CN106713313B

CN106713313B - An Access Control Method Based on Origin Graph Abstraction

Info

Publication number: CN106713313B
Application number: CN201611197934.4A
Authority: CN
Inventors: 许国艳; 杨少松; 王诗玉
Original assignee: Hohai University HHU
Current assignee: Hohai University HHU
Priority date: 2016-12-22
Filing date: 2016-12-22
Publication date: 2020-05-05
Anticipated expiration: 2036-12-22
Also published as: CN106713313A

Abstract

The invention discloses an access control method based on the abstraction of the origin graph. 1. Define a PROV model, use the PROV model to enable users to standardize the description of the origin information of data in various systems, and then build the origin graph according to the PROV model; 2. In On the basis of the origin graph obtained in step 1, using the concept of node grouping, four abstract operations of closure, extension, replacement and deletion are proposed, and formal definition and improvement are carried out to obtain an abstract graph that meets the PROV constraints; 3. Definition A series of access rules, use the access rules to mark the abstract graph obtained in step 2 and propose an evaluation strategy; 4. The set of marked nodes obtained in step 3 is finally obtained through the optimal partition algorithm and graph transformation algorithm. The access view corresponding to the user's corresponding permission access. The invention solves the problem of access control in data privacy, and corresponds to different access views according to the user's authority, so that the access result can ensure both security and completeness.

Description

Access control method based on origin graph abstraction

Technical Field

The invention belongs to the technical field of data privacy protection management, and particularly relates to an access control method based on origin graph abstraction.

Background

With the continuous development of large data, the process of querying origin information may face the risk of inadvertently revealing sensitive information, and therefore data security and privacy protection are important. Sensitive information can be abstracted by abstracting the origin graph to generate a user access view, so that an access control mechanism of a user is realized, data security and privacy data are guaranteed, and the integrity of the information is guaranteed.

Disclosure of Invention

The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides an access control method based on origin graph abstraction, which is used for solving the problems of data security and private data leakage and incapability of ensuring information integrity in user access control.

The invention discloses an access control method based on origin graph abstraction,

the method comprises the following steps: defining a data model, namely a PROV model, according to a W3C origin working group, utilizing the PROV model to enable a user to carry out standardized description on origin information of data in various systems, and extracting the relationship among the entity En, the activity Act, the used and wasGeneratedBy from the PROV model to establish an origin map based on the PROV model;

step two: on the basis of the origin graph obtained in the step one, four kinds of abstract operation operations of closing, expanding, replacing and deleting are proposed, formal definition and perfection are carried out, and an abstract graph meeting PROV constraint conditions is obtained;

step three: defining a series of access rules, including an access target, an access result and access elements, and formally defining the elements, marking the abstract graph obtained in the step two by using the access rules, and proposing two evaluation strategies of refusing priority and allowing priority;

step four: and finally obtaining an access view of the access of the corresponding user corresponding authority by the marked node set obtained in the third step through an optimal partitioning algorithm and a graph conversion algorithm.

Further, the node grouping in the second step is an editing operation for defining a graph, namely how to remove the specified node from the original source graph to generate a new effective source graph; the abstract graph refers to a series of nodes specified by a user are regarded as a group and then replaced by a new abstract node, and meanwhile, a new graph is obtained by modifying the relationship between the nodes and the new abstract node.

Further, the step of constructing the abstract map conforming to the PROV constraint condition in the step two is specifically as follows:

step 1.1: the PROV provenance graph research only comprises the relationships between an entity En and an active Act and between a used and a wasGeneratedBy, the operation is carried out as a homogeneous group aiming at the fact that abstract nodes are all of the same type, and the operation is carried out as a heterogeneous group aiming at the fact that the abstract nodes are not of the same type;

wherein, the homogeneous grouping replaces the new abstract node and the original node through four operations of closure, expansion, replacement and deletion, and forms the mutual relation between the new nodes;

step 1.2: the agent nodes at the periphery of the origin graph are analyzed and processed, and the packet operation related to the agent nodes is divided into three cases:

A) homogeneous packets containing only Ag proxy types: replacing the new abstract node and the original node through four operations of closure, expansion, replacement and deletion, and forming the interrelation between the new nodes;

B) heterogeneous packets containing two types, entity En and active Act: when the new abstract node type is an entity En, modifying the proxy node to ensure that the relationship between proxy nodes adjacent to the abstract node is wat; when the new abstract node type is the active Act, modifying the proxy node to ensure that the relationship between the proxy nodes adjacent to the abstract node is waw;

