JP2023170691A - Access control system, and access control method - Google Patents

Abstract

To achieve safe access control having high robustness.SOLUTION: An access control system 100 is used in a data exchange platform 1 for intermediating access restriction object data between a data requester 2 and a data provider 3. The access control system 100 includes: an access gateway 110 for performing context analysis to an access request from the data requester 2 to the access restriction object data; a trust score management part 120 for randomly selecting one or more trust parameters from a plurality of trust parameters acquired from a workflow system provided by the data exchange platform 1 on the basis of a result of the context analysis by the access gateway 110, and calculating a trust score of the access request on the basis of the selected trust parameter; and an access determination part 140 for determining the propriety of the access request on the basis of the trust score calculated by the trust score management part 120.SELECTED DRAWING: Figure 1

Description

The present invention relates to a system and method for controlling access to predetermined information.

2. Description of the Related Art Conventionally, a method called role-based access control (RBAC), for example, has been known as a technique for controlling access to protected information such as sensitive information and personal information. Role-based access control grants access privileges to each piece of protected information to each role of the user requesting access to the information, and rejects access requests from users who do not have access privileges. This is to control access to. However, in role-based access control, access control is performed according to preset access privileges, making it difficult to realize flexible access control.

A method called attribute-based access control (ABAC) is known as a method for solving the above problems. Attribute-based access control determines whether or not an access request can be made based on the attributes of the user making the access request, the attributes of the protected information for which the access request was made, and the attributes of the environment at the time of the access request, according to a preset policy. By making this determination, access to protected information is controlled. This provides more flexible access control than role-based access control.

As an example of attribute database access control, the technique disclosed in Patent Document 1 is known. Patent Document 1 describes a method of calculating reliability by weighting various types of attribute information according to their importance, and determining whether or not access is possible based on the calculation result.

Furthermore, a method called reliability-based access control (TBAC), as disclosed in Patent Document 2, has also been proposed. Patent Document 2 discloses a system that calculates a trust score based on parameters such as the number of suspicious packets and the number of fake requests from a user making an access request, and compares the calculated trust score with a predetermined threshold to determine whether or not access is possible. It describes how to judge.

China Patent Application Publication No. 113051602 China Patent Application Publication No. 112737824

In the technique of Patent Document 1, when attempting to calculate reliability using a large number of attribute information, the calculation load becomes excessive. Therefore, there is a problem that it is difficult to apply it to an actual access control system. Furthermore, the technique disclosed in Patent Document 2 has a problem in that it is impossible to prevent unauthorized access because a malicious user can easily guess the method of calculating the trust score.

The present invention has been made in view of the above problems, and its main purpose is to realize access control that is safe and highly robust.

The access control system according to the present invention is used in a data exchange platform that mediates access-restricted data between a data requester and a data provider, and is configured to control access from the data requester to the access-restricted data. an access gateway that performs a context analysis on a request; and based on the result of the context analysis by the access gateway, randomly select one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform. a trust score management unit that calculates a trust score of the access request based on the selected trust parameter; and an access judgment that determines whether the access request is acceptable based on the trust score calculated by the trust score management unit. It is equipped with a section and a section.
The access control method according to the present invention is an access control method in a data exchange platform that mediates access-restricted data between a data requester and a data provider, and the method includes: Context analysis is performed on the request, and based on the result of the context analysis, one or more trust parameters are randomly selected from a plurality of trust parameters obtained from the workflow system provided by the data exchange platform, and the selected trust parameter is A trust score of the access request is calculated based on the trust score, and it is determined whether the access request is acceptable or not based on the trust score.

According to the present invention, safe and highly robust access control can be realized.

1 is a block diagram illustrating an overview of a data exchange platform including an access control system according to an embodiment of the present invention. FIG. FIG. 1 is a block diagram showing a detailed structure of an access control system according to an embodiment of the present invention. FIG. 3 is a diagram showing an example of the progress status of the workflow system and access request information. It is a figure which shows the example of a context type. FIG. 3 is a diagram showing an example of category classification of reliability parameters. 3 is a flowchart showing the flow of access control processing. 3 is a flowchart showing the flow of access control processing. FIG. 3 is a diagram showing an example of a reliability parameter and a warning count value. It is an example of a flowchart showing the flow of trust score calculation processing. FIG. 3 is a diagram illustrating an example of multidimensional analysis of reliability parameters. It is a figure showing an example of a reliability score analysis screen. FIG. 2 is a sequence diagram showing an example of actual operation of the access control system according to an embodiment of the present invention.

Embodiments of the present invention will be described below with reference to the drawings. For clarity of explanation, the following description and drawings are omitted and simplified as appropriate. The present invention is not limited to this embodiment, and any application examples that match the idea of the present invention are included within the technical scope of the present invention. Unless specifically limited, each component may be plural or singular.

In the following explanation, processing may be explained using a "program" or its process as the subject, but a program is executed by a processor (for example, a CPU (Central Processing Unit)) to perform a predetermined process. Since the processing is performed using appropriate storage resources (for example, memory) and/or communication interface devices (for example, communication ports), the subject of the processing may be a processor. A processor operates as a functional unit that implements predetermined functions by operating according to a program. Devices and systems including processors are devices and systems including these functional units.

An embodiment of the present invention will be described below.

FIG. 1 is a block diagram showing an overview of a data exchange platform including an access control system according to an embodiment of the present invention. The data exchange platform 1 shown in Figure 1 is a type of information platform used for collaboration between different industries, and access from the general public should be restricted between the specified data requester 2 and data provider 3. Provides an environment in which data (hereinafter referred to as "access-restricted data") can be exchanged safely. The data exchange platform 1 includes various UIs (User Interfaces) for the data exchange platform 1 to be used by data requesters 2 and data providers 3 who exchange data subject to access restrictions, and a series of user interfaces related to the exchange of data subject to access restrictions. The process is packaged and provided as a workflow system. This workflow system mediates the access-restricted data between the data requester 2 and the data provider 3, thereby achieving safe and reliable delivery of the access-restricted data.

