CN104811442A - Access control method based on feedback evaluation mechanism - Google Patents

Abstract

The invention discloses an access control method based on a feedback evaluation mechanism, the steps of which are as follows: 1) establishing a grading standard for credit evaluation of a subject's access behavior to form a state space of a Markov chain; The evaluation level information of the behavior, the initial distribution of each evaluation state obtained by the subject; 3) The evaluation state information of the subject at the current moment is compared with the evaluation state information of the previous moment, and a state transition matrix is established; 4) According to the state transition matrix Calculate the absolute probability distribution of the subject's next access behavior based on the initial distribution of the evaluation state; 5) Determine the evaluation level of the subject's upcoming access behavior according to the principle of maximum probability; then judge whether the evaluation level belongs to the access feedback evaluation required by the access authority Grade collection. If yes, access is granted; otherwise, access is denied. The method of the invention can effectively avoid the risk of access fraud and realize the security management of access authority.

Description

An Access Control Method Based on Feedback Evaluation Mechanism

technical field

The invention belongs to the field of computer network security, and in particular relates to an access control method based on a feedback evaluation mechanism.

Background technique

In an open network environment, the access behavior of entities has strong autonomy and uncertainty. Entities can join a network at any time to obtain resources and services, and can also disconnect from the network at any time. Certain access requests of entities may have malicious intentions, and direct execution of access may cause destructive consequences to resources. Ensuring the security of access to resources or services has become a key issue in open networks.

In an open network environment, some important resource access decisions not only have "quality" attributes, but also "quantity" attributes. However, in the current research on access control strategies, many scholars pay more attention to the "quality" attribute of access control permissions, while ignoring the "quantity" attribute of access control permissions.

The state of development of things is always changing with the passage of time. Applying the theory of Markov process, the probability law of stochastic process is summarized from the measured time series, mainly taking the transition probability between states as the research object. When the state and time of the development of things are both discrete, the Markov process is called a Markov chain. Its most basic feature is "no aftereffect", that is, on the premise that the "current" state of the system is known, its "future" state development has nothing to do with "history". The basic idea of applying the Markov chain model to solve the problem of predicting the development of things is that if the time series of a certain system with various states is regarded as a Markov chain, then the n+1th state can be inferred according to the state at the nth moment state of a moment. In recent years, the Markov chain prediction model has been widely used in web browsing behavior prediction, network security detection and analysis and other research.

The visit feedback and evaluation mechanism is to evaluate the integrity of each visit behavior of the subject, conduct post-event evaluation according to the visit results, and record the visit feedback and evaluation results in detail.

From the perspective of the "quantity" attribute of the access control authority, according to the feedback and evaluation data owned by the object, the Markov model is used to predict the integrity of the access behavior, which provides a decision-making basis for this access authority control.

Contents of the invention

The purpose of the present invention is to provide an access control method based on a feedback evaluation mechanism. The subject's access behavior prediction is abstracted as a Markov model, and the Markov chain is used to predict the integrity of the subject's access behavior. According to the feedback and evaluation data owned by each object in the network, a certain amount of historical feedback and evaluation data for the subject of this visit is selected from it to form a visit feedback and evaluation status table, which reflects the dynamic changes of the subject's visit behavior. Citing the transition probability matrix, the Markov model is used to predict the integrity of the subject's access behavior, and the granting of access rights is judged based on the integrity. The method applies the historical access feedback data, can effectively avoid the risk of access fraud, and realize the security management of access control authority.

The present invention adopts the following technical solutions.

1. Classification of Visit Feedback Evaluation Levels

Based on the access rights granted to the subject, the object makes feedback and evaluation on the satisfaction degree of the subject's visit with reference to the visit results implemented by the subject. The evaluation results of visit feedback are divided into m grades such as honesty, fraud and non-fraud, which are represented by K ₀ , K ₁ , ..., K _m-1 respectively, and each grade corresponds to a satisfaction interval of visit feedback, as shown in Table 1.

Table 1 Evaluation grades of interview feedback satisfaction

Wherein, 0≤α _i <α _i+1 ≤1, 0≤i≤m-1.