C) the heterogeneous packet contains three types of entity En, active Act and agent Ag: when the new abstract node type is an entity En, modifying the proxy node to ensure that the relationship between proxy nodes adjacent to the abstract node is wat; when the new abstract node type is the active Act, modifying the proxy node to ensure that the relationship between the proxy nodes adjacent to the abstract node is waw; when the new abstract node type is the proxy Ag, mapping the proxy relation to the abstract graph;

step 1.3: deleting some isolated proxy nodes which are generated in the step and are isolated from other nodes;

step 1.4: further modifying the abstract diagram through the following four constraint conditions to obtain a final correct abstract diagram;

the four constraints are:

1) if an entity is generated by two or more activities, then these activities need to occur simultaneously;

2) the entity must be generated before it can be used;

3) the activity using entity must occur in the process of the activity;

4) the activity generation entity must occur in the course of the activity occurring.

The access rule in the third step is further composed of an access target, an access result, and a conversion element:

a) accessing a target: the access target element is used for defining which resources a specific user can access under which conditions, and consists of a theme matching the rule, a record and a limiting condition and a use range for accessing the element;

wherein Subject refers to a set of accessing users;

recording Record refers to accessing the resource;

the constraint restiction is used for defining a series of conditions allowed to be used by the rule;

the use Scope defines whether the rule is convertible or not; the convertible representation indicates that the rule applies to all matching nodes and their ancestor nodes in the graph, and the non-convertible representation indicates that the rule applies only to matching nodes in the graph.

b) Accessing a result: the access result element is used to specify an expected result when the policy applies and the rule matches part of the information in the origin graph; the results are divided into four categories:

absolute allowed limits means that the user can access all information in the graph without being influenced by other rules;

deny access means that part of the information in the map cannot be accessed by the user of the subject;

allowing the Necessary permission if Necessary means that a certain constraint condition is required for the user of the subject to access partial information, so that an explicit access permission policy is required;

the permission access Permit is used for describing that when no other rule refuses to access the element, the user of the subject can access partial information in the graph;

c) conversion element

The conversion element allows a data manager to specify the manner in which the origin graph is converted, specifies which nodes need to be hidden and the specific operation applied to the nodes, generates a conversion graph according to the authority of the user, and obtains a query result according to the graph; wherein the conversion element is composed of three parts: a conversion type, a conversion level, and a converted element tag.

Further, the optimal partition algorithm in the fourth step includes the following specific steps: firstly, calculating an external reason set and an external influence set of each element in a set of abstract nodes to obtain an empty reason set and an empty influence set, and then arranging the elements in a descending order according to the sum of the external reason and the number of the external influence elements of each element; and traversing the sorted set, selecting a node as a seed node, traversing elements behind the set, judging whether the two nodes can meet the condition of the same partition, if so, adding the node into the set as the element of the same partition, and deleting the element in the set.

Further, the specific steps of the step four middle map conversion algorithm are as follows: if one element abstraction level in the partition is hidden, or all elements of the partition are marked to be empty, or the partition is an empty reason set or an empty result set, deleting the partition, otherwise, carrying out replacement operation, namely taking marks of all nodes of the partition as marks of a new abstraction node to obtain a required access view.

Aiming at the problem of access control in data privacy protection, the invention introduces an access control method which is analyzed respectively from three aspects of origin graph abstraction, access control model establishment and access view generation, and the feasible and effective verification of the method is carried out.

Compared with the prior art, the invention has the advantages that: the problem of access control in data privacy is solved, and different access views are corresponding to the authority of the user, so that the access result not only ensures safety, but also ensures completeness.

Drawings

FIG. 1 is a flow chart of the present invention;

FIG. 2 is a framework of an access control method based on an origin graph in an embodiment;

FIG. 3 is an origination diagram in an embodiment;

FIG. 4 is a modified diagram of a proxy node in a heterogeneous packet including two types, namely, an entity En and an active Act, in an embodiment;

FIG. 5 is a modified diagram of a proxy node in a heterogeneous packet including three types of entity En, active Act, and proxy Ag in the embodiment;

FIG. 6 is a comparison graph of evaluation strategies;

FIG. 7 is a patient diagnostic record provenance diagram of an embodiment;

FIG. 8 is a graph of the results of marking and partitioning in an embodiment;

fig. 9 is an access control view in the embodiment.

Detailed Description

The invention is further elucidated with reference to the drawings and the detailed description, the flow being shown in fig. 1.