The data provider 3, through the data exchange platform 1, can access end users' personal information held by the data provider 3 (income proof, employment status, credit information, etc.) Information such as a trust score calculated when an access request is made to some access-restricted data is provided as the access-restricted data. The trust score is a value representing the reliability of an access request, and is calculated in the access control system 100 included in the data exchange platform 1 as described below. The data requester 2 requests the data exchange platform 1 to access the access-restricted data provided by the data provider 3, and if the access request is approved, the data exchange platform 1 sends the access-restricted data to the data exchange platform 1. can be obtained.

The data requester 2 corresponds to various service providing companies that provide various services to end users, end users who receive services from service providing companies, and the like. For example, when an end user signs a rental contract for real estate, the rental guarantee company, as the data requester 2, requests the end user's personal information, which is access-restricted data, and uses it to determine guarantee conditions. In addition, when an end user applies for a mortgage loan or insurance, a financial company or insurance company, as the data requester 2, requests the end user's personal information, which is data subject to access restrictions, and uses it to determine contract terms. do. However, the data requester 2 may be a company or an individual in another industry.

The data provider 3 may be an end user who provides personal information that is access-restricted data, a service provider company that holds personal information, a third party company, or the like. The access-restricted data held by the data provider 3 is collected on the data exchange platform 1 using, for example, a web-based API (Application Programming Interface) or EDI (Electronic Data Interchange), and is collected in response to an access request from the data requester 2. The data is then provided to the data requester 2.

When the data requester 2 makes an access request for access-restricted data on the workflow system, the access control system 100 calculates a trust score representing the reliability of the access request, and calculates the state of the calculated trust score and the workflow. Based on other access states in the system, it is determined whether access to the access-restricted data provided by the data provider 3 is possible. This prevents unauthorized use of access-restricted data and ensures safety in the exchange of access-restricted data between different industries.

The access control system 100 includes functional blocks of an access gateway 110, a trust score management section 120, a policy management section 130, and an access determination section 140. These functional blocks are realized by combining, for example, a computer (CPU: Central Processing Unit) that executes a predetermined program, a storage device such as an HDD (Hard Disk Drive), or an SSD (Solid State Drive). Note that some or all of these functional blocks may be implemented using a GPU (Graphics Processing Unit) or an FPGA (Field Programmable Gate Array).

FIG. 2 is a block diagram showing the detailed structure of the access control system 100 according to an embodiment of the present invention. In the access control system 100, the access gateway 110 includes a context analysis section 111, an access request information generation section 112, a log management section 113, and an access log 114. The trust score management section 120 includes a trust parameter acquisition section 121, a trust category analysis section 122, a trust parameter selection section 123, a trust score calculation section 124, a warning section 125, a trust parameter storage section 127, a trust threshold storage section 128, and a trust score storage section. 129. The policy management unit 130 includes a policy update unit 131 and a policy storage unit 132.

When the context analysis unit 111 receives a request for access to certain access-restricted data from the data requester 2, it acquires attribute information regarding the access request from the workflow system, and performs a context analysis for the access request based on this attribute information. I do. The context analysis performed by the context analysis unit 111 is to analyze (estimate) under what circumstances the data requester 2 is attempting to access the access-restricted data. The results of this context analysis are dynamically determined according to the attributes of the data requester 2, the attributes of the access-restricted data requested for access, the progress status of the workflow system, etc. Represented by one of the context types. Therefore, the context analysis unit 111 can perform context analysis by acquiring this information as attribute information regarding the access request. The attribute information of the access request acquired by the context analysis unit 111 and the result of the context analysis by the context analysis unit 111 are output to the access request information generation unit 112 and the trust score management unit 120, respectively. Note that details of the context analysis method by the context analysis unit 111 will be described later.

The access request information generation unit 112 generates attribute information of the access request acquired by the context analysis unit 111, for example, each attribute information of a subject attribute s _rt , an action attribute a _rt , a resource attribute _rt , and an environment attribute wr _t which will be described later. The trust score management unit 120 generates access request information regarding the access request received from the data requester 2 based on the trust score calculated by the trust score calculation unit 124. The access request information generated by the access request information generating section 112 is output to the access determining section 140.

The log management unit 113 records the access request from the data requester 2 and the response result to the access request in the access log 114 in combination with the attribute information acquired at that time. Access log 114 provides historical information regarding access requests made by data requester 2 . This history information is used when the reliability score calculation unit 124 calculates the reliability score.

The trust parameter acquisition unit 121 acquires trust parameters necessary for calculating the trust score, and stores them in the trust parameter storage unit 127. For example, information such as the IP address of the information device used when the data requester 2 connected to the data exchange platform 1 and made an access request, the virus protection status, the number of suspicious packets on the network, etc. is acquired as the trust parameter. . Further, information such as past access request history and response history, access time, etc. of the data requester 2 may be acquired as the reliability parameter. These trust parameters may be obtained from a security monitoring system (not shown) or may be obtained from an access request from the data requester 2. In addition to this, various information on the data exchange platform 1 can be acquired as trust parameters.

The trust category analysis unit 122 receives the results of the context analysis by the context analysis unit 111, and analyzes the trust category for the access request from the data requester 2. The trust category represents the type of trust parameter according to the context analysis result. For example, each trust category of "device", "network", "access", and "application" is set in advance in the trust score management unit 120. has been done. The trust category analysis unit 122 can select one of the above trust categories based on the context analysis result.