2. Construction of object evaluation table

An object evaluation table is established for each object to store the historical information of all subjects who have visited the object. The table structure mainly includes: subject IP address, access time, access authority, feedback satisfaction and feedback evaluation level and other information.

When the subject visits the object, the object searches the evaluation table of the object according to the subject identification such as IP, and if the first access history record of the subject is found in the evaluation table, the information of this visit is inserted before the history information of the last visit; Otherwise, if the last record of the evaluation table is found, and there is no historical access information of the subject, it means that the subject visits the object for the first time, then add this access information record to the end of the object evaluation table. Only the object has the permission to write and modify the records of the object evaluation table, but other objects can read the relevant subject evaluation information.

3. Construction of subject access record table

In order to fully share the historical access behavior information of the subject in the application environment, a subject access record table is constructed in each subject to record all the object information that the subject has visited. The structure of the subject access record table includes: the identification of the accessed object, Visiting time and the address of the evaluation form of the interviewed object, etc. However, only the requested object has read and write access to the subject access record table.

Before allowing the subject to access, the object first looks up the subject's access record table. If you find your own historical records, verify your own relevant information, and update the access time and other information; otherwise, that is, the subject visits the object for the first time, then the object first adds information such as its own identity and the entry address of the object evaluation table to Subject access records.

4. Construction of Subject Feedback Evaluation Status Table

Assuming that the subject’s visit time is t _i , according to the subject’s visit record table, according to the order of visit time, select n different objects that the subject has visited, and read the object’s feedback evaluation level to the subject from the n object evaluation tables, etc. data, and save these data in the feedback evaluation status table. Wherein, the size of n is selected according to different system requirements. The feedback evaluation state table structure includes information such as access time, object IP and feedback evaluation level, as shown in Table 2.

Table 2 Access Feedback Evaluation Status Table

5. Access Behavior Prediction Based on Markov Chain

In an open network environment, the integrity of the subject is the embodiment of its access behavior. If the probability that a subject's current status is evaluated as honest is higher, then the probability that the subject will be predicted as honest access behavior next time is higher.

The honesty prediction algorithm of applying the Markov chain to the subject's access behavior is as follows:

(1) All possible m access feedback evaluation levels are given to the subject to form the state space of the Markov chain.

(2) Read the subject's visit record table, if the visit record table is empty, it means that the subject visits for the first time, then the subject's visit feedback evaluation level prediction is initially K _i , The algorithm ends; otherwise, read the access record table and the access evaluation table of related objects, and construct the current access feedback evaluation status table.

(3) According to the subject's current latest access feedback evaluation status table, calculate the probability distribution of each access feedback evaluation level, that is, the initial distribution of the access feedback evaluation status;

Assuming that at the current time t _i , there are n records in the access feedback evaluation state table, and the number of records whose access feedback evaluation level is K _i is U _i , then the probability of access feedback evaluation level K _i is p _i = U _i /n , the initial distribution of evaluation states at the current time t _i is P(0)=(p _i ), where i=0,1,...,m-1.

(4) For each object in the subject’s current access feedback evaluation state table, by looking up its object evaluation table, the last access feedback evaluation level given to the subject is obtained, and the feedback evaluation state table at the previous moment is formed. Compared with the current access feedback evaluation state table, the transition probability of each access feedback evaluation level to the rest of the access feedback evaluation levels is calculated, and a state transition matrix is established.

If the subject has only visited the object once, the feedback evaluation level of the subject's last visit cannot be obtained by looking up the object evaluation table. In view of this situation, the present invention adopts the method of initializing the evaluation level of the access feedback, that is, the last access feedback evaluation level of the subject is set to K _i ,

Assume that in the access feedback evaluation status table at the previous moment, the number of objects whose access feedback evaluation level is given as K _i is M _i , and The IPs of the objects are respectively IP_0, IP_1, . . . , IP_(M _i -1). If the number _of objects M _i =0 for the access feedback evaluation level _Ki = 0, it means that there is no object to give the evaluation level, then p _i =0; The number of objects for K _j is C _j , where j=0,1,...,m-1, then p _ij =C _j /M _i , i,j=0,1,...,m- 1. p _ij represents the probability that the object given access feedback evaluation level K _i will transfer to the current access feedback evaluation level K _j due to the change of subject’s access integrity behavior. P _ij =(p _ij ) _m×m is the transition matrix of the n objects to the subject's access feedback evaluation state.