An access control method based on an origin graph abstract model comprises the following steps: firstly, establishing an origin abstract model based on node grouping based on an origin graph constructed by a PROV model; secondly, on the basis of a PGgu/ea original graph, four operations of closure, expansion, replacement and deletion are provided, formal definition and perfection are carried out, and an abstract graph meeting PROV constraint conditions is obtained; then, an access control model based on abstraction of a PROV (provider oriented programming) provenance graph is provided, a frame graph is shown in FIG. 2, access rules and elements thereof are formally defined, two evaluation strategies of priority rejection and priority permission are provided, and implementation schemes thereof are discussed in detail; finally, the view of the access of the corresponding authority of the corresponding user is obtained according to the graph abstraction algorithm.

The origin graph abstraction refers to a series of nodes specified by a user as a group and then replaced by a new abstract node, and a new graph is obtained by modifying the relationship between the nodes (including the new abstract node).

The role of origin graph abstraction can be roughly divided into two categories: firstly, ensuring the safety of origin information in the data exchange or data access process, and abstracting sensitive information or private data to generate an access view corresponding to a corresponding authority user; and secondly, the requirements of different users on different attention degrees of origin information are met, some users need to know complete origin information, some users only need to know partial important information, the importance definitions of different users on the information are different, and different access views can be generated according to the attention degrees of the users through the criticality of the nodes and the origin graph abstraction technology.

The simplest abstraction is to delete a node and the edges associated with the node directly. However, abstracting in this way does not generally guarantee the validity of the generated graph. Therefore, a series of operations need to be defined to convert the origin graph so as to ensure the effectiveness of generating the graph, and therefore the invention provides an origin abstract model based on node grouping.

1. PGgu/ea origin map abstraction

(1) Homogeneous grouping

The main task of the node grouping is to define the editing operation of the graph, i.e. how to get a given node from the graph G e PG_gu/eaRemoving to generate a new effective PROV graph G' E PG_gu/ea。

The main idea of the grouping operation is: using (V, E) E PG_gu/ea(V represents a set of nodes and E represents a set of edges between nodes) and a subset of the set of nodes V

Rewriting the graph to generate a new graph G' E PG_gu/ea. The rewriting is V_grAs a group, is replaced by a new node, simultaneously with V_grThe associated relationship is also replaced with a new relationship.

Closing operation: suppose the origin graph G ═ V, E ∈ PG_gu/eaAnd has a set

For any two vertex pairs v in the set_i,v_j∈V_grIf there is a v in graph G_iTo v_jConnected directed edges, then the set will be

Defined as all points on the path. V_grThe path closure operation in graph G is defined as:

and (3) expanding operation: suppose that graph G ∈ PG ═ V, E ∈_gu/eaAnd the set t belongs to { En, Act }.

In the process of generating the abstract graph, nodes in the abstract set in the original graph are replaced by a new node, the relationship among partial nodes in the graph needs to be deleted, and meanwhile, a series of relationships need to be introduced to connect the abstract nodes with the nodes related to the abstract nodes in the graph.

Let graph G be (V, E),

is a set of nodes requiring abstraction, v, obtained by an extension operation_newRepresenting the replaced abstract node. The replace function is to V'_grSubstitution to v_newAnd v is_newThe nodes are connected to their associated nodes in the graph according to a certain pattern.

Due to V'_grIs replaced by a new node, therefore V 'in graph G needs to be deleted'_grAnd V \ V'_grThe following classifications define these relationships.

1) V is to be_out(V'_gr) Is defined as V 'to be deleted in graph G'_grOf (2), i.e. from V'_grIs led out to V \ V'_grThe set of middle edges is defined as:

v_out(V′_gr)＝{(v,v′)|v∈V′_gr,v′∈V\V′_gr} (3)

2) v is to be_in(V'_gr) Is defined as V 'to be deleted in graph G'_grI.e. from V \ V'_grIs introduced to V'_grA set of edges defined as:

v_in(V′_gr)＝{(v,v')|v'∈V′_gr,v∈V\V′_gr} (4)

3) v is to be_int(V'_gr) Is defined as V 'to be deleted in graph G'_grInner side of (2), V'_grEdges between internal nodes, defined as:

v_int(V′_gr)＝{(v,v')|v,v'∈V′_gr} (5)

due to the addition of new nodes v in the generated abstract graph_newIn order to ensure the connectivity and validity of the graph, v is required_newAnd V \ V'_grAdd edges of appropriate relationships between them.