The trust parameter selection unit 123 receives the trust category analysis result by the trust category analysis unit 122 and selects the trust parameters stored in the trust parameter storage unit 127. In the trust score management unit 120, combinations of trust parameters corresponding to each of the above-mentioned trust categories are set in advance. The confidence parameter selection unit 123 can select a combination of confidence parameters corresponding to the confidence category selected by the confidence category analysis unit 122 in the confidence parameter storage unit 127.

The trust score calculation unit 124 uses the trust parameters selected by the trust parameter selection unit 123 and the threshold values for each trust parameter stored in the trust threshold storage unit 128 to calculate the trust score for the access request from the data requester 2. Calculate. Details of the method of calculating the reliability score by the reliability score calculation unit 124 will be described later. The trust score calculation unit 124 stores the calculation result of the trust score in the trust score storage unit 129 and outputs it to the access gateway 110.

The warning unit 125 monitors each trust parameter stored in the trust parameter storage unit 127, and outputs a warning to the administrator of the access control system 100 if there is a trust parameter whose value has decreased.

The policy storage unit 132 stores policies that describe permission conditions for access requests for various combinations of data requesters 2 and personal information. The policy stored in the policy storage unit 132 is written in accordance with, for example, XACML (eXtensible Access Control Markup Language) regulations, and is read by the access determination unit 140.

The policy update unit 131 refers to the history of access requests from the data requester 2, their response results, and attribute information recorded in the access log 114, and based on these reference results, updates are stored in the policy storage unit 132. Dynamically update policies that are currently in use. For example, when a new access request is made from the data requester 2 or when new personal information is provided from the data provider 3, the policy is updated to reflect these contents. Thereby, even if there is a change in the participants (data requester 2 or data provider 3) in the workflow system, the content of the policy can be appropriately updated in accordance with the change.

The access determination unit 140 refers to the policy stored in the policy storage unit 132 based on the access request information input from the access request information generation unit 112 and determines whether the access request is acceptable. The result of the determination by the access determination unit 140 as to whether the access request is acceptable or not is output to the access gateway 110. The access gateway 110 determines a response to the access request from the data requester 2 based on the determination result from the access determination unit 140, and if the access request is permitted, the specified access restricted data is transferred to the data requester. Send to person 2.

FIG. 3 is a diagram illustrating the progress of the workflow system in the data exchange platform 1 and an example of access request information generated by the access control system 100. The workflow system is a series of procedures for correctly implementing data transactions on the data exchange platform 1, and various participants who participate in the data exchange platform 1 as data requesters 2 and data providers 3, Each represents a process to be executed. The workflow system 150 shown in FIG. 3 uses the data exchange platform 1 by a real estate company, a rental guarantee company, and an insurance company to enable a user A, who is an end user, to determine contract conditions when signing a rental contract. An example of a workflow system for exchanging personal information of A is shown.

In the workflow system 150 , a real estate company that receives an application for a rental contract from user A inputs user A's personal information into the workflow system 150 . The entered personal information of user A is transmitted to the rental guarantee company via the workflow system 150, and is used by the rental guarantee company to determine contract conditions. At this time, in order to determine the contract conditions to be applied to User A, the insurance company, as the data requester 2, requests access to User A's personal information such as an application form for a rental guarantee contract and income proof.

If the rental guarantee company is considering the contract terms, the workflow system 150 puts the rental guarantee company's procedures on hold. At this time, at time t1, when receiving a request for access to user A's personal information from the insurance company, the access control system 100 uses the access request information generation unit 112 to generate access request information as indicated by the reference numeral 151, for example. In this access request information 151, the value indicating the progress status of the workflow system 150 is "pending" to indicate that the rental guarantee company's procedure is pending.

Thereafter, when the rental guarantee company determines the contract conditions at time t2, the workflow system 150 completes the procedures of the rental guarantee company. After time t2, when receiving a request for access to user A's personal information from the insurance company, the access control system 100 uses the access request information generation unit 112 to generate access request information as shown at 152, for example. In this access request information 152, the value indicating the progress status of the workflow system 150 is "completed" to indicate that the rental guarantee company's procedures have been completed.

Further, at time t2, in the access control system 100, the policy is updated by the policy updating unit 131 to reflect that the progress status of the workflow system 150 has changed from "pending" to "completed". At this time, the policy update unit 131 executes, for example, an instruction indicated by reference numeral 153.

As described above, the access control system 100 can generate access request information by reflecting the progress status of the workflow system in real time, and use this access request information to determine whether the access request is acceptable.

Note that if the progress status of the workflow system cannot be confirmed for some reason, the access control system 100 may return "failed" as a value indicating the progress status of the workflow system 150. In this case, unless the progress status of the workflow system 150 becomes "completed", the access request from the insurance company is rejected by the access control system 100. In this way, for example, when the rental guarantee company decides to cancel the contract, the entire procedure up to that point in the workflow system 150 can be invalidated, thereby preventing unintentional leakage of personal information.

FIG. 4 is a diagram illustrating an example of context types determined by context analysis performed by the context analysis unit 111. In the access control system 100, when the context analysis unit 111 receives an access request from the data requester 2 as described above, it performs a context analysis for the access request. At this time, the context analysis unit 111 performs context analysis by determining which of three context types, Ct1, Ct2, and Ct3, the access request corresponds to, based on the attribute information acquired from the workflow system. Can be done.

In FIG. 4, a portion indicated by reference numeral 401 shows an example of an access request corresponding to the context type Ct1. In this case, for example, an insurance company or a rental guarantee company becomes the data requester 2, and requests access to end users' personal information held by these data providers 3 to end users and third-party companies, who are the data providers 3. is performed via the data exchange platform 1.

A portion indicated by reference numeral 402 shows an example of an access request corresponding to the context type Ct2. In this case, for example, a financial company or an insurance company that provides a service to an end user becomes the data requester 2, and the real estate company provides a different service to the same end user. An access request is made via the data exchange platform 1 for the trust score calculated for the access request made in the past.

