A data element access control method, device and system

By receiving and evaluating relevant data on data element access behavior, sensitivity assessment and pattern classification are performed. Combined with anomaly detection and risk probability, precise access control policies are generated, solving the problem that traditional methods are difficult to adapt to dynamic scenarios and achieving precise control over data element access.

CN122339856APending Publication Date: 2026-07-03BEIJING HAIZHIYAN ADVERTISEMENT CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING HAIZHIYAN ADVERTISEMENT CO LTD
Filing Date
2026-06-04
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Traditional data element access control methods are ill-suited to the dynamic relationships between scenarios and cannot achieve precise control over data element access, especially in terms of identifying and responding to risks from a global perspective.

Method used

By receiving relevant data from multiple access behaviors, sensitivity assessment and pattern classification are performed. Combined with anomaly detection and risk probability, an access control model is used for dynamic evaluation to generate accurate access control policies.

Benefits of technology

It enables global and dynamic evaluation of data element access, improves the accuracy and rationality of access control policies, reduces the randomness of anomaly detection, and ensures the security and efficiency of data element access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339856A_ABST
    Figure CN122339856A_ABST
Patent Text Reader

Abstract

This application relates to the general field of digital information transmission technology, specifically to a data element access control method, device, and system. The method includes: receiving multiple related data for multiple access behaviors of a data element, and performing sensitivity assessment on the access behaviors based on the differences between the related data of different access behaviors to obtain an anomaly sensitivity of the access behaviors; classifying the access behaviors according to the anomaly sensitivity to determine the risk probability that the access behaviors belong to risky operations; performing anomaly detection on multiple access behaviors based on the anomaly sensitivity to determine the anomaly score of the access behaviors; combining the anomaly score and risk probability of the same access behavior to obtain the risk value of the access behavior, and inputting the risk value into an access control model to obtain the access control policy corresponding to the access behavior.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of digital information transmission technology, and in particular to a data element access control method, device and system. Background Technology

[0002] In today's rapidly developing digital economy, data has become the fifth factor of production, on par with land, labor, capital, and technology. Security and privacy issues are not only core challenges arising from the circulation and utilization of data, but also the technological support for achieving data sharing and circulation.

[0003] In traditional data element access processes, the value and risk of data elements are determined by the context. For example, the Attribute-Based Access Control (ABAC) model is used to evaluate the combination of multi-dimensional attributes such as users, resources, and environment, and then the access control strategy is determined based on the evaluation results.

[0004] However, static assessments of single access attempts struggle to adapt to the interrelationships between different dynamic scenarios, failing to perceive the risks of a single access from a global perspective, and thus hindering precise control over data element access. Therefore, a superior data element access control scheme is needed to overcome these difficulties. Summary of the Invention

[0005] This application provides a data element access control method, device, and system to achieve precise control over access to data elements.

[0006] In a first aspect, this application provides a data element access control method, the method comprising: Receive multiple related data for multiple access behaviors of data elements, and perform sensitivity assessment on the access behaviors based on the differences between the related data of different access behaviors to obtain the abnormal sensitivity of the access behaviors; Based on the aforementioned anomaly sensitivity, the access behavior is classified into patterns to determine the risk probability that the access behavior belongs to a risky operation. Based on the aforementioned anomaly sensitivity, anomaly detection is performed on multiple access behaviors to determine the anomaly score of each access behavior. The anomaly score and risk probability of the same access behavior are combined to obtain the risk value of the access behavior, and the risk value is input into the access control model to obtain the access control policy corresponding to the access behavior.

[0007] Furthermore, when the relevant data includes user data, the sensitivity assessment of the access behavior based on the differences between the relevant data of different access behaviors to obtain the abnormal sensitivity of the access behavior includes: By concatenating user data for the same access behavior, an access feature vector is obtained. Based on the access feature vector, the access behavior is clustered to obtain multiple clusters representing access behavior patterns; The anomaly sensitivity of the access behavior is determined based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs.

[0008] Furthermore, when the relevant data includes log records, determining the abnormal sensitivity of the access behavior based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs includes: The log records are segmented into words to obtain multiple words, and the weight of each word is determined based on its frequency of occurrence in the log records. The weights of the words in the same log record are concatenated to obtain a weight vector, and the weight vectors of the access behaviors are concatenated to obtain a weight matrix. Based on a preset set of multiple access topics, including sensitive topics, the access behavior is classified using the weight matrix to obtain the probability that the access behavior belongs to each of the access topics. The abnormal sensitivity of the access behavior is determined based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance.

[0009] Furthermore, determining the abnormal sensitivity of the access behavior based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance includes: The probability that the access behavior belongs to the sensitive topic is coupled with the Euclidean distance to obtain the abnormal sensitivity. Alternatively, based on a preset weighting coefficient, the probability that the access behavior belongs to the sensitive topic and the Euclidean distance are weighted and summed to obtain the abnormal sensitivity.

[0010] Furthermore, the step of classifying the access behavior into patterns based on the anomaly sensitivity to determine the risk probability that the access behavior belongs to a risky operation includes: Based on a variety of preset access topics, the access behavior is classified using the anomaly sensitivity to obtain the probability that the access behavior belongs to each of the access topics. From the access topics, identify target access topics with a risk index exceeding a threshold, and determine the risk probability that the access behavior belongs to a risk operation according to the probability corresponding to the target access topic.