1) V'_out(V′_gr) Defined as requiring an added leading edge, i.e. from v_newIs led out to V \ V'_grThe set of middle edges is defined as:

2) v'_in(V′_gr) Defined as requiring an added lead-in edge, i.e. from V \ V'_grIntroduction into v_newA set of edges defined as:

the replace function assigns each to v_out(V'_gr) Is replaced with the same type of edge arc (v)_newV) while each belonging to v_in(V'_gr) Is replaced by an edge arc (v, v) of the same type_new) Those belonging to v_intIs followed by node V'_grAre deleted altogether.

We can easily prove that the relationship types of the nodes and edges in the new abstract graph obtained by the replacement operation are correct. From the above, it is clear that V 'is obtained by the expanding operation'_grAll end points in the set are of type t ∈ { En, Act }, and the newly constructed node v_newIs also of type t e { En, Act }, and is therefore defined by v_newFrom V'_grWithout generating node type inconsistency(ii) a condition; meanwhile, because the newly introduced edges are all replaced by the same type of edges, the edges with inconsistent types cannot be introduced. It can be seen that the substitution operation ensures the correctness of the type. The following formally defines the replacement operation:

and (3) replacement operation: in the graph G, V is_grSubstitution to v_newIs given by the formula

v_out(V_gr)、v_in(V_gr)、v_int(V_gr) For edges to be deleted in the figure

v'_out(V_gr)、v'_in(V_gr) For newly introduced edges in the figure

And (3) deleting operation: let graph G be (V, E),

is the set of points to be deleted. Generating a new origin graph G ' ═ (V ', E ') by the delete operation, where:

by the above definitions, we can define PG_gu/eaHomogeneous grouping operation in the model:

homogeneous grouping operation: let graph G ═ V, E ∈ PG_gu/ea,V_grE.g. V is a set of nodes of the same type, V_newIs a V_grType of new node (v)_new＝type(V_gr) Homogenous grouping is defined as:

Group_hom(G,V_gr,v_new)＝replace(extend(pclos(V_gr,V),V,type(V_gr)),v_new,G) (10)

(2) heterogeneous grouping

The heterogeneous packet is V_grGrouping operation when nodes of different types are contained in the network, because type (V) cannot be passed_gr) The function is obtainedThe type of the node, and therefore the type of the replacement node, needs to be specified, and the abstract graph generated by the specified type will be different. We call the heterogeneous grouping operation t-grouping, where t ∈ { En, Act }. When the specified type is En, the system is called e-grouping, and when the specified type is Act, the system is called a-grouping.

Heterogeneous grouping operation: let graph G ═ V, E ∈ PG_gu/ea,V_gr∈V,t∈{En,Act},v_newIf the node is a newly designated node of t type, the heterogeneous group is defined as:

Group(G,V_gr,v_new,t)＝replace(extend(pclos(V_gr,V),V,t),v_new,G) (11)

2、PG_gu+/eaAgorigin graph abstraction

We add proxy (Ag) type nodes and relationships related thereto to PG_gu/eaThe study is carried out in the figure. The proxy node is an important component of the PROV model, which can be a human or a software system, that is responsible for the execution of activities. The relationship between the entity and the agent is wasAttributedto (wat), denoted as

The relationship between the activity and the agent is wasAssociatedwith (waw), denoted as

The relationship between the agents is actideOnBehalfOf (abo), which is expressed as

It follows that these new relationships are all binary relationships (the PROV model allows abo relationships to contain an additional optional activity, which we have temporarily left out for simplicity), so that the new origin graph can still be represented as a directed graph G (V, E), where V (En ∪) isAct ∪ Ag, E is set of edges, we use the notation PG_gu+/eaAgRepresenting a graph containing all node types and relationships. In the same way, PG_gu+/eaAgThe graph formed by the model is called PG_gu+/eaAgFigure (a).

It can be seen from the visual observation of fig. 3 that all edges associated with a proxy node always serve as the end point of a directed edge, and the proxy nodes (shaded) are all on the outer layer of the directed graph, so the proxy nodes can be regarded as part of the periphery of the origin graph. Therefore, we break the packet operations associated with the proxy into the following three parts:

1)

this is the case for homogeneous packets. At this time, it is necessary to increase

Grouping operation, ag-grouping operation and PG, because the agents are only related by a delegation relationship_gu/eaHomogeneous grouping operation in the model is similar, and PG can be obtained through analysis_gu/eaDefinition of homogeneous grouping operations in model for PGs_gu+/eaAgThe ag-grouping operation in the model is fully applicable.