A portion indicated by reference numeral 403 shows an example of an access request corresponding to context type Ct3. In this case, for example, the end user becomes the data requester 2, and the insurance company has asked the insurance company that provides services to the end user about whether or not to receive services from this insurance company. An access request is made via the data exchange platform 1 for the trust score calculated for the access request.

Note that in each of the context types Ct1 to Ct3 explained above, the contents of the data requester 2 and the data provider 3 may be different. As long as it can be determined which of the above three context types it falls under, it can be applied to any data transaction format. Further, the context types that the context analysis unit 111 can determine are not limited to Ct1 to Ct3, and may include other context types to determine which context type this corresponds to.

FIG. 5 is a diagram illustrating an example of category classification of confidence parameters in the confidence category analysis unit 122. In the trust category analysis unit 122, for example, the trust categories 500 include a category 501 corresponding to "device," a category 502 corresponding to "network," a category 503 corresponding to "access," and a category corresponding to "application." 504 is set. Categories 501 to 504 are associated with the aforementioned context types Ct1 to Ct3, respectively, and information representing these relationships is stored in advance in reliable category analysis unit 122. Based on this information, the trust category analysis unit 122 can dynamically select one of the categories 501 to 504 from the context analysis results by the context analysis unit 111.

A category 501 corresponding to “device” is a category that summarizes trust parameters regarding the security status of the device to which the data requester 2 has made an access request to the data exchange platform 1. Category 501 includes, for example, the update status of security patches for the device, whether the IP address of the device is on a blacklist, the vulnerability of the device to viruses and malware, and the adoption of other security measures for the device. Contains trust parameters related to the situation, etc. The values of these confidence parameters are expressed as either 1 (positive) or -1 (negative), for example.

The category 502 corresponding to "Network" is a category that summarizes trust parameters related to the security status of the network used by the data requester 2 to connect the data exchange platform 1 when making an access request. The category 502 includes, for example, trust parameters regarding the presence or absence of suspicious packets from the network, the presence or absence of encryption measures in the network, and the like. The values of these confidence parameters are expressed as either 1 (positive) or -1 (negative), for example.

The category 503 corresponding to “access” is a category that summarizes trust parameters related to the access status from the data requester 2, and is obtained from the access log 114 recorded in the access gateway 110. The category 503 includes, for example, the access attempt rate and the access frequency, which are each calculated using the following formulas.
Access attempt rate = (number of invalid access attempts) / (total number of access attempts)
Access frequency = (number of access attempts) / (total number of access attempts per unit time)

A category 504 corresponding to “Application” is a category that summarizes trust parameters related to internal processing of the data exchange platform 1. The category 504 includes, for example, feedback to the data requester registered by the administrator regarding the popularity and service quality of the data requester 2 who made the access request, the processing speed for the access request of the data requester 2, and the data exchange platform. Confidence parameters related to recommendation history and the like representing the popularity of the data requester 2 in 1 are included.

Note that the contents of the categories 501 to 504 in the trust category 500 described above are merely examples, and other trust parameters may be included in each category. Furthermore, the categorization of reliability parameters in the reliability category analysis unit 122 is not limited to the reliability category 500 illustrated in FIG. 5, and other categorizations may be adopted.

6 and 7 are flowcharts showing the flow of access control processing executed by the access control system 100.

In step S101, the access gateway 110 receives an access request from the data requester 2.

In step S102, the context analysis unit 111 of the access gateway 110 acquires attribute information of the access request received in step S101 from the workflow system. Specifically, for example, the subject attribute s _rt represents the attributes of the data requester 2, the action attribute a _rt represents the type of access request (viewing, editing, deletion, etc.), and the access-restricted data that is the subject of the access request. Attribute information such as the resource attribute r _rt representing the resource attribute and the environment attribute w _rt representing the state of the workflow system at the time of the access request is acquired from the workflow system in real time. Note that this attribute information is used in the standard XACML processing model.

In step S103, the context analysis unit 111 performs a context analysis based on the attribute information acquired in step S102. Here, for example, one of the aforementioned context types Ct1 to Ct3 is selected according to the relationship between each attribute information set in advance and the context type. After selecting one of the context types in step S103, the context analysis unit 111 outputs the selection result to the trust score management unit 120.

In step S104, the trust category analysis unit 122 of the trust score management unit 120 determines which of the context types Ct1 to Ct3 is the context type selected by the context analysis unit 111 in step S103. As a result, if the context type is Ct1, the process proceeds to step S105, if the context type Ct2, the process proceeds to step S106, and if the context type Ct3, the process proceeds to step S107.

In step S105, the trust category analysis unit 122 selects the trust categories 501 to 503 that correspond to "device," "network," and "access," respectively, from among the categories 501 to 504 illustrated in FIG. 5.

In step S106, the trust category analysis unit 122 selects the trust categories 503 and 504 that correspond to "access" and "application", respectively, from among the categories 501 to 504 illustrated in FIG.

In step S107, the trust category analysis unit 122 selects the trust category of category 504 that corresponds to "application" from among the categories 501 to 504 illustrated in FIG.

After executing any of steps S105 to S107, the process advances to step S108. In step S108, the trust parameter selection unit 123 selects the trust parameters corresponding to the trust categories selected in steps S105 to S107, according to the combinations of trust parameters corresponding to the categories 501 to 504 illustrated in FIG. 5, respectively.

In step S109, the reliability score calculation unit 124 calculates a reliability score based on the reliability parameter selected in step S108. Here, based on the selection result of the context type in step S103, a trust score can be calculated from the trust parameters, for example, by a method described later. After calculating the trust score in step S109, the trust score calculation unit 124 stores the calculation result in the trust score storage unit 129 and outputs it to the access gateway 110.

