多维度数据分级分类安全管理框架

doi:10.3969/j.issn.1671-1122.2021.10.007

信息网络安全 ›› 2021, Vol. 21 ›› Issue (10): 48-53.doi: 10.3969/j.issn.1671-1122.2021.10.007

多维度数据分级分类安全管理框架

刘红¹^,²(), 张越今³, 赵文霞⁴, 杨牧⁴

1.北京锐安科技有限公司,北京 100192
2.北京市网络空间数据分析与应用工程技术研究中心,北京 100192
3.北京联合大学智慧城市学院,北京 100101
4.北京市公安局,北京 100055

收稿日期:2021-06-15 出版日期:2021-10-10 发布日期:2021-10-14
通讯作者: 刘红 E-mail:liuhong@bjrun.com
作者简介:刘红（1982—）,女,北京,博士,主要研究方向为信息安全|张越今（1970—）,男,吉林,教授,博士,主要研究方向为网络信息安全|赵文霞（1983—）,女,山东,高级工程师,硕士,主要研究方向为数据治理|杨牧（1984—）,男,北京,硕士,主要研究方向为数据安全
基金资助:
公安部技术研究计划重点项目(2020JSYJA09)

A Security Management Framework for Data Sensitivity and Multidimensional Classification

LIU Hong¹^,²(), ZHANG Yuejin³, ZHAO Wenxia⁴, YANG Mu⁴

1. Run Technologies Co., Ltd. Beijing, Beijing 100192, China
2. Beijing Cyberspace Data Analysis and Applied Engineering Technology Research Center, Beijing 100192, China
3. Smart City College, Beijing Union University, Beijing 100101, China
4. Beijing Municipal Public Security Bureau, Beijing 100055, China

Received:2021-06-15 Online:2021-10-10 Published:2021-10-14
Contact: LIU Hong E-mail:liuhong@bjrun.com

摘要/Abstract

摘要：

针对目前数据分级分类安全管理缺乏统一标准和框架,传统的分级分类方法的表达能力有限等情况,文章提出一种利用声明式逻辑编程语言,建立多维度数据分级分类的表达和计算的系统框架,能够实现细粒度的分级分类设定、高效查询和分析。首先在表达能力和复杂度方面,除了支持传统的安全标签,还支持不面向数据记录、带参数、涉及多个数据资源相互作用关系等方式的分级分类,并给出了实例。然后基于分级分类,在同一框架下还能够进行多种数据安全分析和管理。利用纯声明式语言的特性,能够在现有系统上以较小代价实现分级分类安全管理,并允许底层计算框架和存储方式与上层分级分类逻辑的解耦,有利于进行系统优化升级,减小安全机制对系统性能的影响,促进数据分级分类安全管理落地。

关键词: 数据安全, 分级分类, 逻辑编程, 大数据

Abstract:

In view of there has been no consensus on the standard and the technical architecture of data sensitivity and classification management, and conventional tools to realize data sensitivity and classification have very limited expressive power, a framework for expressing and computing data sensitivity and multidimensional data classification was proposed. The method was based on a declarative logic programming language and was capable of defining and analyzing data sensitivity and classification with fine granularity and high efficiency. Firstly, in terms of expression ability and complexity, besides supported conventional security labels, sensitivity and classification assigned not on data records, or parameterized, or concerning multiple data resources could also be expressed and computed. Then based on sensitivity and classification, examples were given to show the expressiveness and complexity of the method. Various data security analysis and management mechanisms could be implemented on the same framework. In addition, utilizing the declarative nature of the language, realizing data security on existing systems incurs low overhead to performance and was transparented to underlying computation and storage details, which was beneficial to system migration and optimization, could reduce the impact of security mechanism on system performance, and facilitates the deployment of data sensitivity and classification-based security mechanisms.

Key words: data security, sensitivity and classification, logic programming, big data

中图分类号:

TP309

刘红, 张越今, 赵文霞, 杨牧. 多维度数据分级分类安全管理框架[J]. 信息网络安全, 2021, 21(10): 48-53.

LIU Hong, ZHANG Yuejin, ZHAO Wenxia, YANG Mu. A Security Management Framework for Data Sensitivity and Multidimensional Classification[J]. Netinfo Security, 2021, 21(10): 48-53.

