Disclosure of Invention
The application adopts the technical means of sensitivity assessment, multidimensional identity verification, dynamic access right adjustment, access monitoring, exception analysis, access control analysis, access limit protection and the like to dynamically adjust the access right and monitor the access behavior of a user in real time, thereby achieving the technical effects of improving the data security protection effect and effectively reducing the data leakage and illegal access risk.
The application provides an access control method for data security protection, which comprises the following steps:
S1, acquiring user access request information, performing sensitivity evaluation on the user access request information to acquire access data sensitivity information, and matching against a security verification mode library based on the access data sensitivity information to acquire a target security verification mode;
S2, carrying out multidimensional identity verification on a target user based on the target security verification mode to obtain a security verification result, and carrying out dynamic access right adjustment on the target user through the user access request information to obtain accessible right data information when the security verification result is passed;
S3, carrying out access monitoring on the accessible right data information through the target user, obtaining user access behavior information, carrying out anomaly analysis on the user access behavior information, and obtaining anomaly access behavior characteristic information;
S4, carrying out access control analysis on the abnormal access behavior characteristic information to obtain a data security access policy, and carrying out access restriction protection on the accessible right data information based on the data security access policy.
In a possible implementation manner, the access data sensitivity information is obtained in S1, and the following processing is performed:
S11, acquiring a target access data system, and analyzing access data of the target access data system to acquire target access data architecture information;
S12, constructing data descriptive factor information, wherein the data descriptive factor information comprises a data type, a data hierarchy, a data dimension and a source range;
S13, carrying out feature description on each access data in the target access data architecture information based on the data description factor information to obtain target access data description feature information;
S14, constructing a data sensitivity discriminator according to the target access data description characteristic information, and carrying out sensitivity evaluation on the user access request information based on the data sensitivity discriminator to obtain the access data sensitivity information.
In a possible implementation manner, the step S14 is implemented to construct a data sensitivity discriminator, and the following processing is performed:
identifying the discrimination content of the data descriptive factor information based on the target access data descriptive characteristic information to obtain a data descriptive factor discrimination content node set;
carrying out sensitivity division on each item of the data descriptive factor information according to a data management standard, and defining a data descriptive factor sensitivity division rule;
performing sensitivity recognition on the data descriptive factor discrimination content node set based on the data descriptive factor sensitivity division rule to obtain a data content node descriptive factor sensitivity set;
and carrying out factor weighted calculation on the data content node descriptive factor sensitivity set to obtain a data content node sensitivity information set, and training and constructing the data sensitivity discriminator based on the data descriptive factor discrimination content node set and the data content node sensitivity information set.
In a possible implementation manner, the step S2 obtains the accessible rights data information, and performs the following processing:
S21, acquiring role label information of the target user, and determining role authority information of the target user based on matching of the role label information with a system role authority library;
S22, identifying the context environment of the target user to obtain access context environment characteristic information;
S23, performing access right matching on the access context environment characteristic information according to a preset environment access rule to obtain target environment access right information;
S24, performing content mapping on the intersection of the target user role authority information and the target environment access authority information and the user access request information to obtain the accessible authority data information.
In a possible implementation manner, the step S24 obtains the accessible rights data information, and performs the following processing:
carrying out factor authority division on each system role in the system role authority library according to the data description factor information to obtain a system role factor authority label set;
carrying out mapping and matching between the system role factor authority label set and the target access data architecture information to obtain a system role authority access data content set;
carrying out content division on the target access data architecture information according to the preset environment access rule to obtain an environment authority access data content set;
matching and intersecting the target user role authority information with the system role authority access data content set, and the target environment access authority information with the environment authority access data content set, to obtain accessible data intersection content information;
and carrying out content mapping on the accessible data intersection content information and the user access request information to obtain the accessible right data information.
In a possible implementation manner, the step S3 obtains the characteristic information of the abnormal access behavior, and performs the following processing:
S31, acquiring a system access database, defining an abnormal behavior recognition rule, and marking abnormal characteristics of the system access database to obtain a system access abnormal behavior characteristic sample set;
S32, performing model convergence training on the system access abnormal behavior feature sample set to construct an abnormal access behavior feature recognition model, wherein the abnormal access behavior feature recognition model comprises an abnormal behavior pattern recognition model and an abnormal behavior degree recognition model;
S33, carrying out anomaly analysis on the user access behavior information based on the abnormal access behavior feature recognition model, and outputting the abnormal access behavior feature information.
In a possible implementation manner, the step of obtaining a data security access policy performs the following processing:
acquiring a security access policy library, wherein the security access policy library comprises historical abnormal access behavior characteristic data and corresponding security access policies;
carrying out similarity analysis based on the abnormal access behavior characteristic information and the security access policy library, and obtaining a security access policy set within a preset similarity threshold;
and carrying out a multidimensional protection test on the security access policy set to obtain an access policy security protection effect set, and screening according to the access policy security protection effect set to obtain the data security access policy.
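As an added illustration that is not part of the application's own disclosure, the following Python code shows one way to carry out the similarity analysis and effect-based screening described in the step above: the observed abnormal access behaviour features are compared with the historical feature sets in a security access policy library using Jaccard similarity, the candidate policies within a threshold are collected, and the candidate whose multidimensional protection test scores average highest is selected. The feature names, policy names, threshold, and protection effect scores are all constructed assumptions.

```python
"""Added example (not code from the application): data security access policy
selection by similarity against a policy library, followed by screening on a
multidimensional protection effect score. All names and values are constructed."""

# Security access policy library (constructed): historical abnormal access behaviour
# feature sets together with the security access policy that was applied to each.
POLICY_LIBRARY = [
    {"features": {"bulk_export", "off_hours", "new_device"}, "policy": "rate_limit_and_reverify"},
    {"features": {"bulk_export", "off_hours"}, "policy": "rate_limit"},
    {"features": {"privilege_probe", "new_device"}, "policy": "revoke_session"},
    {"features": {"geo_anomaly", "new_device", "off_hours"}, "policy": "step_up_auth"},
]

# Access policy security protection effect set (constructed): the result of the
# multidimensional protection test for each policy; the mean over the dimensions
# is used as the screening score.
PROTECTION_EFFECT = {
    "rate_limit_and_reverify": {"leak_prevention": 0.9, "availability": 0.6, "user_friction": 0.5},
    "rate_limit": {"leak_prevention": 0.6, "availability": 0.9, "user_friction": 0.9},
    "revoke_session": {"leak_prevention": 0.95, "availability": 0.3, "user_friction": 0.2},
    "step_up_auth": {"leak_prevention": 0.8, "availability": 0.8, "user_friction": 0.6},
}


def jaccard(a, b):
    """Similarity of two feature sets as |a & b| / |a | b|; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def candidate_policies(observed, threshold):
    """Security access policy set: library entries whose historical features reach
    the similarity threshold, as (similarity, policy) pairs sorted best first."""
    scored = ((jaccard(observed, entry["features"]), entry["policy"]) for entry in POLICY_LIBRARY)
    return sorted(((sim, policy) for sim, policy in scored if sim >= threshold), reverse=True)


def protection_score(policy):
    """Mean of the protection test results across all dimensions."""
    effects = PROTECTION_EFFECT[policy]
    return sum(effects.values()) / len(effects)


def select_policy(observed, threshold=0.5):
    """Screen the candidate set by protection effect; None when no candidate qualifies,
    so that an unrecognised anomaly is not silently mapped to an arbitrary policy."""
    candidates = candidate_policies(observed, threshold)
    if not candidates:
        return None
    return max((policy for _, policy in candidates), key=protection_score)


if __name__ == "__main__":
    observed_features = {"bulk_export", "off_hours", "new_device"}  # constructed observation
    print(candidate_policies(observed_features, 0.5))
    print(select_policy(observed_features))
```

Because the screening step prefers the policy with the best averaged protection effect, the selected policy is not necessarily the one whose historical features match most closely; if an operator wants closeness to dominate, the similarity can be folded into the score.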
The application also provides an access control system for data security protection, comprising:
The target security verification mode acquisition module is used for acquiring user access request information, carrying out sensitivity evaluation on the user access request information to acquire access data sensitivity information, and carrying out matching with a security verification mode library based on the access data sensitivity information to acquire a target security verification mode;
The accessible right data information acquisition module is used for carrying out multidimensional identity verification on a target user based on the target security verification mode to obtain a security verification result, and, when the security verification result is passed, carrying out dynamic access right adjustment on the target user through the user access request information to obtain accessible right data information;
The abnormal access behavior characteristic information acquisition module is used for carrying out access monitoring on the accessible right data information through the target user, acquiring user access behavior information, carrying out abnormal analysis on the user access behavior information and acquiring abnormal access behavior characteristic information;
The access limit protection module is used for carrying out access control analysis on the abnormal access behavior characteristic information, obtaining a data security access policy, and carrying out access limit protection on the accessible right data information based on the data security access policy.
The access control method and system for data security protection obtain user access request information, perform sensitivity evaluation on the user access request information to obtain access data sensitivity information, and match a security verification mode library based on the access data sensitivity information to obtain a target security verification mode. Multidimensional identity verification is then performed on a target user based on the target security verification mode to obtain a security verification result, and when the security verification result is passed, dynamic access right adjustment is performed on the target user through the user access request information to obtain accessible right data information. Access monitoring is performed on the accessible right data information through the target user to obtain user access behavior information, anomaly analysis is performed on the user access behavior information to obtain abnormal access behavior feature information, access control analysis is performed on the abnormal access behavior feature information to obtain a data security access policy, and access restriction protection is performed on the accessible right data information based on the data security access policy. In this way the technical effects of improving the data security protection effect and effectively reducing the data leakage and illegal access risk are achieved.
Detailed Description
The foregoing description is only an overview of the technical solution of the present application. In order that it may be more clearly understood and implemented in accordance with the teachings of the present application, and to make the above and other objects, features and advantages of the present application more readily apparent, detailed embodiments are given below.
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict. The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or modules that may not be expressly listed or inherent to such process, method, article, or apparatus, and unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains. The terminology used herein is for the purpose of describing embodiments of the application only.
The embodiment of the application provides an access control method for data security protection, as shown in fig. 1, the method comprises the following steps:
S1, acquiring user access request information, performing sensitivity evaluation on the user access request information to acquire access data sensitivity information, and matching against a security verification mode library based on the access data sensitivity information to acquire a target security verification mode. Specifically, access requests from users are monitored and captured; the user access request information is all information contained in an access request initiated by a user to the system, including the requested resource, method, parameters, and the like. The captured user access request information is analyzed, and key information such as the requested resource path and the user identifier in the request header is extracted. The target resource which the user tries to access, such as a specific database table, a file or an API interface, is identified from the user access request information, and sensitivity assessment is carried out on the target resource according to a preset resource sensitivity rule or model, including analysis of the confidentiality, integrity, availability and other attributes of the resource. Based on the evaluation result, a sensitivity level, such as "high sensitivity", "medium sensitivity" or "low sensitivity", is assigned to the user's access request. A security verification mode library is predefined: it is a database or configuration file containing various security verification modes (such as password verification, biometric identification, dynamic token and the like) and their corresponding sensitivity level requirements.
According to the access data sensitivity information, searching a security verification mode matched with the access data sensitivity information in the security verification mode library by comparing the access data sensitivity information with sensitivity level requirements defined in the security verification mode library, and selecting one or more security verification modes from the matching result as target security verification modes for verifying the identity and authorization of the user.
In one possible implementation manner, the step S1 of obtaining the access data sensitivity information further includes the step S11 of obtaining a target access data system, and performing access data analysis on the target access data system to obtain target access data architecture information. Specifically, the target access data system which the user wants to access is defined, and the target access data system is a data storage system which the user wants to access, includes data which needs to be accessed and managed, and can be a database, an API interface, a file system or the like. And analyzing the data structure, the data relation and the like in the target access data system, and determining the data architecture, the table structure, the field type and the like of the target access data system. And extracting target access data architecture information from the analysis result, wherein the target access data architecture information is information such as a data structure, a data relationship and the like obtained by analyzing a target access data system, such as a data table name, a field name, a data type and the like. And S12, constructing data descriptive factor information, wherein the data descriptive factor information comprises data types, data levels, data dimensions and source ranges. 
Specifically, the data descriptive factor information is a set of information describing the attributes of data, used to help understand and analyze the characteristics of the data. The data type is the type or category of the data, such as text, numerical value, date and the like, and determines the storage mode and processing mode of the data. The data hierarchy is the position or level of the data in the organization structure, such as company level, department level, personal level and the like, and reflects the importance and influence scope of the data. The data dimension describes different aspects or attributes of the characteristics of the data and is used for multi-angle analysis and interpretation of the data, such as user identity, transaction amount and geographic position in business data. The source range refers to the origin of the data, such as an internal system, external partners or public data sources, and is used for evaluating the trustworthiness and reliability of the data. And S13, carrying out feature description on each access data in the target access data architecture information based on the data description factor information to obtain target access data description feature information. Specifically, each data item in the target access data architecture information is matched with the data description factor information, the characteristic information such as the data type, the data hierarchy and the data dimension of each data item is extracted according to the matching result, and the extracted characteristic information is integrated to form the target access data description characteristic information.
S14, constructing a data sensitivity discriminator according to the target access data description characteristic information, and carrying out sensitivity evaluation on the user access request information based on the data sensitivity discriminator to obtain the access data sensitivity information. Specifically, a data sensitivity discriminator is constructed according to the characteristic information of the target access data description, the data sensitivity discriminator can be an algorithm model or a set of rules, the data sensitivity discriminator is used for judging the sensitivity degree of the data according to the characteristics and rules of the data, the user access request information is input into the data sensitivity discriminator, the sensitivity evaluation is carried out on the data according to the logic and rules of the data sensitivity discriminator, the evaluation result, namely the access data sensitivity information, is information about the sensitivity degree of the data involved in the user access request information, and the access data sensitivity information can be a sensitivity level or a score. According to the implementation mode, the sensitivity and the importance of the data are judged more accurately by analyzing the data architecture and the characteristics of the target access data system, and the technical effects of fine management and safety control on the user access request are achieved.
In a possible implementation manner, the step S14 of constructing a data sensitivity discriminator further includes discriminating content identification of the data descriptor information based on the target access data descriptor characteristic information, and obtaining a data descriptor discriminating content node set. Specifically, information related to the data descriptor information is extracted from the target access data descriptor information, for each data descriptor information (data type, data hierarchy, data dimension, source range), the content or sub-item specifically contained in the data descriptor information is identified, each sub-item serves as a judging content node, and all the identified judging content nodes are integrated into one set, namely, the data descriptor judging content node set. And respectively carrying out sensitivity division on the data descriptive factor information according to a data management standard, and defining a data descriptive factor sensitivity division rule. Specifically, the sensitivity classification principle of different data descriptive factor information is determined according to the data management standard of industry or organization (the specification and standard regarding data management, data security and the like established by the industry or organization). For each data descriptive factor information, defining the sensitivity level (such as high, medium and low) according to the standard or actual requirement, and formulating a specific sensitivity dividing rule for each data descriptive factor information to determine how to judge the sensitivity level according to the data content. And carrying out sensitivity recognition on the data descriptive factor discrimination content node set based on the data descriptive factor sensitivity dividing rule to obtain a data content node descriptive factor sensitivity set. 
Specifically, the defined data descriptive factor sensitivity division rule is applied to the data descriptive factor discrimination content node set, sensitivity evaluation is carried out on each discrimination content node according to the rule, a sensitivity level is determined, and all the identified data content node descriptive factor sensitivities are integrated into a set, namely the data content node descriptive factor sensitivity set. And carrying out factor weighted calculation on the data content node descriptive factor sensitivity set to obtain a data content node sensitivity information set, and training and constructing the data sensitivity discriminator based on the data descriptive factor discrimination content node set and the data content node sensitivity information set. Specifically, according to actual requirements or expert experience, a weight is allocated to each item of data descriptive factor information or each discrimination content node; using a weighted calculation method (such as weighted mean, weighted product and the like), the comprehensive sensitivity of each data content node is calculated from the data content node descriptive factor sensitivity set and the weights, and all calculated data content node sensitivities are integrated into one set, namely the data content node sensitivity information set. Using the data descriptive factor discrimination content node set and the data content node sensitivity information set as training data, a data sensitivity discriminator is trained and constructed, which can be a machine learning model, a decision tree, a neural network and the like.
According to the implementation mode, the identification of the content is carried out on the data descriptive factor information based on the target access data descriptive characteristic information, so that the data sensitivity discriminator can cover all important data contents and dimensions, sensitivity division and rule definition are carried out according to the data management standard, the assessment result of the data sensitivity discriminator meets the industry or organization standard, the accuracy and generalization capability of the data sensitivity discriminator are further improved through factor weighted calculation and model training, the data sensitivity discriminator can cope with complex and changeable data environments and access requests, and finally an accurate and reliable data sensitivity discriminator is built, so that the technical effect of carrying out refined sensitivity assessment on the user access requests is achieved.
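As an added illustration that is not part of the application's own disclosure, the following Python code implements the rule-based form of the data sensitivity discriminator described in steps S11 to S14 (sensitivity division rules per descriptive factor, factor weighted calculation, and a level assignment) and then performs the step S1 matching of the resulting level against a security verification mode library. The factor nodes, rule scores, weights, level thresholds, data items and library contents are all constructed assumptions; a trained model could replace the rule table without changing the surrounding flow.

```python
"""Added example (not code from the application): a rule-based data sensitivity
discriminator over the four data descriptive factors, and matching of the
resulting sensitivity level to a security verification mode library.
All factor nodes, weights, thresholds and library entries are constructed."""

# Data descriptive factor sensitivity division rules (constructed): each
# discrimination content node maps to a sensitivity score in [0, 1].
FACTOR_RULES = {
    "data_type": {"text": 0.2, "numeric": 0.3, "date": 0.2, "identifier": 0.8, "credential": 1.0},
    "data_hierarchy": {"public": 0.1, "department": 0.5, "company": 0.7, "personal": 0.9},
    "data_dimension": {"product": 0.2, "geo": 0.5, "transaction_amount": 0.7, "user_identity": 0.9},
    "source_range": {"public": 0.1, "partner": 0.5, "internal": 0.6},
}

# Factor weights for the weighted calculation (constructed; they sum to 1).
FACTOR_WEIGHTS = {"data_type": 0.35, "data_hierarchy": 0.3, "data_dimension": 0.25, "source_range": 0.1}

# Target access data description characteristic information (constructed):
# each data item of the architecture described by the four factors.
DATA_ARCHITECTURE = {
    "employees.ssn": {"data_type": "identifier", "data_hierarchy": "personal",
                      "data_dimension": "user_identity", "source_range": "internal"},
    "orders.amount": {"data_type": "numeric", "data_hierarchy": "department",
                      "data_dimension": "transaction_amount", "source_range": "partner"},
    "catalog.name": {"data_type": "text", "data_hierarchy": "public",
                     "data_dimension": "product", "source_range": "public"},
}

# Security verification mode library (constructed): sensitivity level -> required modes.
VERIFICATION_MODE_LIBRARY = {
    "low": ["password"],
    "medium": ["password", "dynamic_token"],
    "high": ["password", "dynamic_token", "biometric"],
}


def node_sensitivity(factor, node):
    """Sensitivity recognition of one discrimination content node. A node that the
    division rule does not know is treated as maximally sensitive (fail closed)."""
    return FACTOR_RULES[factor].get(node, 1.0)


def weighted_sensitivity(description):
    """Factor weighted calculation: weighted mean of the per-factor node sensitivities."""
    return sum(FACTOR_WEIGHTS[f] * node_sensitivity(f, description[f]) for f in FACTOR_WEIGHTS)


def sensitivity_level(score):
    """Map a weighted score to the level expected by the verification mode library."""
    if score >= 0.7:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


def evaluate_request(resource):
    """Sensitivity evaluation of an access request for `resource`, then matching of the
    level to the target security verification modes. An unknown resource is scored
    as highest sensitivity rather than defaulting to the weakest verification."""
    features = DATA_ARCHITECTURE.get(resource)
    score = weighted_sensitivity(features) if features is not None else 1.0
    level = sensitivity_level(score)
    return {"resource": resource, "score": round(score, 3), "level": level,
            "verification_modes": VERIFICATION_MODE_LIBRARY[level]}


if __name__ == "__main__":
    for item in ("employees.ssn", "orders.amount", "catalog.name", "unknown.table"):
        print(evaluate_request(item))
```

The fail-closed defaults (unknown node or unknown resource scored as 1.0) are a design choice: a sensitivity discriminator that scores unrecognised data as low would route it to the weakest verification mode, which is the opposite of what the refined assessment in this step is meant to achieve.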
S2, carrying out multidimensional identity verification on the target user based on the target security verification mode to obtain a security verification result, and carrying out dynamic access right adjustment on the target user through the user access request information to obtain accessible right data information when the security verification result is passed. Specifically, according to the target security verification mode determined in step S1, a corresponding verification tool, system or service is prepared, and multidimensional identity verification is performed, that is, multiple different verification methods are adopted to verify the identity of the target user so as to improve the accuracy and security of the identity verification, including static password verification (requiring the user to input a static password), biometric identification (such as fingerprint or facial identification, acquiring the biometric information of the user through a biometric acquisition device and comparing it), dynamic token verification (such as a mobile phone verification code or dynamic password, sent to the user by short message, APP push or the like, which the user is required to input), and other verification methods (such as device fingerprint, IP address whitelist and the like). The result of each verification step, success or failure, is recorded; the results of all verification steps are summarized; and whether the identity verification of the target user passes is judged comprehensively according to the summarized verification results.
When the security verification result is passed, the purpose and context of the user's access are analyzed according to the user access request information (such as the requested resource, the request time, the role of the requester and the like); a permission adjustment policy is determined based on the role, historical behavior, requested resource sensitivity and other information of the user, including granting new permissions, raising the level of existing permissions, limiting certain permissions and the like; and the access permission of the target user is dynamically adjusted according to the determined permission adjustment policy, for example by updating the user permission table, session information and the like. The access right information of the user after dynamic adjustment is arranged into the accessible right data information, which is the specific access right information obtained after identity verification and right adjustment of the target user, and comprises the list of resources accessible to the user, the right level, the effective time and the like.
In a possible implementation manner, the step S2 of obtaining the accessible right data information further includes the step S21 of obtaining the role label information of the target user, and determining the role right information of the target user based on matching between the role label information and a system role right library. Specifically, role tag information (information for identifying roles played by the user in the system) of the target user is obtained from user authentication information or user data, such as an 'HR manager', 'project manager', and the like, and corresponding role authorities are searched in a predefined system role authority library according to the role tag information of the user, wherein the system role authority library is a database or configuration file storing all roles and corresponding authorities in the system and comprises access authority sets owned by different roles. And extracting authority information matched with the role label information from a system role authority library to obtain target user role authority information, wherein the target user role authority information defines a data range, an operation type and the like which can be accessed by a target user. S22, identifying the context environment of the target user and obtaining the access context environment characteristic information. Specifically, context environment data related to access of the target user is collected, where the context environment refers to an environment in which the user performs an access operation, and includes a physical environment (such as location, time) and a network environment (such as device information, network state), and the like. 
And extracting key characteristic information from the collected context environment data, namely accessing the context environment characteristic information, wherein the accessing context environment characteristic information describes the attribute and state of the environment and is used for judging whether the accessing environment of the target user meets the preset safety requirement. S23, performing access right matching on the access context environment characteristic information according to a preset environment access rule to obtain target environment access right information. Specifically, a series of environment access rules are preset according to the security policy and the actual requirement of an organization, wherein the environment access rules are rules or policies for judging what access rights the user should have under different environments. The extracted access context environment characteristic information is matched with a preset environment access rule, the access authority which the target user should have in the current environment is determined, the target environment access authority information is generated according to the matching result, and the target environment access authority information describes the data range, the operation type and the like which the target user can access in the current environment. S24, performing content mapping on the intersection of the target user role authority information and the target environment access authority information and the user access request information to obtain the accessible authority data information. 
Specifically, an intersection operation is performed on the target user role authority information determined in step S21 and the target environment access authority information determined in step S23 to obtain the authority set actually accessible to the user in the current environment; content mapping is performed between the obtained accessible authority set and the user access request information, that is, whether the access request of the target user is within the accessible authority range is checked; and the final accessible authority data information is generated according to the result of the content mapping: if the access request of the user is within the accessible authority range, access is allowed, and otherwise access is denied. According to this implementation, by combining the role authority information of the user with the context environment characteristic information, whether the access request of the target user is legitimate is accurately judged, so that unauthorized access and data leakage are effectively prevented, and the technical effect of flexibly obtaining the accessible authority data information according to the requirements of different users and environments, on the premise of meeting the security requirement, is achieved.
In a possible implementation manner, the step S24 of obtaining the accessible right data information further includes performing factor authority division on each system role in the system role authority library according to the data description factor information, and obtaining a system role factor authority tag set. Specifically, the data descriptive factor information in the system is analyzed, including data type, data hierarchy, data dimension and source range, and according to the data descriptive factor information, factor authority division is performed on each system role in the system role authority library, for example, an access hierarchy label (such as "read only", "read write" and the like) of the corresponding data descriptive factor information is allocated to each system role. And integrating the factor authority dividing result of each system role into a set, namely a system role factor authority label set, wherein the system role factor authority label set comprises access authority information of each system role under different data description factor information. And mapping and matching the system role factor authority label set and the target access data architecture information to obtain a system role authority access data content set. Specifically, mapping and matching are performed on the system role factor authority label set and target access data architecture information (such as database table structures, data fields and the like), specific data content accessible by each system role under the target access data architecture information is determined through mapping and matching, and accessible data content of all the system roles is integrated into one set, namely, the system role authority access data content set. And carrying out content division on the target access data architecture information according to the preset environment access rule to obtain an environment authority access data content set. 
Specifically, content division is performed on the target access data architecture information according to a preset environment access rule, where the preset environment access rule defines the data access rights under different environments based on the context environment of the target user; the data contents accessible under a specific environment are determined through the content division, and the data contents accessible under all environments are integrated into one set, namely the environment authority access data content set. The target user role authority information is then matched and intersected with the system role authority access data content set, and the target environment access authority information is matched and intersected with the environment authority access data content set, to obtain accessible data intersection content information. Specifically, the target user role authority information is matched with the system role authority access data content set and an intersection is obtained, which represents the data content accessible to the target user under the role authority; the target environment access authority information is matched with the environment authority access data content set, and the resulting intersection represents the data content accessible to the target user under the specific environment. An intersection operation is then carried out again on the two intersections to obtain the final accessible data intersection content information, which represents the data content actually accessible to the target user under the current role and environment. Content mapping is then carried out between the accessible data intersection content information and the user access request information to obtain the accessible right data information.
Specifically, based on the accessible data intersection content information, content mapping is carried out with the user access request information, whether the access request of the target user is within the accessible authority range of the target user is checked, and the final accessible right data information is generated according to the content mapping result: if the access request of the target user is within the accessible authority range, the target user is allowed access; otherwise, access is refused. This implementation combines the system role authority and the context environment authority, so that the access authority of the target user to the data is controlled more accurately, the requirements of different users and environments can be met, and the technical effect of ensuring the security and compliance of data access is achieved.
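The role/environment intersection and the content mapping of step S24 can be illustrated with the following Python example. It is added here for illustration and is not code from the patent: the role library, the permission tags of the form "resource:operation", the environment rule keyed on a "network" and "working_hours" context, and the function names are all hypothetical. The example goes slightly beyond the text by also showing what happens for a role absent from the library (an empty accessible set, hence a denial).

```python
# Added example (not the patent's own code): intersection of role-based and
# environment-based permissions followed by a content-mapping check of the request.
# Permission tags, roles, context keys and the environment rule are hypothetical.
from dataclasses import dataclass

# Hypothetical system role authority library: role -> "resource:operation" tags,
# standing in for the system role authority access data content set.
SYSTEM_ROLE_LIBRARY = {
    "analyst": {"sales_db.orders:read", "sales_db.customers:read"},
    "dba": {"sales_db.orders:read", "sales_db.orders:write",
            "sales_db.customers:read", "sales_db.customers:write"},
}

# All content tags of the (hypothetical) target access data architecture.
ALL_CONTENT = set().union(*SYSTEM_ROLE_LIBRARY.values())


def environment_permissions(context):
    """Content division of the data architecture by a hypothetical preset environment rule.

    context keys (constructed): "network" in {"corporate", "vpn", other} and
    "working_hours" (bool). Returns the environment authority access data content set.
    """
    if context.get("network") == "corporate":
        perms = set(ALL_CONTENT)
    elif context.get("network") == "vpn":
        perms = {p for p in ALL_CONTENT if p.endswith(":read")}
    else:
        perms = set()
    if not context.get("working_hours", True):
        # Outside working hours only read access survives, whatever the network.
        perms = {p for p in perms if p.endswith(":read")}
    return perms


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    accessible: frozenset   # the accessible right data information
    reason: str


def decide_access(role_tags, context, request):
    """S24: role permissions (S21) intersected with environment permissions (S23),
    then the request is mapped onto the resulting accessible set."""
    role_perms = set()
    for role in role_tags:
        role_perms |= SYSTEM_ROLE_LIBRARY.get(role, set())
    env_perms = environment_permissions(context)
    accessible = frozenset(role_perms & env_perms)
    wanted = f"{request['resource']}:{request['operation']}"
    if wanted in accessible:
        return AccessDecision(True, accessible, "request within accessible range")
    return AccessDecision(False, accessible, f"{wanted} outside accessible range")


if __name__ == "__main__":
    d = decide_access(["dba"], {"network": "vpn", "working_hours": True},
                      {"resource": "sales_db.orders", "operation": "write"})
    print(d.allowed, d.reason)
```

The decision carries the full accessible set alongside the verdict so that the same object can be handed to the monitoring step of S3; a denial for an unknown role falls out naturally because its role permission set is empty.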
S3, carrying out access monitoring on the accessible right data information through the target user, obtaining user access behavior information, carrying out anomaly analysis on the user access behavior information, and obtaining anomaly access behavior characteristic information. Specifically, after the target user passes the identity verification and obtains the accessible right data information, an access monitoring mechanism for the target user is started, and all user access behavior information of the target user is monitored in real time. The user access behavior information is all behavior data generated when the target user accesses the system, including access time, accessed resources, access modes (such as reading, writing and executing), operation frequency and the like, and this information is recorded in a log or a database. The user access behavior information is collected from the monitoring log or the database periodically or in real time, and the collected data is cleaned, integrated and formatted to ensure the accuracy and consistency of the data. According to the business requirements and security policies, it is defined which user access behaviors are regarded as abnormal, such as an abnormally high access frequency, access outside working hours, and unauthorized access to sensitive resources; a user access behavior analysis model is established using a data analysis tool or a machine learning algorithm, the user access behavior analysis model identifying abnormal behaviors based on a statistical method, a rule engine or a machine learning algorithm (such as an anomaly detection algorithm); and the user access behavior information is input into the user access behavior analysis model, anomaly analysis is executed, and abnormal user access behaviors are identified.
Abnormal access behavior characteristic information, namely the key characteristics or attributes describing the abnormal access behavior, such as the type, occurrence time and related resources of the abnormal behavior, is then extracted from the detected abnormal access behavior.
In one possible implementation manner, the step S3 of acquiring the abnormal access behavior feature information further comprises a step S31 of acquiring a system access database, defining an abnormal behavior recognition rule to perform abnormal feature labeling on the system access database, and acquiring a system access abnormal behavior feature sample set. Specifically, all user access behavior data in the system, including user ID, access time, accessed resources, operation type and the like, are collected and recorded to form the system access database. According to the service requirements and the security policy, a series of abnormal behavior recognition rules are defined, such as an excessively high access frequency, access to unauthorized resources, and access in abnormal time periods. Abnormal feature labeling is performed on the access behaviors in the system access database using the defined abnormal behavior recognition rules, and the data records conforming to the abnormal behavior rules are labeled to form the system access abnormal behavior feature sample set. S32, performing model convergence training on the system access abnormal behavior feature sample set to construct an abnormal access behavior feature recognition model, wherein the abnormal access behavior feature recognition model comprises an abnormal behavior pattern recognition model and an abnormal behavior degree recognition model.
Specifically, a machine learning model is trained using the labeled system access abnormal behavior feature sample set, the model parameters are continuously adjusted and the model performance is optimized so that abnormal access behaviors can be accurately identified; after training is completed, the abnormal access behavior feature recognition model is constructed. The abnormal access behavior feature recognition model comprises two sub-models: the abnormal behavior pattern recognition model is used for identifying whether a user access behavior conforms to an abnormal behavior pattern, for example frequent access to unauthorized resources, and the abnormal behavior degree recognition model is used for evaluating the degree of abnormality of the user access behavior, such as the abnormal access frequency and the abnormal access duration. S33, carrying out anomaly analysis on the user access behavior information based on the abnormal access behavior feature recognition model, and outputting the abnormal access behavior feature information. Specifically, the user access behavior information is input into the abnormal access behavior feature recognition model for anomaly analysis; the abnormal access behavior feature recognition model judges whether an abnormal behavior pattern exists according to the user access behavior data and evaluates the degree of the abnormal behavior, and after the analysis is completed it outputs the abnormal access behavior feature information, which comprises the abnormal behavior type, the abnormal degree, the related user information, the abnormal time and the like.
According to the implementation mode, the system can automatically identify and evaluate the abnormal characteristics in the access behaviors of the user by constructing the abnormal access behavior characteristic identification model, so that the technical effect of improving the accuracy and efficiency of the abnormal analysis is achieved.
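The monitoring and anomaly analysis of step S3 and the sub-steps S31 to S33 can be worked through in one Python example, added here for illustration and not taken from the patent. The access database, the thresholds (five accesses per user per hour, working hours 09:00 to 17:59), the per-user authorized-resource table and the feature names are all constructed; the pattern sub-model is a perceptron trained until an epoch makes no mistake, which stands in for the "model convergence training" of S32, and the degree sub-model is a weighted excess over the rule thresholds.

```python
# Added example (not the patent's own code): rule-based labelling of a constructed
# access database (S31), perceptron training to convergence for the pattern model plus a
# weighted degree model (S32), and anomaly analysis that outputs feature information (S33).
# All records, thresholds and the authorised-resource table are constructed/hypothetical.
from collections import defaultdict

# Constructed system access database: (user_id, ISO timestamp, resource, operation)
ACCESS_DB = [
    ("alice", "2024-05-06T10:02:00", "sales.orders", "read"),
    ("alice", "2024-05-06T10:15:00", "sales.orders", "read"),
    ("alice", "2024-05-06T10:40:00", "sales.orders", "write"),
    ("bob",   "2024-05-06T14:05:00", "sales.orders", "read"),
    ("bob",   "2024-05-06T14:50:00", "sales.orders", "read"),
    ("bob",   "2024-05-06T09:30:00", "hr.salaries",  "read"),
    ("dave",  "2024-05-06T23:10:00", "sales.orders", "read"),
    ("alice", "2024-05-06T15:20:00", "hr.salaries",  "read"),
] + [("carol", f"2024-05-06T11:{m:02d}:00", "sales.orders", "read") for m in range(0, 40, 5)]

# Hypothetical abnormal behaviour recognition rules
FREQ_THRESHOLD = 5            # more than this many accesses per user per hour is abnormal
WORK_HOURS = range(9, 18)     # 09:00-17:59
AUTHORIZED = {"alice": {"sales.orders"}, "bob": {"sales.orders", "hr.salaries"},
              "carol": {"sales.orders"}, "dave": {"sales.orders"}}
FEATURE_NAMES = ("high_frequency", "off_hours", "unauthorized_resource")


def windows(records):
    """Clean/integrate: group records per user and clock hour, return feature vectors."""
    groups = defaultdict(list)
    for user, ts, resource, op in records:
        groups[(user, ts[:13])].append((resource, op))   # key: user + "YYYY-MM-DDTHH"
    out = []
    for (user, hour_key), items in sorted(groups.items()):
        hour = int(hour_key[11:13])
        x = [len(items) / FREQ_THRESHOLD,
             0.0 if hour in WORK_HOURS else 1.0,
             1.0 if any(r not in AUTHORIZED.get(user, set()) for r, _ in items) else 0.0]
        out.append((user, hour_key, x))
    return out


def label(x):
    """S31: rule-based abnormal feature labelling (1 = abnormal)."""
    return 1 if x[0] > 1.0 or x[1] == 1.0 or x[2] == 1.0 else 0


def train_pattern_model(samples, lr=0.1, max_epochs=1000):
    """S32: perceptron trained until an epoch makes no mistake (model convergence)."""
    w, b = [0.0, 0.0, 0.0], 0.0
    for _ in range(max_epochs):
        errors = 0
        for x, y in samples:
            pred = 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0
            if pred != y:
                errors += 1
                w = [wi + lr * (y - pred) * xi for wi, xi in zip(w, x)]
                b += lr * (y - pred)
        if errors == 0:
            return w, b, True
    return w, b, False


def degree(x):
    """S32: abnormal behaviour degree model, a weighted excess over the rule thresholds."""
    return round(max(0.0, x[0] - 1.0) * 1.0 + x[1] * 0.5 + x[2] * 2.0, 3)


def analyse(records, model):
    """S33: output abnormal access behaviour feature information for flagged windows."""
    w, b, _ = model
    findings = []
    for user, hour_key, x in windows(records):
        if sum(wi * xi for wi, xi in zip(w, x)) + b > 0:
            fired = [x[0] > 1.0, x[1] == 1.0, x[2] == 1.0]
            types = [name for name, hit in zip(FEATURE_NAMES, fired) if hit]
            findings.append({"user": user, "time": hour_key, "types": types, "degree": degree(x)})
    return findings


def build_model(records=ACCESS_DB):
    """S31 + S32 over the constructed database: label, then train to convergence."""
    samples = [(x, label(x)) for _, _, x in windows(records)]
    return train_pattern_model(samples)


if __name__ == "__main__":
    for finding in analyse(ACCESS_DB, build_model()):
        print(finding)
```

On the constructed database the trained model flags three windows: carol (eight accesses in one hour), dave (access at 23:10) and alice's 15:00 window (hr.salaries is not in her authorized set), each with the abnormal type, the time window and a degree value, which is exactly the tuple of type, degree, user and time that S33 describes.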
S4, carrying out access control analysis on the abnormal access behavior characteristic information to obtain a data security access policy, and carrying out access restriction protection on the accessible right data information based on the data security access policy. Specifically, through data mining and pattern recognition technology, the patterns in the abnormal access behavior characteristic information are analyzed, possible attack behaviors or security risks are recognized, risk assessment is carried out on the access behaviors of the target user according to the recognized attack behaviors or security risks, and the potential threat degree of the access behaviors to the security of the system data is determined. Based on the risk assessment result and the existing security policy, a data security access policy is formulated; the data security access policy is formulated according to the access control analysis result, is used for limiting the access authority of the user and protecting the security of the system data, and defines the specific mode and degree of the limitation. The accessible right data information of the user is then updated according to the data security access policy, the access authority of the target user to specific resources is limited to prevent unauthorized access and data leakage, and the new access control rule is implemented at the access control layer of the system so that the user can only access according to the updated accessible right data information. The access behaviors of the target user are continuously monitored to ensure the effective execution of the data security access policy, and if a new abnormal access behavior is found, the data security access policy is re-analyzed and adjusted.
The embodiment of the application adopts the technical means of sensitivity evaluation, multidimensional identity verification, dynamic access right adjustment, access monitoring, exception analysis, access control analysis, access limit protection and the like, realizes the dynamic adjustment of the access right and the real-time monitoring of the access behavior of a user, achieves the technical effects of improving the data security protection effect and effectively reducing the data leakage and illegal access risk.
In one possible implementation manner, the method for obtaining the data security access policy further comprises obtaining a security access policy library, wherein the security access policy library comprises historical abnormal access behavior characteristic data and corresponding security access policies. Specifically, the security access policy library of the system is obtained; it contains historical abnormal access behavior characteristic data and the corresponding security access policies formulated for those abnormal behaviors, new abnormal access behavior data and their corresponding policies are continuously added to the security access policy library over time, and outdated data can be removed or updated to keep the validity and timeliness of the security access policy library. Similarity analysis is then carried out between the abnormal access behavior characteristic information and the security access policy library, and a security access policy set within a preset similarity threshold is acquired. Specifically, after the new abnormal access behavior feature information is identified, similarity analysis is performed between it and the historical abnormal access behavior feature data in the security access policy library; a similarity threshold is preset, and when the similarity between the new feature and a feature in the security access policy library reaches the similarity threshold, the two are considered similar. The historical abnormal access behavior characteristic data whose similarity to the new characteristic satisfies the preset similarity threshold are found through the similarity analysis, and the corresponding security access policies are acquired to form the security access policy set.
A multidimensional protection test is then carried out on the security access policy set to obtain an access policy security protection effect set, and the data security access policy is obtained by screening according to the access policy security protection effect set. Specifically, the obtained security access policy set is subjected to a multidimensional protection test, including a functional test (verifying whether the policy can be correctly executed), a performance test (testing the execution efficiency and response time of the policy), a security test (simulating attacks to verify the security of the policy), and the like. The security protection effect of each access policy is evaluated through the tests, and the access policy security protection effect set is generated. The policy with the best security protection effect is screened from the access policy security protection effect set according to the evaluation result and taken as the data security access policy. According to this implementation, new abnormal access behaviors can be responded to quickly by constructing and maintaining the security access policy library, and a suitable coping policy is provided based on historical experience; at the same time, the multidimensional protection test ensures that the selected policy is effective and secure, so that the security of the data resources is protected to the greatest extent, and the technical effects of improving the response speed and accuracy of the system and reducing the data security risk caused by an improper policy are achieved.
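The policy selection of step S4, from the similarity lookup in the policy library through the multidimensional protection test to the restriction of the accessible right data information, can be illustrated with the following Python example. It is added here and is not the patent's code: the library entries, the use of Jaccard similarity over abnormal-type tags with a threshold of 0.5, the three test dimensions with their weights, and the unit-cost performance model are all hypothetical stand-ins for the functional, performance and security tests the text describes.

```python
# Added example (not the patent's own code): similarity lookup in a security access
# policy library, a multidimensional protection test, screening of the best-scoring
# policy, and application of the chosen policy to the accessible right data information.
# Library entries, weights, threshold and the cost model are hypothetical.

# Hypothetical security access policy library: historical abnormal behaviour feature tags
# plus the policy formulated for them ("deny" removes permission tags, "throttle" rate-limits).
POLICY_LIBRARY = [
    {"tags": {"high_frequency"}, "covers": {"high_frequency"},
     "policy": {"name": "rate_limit", "deny": set(), "throttle": True}},
    {"tags": {"unauthorized_resource"}, "covers": {"unauthorized_resource"},
     "policy": {"name": "revoke_resource",
                "deny": {"hr.salaries:read", "hr.salaries:write"}, "throttle": False}},
    {"tags": {"high_frequency", "unauthorized_resource"},
     "covers": {"high_frequency", "unauthorized_resource"},
     "policy": {"name": "throttle_and_revoke", "deny": {"hr.salaries:read"}, "throttle": True}},
    {"tags": {"high_frequency", "unauthorized_resource", "off_hours"},
     "covers": {"high_frequency", "unauthorized_resource", "off_hours"},
     "policy": {"name": "lock_account",
                "deny": {"sales.orders:read", "sales.orders:write", "hr.salaries:read"},
                "throttle": False}},
    {"tags": {"off_hours"}, "covers": {"off_hours"},
     "policy": {"name": "off_hours_block", "deny": {"sales.orders:write"}, "throttle": False}},
]

SIMILARITY_THRESHOLD = 0.5                          # hypothetical preset threshold
W_FUNCTIONAL, W_PERFORMANCE, W_SECURITY = 0.3, 0.2, 0.5   # hypothetical test weights


def jaccard(a, b):
    """Similarity between two sets of abnormal behaviour feature tags."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def candidate_policies(tags, library=POLICY_LIBRARY, threshold=SIMILARITY_THRESHOLD):
    """Security access policy set: library entries whose similarity reaches the threshold."""
    return [e for e in library if jaccard(tags, e["tags"]) >= threshold]


def protection_effect(entry, tags, accessible):
    """Multidimensional protection test (functional, performance, security) as one score."""
    policy = entry["policy"]
    targets = policy["deny"]
    # functional: every restriction must act on a permission the user actually holds
    functional = 1.0 if not targets else len(targets & accessible) / len(targets)
    # performance: hypothetical cost of one unit per enforcement action
    actions = len(targets) + (1 if policy["throttle"] else 0)
    performance = 1.0 / (1 + actions)
    # security: fraction of the observed abnormal types the policy is designed to counter
    security = len(entry["covers"] & tags) / len(tags) if tags else 1.0
    return round(W_FUNCTIONAL * functional + W_PERFORMANCE * performance
                 + W_SECURITY * security, 4)


def select_policy(tags, accessible, library=POLICY_LIBRARY):
    """Screen the candidate set by protection effect; returns (policy, effect) or (None, 0.0)."""
    scored = [(protection_effect(e, tags, accessible), e["policy"])
              for e in candidate_policies(tags, library)]
    if not scored:
        return None, 0.0
    effect, policy = max(scored, key=lambda s: s[0])
    return policy, effect


def apply_policy(accessible, policy):
    """Access restriction protection: return the updated accessible set and throttle flag."""
    if policy is None:
        return frozenset(accessible), False
    return frozenset(accessible - policy["deny"]), policy["throttle"]


if __name__ == "__main__":
    acc = frozenset({"sales.orders:read", "sales.orders:write", "hr.salaries:read"})
    chosen, effect = select_policy({"high_frequency", "unauthorized_resource"}, acc)
    print(chosen["name"], effect, apply_policy(acc, chosen))
```

For abnormal types {high_frequency, unauthorized_resource} four library entries pass the threshold; the combined "throttle_and_revoke" policy scores highest (0.8667) because it counters both observed types with the fewest enforcement actions, and applying it removes only the unauthorized permission while enabling throttling. When no historical entry is similar enough, select_policy returns no policy, which is the case where the text's re-analysis and policy adjustment would have to formulate a new entry for the library.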
In the above, an access control method for data security protection according to an embodiment of the present invention is described in detail with reference to fig. 1. Next, an access control system for data security protection according to an embodiment of the present invention will be described with reference to fig. 2.
The access control system for data security protection according to the embodiment of the invention is used for solving the technical problems that the security protection effect is low and the data leakage risk exists in the existing data access control, and achieving the technical effects of improving the data security protection effect and effectively reducing the data leakage and illegal access risk. The access control system for data security protection comprises a target security verification mode acquisition module 10, an accessible right data information acquisition module 20, an abnormal access behavior characteristic information acquisition module 30 and an access limit protection module 40.
The target security verification mode acquisition module 10 is used for acquiring user access request information, performing sensitivity evaluation on the user access request information to acquire access data sensitivity information, and matching the access data sensitivity information with a security verification mode library based on the access data sensitivity information to acquire a target security verification mode;
The accessible right data information obtaining module 20 is configured to perform multidimensional identity verification on a target user based on the target security verification mode, obtain a security verification result, and perform dynamic access right adjustment on the target user through the user access request information when the security verification result is passed, so as to obtain accessible right data information;
The abnormal access behavior feature information obtaining module 30 is configured to obtain user access behavior information by performing access monitoring on the accessible right data information by the target user, and perform abnormal analysis on the user access behavior information to obtain abnormal access behavior feature information;
The access limit protection module 40 is configured to perform access control analysis on the abnormal access behavior feature information, obtain a data security access policy, and perform access limit protection on the accessible right data information based on the data security access policy.
Next, the specific configuration of the target security verification mode acquisition module 10 will be described in detail. As described above, the target security verification mode acquisition module 10 may further include an access data parsing unit configured to obtain a target access data system and parse the access data of the target access data system to obtain target access data architecture information; a data descriptor information constructing unit configured to construct data descriptor information, where the data descriptor information includes a data type, a data hierarchy, a data dimension and a source range; a feature describing unit configured to perform feature description on each access data item in the target access data architecture information based on the data descriptor information to obtain target access data description feature information; and a sensitivity evaluating unit configured to construct a data sensitivity discriminator based on the target access data description feature information and to perform sensitivity evaluation on the user access request information based on the data sensitivity discriminator to obtain the access data sensitivity information.
The data sensitivity discriminator is constructed by the sensitivity evaluation unit, which can further comprise a discriminating content recognition subunit, a sensitivity dividing subunit, a sensitivity recognition subunit and a data sensitivity discriminator training construction subunit. The discriminating content recognition subunit is used for discriminating the content of the data descriptive factor information based on the target access data descriptive factor characteristic information to obtain a data descriptive factor discriminating content node set; the sensitivity dividing subunit is used for dividing the data descriptive factor information according to data management standards to define a data descriptive factor sensitivity dividing rule; the sensitivity recognition subunit is used for discriminating the data descriptive factor discriminating content node set based on the data descriptive factor sensitivity dividing rule to obtain a data content node descriptive factor sensitivity set; and the data sensitivity discriminator training construction subunit is used for carrying out factor weighted calculation on the data content node descriptive factor sensitivity set to obtain a data content node sensitivity information set, and for training and constructing the data sensitivity discriminator based on the data descriptive factor discriminating content node set and the data content node sensitivity information set.
Next, the specific configuration of the accessible right data information acquisition module 20 will be described in detail. As described above, the accessible right data information obtaining module 20 may further include a target user role right information determining unit configured to obtain role tag information of the target user, determine target user role right information based on matching the role tag information and a system role right library, an access context feature information obtaining unit configured to identify a context of the target user to obtain access context feature information, an access right matching unit configured to perform access right matching on the access context feature information according to a preset context access rule to obtain target environment access right information, and a content mapping unit configured to perform content mapping on an intersection of the target user role right information and the target environment access right information with the user access request information to obtain the accessible right data information.
The content mapping unit can further comprise a factor authority dividing subunit for dividing factor authorities of all system roles in the system role authority library according to the data description factor information to obtain a system role factor authority label set, a mapping matching subunit for mapping and matching the system role factor authority label set with the target access data architecture information to obtain a system role authority access data content set, a content dividing subunit for dividing the target access data architecture information according to the preset environment access rule to obtain an environment authority access data content set, a matching and intersection subunit for matching and intersecting the target user role authority information with the system role authority access data content set and the target environment access authority information with the environment authority access data content set to obtain accessible data intersection content information, and an accessible authority data information obtaining subunit for performing content mapping with the user access request information based on the accessible data intersection content information to obtain the accessible authority data information.
Next, the specific configuration of the abnormal access behavior feature information acquisition module 30 will be described in detail. As described above, the abnormal access behavior feature information obtaining module 30 may further include an abnormal feature labeling unit configured to collect and obtain a system access database, define an abnormal behavior recognition rule, perform abnormal feature labeling on the system access database to obtain a system access abnormal behavior feature sample set, and an abnormal access behavior feature recognition model building unit configured to perform model convergence training on the system access abnormal behavior feature sample set to build an abnormal access behavior feature recognition model, where the abnormal access behavior feature recognition model includes an abnormal behavior pattern recognition model and an abnormal behavior degree recognition model, and an abnormal analysis unit configured to perform abnormal analysis on the user access behavior information based on the abnormal access behavior feature recognition model, and output the abnormal access behavior feature information.
Next, the specific configuration of the access restriction protection module 40 will be described in detail. As described above, the access restriction protection module 40 may further include a security access policy library obtaining unit configured to obtain a security access policy library, where the security access policy library includes historical abnormal access behavior feature data and corresponding security access policies, a similarity analysis unit configured to perform similarity analysis with the security access policy library based on the abnormal access behavior feature information to obtain a security access policy set within a preset similarity threshold, and a screening unit configured to perform multidimensional protection test on the security access policy set to obtain an access policy security protection effect set, and screen to obtain the data security access policy according to the access policy security protection effect set.
The access control system for data security protection provided by the embodiment of the invention can execute the access control method for data security protection provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Although the present application makes various references to certain modules in a system according to an embodiment of the present application, any number of different modules may be used and run on a user terminal and/or a server; the units and modules included are merely divided according to functional logic and are not limited to the above-described division, so long as the corresponding functions can be implemented. In addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not intended to limit the scope of protection of the present application.
The above embodiments do not limit the scope of the present application. It will be apparent to those skilled in the art that various modifications, combinations, and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application should be included in the scope of the present application. In some cases, the acts or steps recited in the present application may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.