In step S110, the access request information generation unit 112 of the access gateway 110 generates attribute information of the access request acquired by the context analysis unit ₁₁₁ in step S102, such as the aforementioned subject attribute s _rt , action attribute art , resource attribute r _rt , environment attribute w _rt is acquired from the context analysis unit 111. Further, in step S109, the calculation result of the reliability score calculated by the reliability score calculation unit 124, for example, a reliability score value of "satisfied" or "not satisfied", which will be described later, is obtained. Then, based on the acquired information, access request information is generated, and the generated access request information is output to the access determination unit 140.

In step S111, the access determination unit 140 executes access determination for the access request received in step S101 based on the access request information received from the access request information generation unit 112 in step S110. Thereby, based on the trust score calculated by the trust score calculation unit 124 in step S109, it is possible to determine whether or not the access request is acceptable. The result of the access determination in step S111 is output from the access determination unit 140 to the access gateway 110.

In step S112, the access gateway 110 determines whether or not to permit the data requester 2 to access the access-restricted data based on the access determination result received from the access determination unit 140 in step S111. If it is determined that access is permitted, the process advances to step S113; if it is determined that access is not permitted, the process advances to step S114.

In step S113, the access gateway 110 transmits the access-restricted data corresponding to the access request to the data requester 2 as a response to the access request received in step S101.

In step S114, the access gateway 110 rejects the access request received in step S101, and blocks access to the access-restricted data specified by the data requester 2.

After executing the process in step S113 or step S114, in the subsequent step S115, the log management unit 113 stores the attribute information acquired in step S102, the result of the context analysis performed in step S103, and the access determination result in step S111. In combination, these contents are recorded in the access log 114. After executing the process of step S115, the flowcharts of FIGS. 6 and 7 are ended.

When the access control system 100 receives an access request from the data requester 2, the access control system 100 executes the access control processing described above to determine whether or not the access request is permitted, and if the access request is permitted, the access control system 100 performs the access request specified in the access request. The access-restricted data, such as personal information, is returned to the data requester 2. Thereby, safe mediation of access-restricted data can be realized between the data requester 2 and the data provider 3 using the workflow system.

FIG. 8 is a diagram showing an example of reliability parameters and warning count values. FIG. 8A shows an example of trust parameters acquired by the trust parameter acquisition unit 121 and stored in the trust parameter storage unit 127. For example, as shown in FIG. 8A, the reliability parameter storage unit 127 stores the parameter values P1, P2, P5, and P7 of each of the acquired reliability parameters, as well as the respective trust categories and weights W1, W2, W5, and W7. Stored in table format in order of weight. The weights W1, W2, W5, and W7 of each reliability parameter are set, for example, in the range of 0 to 100, depending on the importance of each.

FIG. 8B shows an example of a warning count value used when the warning unit 125 outputs a warning. For example, as shown in FIG. 8(b), the warning unit 125 calculates the product of the parameter values P1, P2, P5, P7 of each reliability parameter and the weights W1, W2, W5, W7, and the respective threshold values Th1, Th2, Th5. , Th7 is performed in order of weight, and if the product is less than the threshold, the warning count value is incremented by one. Then, when the warning count value reaches a predetermined upper limit, a warning is output to the administrator. Note that, as shown in FIG. 8A, the warning count value of each reliability parameter is stored in the reliability parameter storage unit 127 together with parameter values P1, P2, P5, P7 and weights W1, W2, W5, W7.

The above weights W1, W2, W5, W7 and thresholds Th1, Th2, Th5, Th7 are preset in the access control system 100, and may be dynamically changed depending on the nature of each trust parameter. For example, in the case of access frequency, which is one of the reliability parameters, the access frequency during peak hours is higher than at other times, so the parameter value changes periodically. Therefore, in this case, it is preferable to change the weight and threshold value for the access frequency depending on the time period. In addition to this, it is possible to dynamically change weights and thresholds according to arbitrary rules depending on the properties of each reliability parameter.

Next, a method for calculating the confidence score will be explained. FIG. 9 is an example of a flowchart showing the flow of confidence score calculation processing. For example, when the context analysis unit 111 selects the context type Ct1 described above, the confidence score calculation unit 124 executes the process shown in the flowchart of FIG. 9 to calculate a confidence score.

In step S201, the reliability score calculation unit 124 obtains the number N of reliability parameters. Here, the total number of reliability parameters selected by the reliability parameter selection unit 123 in step S108 of FIG. 6 is obtained as the number N of reliability parameters.

In step S202, the confidence score calculation unit 124 randomly selects (x-n+1) confidence parameters Pn to Px from among the confidence parameters selected by the confidence parameter selection unit 123 in step S108 of FIG. do. Here, for example, the values of x and n that satisfy the condition of 0<n≦x≦N are randomly selected, and the values of “device”, “network”, and “access” selected by the trust parameter selection unit 123 are selected at random. The trust parameters of the categories may be arranged in order of weight, and each of the nth to xth trust parameters may be selected as the trust parameters Pn to Px. Besides this, the trust parameters Pn to Px can be randomly selected using any method.

After selecting the reliability parameters Pn to Px in step S202, the reliability score calculation unit 124 repeatedly executes the following loop processing of steps S203 to S205 from i=n to i=x.

In step S203, the confidence score calculation unit 124 obtains the threshold Thi of the confidence parameter Pi (i=n to x) from the confidence threshold storage unit 128.

In step S204, the reliability score calculation unit 124 compares the reliability parameter Pi with the threshold value Thi obtained in step S203, and determines whether the condition Pi≧Thi is satisfied. As a result, if the conditions are met, that is, if the confidence parameter Pi is equal to or greater than the threshold Thi, the process proceeds to step S205, increments the count value Cn of the confidence score by 1, and then proceeds to the next loop process. On the other hand, if the condition is not satisfied, that is, if the confidence parameter Pi is less than the threshold Thi, the count value Cn of the confidence score is left unchanged and the process moves to the next loop.