[0011] Further, combining the anomaly score and the risk probability of the same access behavior to obtain the risk value of the access behavior includes: Performing product coupling on the anomaly score and the risk probability to obtain the risk value of the access behavior.

[0012] Further, the training process of the access control model includes: Obtain multiple sample access behaviors, each of which has a risk value, an access control policy, and a security evaluation result; Input the risk value of the sample access behavior into a reward function to obtain the reward value of the sample access behavior, and the reward function determines the reward value based on the consistency between the access control policy and the security evaluation result of the sample access behavior; Use the reward value, risk value, and access control policy of the sample access behavior to train the access control model to obtain a trained access control model.

[0013] Further, using the reward value, risk value, and access control policy of the sample access behavior to train the access control model to obtain a trained access control model includes: After training the access control model using the reward value, risk value, and access control policy of the kth sample access behavior, adjust the exploration factor in the access control model based on the risk value of the kth sample access behavior, so that the exploration factor is inversely proportional to the risk value, k ∈ N, k > 0 and k < N, and N is the number of sample access behaviors; Use the reward value, risk value, and access control policy of the (k + 1)th sample access behavior to train the access control model with the exploration factor adjusted based on the risk value of the kth sample access behavior to obtain a trained access control model.

[0014] In a second aspect, an embodiment of the present application further provides a data element access control device, and the device includes: A sensitivity module, configured to receive various relevant data of multiple access behaviors for data elements, and perform sensitivity evaluation on the access behaviors based on the differences between the relevant data of different access behaviors to obtain the anomaly sensitivity of the access behaviors; A risk probability module, configured to perform pattern classification on the access behaviors based on the anomaly sensitivity and determine the risk probability that the access behaviors belong to risk operations; An anomaly score module is used to perform anomaly detection on multiple access behaviors based on the anomaly sensitivity, and determine the anomaly score of the access behavior; The control strategy module is used to combine the anomaly score and risk probability of the same access behavior to obtain the risk value of the access behavior, and input the risk value into the access control model to obtain the access control strategy corresponding to the access behavior.

[0015] Thirdly, embodiments of this application also provide a data element access control system, the system including a memory, a processor, and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to implement the steps of any of the methods described above.

[0016] In the embodiments of this specification, while performing pattern classification based on anomaly sensitivity, anomaly detection is also performed based on anomaly sensitivity. The obtained anomaly score is combined with the risk probability to obtain a risk value, and then an access control policy is determined based on the risk value. This process provides a new data element access control method. The anomaly detection is performed across multiple access behaviors, achieving a global and dynamic evaluation of access behaviors. This avoids the harm caused by access behaviors with global risks and improves the accuracy of access control policies. Meanwhile, the pattern classification is a static evaluation of a single access behavior. Combining static and dynamic evaluation can reduce erroneous judgments caused by the randomness of anomaly detection, further improving the rationality of access control policies and achieving precise control over data element access. Attached Figure Description

[0017] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0018] Figure 1 The diagram above illustrates a flowchart of a data element access control method. Figure 2 The diagram above illustrates a schematic of a data element access control device.

[0019] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments. Detailed Implementation

[0020] Various exemplary embodiments, features, and aspects of this disclosure will now be described in detail with reference to the accompanying drawings. The same reference numerals in the drawings denote elements that have the same or similar functions. Although various aspects of the embodiments are shown in the drawings, they are not necessarily drawn to scale unless specifically indicated otherwise.

[0021] The term “exemplary” as used herein means “serving as an example, embodiment, or illustration.” Any embodiment illustrated herein as “exemplary” is not necessarily to be construed as superior to or better than other embodiments.

[0022] In this document, the term "and / or" is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent three cases: A alone, A and B simultaneously, and B alone. Furthermore, the term "at least one" in this document means any combination of at least two of any one or more elements. For example, including at least one of A, B, and C can mean including any one or more elements selected from the set consisting of A, B, and C.

[0023] Furthermore, to better illustrate this disclosure, numerous specific details are set forth in the following detailed description. Those skilled in the art will understand that this disclosure can be practiced without certain specific details. In some instances, methods, means, components, and circuits well known to those skilled in the art have not been described in detail in order to highlight the main points of this disclosure.

[0024] Figure 1 A flowchart illustrating a data element access control method according to an embodiment of the present disclosure is provided. This method can be applied to a data element access control device, which can be a terminal device, a server, or other processing device. The terminal device can be a user equipment (UE), mobile device, user terminal, terminal, cellular phone, cordless phone, personal digital assistant (PDA), handheld device, computing device, in-vehicle device, wearable device, etc.

[0025] In some possible implementations, this data element access control method can be implemented by the processor calling computer-readable instructions stored in memory.

[0026] like Figure 1 As shown, the data element access control method may include: Step S11: Receive multiple related data for multiple access behaviors of data elements, and based on the differences between the related data of different access behaviors, perform sensitivity assessment on the access behaviors to obtain the abnormal sensitivity of the access behaviors.

[0027] Data elements can include personal data (such as attribute data, health data, activity data, etc.), commercial data (such as transaction records, supply chain information, patent data, etc.), public data (such as meteorological data, traffic flow data, map data, etc.), and scientific data (such as gene sequences, astronomical observation data, physical experiment data, etc.). This specification does not specify the content of data elements, which can be determined according to the actual situation.