(5) Based on the initial distribution P(0) of the access feedback evaluation state and the state transition matrix P, predict the absolute probability distribution of the subject’s access feedback evaluation state at the next moment: ^PT (1)= ^PT (0)·P;

(6) According to the absolute probability distribution of the predicted access feedback evaluation status, and according to the principle of maximum probability, determine the subject's access feedback evaluation level, that is, predict the integrity of the subject's next access behavior.

6. Access rights management

According to the principle of maximum membership degree, B=max(P ^T (1)), according to Table 1, it can be known that the next visit feedback evaluation level of the predictor is K _i . According to the authority management rules, if the set of access feedback evaluation levels required by authority prediction is R={K _j ,...,K _m-1 }, j=0,1,...m-1, then when K _i When ∈R, the subject's access is allowed; otherwise, the access is denied.

Compared with the prior art, the present invention has the following advantages:

This method introduces the access feedback evaluation mechanism. By applying the Markov model to the historical access feedback data, the "macroscopic" prediction of the subject's access integrity is realized, and based on the integrity, the granting and rejection of access rights are intuitively judged. The method can effectively avoid the risk of access fraud and realize the security management of access control rights.

Description of drawings

Accompanying drawing is the flowchart of the present invention.

Detailed ways

The present invention will be described in detail below through specific embodiments.

Specific application examples:

(1) Access feedback evaluation grade and feedback satisfaction, as shown in Table 3.

Table 3 Evaluation grades of interview feedback satisfaction

The object Object has three grantable access rights: {read}, {write} and {modify}. The set requirements of these three permissions on the predictive access evaluation level of the subject are: {non-fraud, integrity}, {integrity}, {integrity}.

Assuming that the Subject’s access request to the Object is {modify}, the response process of the Object is as follows:

(2) By querying the Subject visit record table and the related object evaluation table, construct the current visit feedback evaluation status table and the previous visit feedback evaluation status table, as shown in Table 4 and Table 5.

According to the statistics of Table 4, P ^T (0)=[0.2,0.2,0.6]

From the comparative analysis of Table 4 and Table 5, it can be seen that $P_{\mathrm{ij}}=\left[\begin{array}{ccc}0.0& 0.0& 1.0\\ 0.5& 0.0& 0.5\\ 0.0& 0.5& 0.5\end{array}\right]$

Table 4 Current Visit Feedback Evaluation Status Table

Table 5 Feedback and Evaluation Status Table of Visiting at the Previous Moment

(3) Obtain the absolute probability distribution of the evaluation state

${\mathrm{<span\; class="notranslate">\; P</span>}}^{\mathrm{<span\; class="notranslate">\; T</span>}}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; 1</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; =</span><span\; class="notranslate">\; [</span>\mathrm{<span\; class="notranslate">\; 0.2,0.2,0.6</span>}<span\; class="notranslate">\; ]</span><span\; class="notranslate">\; \&Center\; Dot;</span>\left[\begin{array}{ccc}\mathrm{<span\; class="notranslate">\; 0.0</span>}& \mathrm{<span\; class="notranslate">\; 0.0</span>}& \mathrm{<span\; class="notranslate">\; 1.0</span>}\\ \mathrm{<span\; class="notranslate">\; 0.5</span>}& \mathrm{<span\; class="notranslate">\; 0.0</span>}& \mathrm{<span\; class="notranslate">\; 0.5</span>}\\ \mathrm{<span\; class="notranslate">\; 0.0</span>}& \mathrm{<span\; class="notranslate">\; 0.5</span>}& \mathrm{<span\; class="notranslate">\; 0.5</span>}\end{array}\right]<span\; class="notranslate">\; =</span><span\; class="notranslate">\; [</span>\mathrm{<span\; class="notranslate">\; 0.1,0.3,0.6</span>}<span\; class="notranslate">\; ]</span><span\; class="notranslate">\; .</span>$

(4) Access rights management

According to the principle of maximum membership degree, B=max(P ^T (1))=0.6∈[0.5,0.7), it can be seen from Table 3 that the evaluation level of Subject’s next visit feedback is: non-fraud {Integrity}, therefore {Modify} access request is denied.