After completing the loop processing of steps S203 to S205, in step S206, the confidence score calculation unit 124 calculates that the count value Cn of the confidence score finally obtained in the loop processing is equal to (x-n+1) confidence parameters. It is determined whether or not the total value is equal to or greater than a predetermined ratio (for example, 0.6) when all the values are 1. If the count value Cn is 0.6(x-n+1) or more, that is, if 60% or more of the randomly selected confidence scores represent positive determination results, the process advances to step S207. On the other hand, if the count value Cn is less than 0.6(x-n+1), the process advances to step S208.

In step S207, the trust score calculation unit 124 calculates “satisfied”, which is a trust score value indicating “reliable”, as a calculation result of the trust score for the access request from the data requester 2, for example, in JSON (JavaScript (registered) (Trademark) Object Notation) format message to the access gateway 110.

In step S208, the trust score calculation unit 124 sends "not satisfied", which is a trust score value representing "no reliability", to a message in, for example, JSON format, as a trust score calculation result for the access request from the data requester 2. , and sends it to the access gateway 110.

After performing the process of step S207 or S208, the reliability score calculation unit 124 ends the reliability score calculation process shown in the flowchart of FIG.

In the trust score calculation process described above, by dynamically selecting the values of x and n, the trust parameters Pn to Px used in calculating the trust score are randomly selected. This makes it difficult to guess the access determination pattern in the access control system 100, thereby making it possible to prevent attacks from attackers such as malicious hackers.

Alternatively, the confidence score may be calculated by the method described below. For example, when the context analysis unit 111 selects the context type Ct2 or Ct3, the confidence score calculation unit 124 calculates the confidence score using the following method.

The reliability score calculation unit 124 can calculate the reliability score Ts using, for example, the following equation (1). In equation (1), N represents the aforementioned number of reliability parameters, and Pj represents the value of the j-th reliability parameter among the reliability parameters selected by the reliability parameter selection unit 123 in step S108 of FIG. Further, Wj represents a weight preset for the j-th reliability parameter.

The confidence score Ts calculated by the above equation (1) corresponds to weighted addition of all selected confidence parameters. That is, the trust score calculation unit 124 calculates the categories corresponding to "access" and "application", which are preset corresponding to the context type Ct2, among the trust parameters corresponding to the categories 501 to 504 illustrated in FIG. The trust score Ts can be calculated by weighting and adding each of the trust parameters 503 and 504, or the trust parameters of the category 504 that corresponds to "application" that has been set in advance corresponding to the context type Ct3. Note that the trust score Ts may be normalized within the range of 0 to 1 in order to facilitate comparison between the trust scores.

As mentioned above, in context types Ct2 and Ct3, past trust scores of various service providers (financial companies, insurance companies, etc.) are provided as access-restricted data in order to consider contract conditions and service provision to end users. Ru. Therefore, unlike the case of the context type Ct1 in which it is determined whether or not to request access to the end user's personal information, there is little need to make it difficult to guess the access determination pattern. Therefore, by weighting and adding all the selected trust parameters using equation (1), the trust score is calculated while appropriately reflecting the situation at the time of the access request.

Next, a method for analyzing reliability parameters will be explained. For example, when the context analysis unit 111 selects the context type Ct2 or Ct3, the access gateway 110 provides the end user with a user interface for performing multidimensional analysis of the trust parameters used to calculate the trust score. In this user interface, the end user can receive information necessary for analyzing trust parameters from the access control system 100 by setting desired conditions.

FIG. 10 is a diagram illustrating an example of multidimensional analysis of confidence parameters. FIG. 10(a) shows an example of a user interface displayed on an end user's terminal when performing multidimensional analysis of trust parameters. In FIG. 10A, a diagram 1000 shows the value of the number of unauthorized access attempts, which is one of the trust parameters used to calculate a company's trust score, for each branch and month. Further, a graphic 1005 shows the number of unauthorized access attempts for the same company by region and year. These figures 1000 and 1005 have a three-dimensional shape, in which one dimension represents the organizational hierarchy of the service provider company, such as branches and regions, and the other dimension represents the organizational hierarchy of the company that is the service provider. , represents the acquisition period of the number of unauthorized access attempts, which is a trust parameter, such as month or year.

FIG. 10(b) shows an example of item selection for each dimension in figures 1000 and 1005. On the screen displayed on the terminal, the end user can drill down to the upper hierarchy (drill up) or lower hierarchy (drill up) for each dimension of these shapes, such as company name, region, and branch. down) can be selected as appropriate. Similarly, regarding other dimensions, each item of year, quarter, and month can be selected as appropriate toward an upper hierarchy (drill up) or toward a lower hierarchy (drill down).

Note that the user interface illustrated in FIG. 10 may be provided not only to end users but also to, for example, an administrator of the access control system 100. The trust parameters used to calculate the trust score change depending on various levels such as user level, role level, company level, etc. By using the information shown in the user interface of FIG. 10, the administrator can send warnings about changes in trust parameters to each company connected to the access control system 100 as data requesters 2 and data providers 3. This can be done as appropriate.

Next, a method for analyzing the confidence score will be explained. Access gateway 110 provides an end user with a user interface for analyzing trust scores, for example. In this user interface, the end user can receive information necessary for analyzing the trust score from the access control system 100 by selecting a desired item.

FIG. 11 is a diagram showing an example of a confidence score analysis screen. A trust score analysis screen 1100 shown in FIG. 11 is a screen displayed on an end user's terminal by, for example, the access gateway 110, and includes selection frames 1101, 1102, 1103 and a trust score graph 1104. For example, when considering a contract for a new service, the end user requests the access control system 100 to display a trust score analysis screen 1100 as shown in FIG. 11 in order to analyze the trust score of each company providing the service. Display can be requested.