[0028] Access behavior can include operations such as querying and backing up data elements. By recording the access behavior and related information of multiple users to the same or multiple data element databases, relevant data can be obtained. Specifically, this relevant data can be one or more of the following: user attribute data, access environment data, and log records.

[0029] Typically, users with the same responsibilities should generate similar data when accessing the same data element database. For example, when handling customer complaints, different customer service personnel need to query order information, contact information, etc., based on the user's ID. This access to the user information database will generate relevant data, and the relevant data for different customer service personnel will be similar, such as including the user's ID, order information, and contact information.

[0030] In one example, data related to different access behaviors can be compared to identify abnormal access behaviors. Sensitivity assessment can be a measure of whether access behavior is routine; the assessment result is the anomaly sensitivity. For example, sensitivity assessment can be based on whether the relevant data corresponding to an access behavior deviates from the relevant data of other access behaviors; it can also be based on whether the relevant behavior includes multiple attempts to access data that is not within the scope of responsibilities. The higher the anomaly sensitivity, the greater the risk of the corresponding access behavior.

[0031] Step S12: Based on the anomaly sensitivity, classify the access behavior into patterns and determine the risk probability that the access behavior belongs to a risky operation.

[0032] Here, risk probability refers to the probability that an access behavior carries risk. Multiple access modes (also called access topics) can be preset. For example, three modes can be preset: regular operation, sensitive operation, and management operation. The risk probability is determined based on the probability that the access behavior belongs to a risky access mode. In one possible implementation, the step of classifying the access behavior into modes based on the anomaly sensitivity to determine the risk probability that the access behavior belongs to a risky operation includes: Based on a variety of preset access topics, the access behavior is classified using the anomaly sensitivity to obtain the probability that the access behavior belongs to each of the access topics. From the access topics, target access topics with risk indices exceeding a threshold are identified, and the probability that the access behavior constitutes a risky operation is determined based on the probability corresponding to the target access topics.

[0033] Specifically, a classification model can be set up, which can include the three access topics mentioned above. After inputting the anomaly sensitivity of each access behavior into the classification model, the model classifies the access behaviors and determines the probability that each behavior belongs to a particular access topic. This classification model can be a Gaussian Mixture Model (GMM). A GMM models the latent probabilities of data through a combination of multiple Gaussian distributions, and its output class probability expresses the likelihood that the relevant data of each input access behavior belongs to a certain latent access topic.

[0034] A risk index is used to indicate the magnitude of risk of access behavior under each access topic. Different access topics result in different access behaviors, and therefore different risk indices. In this embodiment of the invention, risk is assessed by experts in the relevant field when setting the relevant information for each access topic, determining the risk index for each corresponding access topic. Since the risk index for each access mode is different, the probabilities corresponding to higher-risk access topics (e.g., risk indices exceeding a threshold) can be summed to obtain the probability that the access behavior belongs to a high-risk operation. Among the three topics mentioned above, sensitive operations directly affect high-value or private data, while management operations have higher privileges. Both pose a threat to data security and stability (risk index exceeding a threshold, which is greater than 0 and less than 1, for example, it can be set to 0.7). The probabilities of the two can be summed to obtain the risk probability. Furthermore, during the summation process, higher weights can be assigned to higher-risk access modes, and lower weights can be assigned to lower-risk access modes.

[0035] Clearly, in step S12, static evaluation of individual access behaviors is achieved through pattern classification.

[0036] Step S13: Based on the anomaly sensitivity, perform anomaly detection on multiple access behaviors and determine the anomaly score of the access behaviors.

[0037] Anomaly detection (or outlier detection) refers to identifying "outliers" in data through data mining techniques.

[0038] In the dynamic access control process for data element access, a high-risk data element access is usually accompanied by abnormal behavior in all data element accesses; this abnormal behavior can be used as a high-risk category feature. Compliant access behaviors have similar anomaly sensitivity values, while non-compliant access behaviors will have different anomaly sensitivity values ​​than compliant ones. Therefore, after obtaining the anomaly sensitivity value for each access behavior, it can be used for anomaly detection.

[0039] Isolation forest and randomized deforestation forest algorithms are common anomaly detection algorithms. The isolation forest algorithm isolates access behavior samples by randomly partitioning the feature space, making it easier to isolate higher-risk access requests (or behaviors), thus obtaining higher anomaly scores. The anomaly score represents the degree to which the relevant data corresponding to that access behavior is isolated. Therefore, the isolation forest algorithm can be used to compare various access behaviors, especially when new access behaviors emerge, comparing them with historical access behaviors.

[0040] Specifically, the anomaly sensitivity values ​​corresponding to each access behavior can be used as a sensitivity set. This sensitivity set can then be input into the Isolation Forest algorithm to determine the anomaly score for each access behavior. For example, the number of trees in the Isolation Forest algorithm can be set to 100, the subsampling size to 256, and the anomaly ratio to 0.1.

[0041] After obtaining the anomaly scores, the anomaly scores can be standardized (e.g., normalization). For example, each anomaly score can be divided by the largest anomaly score. Since standardized data is easier to compare, the processed anomaly scores can better reflect the relative deviation of each access behavior from the regular access behavior.