2)

This is the case for heterogeneous packets. Nodes involved in abstraction are all inside the origin graph, and these nodes may be related to proxy nodes through waw or wat relations, so that the PG needs to be paired_gu/eaHeterogeneous grouping operations in the model are modified appropriately.

In order to ensure that no relationship is introduced in error, partial relationships need to be deleted when a replacement operation is performed. As shown in fig. 4 (a), to avoid introducing a wrong waw relationship, we delete it in the process of performing an e-grouping operation; similarly, in (b) of FIG. 4, we delete the wat relation during the execution of the a-grouping operation. In (c1) and c (2) in fig. 4, the illegal waw relationship is deleted after the e-grouping operation is performed.

In summary, when the new node type is En, that is, after the e-grouping operation is performed, the relationship between the proxy nodes adjacent to the abstract node can only be wat; when the new node type is Act, i.e. after performing an a-grouping operation, the relationship between the agent nodes adjacent to the abstract node can only be waw. The replacement operation is redefined as follows:

3)

this is the case for heterogeneous packets. All types of nodes are involved at this time. However, since the proxy nodes are all at the outer layer of the graph, this situation can be considered as an e-grouping or a-grouping operation that may involve a combined node type of proxy nodes, but the new abstract node cannot be a proxy type.

When V is_grWhen { e, ag3}, performing an e-grouping operation results in the result shown in fig. 5. Pclos (V) by closure operation_gr) Get intermediate results (b) in fig. 5, and the final abstract results are shown in fig. 5 (c). Obviously, the abo (ag4, ag3) relationship should not be mapped onto the final graph. Analysis shows that the main reason causing the result is to replace theta 'in the function'_in(V′_gr) Introduces an erroneous relationship.

Next, we modify the replace operation to ensure that no false relationships are introduced. To avoid introducing false dependencies we are on θ'_in(V′_gr) The function is modified and the new definition is as follows:

i.e. mapping proxy relationships into abstract graphs only if the abstract node is of the proxy type.

Through the two new replacement operations defined above, it is ensured that no error relationship is introduced into the generated origin graph, but some relationships are simply deleted, so that some nodes in the graph G' are isolated from other nodes in the graph, isolated nodes are generated, and a simple function is provided to delete isolated proxy nodes.

Removing isolated nodes: let graph G ═ V, E ∈ PG_gu+/eaAgThe isolated nodes in the graph can be represented as: isolated (g) { V ∈ V | type (V) ═ Ag ^ Lo ∈ V. ((V', V)) ∈ E ∈ V ∈ E }, the definition of removing the orphaned proxy node is as follows:

remIsolated(V,E)＝(V\isolated(G),E) (14)

3. source graph abstraction satisfying timing constraints

A legal PROV graph needs to satisfy two types of constraints simultaneously: type constraints and timing constraints. In the process of defining the node grouping operation, only formal type constraints are considered, and timing constraints are not considered.

Briefly, timing constraints include the following conditions:

(1) if an entity is generated by two or more activities, then these activities need to occur simultaneously;

(2) the entity must be generated before it can be used;

(3) the activity using entity must occur in the process of the activity;

(4) the activity generation entity must occur in the course of the activity occurring.

In order to ensure that the generated abstract graph meets the time sequence constraint condition (1), the time sequence condition of the graph generated by the e-grouping operation needs to be verified, if an abstract node in the generated abstract graph is related to a plurality of active nodes, the active nodes related to the abstract node need to be grouped, then a-grouping operation is carried out, and the nodes are abstracted into one active node. The specific definition is as follows:

strict grouping operation: let graph G ═ V, E ∈ PG_gu+/eaAg,V_gr∈V,v_newIs a new node of En type, G ' (V ', E ') -Group (G, V)_gr,v_new,t)，

Is node v on graph G' and newly generated_newA set of associated active nodes, then

When the grouping operation is a homogenous a-grouping operation, strict t-grouping coincides with t-grouping.

Loops may be introduced in the process of abstracting the origin graph, which will have a great influence on the origin graph. To better address this problem, we redefine the usage events and generation events of the abstract nodes.