A selection frame 1101 is a frame for the end user to select the type of service whose reliability score is to be analyzed. In this selection frame 1101, the end user can select the target of the trust score analysis displayed on the trust score analysis screen 1100 by selecting, for example, the type of company according to the service type.

A selection frame 1102 is a frame for the end user to select the security level and other requirements. In this selection pane 1102, the end user can select various requirements related to the confidence score.

The selection frame 1103 is a frame for the end user to select the hierarchical level of the service provider company. In this selection frame 1103, the end user can select the hierarchical level of the service providing company whose trust score is to be analyzed from among various hierarchical levels such as company name, region, branch office, etc.

The confidence score graph 1104 is a graphical representation of the confidence score values corresponding to the items selected in the selection frames 1101 to 1103, respectively. By referring to the trust score graph 1104, the end user can compare the trust scores of each service provider company and consider which service provider company to contract for a new service with.

In the real estate industry, in order to obtain approval for a loan from a financial company, the real estate company collects documents such as income proof and employment status of the end user (customer or tenant) without informing the end user. It is known that there is a fraudulent act of tampering with. Below, an example of actual operation of the access control system 100 for preventing such fraudulent acts will be described with reference to FIG. 12.

FIG. 12 is a sequence diagram showing an example of actual operation of the access control system 100 according to an embodiment of the present invention. When the end user submits personal information such as income proof and employment status to the real estate company, the real estate company inputs the personal information to the data exchange platform 1 on behalf of the user. The access control system 100 manages the policy and workflow system based on the input personal information, and also notifies the financial company that an application for a new loan has been received. Upon receiving this notification, the financial company confirms the application content from the end user made via the access control system 100, and performs a trust score analysis on the real estate company that entered the application, as necessary, to provide a loan. Approval (OK) or denial (NG) is determined. The determination result by the financial company is notified to the end user via the access control system 100.

According to the embodiment of the present invention described above, the following effects are achieved.

(1) The access control system 100 is used in the data exchange platform 1 that mediates access-restricted data between the data requester 2 and the data provider 3. The access control system 100 includes an access gateway 110 that performs context analysis in response to an access request from a data requester 2 to access-restricted data, and a workflow provided by the data exchange platform 1 based on the result of the context analysis by the access gateway 110. Calculated by the trust score management unit 120 and the trust score management unit 120 that randomly selects one or more trust parameters from a plurality of trust parameters obtained from the system and calculates the trust score of the access request based on the selected trust parameters. and an access determination unit 140 that determines whether or not to make an access request based on the reliability score obtained. By doing this, it is possible to realize access control that is safe and highly robust.

(2) In the context analysis, the access gateway 110 acquires attribute information including the attributes of the data requester 2, the attributes of the access-restricted data, and the progress status of the workflow system (step S102), and based on the acquired attribute information, , it is determined whether the access request corresponds to the first context (context type Ct1), the second context (context type Ct2), or the third context (context type Ct3) (step S103). As shown by reference numerals 401 to 403 in FIG. 4, in context type Ct1, data requester 2 is a service provider that provides services to end users, and data provider 3 is a service provider that provides services to end users. or an end user, and the access-restricted data is personal information about the end user. In addition, in context type Ct2, data requester 2 is a service provider, data provider 3 is another service provider, and access-restricted data is a data requester that has been previously used by another service provider. This is information regarding the trust score calculated when the access request was made as the data requester 2. In addition, in context type Ct3, data requester 2 is an end user, data provider 3 is a service provider, and access-restricted data is a data requester 2 who has been a data requester in the past. This is information regarding the trust score calculated when an access request is made. By doing this, it is possible to appropriately perform a context analysis on an access request from the data requester 2 to the access-restricted data.

(3) When the access gateway 110 determines that the access request corresponds to the context type Ct1 (step S105), the trust score management unit 120 selects a predetermined value that is set in advance corresponding to the context type Ct1 among the plurality of trust parameters. A randomly determined number of trust parameters is selected from among the number of trust parameters in order of priority (step S202), and a determination is made as to whether there is a predetermined percentage or more of trust parameters that are equal to or higher than a predetermined threshold value among the selected trust parameters. A reliability score is calculated (steps S207, S208) by determining whether the information is reliable (steps S203 to S206). Further, when the access gateway 110 determines that the access request corresponds to the context type Ct2 or the context type Ct3 (steps S106, S107), the trust score management unit 120 selects the context type Ct2 or the context type Ct3 from among the plurality of trust parameters. A reliability score is calculated by weighting and adding each reliability parameter set in advance according to equation (1). By doing this, it is possible to appropriately calculate the trust score depending on the situation at the time of the access request.

(4) When the access gateway 110 determines that the access request corresponds to the context type Ct2 or the context type Ct3, the access gateway 110 multiplies the trust parameters used to calculate the trust score, for example, as shown in figures 1000 and 1005 in FIG. Provide end users with a user interface for dimensional analysis. This user interface includes a section for selecting the service provider's organizational hierarchy or trust parameter acquisition period on the screen. This allows the end user to receive information necessary for analyzing the trust parameters from the access control system 100.

(5) The trust score management unit 120 selects one of a plurality of preset trust categories (categories 501 to 504) based on the results of the context analysis, and selects one of the preset trust categories (categories 501 to 504) and The reliability parameters are selected by randomly selecting one or more reliability parameters from the combination of reliability parameters (step S108). By doing this, it is possible to reliably select trust parameters suitable for calculating the trust score by using the results of the context analysis.

(6) The access gateway 110 uses the trust score and the attribute information (subject attribute s _rt , action attribute ar _t , resource attribute _rt , environment attribute wr _t ) of the access request according to the progress status of the workflow system. , has an access request information generation unit 112 that generates access request information corresponding to an access request. The access request information generation unit 112 transmits the generated access request information to the access determination unit 140 (step S110). The access determination unit 140 determines whether the access request is acceptable based on the access request information received from the access request information generation unit 112 (step S111). By doing this, it is possible to accurately determine whether or not to grant an access request by reflecting the trust score and the progress status of the workflow.