[0042] During data element access, the scenarios are highly dynamic. Traditional access control methods suffer from excessive computational complexity in real-time data evaluation, leading to inefficient decision-making and difficulty in accurately reflecting real-time risks. However, in step S13, by grouping together anomaly sensitivity sets corresponding to multiple access behaviors and using the same anomaly detection method, the dynamic deviation between individual access behaviors (e.g., new access behaviors) and overall access behaviors (e.g., historical access behaviors) can be dynamically reflected with less computation. This allows for dynamic quantification and evaluation of current data element access behavior based on the overall risk status of data element access.

[0043] Step S14: Combine the anomaly score and risk probability of the same access behavior to obtain the risk value of the access behavior, and input the risk value into the access control model to obtain the access control policy corresponding to the access behavior.

[0044] In dynamic and ever-changing data element access scenarios, relying solely on static risks expressed by anomaly sensitivity cannot accurately quantify the dynamic risks of data element access requests. This makes it difficult to balance security and efficiency during data element access, leading to misjudgments. Therefore, pattern classification and anomaly detection can be combined for data element access control. In one possible implementation, combining the anomaly score and risk probability of the same access behavior to obtain the risk value of the access behavior includes: The risk value of the access behavior is obtained by multiplying and coupling the anomaly score and the risk probability.

[0045] Specifically, the risk value of access behavior can be calculated based on Formula 1.

[0046] B = s × Q (Formula 1) Where B is the risk value of the access behavior, s is the anomaly score of the access behavior of each data element output by the Isolation Forest algorithm, and Q is the risk probability of the access behavior. B, s, and Q are all dimensionless parameters.

[0047] Formula logic: s evaluates the degree of deviation of the current access from the overall access from the perspective of global data element access, and Q quantifies the probability that the access behavior belongs to a high-risk mode from the perspective of pattern classification. By coupling the product of the two, dynamic global anomaly control is realized in the process of data element access. When a certain access behavior for a data element deviates from the normal access characteristics and is also likely to belong to a high-risk mode, the B value will increase accordingly.

[0048] An access control model is a model based on risk values ​​and determining the corresponding access control policies. After obtaining the risk values, they can be input into the access control model to obtain the access control policies. For low-risk access behaviors, the access control policy may allow the user to continue accessing the site; for high-risk access behaviors, the access control policy may stop the user from continuing accessing the site; for medium-risk access behaviors, the access control policy may restrict the user's access to sensitive information, and further access control policies may be determined based on the user's subsequent access behavior.

[0049] In the embodiments of this specification, while performing pattern classification based on anomaly sensitivity, anomaly detection is also performed based on anomaly sensitivity. The obtained anomaly score is combined with the risk probability to obtain a risk value, and then an access control policy is determined based on the risk value. This process provides a new data element access control method. The anomaly detection is performed across multiple access behaviors, achieving a global and dynamic evaluation of access behaviors. This avoids the harm caused by access behaviors with global risks and improves the accuracy of access control policies. Meanwhile, the pattern classification is a static evaluation of a single access behavior. Combining static and dynamic evaluation can reduce erroneous judgments caused by the randomness of anomaly detection, further improving the rationality of access control policies and achieving precise control over data element access.

[0050] As mentioned above, the relevant data may include various types such as user attribute data, access environment data, and log records. Different types of relevant data may be processed differently. In one possible implementation, when the relevant data includes user data, the sensitivity assessment of the access behavior based on the differences between the relevant data of different access behaviors to obtain the abnormal sensitivity of the access behavior includes: By concatenating user data for the same access behavior, an access feature vector is obtained. Based on the access feature vector, the access behavior is clustered to obtain multiple clusters representing access behavior patterns; The anomaly sensitivity of the access behavior is determined based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs.

[0051] User data refers to data generated by users' access to data elements. User data may include user attribute data, resource attribute data of data elements, and environmental attribute data at the time of access to data elements.

[0052] Specifically, user attribute data can include user identification and department information, which can be extracted from the identity authentication and access control system; resource attribute data can include the data type, data element identifier, and sensitivity level of the data elements accessed by the user, which can be obtained from the data resource management system; and environmental attributes can include access data, source IP address, and location information when the user accesses data elements, which can be obtained from the operating environment monitoring platform.

[0053] After collecting user data, one-hot encoding can be used to convert non-numerical attributes into numerical values. Min-Max normalization then scales each attribute value to a uniform numerical range to eliminate the influence of unit dimensions. It's important to note that min-Max normalization uses a sliding window to count historical extreme values. New data exceeding the [minimum, maximum] range can be truncated to force it to fall within the [0, 1] interval. Furthermore, user data corresponding to the same access behavior can be concatenated to obtain the access feature vector for each user's data element access. One access behavior corresponds to one access feature vector.

[0054] After obtaining the access feature vectors for each access behavior, a clustering algorithm can be used to cluster the access behaviors based on these feature vectors. In one example, this clustering algorithm can be the K-means clustering algorithm. Specifically, the access feature vectors can be used as input to the K-means clustering algorithm, and the number of clusters can be preset (e.g., 5). It is necessary to ensure that the resulting clusters can contain the common access behavior patterns of the data. The K-means clustering algorithm will output all clusters.

