level have a first mapping relation, and a first access strategy is prestored in the first storage area;
And carrying out access security protection on the target data element according to the local access policy and the first access policy.
2. The data element-based data asset security method of claim 1, wherein the local storage module is provided with a data element middle table, comprising:
The non-sensitive data element comprises a plurality of non-sensitive categories;
calling a first historical access log of a first non-sensitive category in the plurality of non-sensitive categories;
judging whether the first non-sensitive category meets a preset special condition or not based on the first historical access log;
If yes, storing the first non-sensitive category into the data element middle table in the local storage module.
3. The data element-based data asset security protection method of claim 1, wherein adjusting a first predetermined sensitivity level of a first sensitivity class in combination with the target sensitivity class relationship network to obtain a first target sensitivity level, further comprises:
Analyzing the first sensitive category by a data management expert group based on a three-point estimation principle to obtain expert estimation sensitive level information;
Analyzing the expert estimated sensitivity level information to obtain a first optimistic estimated level, a first pessimistic estimated level and a first most probable estimated level, respectively;
recording a level average of the first optimistic estimation level and the first pessimistic estimation level as a first average estimation level;
taking the average value of the first average estimated level and the first most probable estimated level as the first preset sensitive level.
4. The data element-based data asset security method of claim 1, wherein the method further comprises:
Step a: matching a first sensitive category data chain of the first sensitive category in the sensitive data element;
step b: extracting a first abnormal support degree data set of first data from the first sensitive category data chain based on a random sampling consistency principle, wherein the first abnormal support degree data set comprises a plurality of abnormal support degree data, and the first data is any one data in the first sensitive category data chain;
step c: comparing the plurality of abnormal support degree data with the first data to obtain a first iterative abnormal index;
step d: repeating steps b to c until a predetermined number of iterations is reached, taking the first iteration abnormality index obtained therefrom as a first abnormality index;
step e: judging whether the first abnormality index accords with a preset abnormality index threshold value or not;
Step f: if the first data does not accord with the first target sensitive category data chain, rejecting the first data in the first sensitive category data chain to obtain a first target sensitive category data chain;
Step g: and backing up the first target sensitive category data chain to a cloud backup module in the cloud computer.
5. The data element-based data asset security method of claim 4, wherein comparing the plurality of anomaly support data with the first data results in a first iterative anomaly index comprising:
acquiring first abnormal support degree data in the plurality of abnormal support degree data;
acquiring a first deviation between the first abnormal support degree data and the first data;
Judging whether the first deviation belongs to a preset deviation threshold value or not;
if so, marking the first abnormal support degree data as a first inner point, and if not, marking it as a first outer point;
sequentially counting the number of outer points of the first outer points, and counting the total number of the first inner points and the first outer points;
The ratio of the number of outliers to the total number is taken as the first iteration anomaly index.
6. The data element-based data asset security method of claim 1, wherein the method further comprises:
If the first target sensitivity level reaches a preset sensitivity level condition, the first access strategy is adjusted to be a zero trust access strategy;
performing access security monitoring on the first sensitive category based on the zero-trust access policy to obtain a first access audit record;
and carrying out security protection early warning on the target data element according to the first access audit record.
7. A data asset security system based on data elements, characterized in that it is used to implement the method of any one of claims 1 to 6, said system comprising:
The data mark storage unit is used for marking data which accords with the preset category constraint in a target data element as a non-sensitive data element and storing the non-sensitive data element in a local storage module, marking the data which does not accord with the preset category constraint in the target data element as a sensitive data element and storing the sensitive data element in a cloud storage module of a cloud computer, wherein the local storage module is pre-stored with a local access strategy;
The dimension reduction processing unit is used for calling a predetermined similarity probability distribution function to perform dimension reduction processing on the sensitive category relation network constructed by analyzing the plurality of sensitive categories in the sensitive data elements, to obtain a target sensitive category relation network, wherein the expression of the predetermined similarity probability distribution function is as follows:
$F_{\min} = KL(P \,\|\, Q) = \sum_{i}\sum_{j} KL\left[ P(x_i \mid x_j) \,\|\, Q(y_i \mid y_j) \right]$;
wherein KL denotes the degree of similarity between the sensitive category relation network and the target sensitive category relation network, the dimension reduction of the sensitive category relation network is performed under the constraint that KL tends to 0, $F_{\min}$ denotes the divergence of the similarity between the sensitive category relation network and the target sensitive category relation network, $P(x_i \mid x_j)$ denotes the similarity probability of a first category relation $x_i$ and a second category relation $x_j$ in the sensitive category relation network, and $Q(y_i \mid y_j)$ denotes the similarity probability of a third category relation $y_i$ and a fourth category relation $y_j$ in the target sensitive category relation network;
The sensitivity level adjusting unit is used for adjusting a first preset sensitivity level of a first sensitivity category by combining the target sensitivity category relation network to obtain a first target sensitivity level, wherein the first sensitivity category is any category in the target sensitivity category relation network;
The sensitive category storage unit is used for storing the first sensitive category to a first storage area of the cloud storage module, the first storage area and the first target sensitive level have a first mapping relation, and a first access strategy is prestored in the first storage area;
And the access security protection unit is used for performing access security protection on the target data element according to the local access policy and the first access policy.
CN202410282563.8A 2024-03-13 2024-03-13 Data asset security protection method and system based on data elements Active CN118013502B (en)

Publications (2)

Publication Number Publication Date
CN118013502A CN118013502A (en) 2024-05-10
CN118013502B true CN118013502B (en) 2024-07-12