(7) The access control system 100 includes a policy storage unit 132 in which a policy describing permission conditions for access requests is stored and which allows the access determination unit 140 to refer to the policy, and a policy that updates the policy stored in the policy storage unit 132. The update unit 131 is also provided. The policy update unit 131 updates the policy in response to changes in participants in the workflow system. By doing this, even if there is a change in the data requester 2 or data provider 3 in the workflow system, it is possible to appropriately update the contents of the policy according to the change.

(8) The access control method by the access control system 100 is an access control method in the data exchange platform 1 that mediates access-restricted data between the data requester 2 and the data provider 3. In this access control method, a context analysis is performed on the access request from the data requester 2 to the access-restricted data (step S103), and based on the result of the context analysis, the access control method One or more trust parameters are randomly selected from the plurality of trust parameters (step S108). Then, a trust score of the access request is calculated based on the selected trust parameter (step S109), and it is determined whether the access request is acceptable or not based on the trust score (step S111). By doing this, it is possible to realize access control that is safe and highly robust.

It should be noted that the present invention is not limited to the above-described embodiments, and can be implemented using arbitrary components within the scope of the invention. The embodiments and modifications described above are merely examples, and the present invention is not limited to these contents as long as the characteristics of the invention are not impaired. Furthermore, although various embodiments and modifications have been described above, the present invention is not limited to these. Other embodiments considered within the technical spirit of the present invention are also included within the scope of the present invention.

DESCRIPTION OF SYMBOLS 1... Data exchange platform, 2... Data requester, 3... Data provider, 100... Access control system, 110... Access gateway, 111... Context analysis section, 112... Access request information generation section, 113... Log management section, 114 ...Access log, 120...Trust score management section, 121...Trust parameter acquisition section, 122...Trust category analysis section, 123...Trust parameter selection section, 124...Trust score calculation section, 125...Warning section, 127...Trust parameter storage section , 128...Trust threshold storage section, 129...Trust score storage section, 130...Policy management section, 131...Policy update section, 132...Policy storage section, 140...Access judgment section, 150...Workflow system

Claims (8)

An access control system used in a data exchange platform that mediates access-restricted data between a data requester and a data provider, the system comprising:
an access gateway that performs a context analysis on an access request from the data requester to the access-restricted data;
Based on the results of the context analysis by the access gateway, one or more trust parameters are randomly selected from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform; a trust score management unit that calculates a trust score of an access request;
An access control system comprising: an access determination unit that determines whether or not the access request is permitted based on the trust score calculated by the trust score management unit. The access control system according to claim 1,
In the context analysis, the access gateway obtains attribute information including the attributes of the data requester, the attributes of the access-restricted data, and the progress status of the workflow system, and determines the access based on the obtained attribute information. determining whether the request falls into a first context, a second context, or a third context;
In the first context, the data requester is a service provider that provides a service to an end user, the data provider is another service provider or the end user, and the access restriction target is Data is information regarding the end user;
In the second context, the data requester is the service provider, the data provider is the other service provider, and the access-restricted data is the other service provider. information regarding the trust score calculated when the person made the access request as the data requester in the past;
In the third context, the data requester is the end user, the data provider is the service provider, and the access-restricted data is the data that the service provider has previously An access control system that is information regarding the trust score calculated when the access request is made as a data requester. The access control system according to claim 2,
When the access gateway determines that the access request corresponds to the first context, the trust score management unit determines a predetermined number of trust parameters that are preset corresponding to the first context among the plurality of trust parameters. A randomly determined number of trust parameters are selected from among the trust parameters in order of priority, and it is determined whether there is a predetermined percentage or more of trust parameters that are equal to or higher than a predetermined threshold value among the selected trust parameters. Calculate the confidence score by
When the access gateway determines that the access request corresponds to the second context or the third context, the trust score management unit determines whether the access request corresponds to the second context or the third context among the plurality of trust parameters. An access control system that calculates the trust score by weighting and adding each trust parameter that is set in advance in accordance with the context of the access control system. The access control system according to claim 3,
When the access gateway determines that the access request falls under the second context or the third context, the access gateway provides a user interface for performing multidimensional analysis of the trust parameters used to calculate the trust score. providing to said end user;
The user interface is an access control system including a section for selecting an organizational hierarchy of the service provider or an acquisition period of the trust parameter on the screen. The access control system according to claim 1,
The trust score management unit selects one of a plurality of preset trust categories based on the result of the context analysis, and selects one of the trust parameter combinations preset for the selected trust category. An access control system that selects the trust parameter by randomly selecting one or more trust parameters. The access control system according to claim 1,
The access gateway includes an access request information generation unit that generates access request information corresponding to the access request based on the trust score and attribute information of the access request according to the progress status of the workflow system. ,
The access request information generation unit transmits the generated access request information to the access determination unit,
The access determination unit is an access control system that determines whether or not the access request can be made based on the access request information received from the access request information generation unit. The access control system according to claim 1,
a policy storage unit that stores a policy that describes permission conditions for the access request, and causes the access determination unit to refer to the policy;
a policy updating unit that updates the policy stored in the policy storage unit;
The policy update unit is an access control system that updates the policy in response to a change in participants of the workflow system. An access control method in a data exchange platform that mediates access-restricted data between a data requester and a data provider, the method comprising:
Performing a context analysis on the access request from the data requester to the access-restricted data;
Randomly selecting one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform based on the results of the context analysis;
calculating a trust score for the access request based on a selected trust parameter;
An access control method that determines whether or not the access request is granted based on the trust score.

Images