[0055] The clustering algorithm described above, by partitioning the feature space of the input samples, can obtain different cluster centers and clusters, enabling the selection of representative access behaviors for analysis. Specifically, based on the clustering results, the Euclidean distance (a measure of the set distance between two points in space) from each access feature vector to the access behavior and its cluster center can be calculated. This Euclidean distance expresses the degree of deviation between each access behavior and typical access patterns; the larger the value, the more unusual the access behavior. Therefore, the anomaly sensitivity can be determined using this Euclidean distance. In one example, after obtaining the Euclidean distances corresponding to each access behavior, these distances can be normalized.

[0056] In the above process, the degree of deviation between access behavior and classic access patterns is measured by Euclidean distance in the clustering algorithm, realizing the measurement of anomaly sensitivity based on user data. Since user data reflects the attribute characteristics of users and the behavioral characteristics of users' access behavior, this method improves the accuracy of anomaly sensitivity.

[0057] Since access assessment based solely on user data is rather simplistic, other data related to access behavior can be combined with user data to enrich the content implied by anomaly sensitivity. In one possible implementation, when the related data includes log records, determining the anomaly sensitivity of the access behavior based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs includes: The log records are segmented into words to obtain multiple words, and the weight of each word is determined based on its frequency of occurrence in the log records. The weights of the words in the same log record are concatenated to obtain a weight vector, and the weight vectors of the access behaviors are concatenated to obtain a weight matrix. Based on a preset set of multiple access topics, including sensitive topics, the access behavior is classified using the weight matrix to obtain the probability that the access behavior belongs to each of the access topics. The abnormal sensitivity of the access behavior is determined based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance.

[0058] Log records are automatically generated by the system managing the data feature database when access activities occur within the database. Typically, log records are stored in text format. Therefore, Natural Language Processing (NLP) and other techniques can be used to process these log records.

[0059] After obtaining the log records, unstructured text fields in the access log records (including but not limited to the request body content of API calls (such as JSON text), SQL query statements, user operation notes, system error messages, etc.) can be segmented to obtain multiple words. To facilitate data processing, a vocabulary can be created for each access behavior. To effectively suppress noise words and rare words, a minimum word frequency threshold (such as 2) can be set so that words below this threshold are not included in the vocabulary, thereby controlling the growth of the vocabulary.

[0060] Furthermore, the weight of each word in the vocabulary can be determined by its frequency (number of occurrences) in the log records (this weight can be the word frequency divided by the total number of words). Concatenating the weights of all words in the vocabulary yields a weight vector. Concatenating the weight vectors corresponding to each access behavior yields a weight matrix. In the weight matrix, each row represents a log record corresponding to an access behavior, each column represents a term appearing in the log record, and each element represents the frequency of that term in that log record. It should be understood that the weight matrix can be updated based on the above method when new access requests arrive.

[0061] Thus, the weight matrix for the data element access process has been obtained. This weight matrix can be used as input to a Latent Dirichlet Allocation (LDA) topic model. In this model, the number of access topics can be set to three (corresponding to regular data element access (i.e., routine operations), sensitive data element access (i.e., sensitive operations), and data element access management (i.e., management operations)). The topic model ultimately outputs the probability of each data element access on each topic. Clearly, the LDA topic model achieves the analysis of the semantic probability of input samples belonging to different topics.

[0062] Since the probability output by the topic model reflects the operational intention of the access behavior at the semantic level, for example, if the probability of the access behavior being close to the access of sensitive data elements is higher, it means that the current data element access has a more sensitive problem, such as the sensitive risk of data leakage. Therefore, the abnormal sensitivity can be determined based on the probability that the access behavior belongs to a sensitive topic (which may be a topic that includes access to sensitive data elements).

[0063] After obtaining the probability that the access behavior belongs to a sensitive topic and the Euclidean distance between the access behavior and the cluster center of its respective cluster, the two can be combined to determine the abnormal sensitivity. In one possible implementation, determining the abnormal sensitivity of the access behavior based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance includes: In one embodiment of the present invention, the probability that the access behavior belongs to the sensitive topic and the Euclidean distance are product-coupled to obtain the abnormal sensitivity; In other embodiments of the present invention, the probability that the access behavior belongs to the sensitive topic and the Euclidean distance are weighted and summed based on a preset weight coefficient to obtain the abnormal sensitivity.

[0064] Specifically, the abnormal sensitivity can be obtained by coupling the product of the probability that the access behavior belongs to the sensitive topic and the Euclidean distance based on Formula 2.

[0065] A = L × P m (Formula 2) Where A is the anomaly sensitivity, L is the Euclidean distance between the normalized access behavior and the cluster center of its respective cluster, and P... m The probability that the access behavior belongs to a sensitive topic. A, L, and P m All are dimensionless scalars.

[0066] Formula Logic: In dynamic scenarios of data element access, if a high-risk data element access behavior occurs, this behavior will be significantly different from other access behaviors, and its operational intent will be more inclined towards sensitive data access types. Formula 2 quantifies the degree of deviation between each data element access and other data element accesses using L, and combines it with P... m It expresses the semantic sensitivity between access to each data element and access to other data elements. Through the product coupling of the two, it obtains the abnormal sensitivity for risk assessment of access behavior.

