WO2023224016A1 - Access control system and access control method - Google Patents

Access control system and access control method

Info

Publication number
WO2023224016A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
trust
data
context
access request
Prior art date
Application number
PCT/JP2023/018177
Other languages
French (fr)
Japanese (ja)
Inventor
アンジャリ ラジト
壮希 櫻井
Original Assignee
株式会社日立システムズ
Priority date
Filing date
Publication date
Application filed by 株式会社日立システムズ
Publication of WO2023224016A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • The present invention relates to a system and method for controlling access to predetermined information.
  • Role-based access control grants, for each role of a user requesting access, access privileges to each piece of protected information, and rejects access requests from users whose role lacks those privileges; access to the protected information is controlled in this way.
  • In role-based access control, access is controlled according to preset access privileges, which makes flexible access control difficult to implement.
  • Attribute-based access control determines, according to a preset policy, whether an access request may be granted based on the attributes of the user making the request, the attributes of the protected information requested, and the attributes of the environment at the time of the request; access to protected information is controlled by this determination. This provides more flexible access control than role-based access control.
  • As an example of attribute-based access control, the technology of Patent Document 1 is known. Patent Document 1 describes a method of calculating a reliability value by weighting various types of attribute information according to their importance and determining whether access is possible based on the result.
  • Patent Document 2 discloses a system that calculates a trust score based on parameters such as the number of suspicious packets and the number of fake requests from the user making an access request, and determines whether access is possible by comparing the calculated trust score with a predetermined threshold.
  • In the technique of Patent Document 1, calculating a reliability value from a large number of attribute information items imposes an excessive computational load, so it is difficult to apply to an actual access control system. The technique of Patent Document 2 has the problem that unauthorized access cannot be prevented, because a malicious user can easily guess how the trust score is calculated.
  • The present invention has been made in view of the above problems, and its main purpose is to realize access control that is safe and highly robust.
  • The access control system is used in a data exchange platform that mediates access-restricted data between a data requester and a data provider, and is configured to control access from the data requester to the access-restricted data.
  • The access control system includes: an access gateway that performs a context analysis on the access request; a trust score management unit that, based on the result of the context analysis by the access gateway, randomly selects one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform, and calculates a trust score of the access request based on the selected trust parameters; and an access determination unit that determines whether the access request is acceptable based on the trust score calculated by the trust score management unit.
  • The access control method is an access control method in a data exchange platform that mediates access-restricted data between a data requester and a data provider. In the method, a context analysis is performed on the access request; based on the result of the context analysis, one or more trust parameters are randomly selected from a plurality of trust parameters obtained from the workflow system provided by the data exchange platform; a trust score of the access request is calculated based on the selected trust parameters; and it is determined whether the access request is acceptable based on the trust score.
  • FIG. 1 is a block diagram illustrating an overview of a data exchange platform including an access control system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the detailed structure of an access control system according to an embodiment of the present invention.
  • FIG. 3 is a diagram showing an example of the progress status of the workflow system and of access request information.
  • FIG. 4 is a diagram showing an example of context types.
  • FIG. 5 is a diagram showing an example of the category classification of trust parameters.
  • FIGS. 6 and 7 are flowcharts showing the flow of access control processing.
  • Further figures show an example of trust parameters and warning count values, a flowchart of the trust score calculation process, an example of multidimensional analysis of trust parameters, an example of a trust score analysis screen, and a sequence diagram showing an example of actual operation of the
  • In the following description, processing may be explained with a "program" or its process as the subject; however, a program is executed by a processor (for example, a CPU (Central Processing Unit)) to perform a predetermined process, and that processing uses appropriate storage resources (for example, memory) and/or communication interface devices (for example, communication ports), so the subject of the processing may equally be the processor.
  • A processor operates as a functional unit that implements a predetermined function by operating according to a program.
  • Devices and systems that include processors are devices and systems that include these functional units.
  • FIG. 1 is a block diagram showing an overview of a data exchange platform including an access control system according to an embodiment of the present invention.
  • The data exchange platform 1 shown in FIG. 1 is a type of information platform used for collaboration between different industries, on which data whose access by the general public should be restricted is exchanged between a designated data requester 2 and data provider 3.
  • The data exchange platform 1 includes various UIs (User Interfaces) through which data requesters 2 and data providers 3 exchange access-restricted data, and the series of processes related to that exchange is packaged and provided as a workflow system. This workflow system mediates the access-restricted data between the data requester 2 and the data provider 3, thereby achieving safe and reliable delivery of the access-restricted data.
  • Through the data exchange platform 1, the data provider 3 provides, as access-restricted data, end users' personal information held by the data provider 3 (proof of income, employment status, credit information, etc.) and information such as the trust score calculated when an access request was made for some access-restricted data.
  • The trust score is a value representing the reliability of an access request, and is calculated in the access control system 100 included in the data exchange platform 1 as described below.
  • The data requester 2 requests the data exchange platform 1 for access to the access-restricted data provided by the data provider 3, and if the access request is approved, obtains the access-restricted data from the data exchange platform 1.
  • The data requester 2 corresponds to service providing companies that provide various services to end users, end users who receive services from such companies, and the like. For example, when an end user signs a rental contract for real estate, the rental guarantee company, as the data requester 2, requests the end user's personal information, which is access-restricted data, and uses it to determine guarantee conditions. Likewise, when an end user applies for a mortgage loan or insurance, a financial company or insurance company, as the data requester 2, requests the end user's personal information and uses it to determine contract terms. However, the data requester 2 may be a company or an individual in another industry.
  • The data provider 3 is an end user who provides personal information that is access-restricted data, a service provider company that holds such personal information, a third-party company, or the like.
  • The access-restricted data held by the data provider 3 is collected on the data exchange platform 1 using, for example, a web-based API (Application Programming Interface) or EDI (Electronic Data Interchange), and is provided to the data requester 2 in response to an access request from the data requester 2.
  • The access control system 100 calculates a trust score representing the reliability of an access request, and determines whether access to the access-restricted data provided by the data provider 3 is possible based on the calculated trust score, the state of the workflow system, and other access states in the system. This prevents unauthorized use of access-restricted data and ensures safety in the exchange of access-restricted data between different industries.
  • The access control system 100 includes the functional blocks of an access gateway 110, a trust score management unit 120, a policy management unit 130, and an access determination unit 140. These functional blocks are realized, for example, by combining a computer (CPU: Central Processing Unit) that executes a predetermined program with a storage device such as an HDD (Hard Disk Drive) or SSD (Solid State Drive). Some or all of these functional blocks may instead be implemented using a GPU (Graphics Processing Unit) or an FPGA (Field Programmable Gate Array).
  • FIG. 2 is a block diagram showing the detailed structure of the access control system 100 according to an embodiment of the present invention.
  • the access gateway 110 includes a context analysis section 111, an access request information generation section 112, a log management section 113, and an access log 114.
  • The trust score management unit 120 includes a trust parameter acquisition unit 121, a trust category analysis unit 122, a trust parameter selection unit 123, a trust score calculation unit 124, a warning unit 125, a trust parameter storage unit 127, a trust threshold storage unit 128, and a trust score storage unit 129.
  • the policy management unit 130 includes a policy update unit 131 and a policy storage unit 132.
  • When the context analysis unit 111 receives a request for access to certain access-restricted data from the data requester 2, it acquires attribute information regarding the access request from the workflow system and performs a context analysis of the access request based on this attribute information.
  • The context analysis performed by the context analysis unit 111 analyzes (estimates) under what circumstances the data requester 2 is attempting to access the access-restricted data.
  • The result of this context analysis is represented by one of several context types, determined dynamically according to the attributes of the data requester 2, the attributes of the access-restricted data requested, the progress status of the workflow system, and so on. The context analysis unit 111 can therefore perform the context analysis by acquiring this information as attribute information regarding the access request.
  • The attribute information of the access request acquired by the context analysis unit 111 and the result of its context analysis are output to the access request information generation unit 112 and the trust score management unit 120, respectively. Details of the context analysis method are described later.
  • The access request information generation unit 112 receives from the context analysis unit 111 the attribute information of the access request, for example the subject attribute s_rt, action attribute a_rt, resource attribute r_rt, and environment attribute w_rt described later, and, based on this attribute information and the trust score calculated by the trust score calculation unit 124 of the trust score management unit 120, generates access request information regarding the access request received from the data requester 2.
  • the access request information generated by the access request information generating section 112 is output to the access determining section 140.
  • the log management unit 113 records the access request from the data requester 2 and the response result to the access request in the access log 114 in combination with the attribute information acquired at that time.
  • The access log 114 holds historical information regarding access requests made by the data requester 2. This history information is used when the trust score calculation unit 124 calculates the trust score.
  • The trust parameter acquisition unit 121 acquires the trust parameters necessary for calculating the trust score and stores them in the trust parameter storage unit 127. For example, the IP address of the information device used by the data requester 2 when connecting to the data exchange platform 1 and making the access request, its virus protection status, the number of suspicious packets on the network, and similar information are acquired as trust parameters. The past access request and response history, access times, and similar information of the data requester 2 may also be acquired as trust parameters. These trust parameters may be obtained from a security monitoring system (not shown) or from the access request from the data requester 2 itself; in addition, various other information on the data exchange platform 1 can be acquired as trust parameters.
  • the trust category analysis unit 122 receives the results of the context analysis by the context analysis unit 111 and analyzes the trust category for the access request from the data requester 2.
  • The trust category represents the type of trust parameter that applies to a context analysis result. For example, the trust categories "device", "network", "access", and "application" are set in advance in the trust score management unit 120.
  • the trust category analysis unit 122 can select one of the above trust categories based on the context analysis result.
  • The trust parameter selection unit 123 receives the trust category analysis result from the trust category analysis unit 122 and selects trust parameters stored in the trust parameter storage unit 127. Combinations of trust parameters corresponding to each of the above trust categories are set in advance in the trust score management unit 120, so the trust parameter selection unit 123 can select, from the trust parameter storage unit 127, the combination of trust parameters corresponding to the trust category selected by the trust category analysis unit 122.
  • The trust score calculation unit 124 calculates the trust score for the access request from the data requester 2 using the trust parameters selected by the trust parameter selection unit 123 and the threshold values for each trust parameter stored in the trust threshold storage unit 128. Details of the trust score calculation are described later.
  • the trust score calculation unit 124 stores the calculation result of the trust score in the trust score storage unit 129 and outputs it to the access gateway 110.
  • the warning unit 125 monitors each trust parameter stored in the trust parameter storage unit 127, and outputs a warning to the administrator of the access control system 100 if there is a trust parameter whose value has decreased.
  • the policy storage unit 132 stores policies that describe permission conditions for access requests for various combinations of data requesters 2 and personal information.
  • The policy stored in the policy storage unit 132 is written, for example, in accordance with the XACML (eXtensible Access Control Markup Language) specification, and is read by the access determination unit 140.
  • The policy update unit 131 refers to the history of access requests from the data requester 2, their response results, and the attribute information recorded in the access log 114, and based on these dynamically updates the policies stored in the policy storage unit 132. For example, when a new access request is made by the data requester 2 or new personal information is provided by the data provider 3, the policy is updated to reflect these contents. Thus, even if the participants in the workflow system (data requester 2 or data provider 3) change, the policy content can be updated appropriately in line with the change.
  • The access determination unit 140 refers to the policy stored in the policy storage unit 132 in light of the access request information input from the access request information generation unit 112, and determines whether the access request is acceptable. The result of this determination is output to the access gateway 110.
  • The access gateway 110 decides the response to the access request from the data requester 2 based on the determination result from the access determination unit 140, and if the access request is permitted, sends the specified access-restricted data to the data requester 2.
  • FIG. 3 is a diagram showing the progress status of the workflow system in the data exchange platform 1 and an example of access request information generated by the access control system 100.
  • The workflow system is a series of procedures for correctly carrying out data transactions on the data exchange platform 1, and represents the process to be executed by each of the various participants who take part in the data exchange platform 1 as data requesters 2 and data providers 3.
  • The workflow system 150 shown in FIG. 3 is an example of a workflow system in which a real estate company, a rental guarantee company, and an insurance company use the data exchange platform 1 to exchange the personal information of user A, an end user, in order to determine contract conditions when user A signs a rental contract.
  • the real estate company that receives the rental contract application from user A inputs user A's personal information into the workflow system 150.
  • the entered personal information of user A is transmitted to the rental guarantee company via the workflow system 150, and is used by the rental guarantee company to determine contract conditions.
  • In order to determine the contract conditions to be applied to user A, the insurance company, as the data requester 2, requests access to user A's personal information, such as the application form for the rental guarantee contract and proof of income.
  • At this point, the workflow system 150 puts the rental guarantee company's procedure on hold.
  • the access control system 100 uses the access request information generation unit 112 to generate access request information as indicated by the reference numeral 151, for example.
  • the value indicating the progress status of the workflow system 150 is "pending" to indicate that the rental guarantee company's procedure is pending.
  • Subsequently, the workflow system 150 completes the rental guarantee company's procedure.
  • the access control system 100 uses the access request information generation unit 112 to generate access request information as shown at 152, for example.
  • the value indicating the progress status of the workflow system 150 is "completed" to indicate that the rental guarantee company's procedures have been completed.
  • the policy is updated by the policy update unit 131 to reflect that the progress status of the workflow system 150 has changed from "pending" to "completed".
  • the policy update unit 131 executes, for example, an instruction indicated by reference numeral 153.
  • the progress status of the workflow system is reflected in real time to generate access request information, and this access request information can be used to determine whether the access request is acceptable.
  • the access control system 100 may return "failed" as a value indicating the progress status of the workflow system 150. In this case, the access request from the insurance company is rejected by the access control system 100 unless the progress status of the workflow system 150 becomes "completed". In this way, for example, when the rental guarantee company decides to cancel the contract, the entire procedure up to that point in the workflow system 150 can be invalidated, thereby preventing unintentional leakage of personal information.
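The FIG. 3 scenario in code, as an added example that is not part of the patent: access request information carrying the subject, action, resource and environment attributes (s_rt, a_rt, r_rt, w_rt) plus the trust score value, a simplified XACML-style policy store that the policy update unit rewrites when the workflow progress changes, and an access determination that denies while the rental guarantee company's procedure is "pending", permits once it is "completed", and invalidates everything on "failed". The attribute names and the three status values come from the page; the class names, the first-applicable rule format, the deny-by-default behaviour and the sample subject/resource strings are assumptions made for illustration.

```python
# Added example (not from the patent): access request information and a
# workflow-state-aware policy check, modelled on the FIG. 3 scenario.
# Attribute names s_rt, a_rt, r_rt, w_rt and the statuses "pending",
# "completed", "failed" follow the page; the rule format, the PolicyStore class
# and the sample subject/resource strings are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AccessRequestInfo:
    s_rt: str    # subject attribute: who is requesting (e.g. "insurance_company")
    a_rt: str    # action attribute: "view", "edit", "delete"
    r_rt: str    # resource attribute: the access-restricted data requested
    w_rt: str    # environment attribute: workflow progress status
    trust: str   # trust score value: "satisfied" / "not satisfied"


@dataclass
class Rule:
    subject: str
    action: str
    resource: str
    required_status: str   # workflow status the rule demands (assumed rule shape)
    effect: str = "Permit"


class PolicyStore:
    """Simplified stand-in for policy storage unit 132 (first-applicable rules)."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def update_for_progress(self, subject: str, action: str, resource: str, status: str) -> None:
        """Stand-in for policy update unit 131: replace the rule for this
        (subject, action, resource) so it reflects the new workflow status."""
        key = (subject, action, resource)
        self.rules = [r for r in self.rules if (r.subject, r.action, r.resource) != key]
        self.rules.append(Rule(subject, action, resource, status))


def decide(req: AccessRequestInfo, policy: PolicyStore) -> str:
    """Stand-in for access determination unit 140. Permit only when a matching
    rule's required workflow status equals w_rt and the trust score is
    satisfied; a "failed" workflow invalidates the procedure regardless of rules."""
    if req.w_rt == "failed":
        return "Deny"
    if req.trust != "satisfied":
        return "Deny"
    for rule in policy.rules:
        if (rule.subject, rule.action, rule.resource) == (req.s_rt, req.a_rt, req.r_rt) \
                and rule.required_status == req.w_rt:
            return rule.effect
    return "Deny"   # no applicable rule: deny by default (assumption)


def fig3_walkthrough() -> Dict[str, str]:
    """Replays the three workflow states of FIG. 3 and returns each decision."""
    policy = PolicyStore()
    results: Dict[str, str] = {}
    subj, act, res = "insurance_company", "view", "userA/income_proof"   # constructed
    # Reference 151: rental guarantee company's procedure is pending; no rule permits yet.
    results["pending"] = decide(AccessRequestInfo(subj, act, res, "pending", "satisfied"), policy)
    # References 152/153: procedure completed; the policy update reflects the change.
    policy.update_for_progress(subj, act, res, "completed")
    results["completed"] = decide(AccessRequestInfo(subj, act, res, "completed", "satisfied"), policy)
    # Contract cancelled: the workflow reports "failed" and the whole procedure is void.
    results["failed"] = decide(AccessRequestInfo(subj, act, res, "failed", "satisfied"), policy)
    return results


if __name__ == "__main__":
    print(fig3_walkthrough())
```

Because w_rt is read from the workflow in real time and the policy is rewritten only on a completed step, a requester cannot obtain data by replaying an earlier request: the environment attribute, not the requester's claim, decides which rule applies.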
  • FIG. 4 is a diagram showing an example of the context type determined by the context analysis performed by the context analysis unit 111.
  • the context analysis unit 111 receives an access request from the data requester 2 as described above, it performs a context analysis for the access request.
  • The context analysis unit 111 can perform the context analysis by determining which of three context types, Ct1, Ct2, and Ct3, the access request corresponds to, based on the attribute information acquired from the workflow system.
  • the part indicated by reference numeral 401 shows an example of an access request that corresponds to context type Ct1.
  • In this case, an insurance company or a rental guarantee company becomes the data requester 2 and requests, via the data exchange platform 1, access to end users' personal information held by end users and third-party companies, who are the data providers 3.
  • the part indicated by reference numeral 402 shows an example of an access request that corresponds to context type Ct2.
  • In this case, a financial company or an insurance company that provides a service to an end user becomes the data requester 2 and requests, via the data exchange platform 1, the trust score calculated for a past access request made by a real estate company that provides a different service to the same end user.
  • the part indicated by reference numeral 403 shows an example of an access request that corresponds to context type Ct3.
  • In this case, the end user becomes the data requester 2 and, in order to decide whether to receive services from an insurance company that provides services to end users, requests via the data exchange platform 1 the trust score calculated for an access request made by that insurance company.
  • The roles of the data requester 2 and the data provider 3 may differ from the examples above; as long as it can be determined which of the three context types an access request falls under, the method can be applied to any data transaction format. Further, the context types that the context analysis unit 111 can determine are not limited to Ct1 to Ct3; other context types may be defined, and the analysis then determines which of them the request corresponds to.
  • FIG. 5 is a diagram showing an example of the category classification of trust parameters used by the trust category analysis unit 122.
  • The trust categories 500 consist of a category 501 corresponding to "device", a category 502 corresponding to "network", a category 503 corresponding to "access", and a category 504 corresponding to "application".
  • Categories 501 to 504 are associated with the aforementioned context types Ct1 to Ct3, and information representing these associations is stored in advance in the trust category analysis unit 122. Based on this information, the trust category analysis unit 122 can dynamically select the applicable categories among 501 to 504 according to the context analysis result from the context analysis unit 111.
  • a category 501 corresponding to "device” is a category that summarizes trust parameters related to the security status of the device to which the data requester 2 has made an access request to the data exchange platform 1.
  • Category 501 includes, for example, trust parameters relating to the update status of the device's security patches, whether the device's IP address is on a blacklist, the device's vulnerability to viruses and malware, and the adoption status of other security measures on the device. The values of these trust parameters are expressed, for example, as either 1 (positive) or -1 (negative).
  • The category 502 corresponding to "network" is a category that summarizes trust parameters related to the security status of the network used by the data requester 2 to connect to the data exchange platform 1 when making an access request.
  • the category 502 includes, for example, trust parameters regarding the presence or absence of suspicious packets from the network, the presence or absence of encryption measures in the network, and the like.
  • the values of these confidence parameters are expressed as either 1 (positive) or -1 (negative), for example.
  • the category 503 corresponding to “access” is a category that summarizes trust parameters related to the access status from the data requester 2, and is obtained from the access log 114 recorded in the access gateway 110.
  • the category 504 corresponding to "Application” is a category that summarizes trust parameters related to internal processing of the data exchange platform 1.
  • The category 504 includes, for example, trust parameters relating to feedback registered by the administrator about the reputation and service quality of the data requester 2 who made the access request, the processing speed of the data requester 2's access requests, and the recommendation history representing the reputation of the data requester 2 on the data exchange platform 1.
  • The contents of categories 501 to 504 in the trust categories 500 described above are merely examples, and other trust parameters may be included in each category.
  • The categorization of trust parameters in the trust category analysis unit 122 is not limited to the trust categories 500 illustrated in FIG. 5, and other categorizations may be adopted.
  • FIGS. 6 and 7 are flowcharts showing the flow of access control processing executed by the access control system 100.
  • In step S101, the access gateway 110 receives an access request from the data requester 2.
  • In step S102, the context analysis unit 111 of the access gateway 110 acquires attribute information of the access request received in step S101 from the workflow system. Specifically, the subject attribute s_rt representing the attributes of the data requester 2, the action attribute a_rt representing the type of access request (viewing, editing, deletion, etc.), the resource attribute r_rt representing the access-restricted data that is the subject of the access request, and the environment attribute w_rt representing the state of the workflow system at the time of the access request are acquired from the workflow system in real time. These are the attributes used in the standard XACML processing model.
  • In step S103, the context analysis unit 111 performs the context analysis based on the attribute information acquired in step S102.
  • Here, one of the aforementioned context types Ct1 to Ct3 is selected according to a preset relationship between each piece of attribute information and the context type.
  • The context analysis unit 111 outputs the selection result to the trust score management unit 120.
  • In step S104, the trust category analysis unit 122 of the trust score management unit 120 determines which of the context types Ct1 to Ct3 was selected by the context analysis unit 111 in step S103. If it is Ct1, the process proceeds to step S105; if Ct2, to step S106; and if Ct3, to step S107.
  • In step S105, the trust category analysis unit 122 selects the trust categories 501 to 503, corresponding to "device", "network", and "access", respectively, from among the categories 501 to 504 illustrated in FIG. 5.
  • In step S106, the trust category analysis unit 122 selects the trust categories 503 and 504, corresponding to "access" and "application", respectively, from among the categories 501 to 504 illustrated in FIG. 5.
  • In step S107, the trust category analysis unit 122 selects the trust category 504, corresponding to "application", from among the categories 501 to 504 illustrated in FIG. 5.
  • In step S108, the trust parameter selection unit 123 selects the trust parameters corresponding to the trust categories selected in step S105, S106, or S107, according to the combinations of trust parameters set for the categories 501 to 504 illustrated in FIG. 5.
  • In step S109, the trust score calculation unit 124 calculates the trust score based on the trust parameters selected in step S108.
  • The trust score can be calculated from the trust parameters, for example, by the method described later.
  • The trust score calculation unit 124 stores the calculation result in the trust score storage unit 129 and outputs it to the access gateway 110.
  • In step S110, the access request information generation unit 112 of the access gateway 110 acquires from the context analysis unit 111 the attribute information of the access request acquired in step S102, namely the subject attribute s_rt, action attribute a_rt, resource attribute r_rt, and environment attribute w_rt, and also acquires the trust score calculated by the trust score calculation unit 124 in step S109, for example a trust score value of "satisfied" or "not satisfied", which will be described later. Based on the acquired information it generates access request information and outputs it to the access determination unit 140.
  • In step S111, the access determination unit 140 executes an access determination for the access request received in step S101, based on the access request information received from the access request information generation unit 112 in step S110. In this way, whether or not the access request is acceptable can be determined based on the trust score calculated by the trust score calculation unit 124 in step S109.
  • The result of the access determination in step S111 is output from the access determination unit 140 to the access gateway 110.
  • In step S112, the access gateway 110 determines whether or not to permit access to the access-restricted data from the data requester 2, based on the access determination result received from the access determination unit 140 in step S111. If access is permitted, the process advances to step S113; if access is not permitted, the process advances to step S114.
  • In step S113, the access gateway 110 transmits the access-restricted data corresponding to the access request to the data requester 2 as a response to the access request received in step S101.
  • In step S114, the access gateway 110 rejects the access request received in step S101 and blocks access to the access-restricted data specified by the data requester 2.
  • In step S115, after the process of step S113 or step S114 has been executed, the log management unit 113 records in the access log 114 the attribute information acquired in step S102, the result of the context analysis performed in step S103, and the access determination result of step S111, combined into one record. After the process of step S115 is executed, the flowcharts of FIGS. 6 and 7 end.
  • When the access control system 100 receives an access request from the data requester 2, it executes the access control processing described above to determine whether or not the access request is permitted, and if it is permitted, returns the access-restricted data specified in the access request, such as personal information, to the data requester 2. In this way, safe mediation of access-restricted data between the data requester 2 and the data provider 3 can be realized using the workflow system.
  • FIG. 8 is a diagram showing an example of trust parameters and warning count values.
  • FIG. 8(a) shows an example of the trust parameters acquired by the trust parameter acquisition unit 121 and stored in the trust parameter storage unit 127.
  • The trust parameter storage unit 127 stores the parameter values P1, P2, P5, and P7 of the acquired trust parameters, together with their respective trust categories and weights W1, W2, W5, and W7, in table format in order of weight.
  • The weights W1, W2, W5, and W7 of the trust parameters are set, for example, in the range of 0 to 100 according to the importance of each parameter.
  • FIG. 8(b) shows an example of the warning count values used when the warning unit 125 outputs a warning.
  • The warning unit 125 compares, in order of weight, the product of each parameter value P1, P2, P5, P7 and its weight W1, W2, W5, W7 with the respective threshold value Th1, Th2, Th5, Th7, and if the product is less than the threshold, increments the warning count value of that parameter by one. When the warning count value reaches a predetermined upper limit, a warning is output to the administrator.
  • The warning count value of each trust parameter is stored in the trust parameter storage unit 127 together with the parameter values P1, P2, P5, P7 and the weights W1, W2, W5, W7.
  • The weights W1, W2, W5, W7 and thresholds Th1, Th2, Th5, Th7 above are preset in the access control system 100, and may be changed dynamically according to the nature of each trust parameter. For example, in the case of access frequency, which is one of the trust parameters, the access frequency during peak hours is higher than at other times, so the parameter value changes periodically. In this case, it is therefore preferable to change the weight and threshold for the access frequency depending on the time period. More generally, weights and thresholds can be changed dynamically according to arbitrary rules that depend on the properties of each trust parameter.
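The warning-count procedure of FIG. 8 together with the time-dependent weight and threshold rule just described, as an added Python example that is not code from the patent: the parameter names, their values, the peak-hour rule for access frequency and the upper limit of 3 are all constructed for this illustration.

```python
# Added example (not the patent's own code): the warning-count check of
# FIG. 8 walked over a constructed trust-parameter table.  Parameter names,
# values, the peak-hour rule and the upper limit are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class TrustParameter:
    name: str
    category: str        # trust category: device / network / access / application
    value: float         # parameter value P_i
    weight: float        # weight W_i, set in 0..100 according to importance
    threshold: float     # threshold Th_i, compared against the product P_i * W_i
    warning_count: int = 0   # stored alongside the parameter, as in FIG. 8(b)


# A dynamic rule maps the hour of day to the (weight, threshold) pair in
# force at that time.  The page only says such rules may exist; this
# particular rule is constructed.
Rule = Callable[[int], Tuple[float, float]]


def access_frequency_rule(hour: int) -> Tuple[float, float]:
    """Constructed rule: access frequency is naturally higher during peak
    hours (assumed 09:00-18:00), so the threshold is relaxed in that window."""
    if 9 <= hour < 18:
        return (50.0, 20.0)
    return (50.0, 30.0)


DEFAULT_RULES: Dict[str, Rule] = {"access_frequency": access_frequency_rule}


def constructed_parameters() -> List[TrustParameter]:
    """Constructed sample table in the shape of FIG. 8(a); values are made up."""
    return [
        TrustParameter("os_patch_level", "device", value=0.9, weight=80, threshold=60),
        TrustParameter("known_network", "network", value=0.4, weight=70, threshold=50),
        TrustParameter("failed_logins_inverse", "access", value=0.3, weight=60, threshold=40),
        TrustParameter("access_frequency", "access", value=0.5, weight=50, threshold=30),
    ]


def run_cycle(params: List[TrustParameter], hour: int,
              upper_limit: int = 3,
              rules: Optional[Dict[str, Rule]] = None) -> List[str]:
    """One pass of the warning unit: compare P_i * W_i with Th_i in order of
    weight, increment the warning count when the product falls short, and
    return the names of the parameters whose count has just reached the
    upper limit (those are the ones the administrator is warned about)."""
    rules = DEFAULT_RULES if rules is None else rules
    to_warn: List[str] = []
    for p in sorted(params, key=lambda q: q.weight, reverse=True):
        # effective weight/threshold: dynamic rule if one exists, else the preset pair
        weight, threshold = rules[p.name](hour) if p.name in rules else (p.weight, p.threshold)
        if p.value * weight < threshold:
            p.warning_count += 1
            if p.warning_count == upper_limit:
                to_warn.append(p.name)
    return to_warn


if __name__ == "__main__":
    table = constructed_parameters()
    for cycle in range(1, 4):
        print(f"cycle {cycle} (off-peak):", run_cycle(table, hour=3))
```

The comparison walks the table in descending weight, so when several parameters reach the limit in the same cycle the most important one is reported first. With the constructed values, "known_network" and "failed_logins_inverse" fall short every cycle, while "access_frequency" falls short only outside the peak window, which is the effect the time-dependent threshold is meant to have.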
  • FIG. 9 is an example of a flowchart showing the flow of the trust score calculation process.
  • The trust score calculation unit 124 executes the process shown in the flowchart of FIG. 9 to calculate a trust score.
  • In step S201, the trust score calculation unit 124 obtains the number N of trust parameters.
  • The total number of trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG. 6 is obtained as the number N of trust parameters.
  • In step S202, the trust score calculation unit 124 randomly selects (x-n+1) trust parameters Pn to Px from among the trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG.
  • Here, the values of x and n are selected at random so as to satisfy the condition 0 < n ≤ x ≤ N. For example, the trust parameters of the "device", "network", and "access" categories selected by the trust parameter selection unit 123 may be arranged in order of weight, and the n-th to x-th trust parameters may be selected as the trust parameters Pn to Px. Apart from this, the trust parameters Pn to Px can be randomly selected using any method.
  • In step S204, the trust score calculation unit 124 compares the trust parameter Pi with the threshold value Thi obtained in step S203, and determines whether the condition Pi ≥ Thi is satisfied. If the condition is satisfied, that is, if the trust parameter Pi is equal to or greater than the threshold Thi, the process proceeds to step S205, increments the count value Cn of the trust score by 1, and then proceeds to the next iteration of the loop. If the condition is not satisfied, that is, if the trust parameter Pi is less than the threshold Thi, the count value Cn of the trust score is left unchanged and the process moves to the next iteration of the loop.
  • In step S206, the trust score calculation unit 124 determines whether the count value Cn of the trust score finally obtained in the loop processing is equal to or greater than a predetermined ratio (for example, 0.6) of the total value (x-n+1) that would result if all of the (x-n+1) trust parameters had been counted. If the count value Cn is 0.6(x-n+1) or more, that is, if 60% or more of the randomly selected trust parameters yielded a positive determination result, the process advances to step S207. If the count value Cn is less than 0.6(x-n+1), the process advances to step S208.
  • In step S207, the trust score calculation unit 124 sends "satisfied", which is a trust score value indicating "reliable", to the access gateway 110 as the calculation result of the trust score for the access request from the data requester 2, for example in a message in JSON (JavaScript (registered trademark) Object Notation) format.
  • In step S208, the trust score calculation unit 124 sends "not satisfied", which is a trust score value indicating "not reliable", to the access gateway 110 as the calculation result of the trust score for the access request from the data requester 2, for example in a message in JSON format.
  • After performing the process of step S207 or S208, the trust score calculation unit 124 ends the trust score calculation process shown in the flowchart of FIG.
  • As described above, the trust parameters Pn to Px used in the trust score calculation are selected at random by dynamically choosing the values of x and n. This makes it difficult to guess the access determination pattern of the access control system 100, and thereby makes it possible to prevent attacks by attackers such as malicious hackers.
  • Alternatively, the trust score may be calculated by the method described below.
  • In this case, the trust score calculation unit 124 can calculate the trust score Ts using, for example, the following equation (1).
  • Here, N represents the aforementioned number of trust parameters.
  • Pj represents the value of the j-th trust parameter among the trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG.
  • Wj represents the weight preset for the j-th trust parameter.
  • The trust score Ts calculated by the above equation (1) corresponds to the weighted addition of all the selected trust parameters. That is, among the trust parameters corresponding to the categories 501 to 504 illustrated in FIG., the trust score calculation unit 124 can calculate the trust score Ts by weighting and adding each of the trust parameters of the categories 503 and 504 corresponding to "access" and "application", which are preset for the context type Ct2, or each of the trust parameters of the category 504 corresponding to "application", which is preset for the context type Ct3. Note that the trust score Ts may be normalized to the range of 0 to 1 in order to facilitate comparison between trust scores.
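Both calculation methods, the random-window count of FIG. 9 used for context type Ct1 and the weighted addition described for equation (1) used for context types Ct2 and Ct3, as one added Python example that is not code from the patent. The category-to-context mapping follows steps S105 to S107; the parameter names and values, the normalisation by total weight, the use of a CSPRNG for n and x, and the JSON field names are assumptions made for this illustration.

```python
# Added example (not the patent's own code): trust score calculation for
# context type Ct1 (FIG. 9, random window P_n..P_x) and for Ct2/Ct3
# (weighted addition as described for equation (1)).  Parameter names and
# values are constructed; the context-to-category mapping follows S105-S107.
import json
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TrustParameter:
    name: str
    category: str      # device / network / access / application
    value: float       # P_i, kept in 0..1 here so the weighted score normalises cleanly
    weight: float      # W_i in 0..100
    threshold: float   # Th_i for the P_i >= Th_i check of step S204


# Trust categories preset for each context type (steps S105 to S107).
CONTEXT_CATEGORIES: Dict[str, Tuple[str, ...]] = {
    "Ct1": ("device", "network", "access"),
    "Ct2": ("access", "application"),
    "Ct3": ("application",),
}


def constructed_parameters() -> List[TrustParameter]:
    """Constructed sample of trust parameters; values are made up."""
    return [
        TrustParameter("os_patch_level", "device", 0.9, 80, 0.7),
        TrustParameter("known_network", "network", 1.0, 70, 0.5),
        TrustParameter("failed_logins_inverse", "access", 0.3, 60, 0.5),
        TrustParameter("access_frequency_norm", "access", 0.6, 50, 0.5),
        TrustParameter("app_signed", "application", 1.0, 90, 1.0),
        TrustParameter("api_error_rate_inverse", "application", 0.4, 40, 0.6),
    ]


def select_parameters(params: Sequence[TrustParameter], context_type: str) -> List[TrustParameter]:
    """Step S108: keep the parameters of the categories preset for the
    context type, arranged in order of weight (highest first)."""
    cats = CONTEXT_CATEGORIES[context_type]
    return sorted((p for p in params if p.category in cats),
                  key=lambda p: p.weight, reverse=True)


def evaluate_window(params: Sequence[TrustParameter], n: int, x: int,
                    ratio: float = 0.6) -> Tuple[str, int]:
    """Steps S203 to S208 for a fixed n and x (1-based, 0 < n <= x <= N):
    count the parameters P_n..P_x with P_i >= Th_i and return "satisfied"
    when the count is at least ratio * (x - n + 1), else "not satisfied"."""
    if not 0 < n <= x <= len(params):
        raise ValueError("need 0 < n <= x <= N")
    window = params[n - 1:x]
    cn = sum(1 for p in window if p.value >= p.threshold)      # count value C_n
    verdict = "satisfied" if cn >= ratio * len(window) else "not satisfied"
    return verdict, cn


def random_subset_score(params: Sequence[TrustParameter],
                        rng: Optional[random.Random] = None,
                        ratio: float = 0.6) -> Tuple[str, int, int]:
    """Steps S201/S202: draw n and x at random, then evaluate P_n..P_x.
    A CSPRNG (assumption) keeps the window unpredictable to the requester."""
    rng = rng or random.SystemRandom()
    N = len(params)
    n = rng.randint(1, N)
    x = rng.randint(n, N)
    verdict, _ = evaluate_window(params, n, x, ratio)
    return verdict, n, x


def weighted_score(params: Sequence[TrustParameter], normalise: bool = True) -> float:
    """Weighted addition of all selected parameters (sum of W_j * P_j, as the
    page describes equation (1)).  With normalise=True the sum is divided by
    the total weight so that Ts lies in 0..1 whenever every P_j does."""
    total = sum(p.weight * p.value for p in params)
    if not normalise:
        return total
    weight_sum = sum(p.weight for p in params)
    return total / weight_sum if weight_sum else 0.0


def trust_score_message(params: Sequence[TrustParameter], context_type: str,
                        rng: Optional[random.Random] = None) -> str:
    """The calculation result as the JSON message sent to the access gateway
    (field names are assumptions).  Only the verdict is sent for Ct1; the
    chosen n and x stay inside the calculation unit."""
    selected = select_parameters(params, context_type)
    if context_type == "Ct1":
        verdict, _, _ = random_subset_score(selected, rng)
        body = {"context": context_type, "trust_score": verdict}
    else:
        body = {"context": context_type, "trust_score": round(weighted_score(selected), 4)}
    return json.dumps(body)
```

The deterministic part of the FIG. 9 method is kept in evaluate_window so that it can be audited and tested independently of the random choice of n and x; random_subset_score only supplies the window. Note that the verdict for Ct1 depends on which window was drawn: with the constructed values, the full window P1..P4 yields "satisfied" (3 of 4 pass), whereas the window P3..P4 yields "not satisfied" (1 of 2 pass, below 60%), which is exactly the unpredictability the page relies on.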
  • The access gateway 110 provides the end user with a user interface for performing multidimensional analysis of the trust parameters used to calculate the trust score.
  • The end user can receive the information necessary for analyzing the trust parameters from the access control system 100 by setting desired conditions.
  • FIG. 10 is a diagram showing an example of multidimensional analysis of trust parameters.
  • FIG. 10(a) shows an example of the user interface displayed on an end user's terminal when performing multidimensional analysis of trust parameters.
  • A figure 1000 shows the value of the number of unauthorized access attempts, which is one of the trust parameters used to calculate a company's trust score, for each branch and month.
  • A figure 1005 shows the number of unauthorized access attempts for the same company by region and year.
  • These figures 1000 and 1005 have a three-dimensional shape in which one dimension represents the organizational hierarchy of the service provider company, such as branches and regions, and another dimension represents the acquisition period of the number of unauthorized access attempts, which is a trust parameter, such as month or year.
  • FIG. 10(b) shows an example of item selection for each dimension of figures 1000 and 1005.
  • For each dimension of these figures, such as company name, region, and branch, the end user can move toward an upper level of the hierarchy (drill up) or a lower level (drill down) as appropriate.
  • Likewise, each item of year, quarter, and month can be selected as appropriate toward an upper level of the hierarchy (drill up) or a lower level (drill down).
  • The user interface illustrated in FIG. 10 may be provided not only to end users but also to, for example, the administrator of the access control system 100.
  • The trust parameters used to calculate the trust score change at various levels, such as the user level, role level, and company level.
  • The administrator can therefore send warnings about changes in trust parameters, as appropriate, to each company connected to the access control system 100 as a data requester 2 or data provider 3.
  • The access gateway 110 also provides the end user with a user interface for analyzing trust scores, for example.
  • The end user can receive the information necessary for analyzing the trust score from the access control system 100 by selecting a desired item.
  • FIG. 11 is a diagram showing an example of a trust score analysis screen.
  • The trust score analysis screen 1100 shown in FIG. 11 is a screen displayed on an end user's terminal by, for example, the access gateway 110, and includes selection frames 1101, 1102, and 1103 and a trust score graph 1104.
  • In order to analyze the trust score of each company providing a service, the end user can request the access control system 100 to display the trust score analysis screen 1100 as shown in FIG. 11.
  • The selection frame 1101 is a frame in which the end user selects the type of service whose trust score is to be analyzed.
  • The end user can select the target of the trust score analysis displayed on the trust score analysis screen 1100 by selecting, for example, the type of company according to the service type.
  • The selection frame 1102 is a frame in which the end user selects the security level and other requirements.
  • Here, the end user can select various requirements related to the trust score.
  • The selection frame 1103 is a frame in which the end user selects the hierarchical level of the service provider company.
  • The end user can select the hierarchical level of the service provider company whose trust score is to be analyzed from among various hierarchical levels, such as company name, region, and branch office.
  • The trust score graph 1104 visualizes, on a graph, the trust score values corresponding to the items selected in the selection frames 1101 to 1103.
  • Using this graph, the end user can compare the trust scores of the service provider companies and consider which service provider company to contract with for a new service.
  • It is known that there is a fraudulent practice in which a real estate company, in order to obtain approval for a loan from a financial company, collects documents such as the proof of income and employment status of an end user (a customer or tenant) and tampers with them without informing the end user. Below, an example of actual operation of the access control system 100 for preventing such fraudulent acts is described with reference to FIG. 12.
  • FIG. 12 is a sequence diagram showing an example of actual operation of the access control system 100 according to an embodiment of the present invention.
  • In this example, the real estate company inputs the personal information into the data exchange platform 1 on behalf of the user.
  • The access control system 100 manages the policy and the workflow system based on the input personal information, and also notifies the financial company that an application for a new loan has been received.
  • The financial company confirms the content of the application made by the end user via the access control system 100 and, as necessary, performs a trust score analysis on the real estate company that entered the application, and then determines whether to approve (OK) or deny (NG) the loan. The financial company's determination result is notified to the end user via the access control system 100.
  • According to the embodiment described above, the access control system 100 is used in the data exchange platform 1, which mediates access-restricted data between the data requester 2 and the data provider 3.
  • The access control system 100 includes an access gateway 110 that performs a context analysis on an access request from the data requester 2 for access-restricted data; a trust score management unit 120 that, based on the result of the context analysis by the access gateway 110, randomly selects one or more trust parameters from a plurality of trust parameters obtained from the workflow system provided by the data exchange platform 1 and calculates the trust score of the access request based on the selected trust parameters; and an access determination unit 140 that determines whether or not to grant the access request based on the trust score calculated by the trust score management unit 120.
  • The access gateway 110 acquires attribute information including the attributes of the data requester 2, the attributes of the access-restricted data, and the progress status of the workflow system (step S102), and based on the acquired attribute information, determines whether the access request corresponds to the first context (context type Ct1), the second context (context type Ct2), or the third context (context type Ct3) (step S103).
  • In the first context (context type Ct1), the data requester 2 is a service provider that provides services to end users, the data provider 3 is a service provider that provides services to end users or an end user, and the access-restricted data is personal information about the end user.
  • In the second context (context type Ct2), the data requester 2 is a service provider, the data provider 3 is another service provider, and the access-restricted data is information regarding the trust score that was calculated when the data requester 2 previously made an access request, as a data requester 2, to that other service provider.
  • In the third context (context type Ct3), the data requester 2 is an end user, the data provider 3 is a service provider, and the access-restricted data is information regarding the trust score that was calculated when the data requester 2 made an access request as a data requester 2 in the past. In this way, the context analysis of an access request from the data requester 2 for access-restricted data can be performed appropriately.
  • For context type Ct1, the trust score management unit 120 selects, from among the predetermined trust parameters that are preset for the context type Ct1 among the plurality of trust parameters, a randomly determined number of trust parameters in order of priority (step S202), determines whether the access request is reliable according to whether a predetermined proportion or more of the selected trust parameters are equal to or higher than a predetermined threshold (steps S203 to S206), and calculates the trust score accordingly (steps S207, S208).
  • For context type Ct2 or context type Ct3, the trust score management unit 120 calculates the trust score by weighting and adding each of the trust parameters preset for that context type among the plurality of trust parameters, according to equation (1). In this way, the trust score can be calculated appropriately depending on the situation at the time of the access request.
  • The access gateway 110 provides the end user with a user interface for performing multidimensional analysis of the trust parameters used to calculate the trust score, for example as shown in figures 1000 and 1005 of FIG. This user interface includes, on the screen, a section for selecting the organizational hierarchy of the service provider or the acquisition period of the trust parameters. This allows the end user to receive from the access control system 100 the information necessary for analyzing the trust parameters.
  • The trust score management unit 120 selects, from among a plurality of preset trust categories (categories 501 to 504), the trust categories corresponding to the result of the context analysis, and selects the trust parameters by randomly selecting one or more trust parameters from the combination of trust parameters corresponding to the selected trust categories (step S108). In this way, trust parameters suitable for calculating the trust score can be reliably selected by using the result of the context analysis.
  • The access gateway 110 has an access request information generation unit 112 that generates access request information corresponding to the access request, using the trust score and the attribute information of the access request (subject attribute s_rt, action attribute a_rt, resource attribute r_rt, environment attribute w_rt) according to the progress status of the workflow system.
  • The access request information generation unit 112 transmits the generated access request information to the access determination unit 140 (step S110).
  • The access determination unit 140 determines whether the access request is acceptable based on the access request information received from the access request information generation unit 112 (step S111). In this way, whether or not to grant an access request can be determined accurately, reflecting both the trust score and the progress status of the workflow.
  • The access control system 100 further includes a policy storage unit 132 that stores a policy describing the permission conditions for access requests and makes the policy available for reference by the access determination unit 140, and a policy update unit 131 that updates the policy stored in the policy storage unit 132.
  • The policy update unit 131 updates the policy in response to changes in the participants of the workflow system. In this way, even if the data requester 2 or the data provider 3 in the workflow system changes, the contents of the policy can be updated appropriately according to that change.
  • The access control method performed by the access control system 100 is an access control method in the data exchange platform 1, which mediates access-restricted data between the data requester 2 and the data provider 3.
  • In this access control method, a context analysis is performed on the access request from the data requester 2 for the access-restricted data (step S103), and based on the result of the context analysis, one or more trust parameters are randomly selected from the plurality of trust parameters (step S108).
  • A trust score for the access request is then calculated based on the selected trust parameters (step S109), and whether or not the access request is acceptable is determined based on the trust score (step S111). In this way, access control that is safe and highly robust can be realized.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

This access control system is used on a data exchange platform that mediates access-controlled data between a data requester and a data provider, the access control system comprising: an access gateway that analyzes the context with respect to a request from the data requester to access the access-controlled data; a trust score management unit that, on the basis of a result of the context analysis by the access gateway, randomly selects one or more trust parameters from a plurality of trust parameters acquired from a workflow system provided by the data exchange platform, and calculates a trust score for the access request on the basis of the selected trust parameters; and an access determination unit that determines whether to accept or deny the access request on the basis of the trust score calculated by the trust score management unit.

Description

アクセス制御システム、アクセス制御方法Access control system, access control method
 本発明は、所定の情報に対するアクセスを制御するシステムおよび方法に関する。 The present invention relates to a system and method for controlling access to predetermined information.
 従来、機微情報や個人情報等の保護対象情報へのアクセス制御を行う技術として、例えばロールベースアクセス制御(RBAC)と呼ばれる手法が知られている。ロールベースアクセス制御は、各保護対象情報へのアクセス権限を、当該情報へのアクセス要求を行うユーザの役割ごとに付与し、アクセス権限のないユーザからのアクセス要求を拒否することにより、保護対象情報へのアクセス制御を行うものである。しかしながら、ロールベースアクセス制御では、予め設定されたアクセス権限に従ってアクセス制御が行われるため、柔軟なアクセス制御の実現が困難であった。 Conventionally, a method called role-based access control (RBAC), for example, has been known as a technique for controlling access to protected information such as sensitive information and personal information. Role-based access control grants access privileges to each piece of protected information to each role of the user requesting access to the information, and rejects access requests from users who do not have access privileges. This is to control access to. However, in role-based access control, access control is performed according to preset access privileges, making it difficult to implement flexible access control.
 上記課題を解決するものとして、属性ベースアクセス制御(ABAC)と呼ばれる手法が知られている。属性ベースアクセス制御は、予め設定されたポリシーに従い、アクセス要求を行うユーザの属性や、アクセス要求が行われた保護対象情報の属性、アクセス要求時の環境の属性などに基づいてアクセス要求の可否を判断することにより、保護対象情報へのアクセス制御を行うものである。これにより、ロールベースアクセス制御と比べて柔軟なアクセス制御を実現している。 A technique called attribute-based access control (ABAC) is known as a solution to the above problems. Attribute-based access control determines whether or not an access request can be made based on the attributes of the user making the access request, the attributes of the protected information for which the access request was made, and the attributes of the environment at the time of the access request, according to a preset policy. By making this determination, access to protected information is controlled. This provides more flexible access control than role-based access control.
 属性データベースアクセス制御の例として、特許文献1の技術が知られている。特許文献1には、各種の属性情報をそれぞれの重要度に応じて重み付け計算することで信頼度を計算し、その計算結果に基づいてアクセスの可否を判断する方法が記載されている。 As an example of attribute database access control, the technology of Patent Document 1 is known. Patent Document 1 describes a method of calculating reliability by weighting various types of attribute information according to their importance, and determining whether or not access is possible based on the calculation result.
 また、例えば特許文献2のような信頼度ベースアクセス制御(TBAC)と呼ばれる手法も提案されている。特許文献2には、アクセス要求を行うユーザからの不審パケット数や偽リクエスト数などのパラメータに基づいて信頼スコアを計算し、計算された信頼スコアを所定の閾値と比較することでアクセスの可否を判断する方法が記載されている。 Additionally, a method called reliability-based access control (TBAC) has also been proposed, for example as in Patent Document 2. Patent Document 2 discloses a system that calculates a trust score based on parameters such as the number of suspicious packets and the number of fake requests from a user making an access request, and compares the calculated trust score with a predetermined threshold to determine whether or not access is possible. It describes how to judge.
中国特許出願公開第113051602号明細書China Patent Application Publication No. 113051602 中国特許出願公開第112737824号明細書China Patent Application Publication No. 112737824
 特許文献1の技術では、多数の属性情報を用いて信頼度を計算しようとすると、計算負荷が過大となる。そのため、実際のアクセス制御システムへの適用が困難という課題がある。また、特許文献2の技術では、悪意のあるユーザが信頼スコアの計算方法を容易に推測できてしまうため、不正なアクセスを防止できないという課題がある。 In the technique of Patent Document 1, when attempting to calculate reliability using a large number of attribute information, the calculation load becomes excessive. Therefore, there is a problem that it is difficult to apply it to an actual access control system. Furthermore, the technique disclosed in Patent Document 2 has a problem in that it is impossible to prevent unauthorized access because a malicious user can easily guess the method of calculating the trust score.
 本発明は、上記課題に鑑みてなされたものであり、その主な目的は、安全で堅牢性が高いアクセス制御を実現することにある。 The present invention has been made in view of the above problems, and its main purpose is to realize access control that is safe and highly robust.
 本発明によるアクセス制御システムは、データ要求者とデータ提供者の間でアクセス制限対象データを仲介するデータ交換プラットフォームにおいて用いられるものであって、前記アクセス制限対象データへの前記データ要求者からのアクセス要求に対するコンテクスト解析を行うアクセスゲートウェイと、前記アクセスゲートウェイによる前記コンテクスト解析の結果に基づいて、前記データ交換プラットフォームが提供するワークフローシステムから取得した複数の信頼パラメータから1つ以上の信頼パラメータをランダムに選択し、選択した信頼パラメータに基づいて前記アクセス要求の信頼スコアを算出する信頼スコア管理部と、前記信頼スコア管理部により算出された前記信頼スコアに基づいて、前記アクセス要求の可否を判断するアクセス判断部と、を備える。
 本発明によるアクセス制御方法は、データ要求者とデータ提供者の間でアクセス制限対象データを仲介するデータ交換プラットフォームにおけるアクセス制御方法であって、前記アクセス制限対象データへの前記データ要求者からのアクセス要求に対するコンテクスト解析を行い、前記コンテクスト解析の結果に基づいて、前記データ交換プラットフォームが提供するワークフローシステムから取得した複数の信頼パラメータから1つ以上の信頼パラメータをランダムに選択し、選択した信頼パラメータに基づいて前記アクセス要求の信頼スコアを算出し、前記信頼スコアに基づいて前記アクセス要求の可否を判断する。
The access control system according to the present invention is used in a data exchange platform that mediates access-restricted data between a data requester and a data provider, and is configured to control access from the data requester to the access-restricted data. an access gateway that performs a context analysis on a request; and based on the result of the context analysis by the access gateway, randomly select one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform. a trust score management unit that calculates a trust score of the access request based on the selected trust parameter; and an access judgment that determines whether the access request is acceptable based on the trust score calculated by the trust score management unit. It is equipped with a section and a section.
The access control method according to the present invention is an access control method in a data exchange platform that mediates access-restricted data between a data requester and a data provider, and the method includes: Context analysis is performed on the request, and based on the result of the context analysis, one or more trust parameters are randomly selected from a plurality of trust parameters obtained from the workflow system provided by the data exchange platform, and the selected trust parameter is A trust score of the access request is calculated based on the trust score, and it is determined whether the access request is acceptable or not based on the trust score.
 本発明によれば、安全で堅牢性が高いアクセス制御を実現することができる。 According to the present invention, safe and highly robust access control can be realized.
本発明の一実施形態に係るアクセス制御システムを含むデータ交換プラットフォームの概要を示すブロック図である。1 is a block diagram illustrating an overview of a data exchange platform including an access control system according to an embodiment of the present invention. FIG. 本発明の一実施形態に係るアクセス制御システムの詳細構造を示すブロック図である。FIG. 1 is a block diagram showing a detailed structure of an access control system according to an embodiment of the present invention. ワークフローシステムの進行状況とアクセス要求情報の例を示す図である。FIG. 3 is a diagram showing an example of the progress status of the workflow system and access request information. コンテクスト種別の例を示す図である。It is a figure which shows the example of a context type. 信頼パラメータのカテゴリ分類例を示す図である。FIG. 3 is a diagram showing an example of category classification of reliability parameters. アクセス制御処理の流れを示すフローチャートである。3 is a flowchart showing the flow of access control processing. アクセス制御処理の流れを示すフローチャートである。3 is a flowchart showing the flow of access control processing. 信頼パラメータと警告カウント値の例を示す図である。FIG. 3 is a diagram showing an example of a reliability parameter and a warning count value. 信頼スコア計算処理の流れを示すフローチャートの例である。It is an example of a flowchart showing the flow of trust score calculation processing. 信頼パラメータの多次元解析の例を示す図である。FIG. 3 is a diagram illustrating an example of multidimensional analysis of reliability parameters. 信頼スコア解析画面の例を示す図である。It is a figure showing an example of a reliability score analysis screen. 本発明の一実施形態に係るアクセス制御システムの実運用例を示すシーケンス図である。FIG. 2 is a sequence diagram showing an example of actual operation of the access control system according to an embodiment of the present invention.
 以下、図面を参照して本発明の実施形態を説明する。説明の明確化のため、以下の記載及び図面は、適宜、省略及び簡略化がなされている。本発明が本実施形態に制限されることは無く、本発明の思想に合致するあらゆる応用例が本発明の技術的範囲に含まれる。特に限定しない限り、各構成要素は複数でも単数でも構わない。 Hereinafter, embodiments of the present invention will be described with reference to the drawings. For clarity of explanation, the following description and drawings are omitted and simplified as appropriate. The present invention is not limited to this embodiment, and any application examples that match the idea of the present invention are included within the technical scope of the present invention. Unless specifically limited, each component may be plural or singular.
In the following description, processing is sometimes described with a "program" or its process as the grammatical subject. Since a program performs its prescribed processing by being executed by a processor (for example, a CPU (Central Processing Unit)) while using storage resources (for example, memory) and/or communication interface devices (for example, communication ports) as appropriate, the processor may equally be regarded as the subject of that processing. By operating in accordance with a program, a processor acts as a functional unit that realizes a predetermined function, and a device or system that contains the processor is a device or system that contains those functional units.
An embodiment of the present invention is described below.
FIG. 1 is a block diagram giving an overview of a data exchange platform that includes an access control system according to an embodiment of the present invention. The data exchange platform 1 shown in FIG. 1 is a kind of information platform used for collaboration between different industries. It provides an environment in which a designated data requester 2 and data provider 3 can safely exchange with each other data to which access by the unspecified public must be restricted (hereinafter "access-restricted data"). The data exchange platform 1 packages the various UIs (User Interfaces) through which the data requester 2 and the data provider 3 use the platform, together with the series of processing steps involved in exchanging access-restricted data, and provides this package as a workflow system. Because the workflow system mediates the access-restricted data between the data requester 2 and the data provider 3, the data is handed over safely and reliably.
Via the data exchange platform 1, the data provider 3 provides as access-restricted data such information as personal information of end users that the data provider 3 holds (proof of income, form of employment, credit information, and the like), and trust scores that were calculated when the data provider 3, acting as a data requester in the past, requested access to some access-restricted data. A trust score is a value that expresses the trustworthiness of an access request; it is calculated in the access control system 100 of the data exchange platform 1 in the manner described later. The data requester 2 asks the data exchange platform 1 for access to the access-restricted data provided by the data provider 3 and, if the access request is permitted, obtains the access-restricted data through the data exchange platform 1.
The data requester 2 may be, for example, one of the various service providers that offer services to end users, or an end user who receives a service from a service provider. For instance, when an end user concludes a real-estate rental contract, a rental guarantee company acting as data requester 2 requests the end user's personal information, which is access-restricted data, and uses it to decide the guarantee conditions. Likewise, when an end user applies for a mortgage loan or for insurance, a finance company or an insurance company acting as data requester 2 requests the end user's personal information and uses it to decide the contract conditions. Companies or individuals in other industries may also act as data requester 2.
The data provider 3 may be the end user whose personal information (access-restricted data) is provided, a service provider that holds personal information, a third-party company, and so on. The access-restricted data held by the data provider 3 is collected in the data exchange platform 1 by, for example, a web-based API (Application Programming Interface) or EDI (Electronic Data Interchange), and is delivered to the data requester 2 in response to an access request from the data requester 2.
When the data requester 2 makes an access request for access-restricted data on the workflow system, the access control system 100 calculates a trust score expressing the trustworthiness of that access request and decides, on the basis of the state of the calculated trust score and of other access states in the workflow system, whether access to the access-restricted data provided by the data provider 3 is to be permitted. This prevents unauthorized use of the access-restricted data and secures the exchange of access-restricted data between different industries.
The access control system 100 comprises the functional blocks access gateway 110, trust score management unit 120, policy management unit 130, and access judgment unit 140. These functional blocks are realized by combining, for example, a computer (CPU: Central Processing Unit) that executes a predetermined program with storage devices such as an HDD (Hard Disk Drive) or SSD (Solid State Drive). Some or all of these functional blocks may instead be realized with a GPU (Graphics Processing Unit) or an FPGA (Field Programmable Gate Array).
FIG. 2 is a block diagram showing the detailed structure of the access control system 100 according to an embodiment of the present invention. In the access control system 100, the access gateway 110 comprises a context analysis unit 111, an access request information generation unit 112, a log management unit 113, and an access log 114. The trust score management unit 120 comprises a trust parameter acquisition unit 121, a trust category analysis unit 122, a trust parameter selection unit 123, a trust score calculation unit 124, a warning unit 125, a trust parameter storage unit 127, a trust threshold storage unit 128, and a trust score storage unit 129. The policy management unit 130 comprises a policy update unit 131 and a policy storage unit 132.
When the context analysis unit 111 receives from the data requester 2 an access request for some access-restricted data, it acquires attribute information about that access request from the workflow system and performs a context analysis of the access request on the basis of that attribute information. The context analysis performed by the context analysis unit 111 analyzes (estimates) the circumstances under which the data requester 2 is trying to access the access-restricted data. The result of the context analysis is determined dynamically from the attributes of the data requester 2, the attributes of the requested access-restricted data, the progress state of the workflow system, and so on, and is expressed as one of, for example, three context types Ct1, Ct2, and Ct3. The context analysis unit 111 can therefore perform the context analysis by acquiring this information as the attribute information of the access request. The attribute information acquired by the context analysis unit 111 and the result of its context analysis are output to the access request information generation unit 112 and to the trust score management unit 120, respectively. Details of the context analysis method used by the context analysis unit 111 are described later.
The access request information generation unit 112 generates access request information about the access request received from the data requester 2 on the basis of the attribute information of the access request acquired by the context analysis unit 111 (for example the subject attribute s_rt, action attribute a_rt, resource attribute r_rt, and environment attribute w_rt described later) and the trust score calculated by the trust score calculation unit 124 of the trust score management unit 120. The access request information generated by the access request information generation unit 112 is output to the access judgment unit 140.
The log management unit 113 records in the access log 114 each access request from the data requester 2 and the response to it, combined with the attribute information acquired at that time. The access log 114 thus provides history information on the access requests made by the data requester 2; this history information is used by the trust score calculation unit 124 when it calculates trust scores.
The trust parameter acquisition unit 121 acquires the trust parameters needed to calculate the trust score and stores them in the trust parameter storage unit 127. For example, it acquires as trust parameters the IP address of the information device that the data requester 2 used to connect to the data exchange platform 1 and make the access request, the virus protection status of that device, and the number of suspicious packets on the network. Information such as the past access request history and response history of the data requester 2 and the access times may also be acquired as trust parameters. These trust parameters may be obtained from a security monitoring system (not shown) or from the access request of the data requester 2 itself. Various other information in the data exchange platform 1 can also be acquired as trust parameters.
The trust category analysis unit 122 receives the result of the context analysis by the context analysis unit 111 and analyzes the trust category for the access request from the data requester 2. A trust category denotes the kind of trust parameters that correspond to a context analysis result; for example, the trust categories "device", "network", "access", and "application" are preset in the trust score management unit 120. On the basis of the context analysis result, the trust category analysis unit 122 can select one of these trust categories.
The trust parameter selection unit 123 receives the trust category analysis result from the trust category analysis unit 122 and selects trust parameters stored in the trust parameter storage unit 127. In the trust score management unit 120, the combination of trust parameters corresponding to each of the trust categories above is preset, so the trust parameter selection unit 123 can select, in the trust parameter storage unit 127, the combination of trust parameters that corresponds to the trust category selected by the trust category analysis unit 122.
The trust score calculation unit 124 calculates the trust score for the access request from the data requester 2 using the trust parameters selected by the trust parameter selection unit 123 and the per-parameter thresholds stored in the trust threshold storage unit 128. Details of the calculation method are described later. The trust score calculation unit 124 stores the calculated trust score in the trust score storage unit 129 and also outputs it to the access gateway 110.
The warning unit 125 monitors each trust parameter stored in the trust parameter storage unit 127 and, if the value of any trust parameter has decreased, outputs a warning to the administrator of the access control system 100.
The policy storage unit 132 stores policies that describe the conditions under which access requests are permitted for the various combinations of data requester 2 and personal information. The policies stored in the policy storage unit 132 are written, for example, in accordance with XACML (eXtensible Access Control Markup Language), and are read out by the access judgment unit 140.
The policy update unit 131 refers to the history of access requests from the data requester 2, their responses, and their attribute information recorded in the access log 114, and dynamically updates the policies stored in the policy storage unit 132 on the basis of what it finds. For example, when an access request arrives from a new data requester 2, or when new personal information is provided by a data provider 3, the policy is updated to reflect this. Thus, even when the participants in the workflow system (data requesters 2 or data providers 3) change, the content of the policy can be updated appropriately to match the change.
On the basis of the access request information input from the access request information generation unit 112, the access judgment unit 140 refers to the policy stored in the policy storage unit 132 and judges whether the access request is to be permitted. The judgment result is output to the access gateway 110. The access gateway 110 decides its response to the access request from the data requester 2 on the basis of this judgment result and, if the access request is permitted, sends the specified access-restricted data to the data requester 2.
FIG. 3 shows an example of the progress state of the workflow system in the data exchange platform 1 and of the access request information generated by the access control system 100. The workflow system is the series of procedures by which data transactions on the data exchange platform 1 are carried out correctly; it expresses the processing that each of the various participants who join the data exchange platform 1 as data requester 2 or data provider 3 is to perform. The workflow system 150 shown in FIG. 3 is an example in which a real estate company, a rental guarantee company, and an insurance company use the data exchange platform 1 to exchange the personal information of user A, an end user, in order to decide the contract conditions under which user A concludes a rental contract.
In the workflow system 150, the real estate company that receives a rental contract application from user A enters user A's personal information into the workflow system 150. The entered personal information is transmitted through the workflow system 150 to the rental guarantee company, which uses it to decide the contract conditions. Meanwhile, the insurance company, acting as data requester 2, requests access to user A's personal information, such as the application form for the rental guarantee contract and the proof of income, in order to decide the contract conditions it will apply to user A.
While the rental guarantee company is still examining the contract conditions, the workflow system 150 treats the rental guarantee company's procedure as pending. If at this time, at time t1, an access request for user A's personal information is received from the insurance company, the access control system 100 has the access request information generation unit 112 generate access request information such as that indicated by reference numeral 151. In this access request information 151, the value that indicates the progress of the workflow system 150 is "pending", showing that the rental guarantee company's procedure is pending.
Later, when the rental guarantee company decides the contract conditions at time t2, the workflow system 150 marks the rental guarantee company's procedure as completed. If an access request for user A's personal information is received from the insurance company after time t2, the access control system 100 has the access request information generation unit 112 generate access request information such as that indicated by reference numeral 152, in which the value that indicates the progress of the workflow system 150 is "completed", showing that the rental guarantee company's procedure has been completed.
Also at time t2, the policy update unit 131 of the access control system 100 updates the policy to reflect the change of the progress state of the workflow system 150 from "pending" to "completed". The policy update unit 131 executes, for example, the instruction indicated by reference numeral 153.
As described above, the access control system 100 generates access request information that reflects the progress state of the workflow system in real time, and can use this access request information to judge whether an access request is permitted.
If for some reason the progress state of the workflow system cannot be confirmed, the access control system 100 may return "failed" as the value indicating the progress of the workflow system 150. In that case the access request from the insurance company is rejected by the access control system 100 unless the progress state of the workflow system 150 becomes "completed". In this way, when for example the rental guarantee company decides to withdraw the contract, the whole of the procedure carried out so far in the workflow system 150 can be invalidated, preventing unintended leakage of personal information.
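An added example (not the patent's own code) of how the access request information 151/152 and a progress-dependent permission condition could be represented and evaluated in Python. The patent names XACML as the policy language and gives neither the text of the rule nor the content of instruction 153; the attribute names, the rule structure, the deny-overrides combining, the trust-score threshold of 0.7 and the default-deny handling of a NotApplicable result are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequestInfo:
    """Access request information as generated by the access request information
    generation unit 112 (cf. 151/152 in FIG. 3): the four attribute sets of the
    XACML processing model plus the trust score. Field and attribute names are
    assumptions of this example."""
    subject: dict       # s_rt: attributes of data requester 2
    action: dict        # a_rt: type of access (view, edit, delete)
    resource: dict      # r_rt: the access-restricted data requested
    environment: dict   # w_rt: workflow state, e.g. progress = pending|completed|failed
    trust_score: float


@dataclass
class Rule:
    """One rule of the stored policy (an XACML Rule reduced to what this example
    needs). Each condition is (attribute set, attribute name, allowed values);
    all conditions must hold for the rule to apply."""
    effect: str                              # "Permit" or "Deny"
    conditions: list
    min_trust_score: Optional[float] = None  # assumed threshold on the trust score


def rule_applies(rule: Rule, req: AccessRequestInfo) -> bool:
    for attr_set, name, allowed in rule.conditions:
        if getattr(req, attr_set).get(name) not in allowed:
            return False
    if rule.min_trust_score is not None and req.trust_score < rule.min_trust_score:
        return False
    return True


def decide(policy: list, req: AccessRequestInfo) -> str:
    """Access judgment unit 140 with deny-overrides combining: an applicable
    Deny wins over any Permit; if no rule applies the result is NotApplicable."""
    decision = "NotApplicable"
    for rule in policy:
        if rule_applies(rule, req):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def release_data(policy: list, req: AccessRequestInfo) -> bool:
    """Access gateway 110: hand over the data only on an explicit Permit, so
    NotApplicable (no matching rule) is a refusal, not a fall-through."""
    return decide(policy, req) == "Permit"


# Constructed policy for the FIG. 3 scenario: the insurer may view user A's
# proof of income only while the guarantor's step is "completed"; a progress
# value of "failed" is always refused; the 0.7 threshold is an assumption.
POLICY = [
    Rule("Deny", [("environment", "progress", {"failed"})]),
    Rule("Permit", [
        ("subject", "role", {"insurance_company"}),
        ("action", "type", {"view"}),
        ("resource", "type", {"proof_of_income"}),
        ("resource", "data_subject", {"userA"}),
        ("environment", "progress", {"completed"}),
    ], min_trust_score=0.7),
]


def insurer_request(progress: str, trust_score: float = 0.9) -> AccessRequestInfo:
    """The insurer's request at time t1 (pending), t2 (completed) or when the
    workflow state could not be confirmed (failed). Constructed sample input."""
    return AccessRequestInfo(
        subject={"id": "insurerX", "role": "insurance_company"},
        action={"type": "view"},
        resource={"type": "proof_of_income", "data_subject": "userA"},
        environment={"workflow": "rental_contract_userA", "progress": progress},
        trust_score=trust_score,
    )


if __name__ == "__main__":
    for progress in ("pending", "completed", "failed"):
        req = insurer_request(progress)
        print(f"progress={progress}: {decide(POLICY, req)} -> release={release_data(POLICY, req)}")
    print("completed with low trust score:", decide(POLICY, insurer_request("completed", 0.4)))
```

A request at t1 matches no rule, so the judgment is NotApplicable rather than an explicit Deny; the gateway has to treat that as a refusal, otherwise the proof of income would leave the platform before the guarantor's step is complete. A "failed" progress value is refused by an explicit Deny that takes precedence over any Permit.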
FIG. 4 shows examples of the context types determined by the context analysis performed by the context analysis unit 111. In the access control system 100, when the context analysis unit 111 receives an access request from the data requester 2 as described above, it performs a context analysis of that access request. It can do so by determining, on the basis of the attribute information acquired from the workflow system, which of, for example, the three context types Ct1, Ct2, and Ct3 the access request falls under.
In FIG. 4, the part indicated by reference numeral 401 shows an example of an access request of context type Ct1. Here, for example, an insurance company or a rental guarantee company is the data requester 2 and requests, via the data exchange platform 1, access to the personal information of an end user that is held by a data provider 3, namely the end user or a third-party company.
The part indicated by reference numeral 402 shows an example of an access request of context type Ct2. Here, for example, a finance company or an insurance company that provides a service to an end user is the data requester 2 and, in order to examine contract conditions, requests via the data exchange platform 1 access to the trust score that was calculated for past access requests made by a real estate company that provides a different service to the same end user.
The part indicated by reference numeral 403 shows an example of an access request of context type Ct3. Here, for example, an end user is the data requester 2 and, in order to consider whether to receive a service from an insurance company that provides services to end users, requests via the data exchange platform 1 access to the trust score that was calculated for past access requests made by that insurance company.
In each of the examples of context types Ct1 to Ct3 described above, the data requester 2 and the data provider 3 may be different entities; as long as it can be determined which of the three context types applies, the scheme can be applied to any form of data transaction. The context types that the context analysis unit 111 can determine are not limited to Ct1 to Ct3; further context types may be included in the determination.
FIG. 5 shows an example of the categorization of trust parameters in the trust category analysis unit 122. In the trust category analysis unit 122, the trust categories 500 are set, for example, as category 501 ("device"), category 502 ("network"), category 503 ("access"), and category 504 ("application"). Categories 501 to 504 are associated with the context types Ct1 to Ct3 described above, and information expressing these correspondences is stored in advance in the trust category analysis unit 122. On the basis of this information, the trust category analysis unit 122 can dynamically select one of the categories 501 to 504 from the context analysis result of the context analysis unit 111.
Category 501 ("device") collects trust parameters concerning the security status of the device from which the data requester 2 made the access request to the data exchange platform 1. Category 501 includes, for example, trust parameters on the security patch update status of the device, whether the device's IP address appears on a blacklist, the vulnerability of the device to viruses and malware, and the adoption of other security countermeasures on the device. The value of each of these trust parameters is expressed, for example, as either 1 (positive) or -1 (negative).
Category 502 ("network") collects trust parameters concerning the security status of the network that the data requester 2 used to connect to the data exchange platform 1 when making the access request. Category 502 includes, for example, trust parameters on whether suspicious packets have been observed from that network and whether encryption is in use on it. The value of each of these trust parameters is expressed, for example, as either 1 (positive) or -1 (negative).
Category 503 ("access") collects trust parameters concerning the access behaviour of the data requester 2 and is derived from the access log 114 recorded in the access gateway 110. Category 503 includes, for example, the access attempt rate and the access frequency, which are calculated as follows:
Access attempt rate = (number of invalid access attempts) / (total number of access attempts)
Access frequency = (number of access attempts) / (total number of access attempts per unit time)
Category 504 ("application") collects trust parameters concerning the internal processing of the data exchange platform 1. Category 504 includes, for example, trust parameters on the feedback about the requesting data requester 2 registered by the administrator with regard to its reputation, service quality and so on, the processing speed for the access requests of the data requester 2, and a recommendation history expressing the popularity of the data requester 2 on the data exchange platform 1.
The contents of categories 501 to 504 in the trust category 500 described above are only examples; other trust parameters may be included in each category. The categorization of trust parameters in the trust category analysis unit 122 is also not limited to the trust category 500 illustrated in FIG. 5; other categorizations may be adopted.
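As an added illustration (not code from the patent), the following Python example derives trust parameters for the four categories from constructed inputs: the access attempt rate and access frequency of category 503 from a constructed access log 114, the +1/-1 encoding of device and network parameters against their thresholds, the selection of parameters by context type (units 122 and 123), and the warning unit's check for values that have decreased. The access log, posture data, the context-to-category table, the thresholds and the stored previous values are all constructed assumptions; the aggregation of the selected parameters into the trust score itself is described later in the patent and is not reproduced here.

```python
from datetime import datetime

# Constructed access log 114 entries, (timestamp, requester, response); not real data.
ACCESS_LOG = [
    ("2023-05-16T09:00:00", "insurerX", "permit"),
    ("2023-05-16T09:05:00", "insurerX", "deny"),
    ("2023-05-16T09:06:00", "insurerX", "deny"),
    ("2023-05-16T09:30:00", "guarantorY", "permit"),
    ("2023-05-16T10:10:00", "insurerX", "permit"),
    ("2023-05-16T10:40:00", "guarantorY", "permit"),
    ("2023-05-16T11:00:00", "insurerX", "deny"),
]

# Constructed posture reports for the requester's device and network, as a
# security monitoring system might supply them.
DEVICE_POSTURE = {"patches_current": True, "ip_blacklisted": False,
                  "malware_vulnerable": True, "extra_controls": True}
NETWORK_POSTURE = {"suspicious_packets": False, "encrypted": True}

# Constructed "application" category parameters (administrator feedback,
# processing speed, recommendation history), already in +1/-1 form.
APPLICATION_PARAMETERS = {"admin_feedback": 1, "processing_speed": 1,
                          "recommendation_history": -1}

# Assumed mapping from context type to trust categories; the patent stores
# such a table in unit 122 but does not list it.
CATEGORIES_FOR_CONTEXT = {
    "Ct1": ["device", "network", "access", "application"],
    "Ct2": ["access", "application"],
    "Ct3": ["application"],
}

# Assumed per-parameter thresholds (trust threshold storage unit 128); for
# both access parameters a lower value is better.
THRESHOLDS = {"access_attempt_rate": 0.5, "access_frequency": 2.0}

# Previously stored values (trust parameter storage unit 127), constructed.
PREVIOUS_PARAMETERS = {"patch_status": 1, "malware_resistant": 1,
                       "access_attempt_rate": 1, "access_frequency": 1}


def sign(ok: bool) -> int:
    """Encode a parameter as 1 (positive) or -1 (negative)."""
    return 1 if ok else -1


def device_parameters(posture: dict) -> dict:
    """Category 501: patch status, blacklist, malware exposure, other controls."""
    return {
        "patch_status": sign(posture["patches_current"]),
        "ip_not_blacklisted": sign(not posture["ip_blacklisted"]),
        "malware_resistant": sign(not posture["malware_vulnerable"]),
        "other_countermeasures": sign(posture["extra_controls"]),
    }


def network_parameters(posture: dict) -> dict:
    """Category 502: suspicious packets and encryption on the access network."""
    return {
        "no_suspicious_packets": sign(not posture["suspicious_packets"]),
        "encrypted_transport": sign(posture["encrypted"]),
    }


def access_parameters(log: list, requester: str) -> dict:
    """Category 503: access attempt rate and access frequency. The frequency
    denominator is read as the platform-wide attempt count per hour over the
    span of the log (assumption; the patent gives only the formula)."""
    times = [datetime.fromisoformat(t) for t, _, _ in log]
    hours = max((max(times) - min(times)).total_seconds() / 3600.0, 1.0)
    mine = [response for _, who, response in log if who == requester]
    invalid = sum(1 for response in mine if response == "deny")
    attempt_rate = invalid / len(mine) if mine else 0.0
    per_unit_time = len(log) / hours
    frequency = len(mine) / per_unit_time
    return {"access_attempt_rate": attempt_rate, "access_frequency": frequency}


def threshold_signs(values: dict, thresholds: dict) -> dict:
    """Compare each measured value with its threshold and encode as +1/-1."""
    return {name: sign(value <= thresholds[name]) for name, value in values.items()}


def select_parameters(context_type: str, requester: str) -> dict:
    """Units 122 and 123: pick the categories for the context type and collect
    the trust parameters belonging to them."""
    builders = {
        "device": lambda: device_parameters(DEVICE_POSTURE),
        "network": lambda: network_parameters(NETWORK_POSTURE),
        "access": lambda: threshold_signs(access_parameters(ACCESS_LOG, requester), THRESHOLDS),
        "application": lambda: dict(APPLICATION_PARAMETERS),
    }
    selected = {}
    for category in CATEGORIES_FOR_CONTEXT[context_type]:
        selected.update(builders[category]())
    return selected


def decreased_parameters(previous: dict, current: dict) -> list:
    """Warning unit 125: names of parameters whose value dropped since the
    last stored value, for the administrator's attention."""
    return sorted(name for name, value in current.items()
                  if name in previous and value < previous[name])


if __name__ == "__main__":
    for ct in ("Ct1", "Ct2", "Ct3"):
        print(ct, select_parameters(ct, "insurerX"))
    print("raw access parameters:", access_parameters(ACCESS_LOG, "insurerX"))
    print("warnings:", decreased_parameters(PREVIOUS_PARAMETERS, select_parameters("Ct1", "insurerX")))
```

With the constructed log, insurerX has 3 refused attempts out of 5 (attempt rate 0.6, above the assumed 0.5 threshold) over a two-hour span in which the platform saw 7 attempts in total (frequency 5 / 3.5 = 1.43, within the threshold), so the access category contributes one negative and one positive parameter; the warning unit then reports the two parameters that fell from 1 to -1 since the stored values.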
FIGS. 6 and 7 are flowcharts showing the flow of the access control process executed by the access control system 100.
In step S101, the access gateway 110 receives an access request from the data requester 2.
In step S102, the context analysis unit 111 of the access gateway 110 acquires the attribute information of the access request received in step S101 from the workflow system. Specifically, it acquires in real time from the workflow system attribute information such as the subject attribute s_rt representing the attributes of the data requester 2, the action attribute a_rt representing the type of access request (view, edit, delete, etc.), the resource attribute r_rt representing the access-restricted data that is the target of the access request, and the environment attribute w_rt representing the state of the workflow system at the time of the access request. Note that these attribute items are the ones used in the standard XACML processing model.
In step S103, the context analysis unit 111 performs context analysis based on the attribute information acquired in step S102. Here, one of the context types Ct1 to Ct3 described above, for example, is selected according to a preset relationship between each attribute item and the context types. Once a context type has been selected in step S103, the context analysis unit 111 outputs the selection result to the trust score management unit 120.
In step S104, the trust category analysis unit 122 of the trust score management unit 120 determines which of the context types Ct1 to Ct3 was selected by the context analysis unit 111 in step S103. If the context type is Ct1, the process proceeds to step S105; if it is Ct2, to step S106; and if it is Ct3, to step S107.
In step S105, the trust category analysis unit 122 selects, from among the categories 501 to 504 illustrated in FIG. 5, the trust categories 501 to 503 corresponding to "device", "network" and "access", respectively.
In step S106, the trust category analysis unit 122 selects, from among the categories 501 to 504 illustrated in FIG. 5, the trust categories 503 and 504 corresponding to "access" and "application", respectively.
In step S107, the trust category analysis unit 122 selects, from among the categories 501 to 504 illustrated in FIG. 5, the trust category 504 corresponding to "application".
After any of steps S105 to S107 has been executed, the process proceeds to step S108. In step S108, the trust parameter selection unit 123 selects the trust parameters corresponding to the trust categories selected in steps S105 to S107, according to the combination of trust parameters associated with each of the categories 501 to 504 illustrated in FIG. 5.
In step S109, the trust score calculation unit 124 calculates the trust score based on the trust parameters selected in step S108. Here, the trust score can be calculated from the trust parameters according to the context type selected in step S103, for example by one of the methods described later. After calculating the trust score in step S109, the trust score calculation unit 124 stores the result in the trust score storage unit 129 and outputs it to the access gateway 110.
In step S110, the access request information generation unit 112 of the access gateway 110 acquires from the context analysis unit 111 the attribute information of the access request that the context analysis unit 111 acquired in step S102, for example the subject attribute s_rt, action attribute a_rt, resource attribute r_rt and environment attribute w_rt described above. It also acquires the trust score calculated by the trust score calculation unit 124 in step S109, for example the trust score value "satisfied" or "not satisfied" described later. Based on the acquired information, it then generates access request information and outputs the generated access request information to the access determination unit 140.
In step S111, the access determination unit 140 makes an access determination for the access request received in step S101, based on the access request information received from the access request information generation unit 112 in step S110. In this way, whether or not to grant the access request can be determined based on the trust score calculated by the trust score calculation unit 124 in step S109. The result of the access determination in step S111 is output from the access determination unit 140 to the access gateway 110.
In step S112, the access gateway 110 determines, based on the access determination result received from the access determination unit 140 in step S111, whether or not to permit the data requester 2 to access the access-restricted data. If access is to be permitted, the process proceeds to step S113; if not, it proceeds to step S114.
In step S113, the access gateway 110 transmits the access-restricted data corresponding to the access request to the data requester 2 as the response to the access request received in step S101.
In step S114, the access gateway 110 rejects the access request received in step S101 and blocks access to the access-restricted data specified by the data requester 2.
After step S113 or step S114 has been executed, in the subsequent step S115 the log management unit 113 combines the attribute information acquired in step S102, the result of the context analysis performed in step S103 and the access determination result of step S111, and records them in the access log 114. After step S115 has been executed, the flowcharts of FIGS. 6 and 7 end.
When an access request is made by the data requester 2, the access control system 100 executes the access control process described above to determine whether to grant the access request, and if the request is granted, returns the access-restricted data specified in the request, such as personal information, to the data requester 2. This realizes safe mediation of access-restricted data between the data requester 2 and the data provider 3 using the workflow system.
FIG. 8 is a diagram showing an example of trust parameters and warning count values. FIG. 8(a) shows an example of the trust parameters acquired by the trust parameter acquisition unit 121 and stored in the trust parameter storage unit 127. As shown in FIG. 8(a), for example, the trust parameter storage unit 127 stores the parameter values P1, P2, P5 and P7 of the acquired trust parameters, together with their respective trust categories and weights W1, W2, W5 and W7, in table form in order of weight. The weights W1, W2, W5 and W7 of the trust parameters are each set according to their importance, for example in the range 0 to 100.
FIG. 8(b) shows an example of the warning count values used when the warning unit 125 outputs a warning. As shown in FIG. 8(b), for example, the warning unit 125 compares, in order of weight, the product of each trust parameter's value P1, P2, P5, P7 and its weight W1, W2, W5, W7 against the corresponding threshold Th1, Th2, Th5, Th7, and increments the warning count value by one when the product is below the threshold. When the warning count value reaches a predetermined upper limit, a warning is output to the administrator. Note that, as shown in FIG. 8(a), the warning count value of each trust parameter is stored in the trust parameter storage unit 127 together with the parameter values P1, P2, P5, P7 and the weights W1, W2, W5, W7.
The weights W1, W2, W5, W7 and thresholds Th1, Th2, Th5, Th7 above are preset in the access control system 100 and may be changed dynamically according to the nature of each trust parameter. For example, in the case of the access frequency, one of the trust parameters, the access frequency during peak hours is higher than in other time periods, so the parameter value varies periodically. In this case, it is therefore preferable to vary the weight and threshold for the access frequency according to the time period. Beyond this, weights and thresholds can be varied dynamically according to any rule suited to the nature of each trust parameter.
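The warning-count logic of the warning unit 125 described above, as an added example (this is not the patent's own code). It assumes parameter values in [0, 1], weights in 0..100 as in FIG. 8(a), and a constructed rule that raises the access-frequency threshold during peak hours (09:00 to 18:00), standing in for the time-dependent threshold the text suggests.

```python
"""Warning counting over the trust parameter table of FIG. 8 (added example).

Assumptions (not from the patent): values in [0, 1], weights in 0..100,
and a constructed peak-hour rule for the access_frequency threshold.
"""
from dataclasses import dataclass


@dataclass
class TrustParam:
    """One row of the trust parameter table (FIG. 8(a)) plus its warning count."""
    name: str
    category: str
    value: float          # P_i
    weight: float         # W_i, 0..100
    threshold: float      # Th_i, compared against value * weight
    warning_count: int = 0


def threshold_for(param: TrustParam, hour: int) -> float:
    """Dynamic threshold: the access frequency is naturally higher at peak hours,
    so its threshold is raised then (constructed rule: x1.5 between 09:00-18:00)."""
    if param.name == "access_frequency" and 9 <= hour < 18:
        return param.threshold * 1.5
    return param.threshold


def run_warning_check(params, hour, limit):
    """One pass of the warning unit 125: compare P_i * W_i with Th_i in order of
    weight, increment the warning count when the product is below the threshold,
    and return the names of parameters whose count has reached the upper limit."""
    warned = []
    for p in sorted(params, key=lambda q: q.weight, reverse=True):
        if p.value * p.weight < threshold_for(p, hour):
            p.warning_count += 1
            if p.warning_count >= limit:
                warned.append(p.name)   # a warning would go to the administrator
    return warned


def make_sample_params():
    """Constructed sample rows; fresh state on every call."""
    return [
        TrustParam("device_posture", "device", 0.9, 95, 60),     # 85.5 >= 60
        TrustParam("access_frequency", "access", 0.6, 90, 45),   # 54: fine off-peak
        TrustParam("vendor_feedback", "application", 0.3, 80, 40),  # 24 < 40
        TrustParam("network_reputation", "network", 0.5, 70, 30),   # 35 >= 30
    ]


if __name__ == "__main__":
    rows = make_sample_params()
    for hour in (3, 3, 12):
        print(hour, run_warning_check(rows, hour, limit=2))
```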
Next, the method of calculating the trust score will be described. FIG. 9 is an example of a flowchart showing the flow of the trust score calculation process. For example, when the context analysis unit 111 has selected the context type Ct1 described above, the trust score calculation unit 124 executes the process shown in the flowchart of FIG. 9 to calculate the trust score.
In step S201, the trust score calculation unit 124 obtains the number of trust parameters N. Here, the total number of trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG. 6 is obtained as N.
In step S202, the trust score calculation unit 124 randomly selects (x-n+1) trust parameters Pn to Px from among the trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG. 6. Here, for example, values of x and n satisfying the condition 0<n≦x≦N are chosen at random, the trust parameters of the "device", "network" and "access" categories selected by the trust parameter selection unit 123 are arranged in order of weight, and the n-th to x-th trust parameters are selected as the trust parameters Pn to Px. The trust parameters Pn to Px may also be selected at random by any other method.
After selecting the trust parameters Pn to Px in step S202, the trust score calculation unit 124 repeats the loop of steps S203 to S205 below for i=n to i=x.
In step S203, the trust score calculation unit 124 obtains the threshold Thi of the trust parameter Pi (i=n to x) from the trust threshold storage unit 128.
In step S204, the trust score calculation unit 124 compares the trust parameter Pi with the threshold Thi obtained in step S203 and determines whether the condition Pi≧Thi is satisfied. If the condition is satisfied, that is, if the trust parameter Pi is equal to or greater than the threshold Thi, the process proceeds to step S205, increments the trust score count value Cn by one, and then moves to the next iteration of the loop. If the condition is not satisfied, that is, if the trust parameter Pi is less than the threshold Thi, the count value Cn is left unchanged and the process moves to the next iteration.
When the loop of steps S203 to S205 is complete, in step S206 the trust score calculation unit 124 determines whether the count value Cn finally obtained in the loop is at least a predetermined proportion (for example 0.6) of the total that would result if all (x-n+1) trust parameters had counted as 1. If the count value Cn is 0.6(x-n+1) or more, that is, if 60% or more of the randomly selected trust parameters gave a positive determination result, the process proceeds to step S207. If the count value Cn is less than 0.6(x-n+1), the process proceeds to step S208.
In step S207, the trust score calculation unit 124 transmits "satisfied", the trust score value representing "trustworthy", to the access gateway 110 as the result of the trust score calculation for the access request from the data requester 2, for example in a JSON (JavaScript (registered trademark) Object Notation) format message.
In step S208, the trust score calculation unit 124 transmits "not satisfied", the trust score value representing "not trustworthy", to the access gateway 110 as the result of the trust score calculation for the access request from the data requester 2, for example in a JSON format message.
After step S207 or S208 has been performed, the trust score calculation unit 124 ends the trust score calculation process shown in the flowchart of FIG. 9.
In the trust score calculation process described above, the trust parameters Pn to Px used to calculate the trust score are selected at random by dynamically choosing the values of x and n. This makes it difficult to guess the access determination pattern of the access control system 100, and so helps to prevent attacks by malicious hackers and other attackers.
Alternatively, the trust score may be calculated by the method described below. For example, when the context analysis unit 111 has selected the context type Ct2 or Ct3 described above, the trust score calculation unit 124 calculates the trust score by the following method.
The trust score calculation unit 124 can calculate the trust score Ts by, for example, the following equation (1). In equation (1), N represents the number of trust parameters described above, Pj represents the value of the j-th trust parameter among the trust parameters selected by the trust parameter selection unit 123 in step S108 of FIG. 6, and Wj represents the weight preset for the j-th trust parameter.
(Equation (1) is an image in the original document and is not reproduced here.)
The trust score Ts calculated by equation (1) above corresponds to a weighted sum of all the selected trust parameters. That is, the trust score calculation unit 124 can calculate the trust score Ts by weighting and summing, among the trust parameters corresponding to the categories 501 to 504 illustrated in FIG. 5, either the trust parameters of the categories 503 and 504 corresponding to "access" and "application", which are preset for the context type Ct2, or the trust parameters of the category 504 corresponding to "application", which are preset for the context type Ct3. Note that the trust score Ts may be normalized to the range 0 to 1 to make trust scores easier to compare.
As described above, in the context types Ct2 and Ct3, the past trust scores of various service providers (financial companies, insurance companies, etc.) are provided as the access-restricted data so that contract conditions and service offerings for the end user can be considered. Therefore, unlike the context type Ct1, in which the system decides whether to grant access requests to the end user's personal information, there is little need to make the access determination pattern difficult to guess. Accordingly, all the selected trust parameters are weighted and summed by equation (1), so that the trust score appropriately reflects the situation at the time of the access request.
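The category selection of steps S105 to S108 and both scoring methods (the random-window threshold count of FIG. 9 for Ct1, and the weighted sum of equation (1) for Ct2/Ct3), as an added example that is not the patent's own code. It assumes parameter values in [0, 1], weights in 0..100, a seeded RNG for the (n, x) window so runs are reproducible, and that the normalized form of equation (1) divides the weighted sum by the sum of the weights.

```python
"""Context-dependent trust score calculation (added example, not the patent's code).

Assumptions: values in [0, 1], weights in 0..100, seeded RNG for (n, x), and
normalization = weighted sum / sum of weights (the patent only says 0..1).
"""
from dataclasses import dataclass
import random

# Trust categories selected per context type (steps S105 to S107).
CATEGORIES_FOR_CONTEXT = {
    "Ct1": ("device", "network", "access"),
    "Ct2": ("access", "application"),
    "Ct3": ("application",),
}
POSITIVE_RATIO = 0.6   # predetermined proportion used in step S206


@dataclass(frozen=True)
class TrustParam:
    name: str
    category: str
    value: float      # P_j
    weight: float     # W_j
    threshold: float  # Th_j, as held by the trust threshold storage unit 128


def select_params(params, context):
    """Step S108: keep the parameters of the selected categories, ordered by
    weight (highest first) so that 'n-th to x-th' in step S202 is well defined."""
    wanted = CATEGORIES_FOR_CONTEXT[context]
    chosen = [p for p in params if p.category in wanted]
    return sorted(chosen, key=lambda p: p.weight, reverse=True)


def choose_window(n_params, rng):
    """Step S202: random n and x with 0 < n <= x <= N."""
    n = rng.randint(1, n_params)
    x = rng.randint(n, n_params)
    return n, x


def score_ct1(selected, n, x, ratio=POSITIVE_RATIO):
    """Steps S203 to S208 for a given window: count P_i >= Th_i over P_n..P_x
    (1-based) and compare the count C_n with ratio * (x - n + 1)."""
    window = selected[n - 1:x]
    count = sum(1 for p in window if p.value >= p.threshold)   # C_n
    verdict = "satisfied" if count >= ratio * len(window) else "not satisfied"
    return {"trust_score": verdict, "count": count, "window": len(window)}


def score_weighted(selected, normalize=False):
    """Equation (1) for Ct2/Ct3: Ts = sum over j of W_j * P_j (optionally normalized)."""
    ts = sum(p.weight * p.value for p in selected)
    if normalize:
        ts /= sum(p.weight for p in selected)
    return ts


def compute_trust_score(params, context, seed=0):
    """Dispatch on the context type chosen in step S103."""
    selected = select_params(params, context)
    if context == "Ct1":
        n, x = choose_window(len(selected), random.Random(seed))
        return score_ct1(selected, n, x)
    return {"trust_score": score_weighted(selected, normalize=True)}


def sample_params():
    """Constructed sample table in the style of FIG. 8(a)."""
    return [
        TrustParam("device_posture", "device", 0.9, 95, 0.7),
        TrustParam("access_frequency", "access", 0.6, 90, 0.5),
        TrustParam("vendor_feedback", "application", 0.3, 80, 0.5),
        TrustParam("network_reputation", "network", 0.5, 70, 0.6),
        TrustParam("processing_speed", "application", 0.8, 60, 0.5),
        TrustParam("access_attempt_rate", "access", 0.2, 50, 0.4),
    ]


if __name__ == "__main__":
    for ctx in ("Ct1", "Ct2", "Ct3"):
        print(ctx, compute_trust_score(sample_params(), ctx, seed=7))
```

Because the Ct1 window is random, the same parameter table can yield "satisfied" for one (n, x) and "not satisfied" for another; the test below pins specific windows to show both outcomes.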
Next, the method of analyzing the trust parameters will be described. For example, when the context analysis unit 111 has selected the context type Ct2 or Ct3, the access gateway 110 provides the end user with a user interface for multidimensional analysis of the trust parameters used to calculate the trust score. In this user interface, the end user can obtain the information needed to analyze the trust parameters from the access control system 100 by setting the desired conditions.
FIG. 10 is a diagram showing an example of multidimensional analysis of trust parameters. FIG. 10(a) shows an example of the user interface displayed on the end user's terminal when performing multidimensional analysis of trust parameters. In FIG. 10(a), graphic 1000 shows the value of the number of unauthorized access attempts, one of the trust parameters used to calculate a company's trust score, by branch and by month. Graphic 1005 shows the number of unauthorized access attempts for the same company by region and by year. These graphics 1000 and 1005 are three-dimensional: one dimension represents the organizational hierarchy of the service provider company, such as branch or region, and another dimension represents the acquisition period of the trust parameter (the number of unauthorized access attempts), such as month or year.
FIG. 10(b) shows an example of item selection for each dimension of the graphics 1000 and 1005. On the screen displayed on the terminal, the end user can select, for one dimension of these graphics, the items company name, region and branch, moving toward higher levels (drill up) or lower levels (drill down) as desired. Similarly, for the other dimension, the items year, quarter and month can be selected by drilling up or drilling down as desired.
Note that the user interface illustrated in FIG. 10 may be provided not only to end users but also, for example, to the administrator of the access control system 100. The trust parameters used to calculate the trust score vary at various levels, such as the user level, role level and company level. Using the information shown in the user interface of FIG. 10, the administrator can, as appropriate, issue warnings about fluctuations in trust parameters to each company that connects to the access control system 100 as a data requester 2 or data provider 3.
Next, the method of analyzing the trust score will be described. The access gateway 110 provides the end user with, for example, a user interface for analyzing trust scores. In this user interface, the end user can obtain the information needed to analyze trust scores from the access control system 100 by selecting the desired items.
FIG. 11 is a diagram showing an example of a trust score analysis screen. The trust score analysis screen 1100 shown in FIG. 11 is a screen displayed on the end user's terminal by, for example, the access gateway 110, and has selection boxes 1101, 1102 and 1103 and a trust score graph 1104. When considering a contract for a new service, for example, the end user can request the access control system 100 to display a trust score analysis screen 1100 like that of FIG. 11 in order to analyze the trust scores of the companies providing that service.
The selection box 1101 is for the end user to select the service type whose trust scores are to be analyzed. In this selection box 1101, the end user can select the subject of the trust score analysis displayed on the trust score analysis screen 1100 by selecting, for example, the type of company according to the service type.
The selection box 1102 is for the end user to select the security level and other requirements. In this selection box 1102, the end user can select various requirements related to the trust score.
The selection box 1103 is for the end user to select the hierarchical level of the service provider company. In this selection box 1103, the end user can select the hierarchical level of the service provider companies whose trust scores are to be analyzed from various levels such as company name, region and branch office.
The trust score graph 1104 visualizes on a graph the trust score values corresponding to the items selected in the selection boxes 1101 to 1103. By referring to the trust score graph 1104, the end user can compare the trust scores of the service provider companies and consider which company to contract with for a new service.
In the real estate industry, it is known that real estate companies sometimes commit the fraudulent act of tampering with documents such as the income certificate and employment status of an end user (a customer or tenant), without the end user's knowledge, in order to obtain loan approval from a financial company. Below, an example of the actual operation of the access control system 100 for preventing such fraud is described with reference to FIG. 12.
FIG. 12 is a sequence diagram showing an example of the actual operation of the access control system 100 according to one embodiment of the present invention. When the end user submits personal information such as an income certificate and employment status to the real estate company, the real estate company enters the personal information into the data exchange platform 1 on behalf of the user. Based on the entered personal information, the access control system 100 manages the policy and the workflow system and notifies the financial company that a new loan application has been made. On receiving this notification, the financial company checks the content of the end user's application made via the access control system 100, performs a trust score analysis of the real estate company that entered it as necessary, and decides whether to approve (OK) or deny (NG) the loan. The financial company's decision is notified to the end user via the access control system 100.
According to the embodiment of the present invention described above, the following effects are obtained.
(1) The access control system 100 is used in a data exchange platform 1 that mediates access-restricted data between a data requester 2 and a data provider 3. The access control system 100 comprises an access gateway 110 that performs context analysis of an access request from the data requester 2 for the access-restricted data; a trust score management unit 120 that, based on the result of the context analysis by the access gateway 110, randomly selects one or more trust parameters from a plurality of trust parameters acquired from the workflow system provided by the data exchange platform 1 and calculates a trust score for the access request based on the selected trust parameters; and an access determination unit 140 that determines whether to grant the access request based on the trust score calculated by the trust score management unit 120. This makes it possible to realize safe and highly robust access control.
(2) In the context analysis, the access gateway 110 acquires attribute information including the attributes of the data requester 2, the attributes of the access-restricted data and the progress status of the workflow system (step S102), and determines, based on the acquired attribute information, whether the access request falls under the first context (context type Ct1), the second context (context type Ct2) or the third context (context type Ct3) (step S103). As shown by reference numerals 401 to 403 in FIG. 4, in context type Ct1 the data requester 2 is a service provider that provides a service to an end user, the data provider 3 is another service provider or the end user, and the access-restricted data is personal information about the end user. In context type Ct2, the data requester 2 is a service provider, the data provider 3 is another service provider, and the access-restricted data is information about the trust scores calculated when that other service provider made access requests in the past as a data requester 2. In context type Ct3, the data requester 2 is an end user, the data provider 3 is a service provider, and the access-restricted data is information about the trust scores calculated when that service provider made access requests in the past as a data requester 2. This makes it possible to perform an appropriate context analysis of an access request from the data requester 2 for the access-restricted data.
(3) When the access gateway 110 determines that the access request corresponds to context type Ct1 (step S105), the trust score management unit 120 selects a randomly determined number of trust parameters, in order of priority, from a predetermined number of trust parameters preset for context type Ct1 among the plurality of trust parameters (step S202), and calculates the trust score (steps S207, S208) by determining whether the selected trust parameters contain at least a predetermined proportion of trust parameters that are equal to or greater than a predetermined threshold (steps S203 to S206). When the access gateway 110 determines that the access request corresponds to context type Ct2 or Ct3 (steps S106, S107), the trust score management unit 120 calculates the trust score as a weighted sum, according to equation (1), of the trust parameters preset for context type Ct2 or Ct3 among the plurality of trust parameters. With this configuration, the trust score can be calculated appropriately according to the situation at the time of the access request.
(4) When the access gateway 110 determines that the access request corresponds to context type Ct2 or Ct3, it provides the end user with a user interface for multidimensional analysis of the trust parameters used to calculate the trust score, for example as shown by graphics 1000 and 1005 in FIG. 10. This user interface includes a control for selecting, on screen, the organizational hierarchy of the service provider or the acquisition period of the trust parameters. With this configuration, the end user can receive from the access control system 100 the information needed to analyze the trust parameters.
(5) Based on the result of the context analysis, the trust score management unit 120 selects one of a plurality of preset trust categories (categories 501 to 504), and selects the trust parameters by randomly selecting one or more trust parameters from the combination of trust parameters preset for the selected trust category (step S108). With this configuration, trust parameters suitable for calculating the trust score can be reliably selected using the result of the context analysis.
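The two scoring paths of items (2), (3) and (5) above, written out as an added example (not code from the patent or from the applicant): the requester, provider and data attributes are mapped to Ct1, Ct2 or Ct3; on the Ct1 path a random number of parameters is taken in priority order and checked against a threshold and a required proportion; on the Ct2/Ct3 path the preset parameters are combined by a weighted sum. Parameter names, priorities, values, weights, the 0.7 threshold, the 0.6 proportion, the 0/1 score scale on the Ct1 path and the normalized form of equation (1) are all assumptions; the patent gives none of them.

```python
"""Context classification and trust-score calculation modelled on the Ct1..Ct3
context types and the two scoring paths of the description.
Constructed example: parameter names, priorities, values, weights and
thresholds are assumptions, not values from the patent."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CT1, CT2, CT3 = "Ct1", "Ct2", "Ct3"


@dataclass(frozen=True)
class TrustParameter:
    name: str
    priority: int   # assumption: 1 is the highest priority
    value: float    # assumption: normalized to [0, 1]


def classify_context(requester: str, provider: str, data_kind: str) -> str:
    """Map requester/provider/data attributes to Ct1, Ct2 or Ct3 as in item (2)."""
    if (requester == "service_provider" and data_kind == "personal_info"
            and provider in ("service_provider", "end_user")):
        return CT1
    if (requester == "service_provider" and provider == "service_provider"
            and data_kind == "trust_score_history"):
        return CT2
    if (requester == "end_user" and provider == "service_provider"
            and data_kind == "trust_score_history"):
        return CT3
    raise ValueError(f"no context for {(requester, provider, data_kind)}")


# Preset trust categories and their parameter combinations (item (5)); one
# category per context here. All values are constructed.
CATEGORY_PARAMS: Dict[str, List[TrustParameter]] = {
    CT1: [
        TrustParameter("mfa_enforced", 1, 0.9),
        TrustParameter("device_compliant", 2, 0.6),
        TrustParameter("workflow_consent_recorded", 3, 0.4),
        TrustParameter("contract_signed", 4, 0.95),
        TrustParameter("incident_free_days", 5, 0.5),
    ],
    CT2: [
        TrustParameter("fulfilment_rate", 1, 0.9),
        TrustParameter("complaint_rate_inverse", 2, 0.8),
        TrustParameter("audit_score", 3, 0.5),
    ],
}
CATEGORY_PARAMS[CT3] = CATEGORY_PARAMS[CT2]

# Weights for the Ct2/Ct3 weighted sum; the patent does not give them (assumed).
WEIGHTS: Dict[str, float] = {
    "fulfilment_rate": 0.5,
    "complaint_rate_inverse": 0.3,
    "audit_score": 0.2,
}


def select_by_priority(params: List[TrustParameter], count: int) -> List[TrustParameter]:
    """Step S202: take `count` parameters in priority order from the preset set."""
    if not 1 <= count <= len(params):
        raise ValueError("count must be between 1 and the preset number")
    return sorted(params, key=lambda p: p.priority)[:count]


def score_ct1_with_count(params: List[TrustParameter], count: int,
                         threshold: float = 0.7, required_ratio: float = 0.6) -> Tuple[float, float]:
    """Steps S203-S208: proportion of selected parameters at or above the threshold,
    and the resulting score. Assumption: score is 1.0 when the proportion meets
    the required ratio, otherwise 0.0 (the patent does not state the scale)."""
    chosen = select_by_priority(params, count)
    passing = sum(1 for p in chosen if p.value >= threshold)
    ratio = passing / len(chosen)
    return (1.0 if ratio >= required_ratio else 0.0), ratio


def score_ct1(params: List[TrustParameter], rng: Optional[random.Random] = None) -> Tuple[float, int]:
    """Ct1 path of item (3): randomly decide how many parameters to use, then score."""
    rng = rng or random.Random()
    count = rng.randint(1, len(params))
    score, _ = score_ct1_with_count(params, count)
    return score, count


def score_weighted(params: List[TrustParameter], weights: Dict[str, float]) -> float:
    """Ct2/Ct3 path: weighted sum normalized by the total weight (assumed form of eq. (1))."""
    total = sum(weights[p.name] for p in params)
    return sum(weights[p.name] * p.value for p in params) / total


def trust_score(context: str, rng: Optional[random.Random] = None) -> float:
    params = CATEGORY_PARAMS[context]
    if context == CT1:
        return score_ct1(params, rng)[0]
    return score_weighted(params, WEIGHTS)


if __name__ == "__main__":
    rng = random.Random(2024)
    ctx = classify_context("service_provider", "end_user", "personal_info")
    print(ctx, trust_score(ctx, rng))
    ctx = classify_context("end_user", "service_provider", "trust_score_history")
    print(ctx, trust_score(ctx, rng))
```

The random count on the Ct1 path is what gives the scheme its robustness: a requester cannot know in advance how many of its parameters will be examined, so it cannot satisfy only the ones it expects to be checked. `score_ct1_with_count` is kept separate from the random wrapper so that every possible count can be checked deterministically.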
(6) The access gateway 110 has an access request information generation unit 112 that generates access request information corresponding to the access request based on the trust score and on the attribute information of the access request according to the progress status of the workflow system (subject attribute s_rt, action attribute a_rt, resource attribute r_rt, environment attribute w_rt). The access request information generation unit 112 transmits the generated access request information to the access determination unit 140 (step S110). The access determination unit 140 determines whether to permit the access request based on the access request information received from the access request information generation unit 112 (step S111). With this configuration, whether to permit the access request can be determined accurately, reflecting the trust score and the progress status of the workflow.
(7) The access control system 100 includes a policy storage unit 132 that stores a policy describing the permission conditions for access requests and that the access determination unit 140 refers to, and a policy update unit 131 that updates the policy stored in the policy storage unit 132. The policy update unit 131 updates the policy in response to changes in the participants of the workflow system. With this configuration, even when the data requester 2 or the data provider 3 changes in the workflow system, the content of the policy can be updated appropriately according to that change.
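Items (6) and (7) above, as an added example that is not code from the patent or from the applicant: the access request information carries the four attribute sets (s_rt, a_rt, r_rt, w_rt) together with the trust score, the determination step is deny-by-default against stored permission conditions, and a participant change rewrites which requesters the policy still admits. The attribute keys, workflow stage names, the single policy rule, its 0.7 minimum trust, and the participant identifiers are constructed assumptions.

```python
"""Access request information (item (6)) and policy-based determination with
participant-driven policy updates (item (7)). Attribute names, workflow stages,
policy rules and participant identifiers are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequestInfo:
    """What the access request information generation unit 112 would emit:
    the subject, action, resource and environment attributes plus the trust score."""
    subject: Dict[str, str]       # s_rt: requester id and role (assumed keys)
    action: str                   # a_rt
    resource: Dict[str, str]      # r_rt: data kind and owner (assumed keys)
    environment: Dict[str, str]   # w_rt: workflow progress (assumed key)
    trust_score: float


@dataclass
class PolicyRule:
    """One permission condition held by the policy storage unit 132."""
    action: str
    data_kind: str
    required_stage: str
    min_trust: float
    allowed_requesters: Set[str] = field(default_factory=set)


def build_request_info(requester_id: str, role: str, action: str, data_kind: str,
                       data_owner: str, workflow_stage: str, trust_score: float) -> AccessRequestInfo:
    """Step S110 input: combine the trust score with workflow-dependent attributes."""
    return AccessRequestInfo(
        subject={"id": requester_id, "role": role},
        action=action,
        resource={"kind": data_kind, "owner": data_owner},
        environment={"workflow_stage": workflow_stage},
        trust_score=trust_score,
    )


def decide(info: AccessRequestInfo, policy: List[PolicyRule]) -> Tuple[bool, str]:
    """Step S111: deny unless a rule matches on action, data kind, workflow stage,
    current participant membership and minimum trust score."""
    reasons: List[str] = []
    for rule in policy:
        if rule.action != info.action or rule.data_kind != info.resource["kind"]:
            continue
        stage = info.environment["workflow_stage"]
        if stage != rule.required_stage:
            reasons.append(f"workflow stage {stage!r} is not {rule.required_stage!r}")
        elif info.subject["id"] not in rule.allowed_requesters:
            reasons.append(f"{info.subject['id']} is not a current workflow participant")
        elif info.trust_score < rule.min_trust:
            reasons.append(f"trust score {info.trust_score} below {rule.min_trust}")
        else:
            return True, "permitted"
    return False, "; ".join(reasons) or "no matching rule"


def update_policy_for_participants(policy: List[PolicyRule], participants: Set[str]) -> List[PolicyRule]:
    """Policy update unit 131: when the workflow's participants change, every rule's
    allowed requester set becomes the current participant set, so a party that
    left the workflow loses permission without editing the rule by hand."""
    return [PolicyRule(r.action, r.data_kind, r.required_stage, r.min_trust, set(participants))
            for r in policy]


# Constructed policy: one rule allowing reads of personal information once the
# workflow has recorded consent, for the two current service providers.
POLICY: List[PolicyRule] = [
    PolicyRule("read", "personal_info", "consent_granted", 0.7, {"sp-A", "sp-B"}),
]


if __name__ == "__main__":
    req = build_request_info("sp-A", "service_provider", "read", "personal_info",
                             "user-1", "consent_granted", 0.8)
    print(decide(req, POLICY))
    print(decide(req, update_policy_for_participants(POLICY, {"sp-B"})))
```

The workflow stage is treated as a hard precondition rather than as one more weighted input, which matches the description: a high trust score does not let a request run ahead of the workflow.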
(8) The access control method by the access control system 100 is an access control method in a data exchange platform 1 that mediates access-restricted data between a data requester 2 and a data provider 3. In this access control method, context analysis is performed on an access request from the data requester 2 for the access-restricted data (step S103); based on the result of the context analysis, one or more trust parameters are randomly selected from a plurality of trust parameters obtained from the workflow system provided by the data exchange platform 1 (step S108); a trust score of the access request is calculated based on the selected trust parameters (step S109); and whether to permit the access request is determined based on the trust score (step S111). With this configuration, safe and highly robust access control can be realized.
The present invention is not limited to the above embodiments and can be implemented using any components within the scope of its gist. The embodiments and modifications described above are merely examples, and the present invention is not limited to them as long as its features are not impaired. Although various embodiments and modifications have been described above, the present invention is not limited to them; other aspects conceivable within the technical idea of the present invention are also included within its scope.
DESCRIPTION OF SYMBOLS: 1... Data exchange platform, 2... Data requester, 3... Data provider, 100... Access control system, 110... Access gateway, 111... Context analysis unit, 112... Access request information generation unit, 113... Log management unit, 114... Access log, 120... Trust score management unit, 121... Trust parameter acquisition unit, 122... Trust category analysis unit, 123... Trust parameter selection unit, 124... Trust score calculation unit, 125... Warning unit, 127... Trust parameter storage unit, 128... Trust threshold storage unit, 129... Trust score storage unit, 130... Policy management unit, 131... Policy update unit, 132... Policy storage unit, 140... Access determination unit, 150... Workflow system

Claims (8)

  1.  An access control system used in a data exchange platform that mediates access-restricted data between a data requester and a data provider, the system comprising:
     an access gateway that performs a context analysis on an access request from the data requester for the access-restricted data;
     a trust score management unit that, based on a result of the context analysis by the access gateway, randomly selects one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform, and calculates a trust score of the access request based on the selected trust parameters; and
     an access determination unit that determines whether to permit the access request based on the trust score calculated by the trust score management unit.
  2.  The access control system according to claim 1, wherein
     in the context analysis, the access gateway acquires attribute information including attributes of the data requester, attributes of the access-restricted data, and a progress status of the workflow system, and determines, based on the acquired attribute information, whether the access request corresponds to a first context, a second context, or a third context,
     in the first context, the data requester is a service provider that provides a service to an end user, the data provider is another service provider or the end user, and the access-restricted data is information about the end user,
     in the second context, the data requester is the service provider, the data provider is the other service provider, and the access-restricted data is information on the trust score calculated when the other service provider previously made the access request as the data requester, and
     in the third context, the data requester is the end user, the data provider is the service provider, and the access-restricted data is information on the trust score calculated when the service provider previously made the access request as the data requester.
  3.  The access control system according to claim 2, wherein
     when the access gateway determines that the access request corresponds to the first context, the trust score management unit selects a randomly determined number of trust parameters, in order of priority, from a predetermined number of trust parameters preset for the first context among the plurality of trust parameters, and calculates the trust score by determining whether the selected trust parameters contain at least a predetermined proportion of trust parameters that are equal to or greater than a predetermined threshold, and
     when the access gateway determines that the access request corresponds to the second context or the third context, the trust score management unit calculates the trust score by a weighted sum of the trust parameters preset for the second context or the third context among the plurality of trust parameters.
  4.  The access control system according to claim 3, wherein
     when the access gateway determines that the access request corresponds to the second context or the third context, the access gateway provides the end user with a user interface for multidimensional analysis of the trust parameters used to calculate the trust score, and
     the user interface includes a control for selecting, on screen, an organizational hierarchy of the service provider or an acquisition period of the trust parameters.
  5.  The access control system according to claim 1, wherein
     the trust score management unit selects one of a plurality of preset trust categories based on the result of the context analysis, and performs the selection of the trust parameters by randomly selecting one or more trust parameters from a combination of the trust parameters preset for the selected trust category.
  6.  The access control system according to claim 1, wherein
     the access gateway has an access request information generation unit that generates access request information corresponding to the access request based on the trust score and on attribute information of the access request according to the progress status of the workflow system,
     the access request information generation unit transmits the generated access request information to the access determination unit, and
     the access determination unit determines whether to permit the access request based on the access request information received from the access request information generation unit.
  7.  The access control system according to claim 1, further comprising:
     a policy storage unit that stores a policy describing permission conditions for the access request and that the access determination unit refers to; and
     a policy update unit that updates the policy stored in the policy storage unit,
     wherein the policy update unit updates the policy in response to a change in participants of the workflow system.
  8.  An access control method in a data exchange platform that mediates access-restricted data between a data requester and a data provider, the method comprising:
     performing a context analysis on an access request from the data requester for the access-restricted data;
     randomly selecting, based on a result of the context analysis, one or more trust parameters from a plurality of trust parameters obtained from a workflow system provided by the data exchange platform;
     calculating a trust score of the access request based on the selected trust parameters; and
     determining whether to permit the access request based on the trust score.
PCT/JP2023/018177 2022-05-19 2023-05-15 Access control system and access control method WO2023224016A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022082623A JP2023170691A (en) 2022-05-19 2022-05-19 Access control system, and access control method
JP2022-082623 2022-05-19

Publications (1)

Publication Number Publication Date
WO2023224016A1 true WO2023224016A1 (en) 2023-11-23

Family

ID=88835615

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/018177 WO2023224016A1 (en) 2022-05-19 2023-05-15 Access control system and access control method

Country Status (2)

Country Link
JP (1) JP2023170691A (en)
WO (1) WO2023224016A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120054826A1 (en) * 2009-06-01 2012-03-01 Koninklijke Philips Electronics N.V. Dynamic determination of access rights
JP2015212939A (en) * 2012-09-04 2015-11-26 アレクセオ コーポレーション System and method for protecting terminal devices on dynamically configured network

Also Published As

Publication number Publication date
JP2023170691A (en) 2023-12-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23807618

Country of ref document: EP

Kind code of ref document: A1