The abstract node generates an event: let V_grE.g. V and V_newIs replacing V_grGenerates activity a, then:

next, we define an abstract node v_newOf use event, i.e. V_grThe event used first in the node is specifically defined as follows:

the abstract node uses events: let V_gre.V, G ═ V ', E' is a new abstract graph, V_newE.V' is a new abstract node. If there is an activity a ∈ V', cause used (a, V)_new) If true, then:

although the validity of the relationship in the generated graph can be ensured well by the above definitions, it is understood from both definitions that the original graph V is required if the use of the abstract node and the generation relationship are established at the same time_grAll entities in (a) can be used after being generated, and therefore, additional constraint relations need to be added.

An access control model: 1. an access rule is composed of an access target, an access result and a conversion element:

(1) accessing a target

The access target element is used to define which resources a particular user can access under what circumstances, and consists of the subject of the matching rule, the record, and the restrictions (optional) and scope of use (optional) to access the element.

Topic refers to a collection of accessing users.

Record (Record) refers to an access resource.

Constraints (constraints) are used to define a series of conditions that the rule allows to be used.

The usage Scope (Scope) defines whether the rule is convertible or not. The convertible representation indicates that the rule applies to all matching nodes and their ancestor nodes in the graph, and the non-convertible representation indicates that the rule applies only to matching nodes in the graph.

(2) Accessing results

The access result element is used to specify the expected result that is obtained when the policy applies and the rule matches part of the information in the provenance graph. The results are divided into four categories:

absolute permission (Absolute permit) means that the user can access all the information in the graph without being affected by other rules.

Denial of access (Deny) means that some of the information in the graph cannot be accessed by the user of the topic.

Allowing (recessary permission) when Necessary means that the user of the subject needs certain constraints to access part of the information, and therefore needs an explicit access permission policy.

The allowed access (Permit) is used to describe that the user of the topic may access part of the information in the graph when no other rule denies access to the element.

(3) Conversion element

The transformation element allows the data manager to specify in what manner the origin graph is to be transformed, and specifies which nodes need to be hidden and the specific operations to apply to those nodes. And generating a conversion graph according to the authority of the user, and obtaining a query result according to the graph.

The conversion element consists of three parts: a conversion type, a conversion level, and a converted element tag.

2. The evaluation policy algorithm is not only used to determine whether a resource is accessible, but also to construct a view that satisfies the user's security constraints. During the evaluation of the rules, a set of nodes associated with the policy are generated, and then the nodes are used to generate the security access view. The evaluation strategy is to mark the origin graph by using a series of access rules, the order of the access rules is different, and the processing mode is different, so that a denial priority evaluation strategy and an allowance priority evaluation strategy are proposed:

(1) denial of priority evaluation policy

The main idea of the rejection priority evaluation strategy is as follows: firstly, marking nodes which accord with rules in an original graph G according to absolute access permission, access rejection, access permission if necessary and access permission rules, then marking uncovered nodes, and finally generating an access view, wherein the specific steps are shown in (a) in an algorithm flow chart 6 and are as follows; a) using an absoutePermit function to mark nodes in the original graph G which accord with the fully-allowed access rule;

b) because the processes of rejecting the access rule and allowing the access rule if necessary are the same, the marking of the nodes matching the two rules can be completed by using the same function denynecePermit ();

c) function updateForDeny) is used to implement the extension of the matching nodes and the permit () function is used to label the nodes in the graph that meet the allowed access rules.

d) For the deny-first access control policy, all uncovered nodes deny access, so all uncovered nodes are added to the set R and the abstraction level is defined as hidden, while the node information is marked as empty, which is done by the completeR (G, dlevs, dlabels, R, covered) function.

e) And generating an accessible view according to the marking information and the set of the disallowed access nodes by using a viewGeneration function.

(2) Enabling prioritized evaluation of policies

The allow priority assessment policy is about the same idea as the deny priority assessment policy, but the order of rule matching is different. And allowing the priority evaluation policy to mark nodes in the graph which accord with the rules according to the sequence of absolutely allowing access, allowing access if necessary, allowing access and denying access rules, and finally generating an access view. Since the uncovered nodes in the permission preference policy are allowed to access, the marking is not required to be carried out again.