[0067] In addition to using the product-coupled probability of an access behavior belonging to a sensitive topic and the Euclidean distance between the access behavior and its cluster, a weighted summation can be used to combine the two. In one example, Equation 3 can be used to determine the anomaly sensitivity.

[0068] A = ω1 × L + ω2 × P m (Formula 3) Where L is the normalized Euclidean distance between the access behavior and its cluster, and P m Let ω1 and ω2 be the weighting coefficients, representing the probability that an access behavior belongs to a sensitive topic, where ω1 + ω2 = 1, and 0 ≤ ω1 ≤ 1, 0 ≤ ω2 ≤ 1. Using ω1 and ω2, we can control the access behavior (L) and access behavior (P). m The weighted summation yields the abnormal sensitivity for risk assessment of access behavior. A, L, P m ω1 and ω2 are both dimensionless scalars. Preferably, ω1 = ω2 = 0.5.

[0069] In the above embodiments, the probability of an access behavior belonging to a sensitive topic and the Euclidean distance between the access behavior and its cluster are coupled to determine the risk probability of the access behavior. This reduces the erroneous judgment caused by chance, improves the rationality and effectiveness of abnormal sensitivity, and avoids misjudgment caused by the simplicity of the access control process.

[0070] To achieve dynamic access decisions under data element access control, reinforcement learning-based data element access control optimization can be introduced. This involves using the risk value of access behavior as input to drive the access control model, allowing the model to learn the relationship between access control policies and risk values, thereby optimizing the access control policies. This achieves a balance between security and efficiency in dynamic data element access scenarios.

[0071] The access control model can be a reinforcement learning model, where the reward (also called the incentive value) serves as a guiding signal for the agent's interaction with the environment. In one possible implementation, the training process of the access control model includes: Multiple sample access behaviors are obtained, and each sample access behavior has a risk value, access control policy, and security assessment result; The risk value of the sample access behavior is input into the reward function to obtain the reward value of the sample access behavior. The reward function determines the reward value based on the consistency between the access control policy and the security assessment results of the sample access behavior. The access control model is trained using the reward value, risk value, and access control policy of the sample access behavior to obtain the trained access control model.

[0072] During the training of the access control model, a reward function can be used to introduce reward values. Specifically, after acquiring sample access behaviors, the risk value of the sample access behavior can be input into the reward function. The reward function combines the consistency between the access control policy of the sample access behavior and the security assessment results, as well as the risk value, to obtain the reward value. The access control model can then be trained using a dataset containing the reward value. The security assessment result is the risk assessment result of the sample access behavior determined based on continuous monitoring of the sample access behavior within a preset time period after the occurrence of the sample access behavior. The security assessment result may indicate whether the sample access behavior involves a security event such as data leakage.

[0073] In one example, the reward function can be defined using Formula 4.

[0074] R = Action × (1 - B) + Audit (Formula 4) Where R is the reward value obtained by the access control policy corresponding to the access behavior; Action represents the action corresponding to the access control policy; B represents the risk value; and Audit is the delayed reward.

[0075] Specifically, for Action, when the access control policy is to allow access, the value of Action is 1; when the access control policy is to deny access, the value of Action is 0.

[0076] For B, B∈(0,1), the larger the value of B, the higher the risk of the current access request.

[0077] For Audit, the system continuously monitors relevant data operation logs, system alerts, and results of abnormal behavior detection after an access occurs. When the access control policy allows access, if no security incidents such as data leakage related to the access behavior are found within the set observation period, it is determined that the access control policy is correct, and at this time Audit = 1; if actual risks or violations caused by this access behavior are detected, it is determined that the original access control policy is incorrect, and at this time Audit = -1; if there is insufficient evidence during the observation period or the audit is not triggered, Audit is set to the neutral value, Audit = 0.

[0078] In the above embodiment, by using the data of the sample access behavior including the reward value to train the access control model, the access control model can reach the training goal smoothly and quickly and output a better access control policy.

[0079] The exploration factor in the reinforcement learning model is usually fixed or simply decaying, which will make the access control model belonging to the reinforcement learning model lack the adaptability to the access behavior of data elements in a dynamic scenario, and this will cause the algorithm to fall into a local optimal solution during the learning process. In a possible implementation manner, the training of the access control model using the reward value, risk value, and access control policy of the sample access behavior to obtain the trained access control model includes: The exploration rate is one of the basic elements of the reinforcement learning model and can be used to adjust the exploration direction during model iteration. During the training iteration process of the reinforcement learning model, when the exploration rate is not adjusted, generally the action that maximizes the iteration value is selected. After the exploration rate is adjusted, the iteration direction of the model can be restricted or adjusted. It should be noted that the access control model is the reinforcement learning model, and the exploration factor in the access control model is the exploration rate in the reinforcement learning model.

[0080] After training the access control model using the reward value, risk value, and access control policy of the k-th sample access behavior, the exploration factor in the access control model is adjusted based on the risk value of the k-th sample access behavior so that the exploration factor is inversely proportional to the risk value, where k ∈ N, k > 0 and k < N, and N is the number of sample access behaviors; Use the reward value, risk value, and access control policy of the (k + 1)-th sample access behavior to train the access control model whose exploration factor is adjusted based on the risk value of the k-th sample access behavior to obtain the trained access control model.