Claims (7)

1. An access control method based on a feedback evaluation mechanism, the steps of which are: 1) Establish a grading standard for the integrity evaluation of the subject's access behavior, and obtain the state space of the Markov chain; 2) Statistically determine the initial distribution of each evaluation state obtained by the subject according to the feedback and evaluation grade information of the objects visited by the subject; 3) Comparing the current evaluation state information of each object obtained by the subject with the previous evaluation state information, and establishing a state transition matrix; 4) According to the initial distribution of the state transition matrix and the evaluation state, calculate the absolute probability distribution of the subject's next visit behavior feedback evaluation level; 5) According to the absolute probability distribution of the feedback evaluation grade and according to the principle of maximum probability, determine the feedback evaluation grade of the subject's upcoming visit behavior; then judge whether the feedback evaluation grade belongs to the set of access feedback evaluation grades required by the authority; if so, Then allow the subject to access, and then conduct feedback and evaluation according to the results of the access behavior to generate access information; otherwise, deny the subject access. 2. the method for claim 1, is characterized in that, builds an access record table for each subject, is used for recording all object information that this subject has visited; Described subject access record table comprises: the identification of the access object, The access time and the address of the object evaluation table of the access object; an object evaluation table is established for each object to record the historical evaluation level information of the subject authorized to access. 3. The method according to claim 2, wherein, when the object allows the subject to visit, the object searches the object evaluation table, and if the subject's visit history is found, then the current visit information is inserted into the last time Before accessing the historical information; if the historical access information of the subject is not found, the current access information is added to the end of the object evaluation table. 4. The method according to claim 2 or 3, wherein the method for establishing the initial distribution is: according to the access record list of the subject, according to the order of access time, select n different objects that the subject has visited , and then read the object’s feedback evaluation level data on the subject from the object evaluation table of the n objects, and then save these data in the current feedback evaluation state table; then make statistics on the feedback evaluation state table to obtain the access The number of records with feedback evaluation level K _i is U _i , then the probability of accessing feedback evaluation level K _i is p _i =U _i /n, and the initial distribution of evaluation status at the current moment is P(0)=(p _i ), where , i=0,1,...,m-1. 5. the method for claim 4, is characterized in that, the method for setting up described state transition matrix is: 51) For each object in the subject's current feedback evaluation state table, by looking up its object evaluation table, the last access feedback evaluation level given to the subject is obtained, and the feedback evaluation state table at the previous moment is formed; 52) comparing the feedback evaluation state table at the previous moment with the current access feedback evaluation state table; Let M _i be the number of objects whose access feedback evaluation level is K _i given in the access feedback evaluation state table at the previous moment, and The IPs of the objects are IP_0, IP_1,..., IP_(M _i -1); for the M _i objects, the number of objects whose access feedback evaluation level is K _j at the current moment is counted as C _j , where j=0 ,1,...,m-1, then p _ij ＝C ^j / _{M i} , i,j=0,1,...,m-1; The probability of accessing the object of feedback evaluation level K _i to the current access feedback evaluation level K _j , and finally obtained P _ij =(p _ij ) _m×m as the state transition of the n objects to the subject’s access feedback evaluation state matrix. 6. The method as claimed in claim 5, wherein, if the last visit feedback evaluation grade of the subject is not obtained by searching the object evaluation table, then the last visit feedback evaluation grade of the subject is set as K _i , 7. The method according to claim 1, 5 or 6, characterized in that in step 4), the initial distribution P(0) of the access feedback evaluation state is multiplied by the state transition matrix P to predict the subject's next Absolute probability distribution of evaluation grades of behavioral feedback at time of visit.