The algorithm flowchart is shown in fig. 6 (b), and includes the following specific steps:

a) using an absoutePermit function to mark nodes in the original graph G which accord with the fully-allowed access rule;

b) the necPermit () function is to record the abstraction level and the label simultaneously according to the node which allows the rule to mark the graph and does not allow the access when necessary;

c) the function permit () and the deny () are respectively used for marking the node which allows the access rule to be matched and marking the node which does not allow the access rule to be matched;

d) since the uncovered nodes in the permission preference evaluation strategy are allowed to be accessed, the marking does not need to be carried out again, namely, the viewGeneration function only needs to generate the accessible view according to the marking information and the set of nodes which are not allowed to be accessed

And (3) generating an access view: reasonably partitioning a set R of nodes needing abstraction to ensure that the generated abstract view maintains the relationship among the nodes, and providing three algorithms:

(1) optimal partitioning algorithm

First, several concepts are involved in the partitioning process:

external causes (external causes), i.e. the reason the current node is the external node.

External effects (external effects) that the current node is generated by an external node.

The constraint is a boolean expression that is satisfied by all elements of the partition defined for computing the optimal partition. The following are two constraints:

RESTR.1: nodes in a set are not allowed to have soft dependencies.

RESTR.2: all nodes in a partition have the same evaluation attributes.

The method comprises the steps of obtaining a set of nodes needing abstraction according to an evaluation strategy, carrying out appropriate partition simplified abstraction processes on the nodes, and providing an optimal partition algorithm. The main idea of the algorithm is divided into two stages:

in the first stage, an external reason set and an external influence set of each element in the R are calculated firstly, so that an empty reason set and an empty influence set are obtained, and then the elements are arranged in a descending order according to the sum of the external reason and the number of the external influence elements of each element.

And in the second stage, traversing the sorted set, selecting a node as a seed node, traversing elements behind the set, judging whether the two nodes can meet the condition of the same partition, if so, adding the node into the set as the element of the same partition, and deleting the element in the set.

(2) Graph transformation algorithm

The graph transformation algorithm refers to a process of abstracting or hiding all the partitions according to the marking information to generate an abstract graph. The main idea of the algorithm is that if one element abstraction level in a partition is hidden, or all elements of the partition are marked to be empty, or the partition is an empty reason set or an empty result set, the partition is deleted, otherwise, a replacement operation is performed, that is, the marks of all nodes of the partition are used as the marks of a new abstraction node, and a required access view is obtained.

(3) Graph generation algorithm

Calculating the optimal partition condition of a user, obtaining two limit conditions according to limit rules 1 and 2 provided in the optimal partition algorithm, and calling an optimal partition function optimalPartition () and a graph transformation function () to obtain an access view.

And (3) experimental verification: the experiment is mainly divided into three steps:

(1) description of origin map

(2) Marking and partitioning a graph according to access rules and evaluation policies

(3) Generating abstract drawings

The origin graph is described first. As shown in fig. 7, the evolution process of the electronic medical record of the two-visit experience of a patient is described.

The first visit was made by a general practitioner (ag3) for the patient (ag1) and the diagnosis was recorded in detail by the EHR system (ag 2). First, a new project creation process (a1) is performed based on the patient's previous electronic medical records (v19-e1), resulting in a new electronic medical record (v20-e 2). After the patient is diagnosed in detail, the doctor prescribes the patient (e3) and a blood test chart (e4), and updates the electronic medical record to generate a new version of the record (v21-e 5). The laboratory technician (ag5) prepares the instrument according to the blood test table while taking measurements with the laboratory system (ag4) (a3), finally generates a laboratory condition report (e6), while notifying the blood test report creation activity (a 5). The blood test report creation activity is used to generate a blood test report (e7) and a new electronic medical record (v 22-e 9). Clinical trial investigators (ag6) generated electronic case report forms (e8) using laboratory condition reports (e6) and blood test reports (e 7).

The second visit was treated by the general practitioner (ag7) for the patient (ag7) and the diagnostic procedure was recorded in detail by the EHR system (ag 8). First, a new project creation process (a6) is performed based on the patient's previous electronic medical records (v 12-e 9), resulting in a new electronic medical record (v 23-e 10). Subsequently, the physician uses a decision support system (DSS Tool ag10) to obtain a series of diagnostic cues (e11) through the new medical record (v 23-e 10), and then uses these cues to compare (a8) with the clinical outcome database (e12) in the system, thereby providing the physician with a diagnostic recommendation (e13) through which the physician can obtain the final diagnostic outcome (e 15). The doctor generates a new prescription according to the diagnosis result (e16) and updates the electronic medical record system to generate a new electronic medical record (v 24-e 17).

Next, when the user is a patient, the upper graph is marked and partitioned according to the defined access rules and evaluation strategies, and the result of partitioning is shown in FIG. 8.