[0081] Specifically, the exploration factor in the access control model can be adjusted using the risk value of the previous sample access behavior (the kth one). This adjustment makes the exploration factor inversely proportional to the risk value. In other words, in the dynamic scenario of data element access, when data elements face high dynamic risk (i.e., when the risk value is large) when they are accessed, the access control model should reduce the exploration of unknown strategies and use more known strategies for learning in the next training process (i.e., when training using the (k+1)th sample access behavior). Conversely, when data elements face low dynamic risk (smaller risk value) when they are accessed, the access control model can explore more unknown strategies in the next training process to improve the long-term decision performance of reinforcement learning.

[0082] In the process of making the exploration factor inversely proportional to the risk value, adjustments can be made using Formula 5 or Formula 6.

[0083] ε=ε0×(τ+e -Bnorm ) (Formula 5) Wherein, ε0 is the initial exploration factor, with a value ranging from 0.1 to 0.5 (preferably, ε0 ​​is 0.3); B norm B represents the risk value after normalization using the minimum-maximum method; τ is a preset adjustment factor, ranging from 0.2 to 0.5. To ensure the range of the adjusted exploration factor and prevent safety risks caused by excessively high or low values ​​of the adjusted exploration factor, the preferred value of τ is 0.4; e is the natural constant; ε is the adjusted exploration factor, ranging from 0 to 1. B, τ, and ε are all dimensionless parameters.

[0084] Formula logic: When the value of B is large, e -Bnorm Approaching e -1 At this point, the exploration factor ε converges to the minimum level, thus suppressing unnecessary exploration by the access control model. Conversely, when the value of B is small, e -Bnorm When the value approaches 1, the exploration factor is appropriately increased to encourage the access control model to explore unknown strategies.

[0085] ε=ε0 / (1+τ×B norm ) (Formula 6) Wherein, ε0 is the initial exploration factor, with a value ranging from 0.1 to 0.5 (preferably, ε0 ​​is 0.3); B norm B represents the risk value after normalization using the minimum-maximum method; τ is a preset adjustment factor, ranging from 0.2 to 0.5. To ensure the range of the adjusted exploration factor and prevent safety risks caused by excessively high or low values ​​of the adjusted exploration factor, the preferred value of τ is 0.4; ε is the adjusted exploration factor, ranging from 0 to 1. B, τ, and ε are all dimensionless parameters.

[0086] Formula logic: When the B value is large, the exploration factor converges to the lowest level, thereby inhibiting the access control model from making unnecessary explorations and reducing the probability of false positives. Conversely, when the B value is small, the exploration factor is appropriately increased, thereby encouraging the access control model to explore unknown strategies, increasing the probability of discovering vulnerabilities, and thus ensuring secure access to data elements.

[0087] Comparing Formula 5 and Formula 6, it can be found that Formula 6 uses a linear negative correlation to adjust ε, which is more moderate in high-risk situations of data element access and is more suitable for situations with high stability requirements.

[0088] In the above embodiments, by adjusting the exploration factor after each data element access, the exploration factor becomes an adaptive parameter. This enables the access control model to adaptively adjust the exploration intensity according to the dynamic level of the data element access environment, matching the dynamic process of data element access, thereby improving the learning efficiency of the access control model while ensuring the security of data element access.

[0089] After the access control model has been trained and inference has been performed, data related to the inferred access behavior can be observed within the aforementioned observation period. Based on the degree of matching between the output access control policy and the relevant data, the access control model can be updated online to form a complete data element access control system.

[0090] Figure 2 A block diagram of a data element access control device according to an embodiment of the present disclosure is shown. The data element access control device may be a terminal device, a server, or other processing device. The terminal device may be a user equipment (UE), mobile device, user terminal, terminal, cellular phone, cordless phone, personal digital assistant (PDA), handheld device, computing device, in-vehicle device, wearable device, etc.

[0091] In some possible implementations, the data element access control device can be implemented by a processor calling computer-readable instructions stored in memory.

[0092] like Figure 2 As shown, the data element access control device 20 may include: Sensitivity module 21 is used to receive multiple related data for multiple access behaviors of data elements, and to perform sensitivity evaluation on the access behaviors based on the differences between the related data of different access behaviors to obtain the abnormal sensitivity of the access behaviors. The risk probability module 22 is used to classify the access behavior into patterns based on the anomaly sensitivity and determine the risk probability that the access behavior belongs to a risky operation. The anomaly score module 23 is used to perform anomaly detection on multiple access behaviors based on the anomaly sensitivity, and determine the anomaly score of the access behavior. The control strategy module 24 is used to combine the anomaly score and risk probability of the same access behavior to obtain the risk value of the access behavior, and input the risk value into the access control model to obtain the access control strategy corresponding to the access behavior.

[0093] The present invention also provides a data element access control system, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program stored in the memory to implement the steps of the aforementioned data element access control method.

[0094] This invention is now complete.

[0095] In summary, the embodiments of this specification, while classifying patterns based on anomaly sensitivity, also perform anomaly detection based on anomaly sensitivity, and combine the obtained anomaly score with the risk probability to obtain a risk value, and then determine the access control policy based on the risk value. This process provides a new data element access control method. The anomaly detection is performed across multiple access behaviors, achieving a global and dynamic evaluation of access behaviors. This avoids the harm caused by access behaviors with global risks and improves the accuracy of access control policies. Meanwhile, the pattern classification is a static evaluation of a single access behavior. Combining static and dynamic evaluation can reduce erroneous judgments caused by the randomness of anomaly detection, further improving the rationality of access control policies and achieving precise control over data element access.