And obtaining a set R of points needing abstraction according to the access rules and the rejection priority evaluation strategy, wherein the set R is { a3, a4, a7, a8, e6, e8, e11, e12, e13, ag4, ag5, ag6 and ag10 }. And obtaining the external reasons and the external influence sets of the R sets according to the default causal relationship, as shown in the table 1. The partitioning result is { { e11, e12, e13, a7, a8, ag10}, { a4, e8, ag6}, { a3, e6, ag4, ag5} } obtained according to the partitioning algorithm.

TABLE 1 set of external causes and external influences for partitioning elements

Finally, a user access view is obtained according to the result obtained by partitioning and the marking information thereof, as shown in fig. 9.

According to the access rule, the patient has no right to access any information related to the automatic recommendation, so the parts of the automatic recommendation are marked in the marking stage, the abstraction level is set as hidden, the contents are deleted in the finally generated access view, the a9 and the a6 are directly connected, and the relation is defined as c, namely the causal relation exists between the two nodes.

According to the access rule, the patient does not have the right to access origin information in the experimental process, but the patient knows the process, so that the information of the experimental part is marked in the marking stage, the abstraction level is set as abstraction, the node is divided into two parts of contents of a clinical experiment and a Laboratory through partitioning, the contents are respectively abstracted into a clinical Trial node and a Laboratory node, the nodes are connected through a causal relationship, according to the abstraction model, the clinical Trial node and the e7 node are still in a used relationship, and the clinical Trial node and the e4 node are still in a used relationship.

The above description is only an example of the present invention and is not intended to limit the present invention. All equivalents which come within the spirit of the invention are therefore intended to be embraced therein. Details not described herein are well within the skill of those in the art.

Claims

1. An access control method based on origin graph abstraction,

the method comprises the following steps: defining a data model, namely a PROV model, according to a W3C origin working group, utilizing the PROV model to enable a user to carry out standardized description on origin information of data in various systems, and extracting the relationship among an entity En, an activity Act, an Agent, used and wasGeneratedBy from the PROV model to establish an origin map based on the PROV model;

step two: on the basis of the initial diagram obtained in the step one, four kinds of abstract operations of closure, expansion, replacement and deletion are provided by using the concept of node grouping, formal definition and perfection are carried out, and an abstract diagram which accords with the PROV constraint condition is obtained;

step three: defining a series of access rules, wherein the access rules consist of an access target, an access result and a conversion element, marking the abstract graph obtained in the step two by using the access rules, and proposing two evaluation strategies of refusing priority and allowing priority;

2. The method of claim 1, wherein the method comprises: the node grouping in the step two is an editing operation for defining the graph, namely how to remove the designated node from the original source graph to generate a new effective source graph; the abstract graph refers to a series of nodes specified by a user are regarded as a group and then replaced by a new abstract node, and meanwhile, a new graph is obtained by modifying the relationship between the nodes and the new abstract node.

3. The method of claim 1, wherein the method comprises: the construction steps of the abstract graph conforming to the PROV constraint condition in the step two are specifically as follows:

the four constraints are:

2) the entity must be generated before it can be used;

3) the activity using entity must occur in the process of the activity;

4. An access control method based on origin graph abstraction according to one of claims 1 to 3, characterized by: the access rule in the third step is composed of an access target, an access result and a conversion element:

wherein Subject refers to a set of accessing users;

recording Record refers to accessing the resource;

the use Scope defines whether the rule is convertible or not; the rule is applicable to all matching nodes and ancestor nodes thereof in the graph in a convertible way, and the rule is applicable to only the matching nodes in the graph in an untransformable way;

c) conversion element

5. The method of claim 4, wherein the method comprises: the optimal partition algorithm in the fourth step comprises the following specific steps: firstly, calculating an external reason set and an external influence set of each element in a set of abstract nodes to obtain an empty reason set and an empty influence set, and then arranging the elements in a descending order according to the sum of the external reason and the number of the external influence elements of each element; and traversing the sorted set, selecting a node as a seed node, traversing elements behind the set, judging whether the two nodes can meet the condition of the same partition, if so, adding the node into the set as the element of the same partition, and deleting the element in the set.

6. The method of claim 1, wherein the method comprises: the image conversion algorithm in the fourth step comprises the following specific steps: if one element abstraction level in the partition is hidden, or all elements of the partition are marked to be empty, or the partition is an empty reason set or an empty result set, deleting the partition, otherwise, carrying out replacement operation, namely taking marks of all nodes of the partition as marks of a new abstraction node to obtain a required access view.