[0096] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A data element access control method, characterized by, The method includes: Receive multiple related data for multiple access behaviors of data elements, and perform sensitivity assessment on the access behaviors based on the differences between the related data of different access behaviors to obtain the abnormal sensitivity of the access behaviors; Based on the aforementioned anomaly sensitivity, the access behavior is classified into patterns to determine the risk probability that the access behavior belongs to a risky operation. Based on the aforementioned anomaly sensitivity, anomaly detection is performed on multiple access behaviors to determine the anomaly score of each access behavior. The anomaly score and risk probability of the same access behavior are combined to obtain the risk value of the access behavior, and the risk value is input into the access control model to obtain the access control policy corresponding to the access behavior.

2. The data element access control method of claim 1, wherein, When the relevant data includes user data, the sensitivity assessment of the access behavior based on the differences between the relevant data of different access behaviors, to obtain the abnormal sensitivity of the access behavior, includes: By concatenating user data for the same access behavior, an access feature vector is obtained. Based on the access feature vector, the access behavior is clustered to obtain multiple clusters representing access behavior patterns; The anomaly sensitivity of the access behavior is determined based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs.

3. The data element access control method of claim 2, wherein, When the relevant data includes log records, determining the anomaly sensitivity of the access behavior based on the Euclidean distance between the access behavior and the cluster center of the cluster to which the access behavior belongs includes: The log records are segmented into words to obtain multiple words, and the weight of each word is determined based on its frequency of occurrence in the log records. The weights of the words in the same log record are concatenated to obtain a weight vector, and the weight vectors of the access behaviors are concatenated to obtain a weight matrix. Based on a preset set of multiple access topics, including sensitive topics, the access behavior is classified using the weight matrix to obtain the probability that the access behavior belongs to each of the access topics. The abnormal sensitivity of the access behavior is determined based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance.

4. The data element access control method according to claim 3, characterized in that, The step of determining the abnormal sensitivity of the access behavior based on the probability that the access behavior belongs to the sensitive topic and the Euclidean distance includes: Based on preset weighting coefficients, the probability that the access behavior belongs to the sensitive topic and the Euclidean distance are weighted and summed to obtain the abnormal sensitivity.

5. The data element access control method according to claim 1, characterized in that, The step of classifying the access behavior based on the anomaly sensitivity to determine the risk probability that the access behavior belongs to a risky operation includes: Based on a variety of preset access topics, the access behavior is classified using the anomaly sensitivity to obtain the probability that the access behavior belongs to each of the access topics. From the access subjects, determine the target access subjects whose risk indices exceed the threshold, and determine the risk probability that the access behavior belongs to a risk operation according to the probability corresponding to the target access subject. The risk index is used to indicate the risk level of access behaviors under different access subjects.

6. The data element access control method according to claim 1, characterized in that, Combining the anomaly score and the risk probability of the same access behavior to obtain the risk value of the access behavior includes: Performing product coupling on the anomaly score and the risk probability to obtain the risk value of the access behavior.

7. The data element access control method according to claim 1, characterized in that, The training process of the access control model includes: Obtain multiple sample access behaviors, each of which has a risk value, an access control policy, and a security evaluation result; Input the risk value of the sample access behavior into the reward function to obtain the reward value of the sample access behavior. The reward function determines the reward value based on the consistency between the access control policy and the security evaluation result of the sample access behavior; Use the reward value, risk value, and access control policy of the sample access behavior to train the access control model to obtain the trained access control model.

8. The data element access control method according to claim 7, characterized in that, The using the reward value, risk value, and access control policy of the sample access behavior to train the access control model to obtain the trained access control model includes: After training the access control model with the reward value, risk value, and access control policy of the k-th sample access behavior, adjust the exploration factor in the access control model based on the risk value of the k-th sample access behavior, so that the exploration factor is inversely proportional to the risk value, where k ∈ N, k > 0 and k < N, and N is the number of sample access behaviors; Train the access control model adjusted by the exploration factor based on the risk value of the k-th sample access behavior with the reward value, risk value, and access control policy of the (k + 1)-th sample access behavior to obtain the trained access control model.

9. A data element access control device, characterized in that, The device includes: A sensitivity module, configured to receive various relevant data of multiple access behaviors for data elements, and perform sensitivity evaluation on the access behaviors based on the differences between the relevant data of different access behaviors to obtain the anomaly sensitivity of the access behaviors; A risk probability module, configured to perform pattern classification on the access behaviors based on the anomaly sensitivity to determine the risk probability that the access behavior belongs to a risk operation; An anomaly score module, configured to perform anomaly detection on multiple access behaviors based on the anomaly sensitivity to determine the anomaly score of the access behavior; A control policy module, configured to combine the anomaly score and the risk probability of the same access behavior to obtain the risk value of the access behavior, and input the risk value into the access control model to obtain the access control policy corresponding to the access behavior.

10. A data element access control system, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the computer program is executed by a processor, it implements the steps of the data element access control method according to any one of claims 1-8.