图/表 1

参考文献 17

[1]	JIANG Yuze, CHEN Shiyang. Development Status and Challenge Analysis of Data Security Technology[J]. Communications World, 2021(8):17-19.
	姜宇泽, 陈诗洋. 数据安全技术发展现状及挑战解析[J]. 通信世界, 2021(8):17-19.
[2]	LIU Bosong. Research and Implementation of Security Policy Management System Based on Multi-dimensional Attribute Label[D]. Beijing: Beijing University of Posts and Telecommunications, 2017.
	刘伯松. 基于多维属性标签的安全策略管理系统研究与实现[D]. 北京:北京邮电大学, 2017.
[3]	YANG Mohan. Declarative Languages and Scalable Systems for Graph Analytics and Knowledge Discovery[D]. Los Angeles: University of California, 2017.
[4]	ANTONIOU G, BATSAKIS S, MUTHARAJU R, et al. A Survey of Large-scale Reasoning on the Web of Data[J]. The Knowledge Engineering Review, 2018(33):1-24.
[5]	DAS A, LI Youfu, WANG Jin, et al. Big Data Applications from Graph Analytics to Machine Learning by Aggregates in Recursion[EB/OL]. https://arxiv.org/abs/1909.08249v1, 2019-09-18.
[6]	AREF M, CATE B T, GREEN T J, et al. Design and Implementation of the Logic Blox System [C]//ACM. 2015 International Conference on Management of Data (SIGMOD’15), May 27-28, 2015, New York, USA. New York: ACM, 2015: 1371-1382.
[7]	MOTIK B, NENOV Y, PIRO R. Parallel Materialisation of Datalog Programs in Centralised, Main-memory RDF Systems [C]//AAAI. 28th AAAI Conference on Artificial Intelligence (AAAI’14), July 27-29, 2014, Québec, Canada. Palo Alto: AAAI, 2014: 129-137.
[8]	SHKAPSKY A, YANG M, INTERLANDI M, et al. Big Data Analytics with Datalog Queries on Spark [C]//ACM. 2016 International Conference on Management of Data (SIGMOD’16), June 26-27, 2016, San Francisco, USA. New York: ACM, 2016: 1135-1149.
[9]	SEO J, PARK J, SHIN J, et al. Distributed Socialite: A Datalog-based Language for Large-scale Graph Analysis[J]. VLDB Endowment, 2013, 6(14):1906-1917.
[10]	WANG Jingjing, BALAZINSKA M, HALPERIN D, et al. Asynchronous and Fault-tolerant Recursive Datalog Evaluation in Shared-nothing Engines[J]. VLDB Endowment, 2015, 8(12):1542-1553.
[11]	GU J, WATANABE Y, MAZZA W, et al. RaSQL: Greater Power and Performance for Big Data Analytics with Recursive-aggregate-SQL on Spark [C]//ACM. 2019 International Conference on Management of Data (SIGMOD’19), June 14-16, 2019, Amsterdam, Netherlands. New York: ACM, 2019: 467-484.
[12]	LI Ninghui. Delegation Logic: A Logic-based Approach to Distributed Authorization[D]. New York: New York University, 2000.
[13]	PASARELLA E, LOBO J. A Datalog Framework for Modeling Relationship-based Access Control Policies [C]//ACM. 22nd ACM on Symposium on Access Control Models and Technologies (SACMAT’17), June 21-22, 2017, Indianapolis, USA. New York: ACM, 2017: 91-102.
[14]	OU Xinming. A Logic-programming Approach to Network Security Analysis[D]. New Jersey: Princeton University, 2005.
[15]	ZANIOLO C, YANG M, INTERLANDI M, et al. Fixpoint Semantics and Optimization of Recursive Datalog Programs with Aggregates[J]. Theory and Practice of Logic Programming, 2017, 17(5-6):1048-1065. doi: 10.1017/S1471068417000436 URL
[16]	MEI Hongyuan, QIN Guanghui, XU Minjie, et al. Neural Datalog Through Time: Informed Temporal Modeling via Logical Specification[EB/OL]. https://arxiv.org/abs/2006.16723, 2020-06-30.
[17]	WANG Jin, WU Jiacheng, LI Mingda. et al. Formal Semantics and High Performance in Declarative Machine Learning Using Datalog[J]. The VLDB Journal, 2021, 30(12):859-881. doi: 10.1007/s00778-021-00665-6 URL

多维度数据分级分类安全管理框架

A Security Management Framework for Data Sensitivity and Multidimensional Classification

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 1

参考文献 17

相关文章 15

编辑推荐

Metrics

本文评价

[1]	杨晓琪, 白利芳, 唐刚. 基于DSMM模型的数据安全评估模型研究与设计[J]. 信息网络安全, 2021, 21(9): 90-95.
[2]	郎为民, 马卫国, 张寅, 姚晋芳. 一种支持数据所有权动态管理的数据去重方案[J]. 信息网络安全, 2020, 20(6): 1-9.
[3]	张佳程, 彭佳, 王雷. 大数据环境下的本地差分隐私图信息收集方法[J]. 信息网络安全, 2020, 20(6): 44-56.
[4]	傅智宙, 王利明, 唐鼎, 张曙光. 基于同态加密的HBase二级密文索引方法研究[J]. 信息网络安全, 2020, 20(4): 55-64.
[5]	纪兆轩, 杨秩, 孙瑜, 单亦伟. 大数据环境下SHA1的GPU高速实现[J]. 信息网络安全, 2020, 20(2): 75-82.
[6]	谢永恒, 冯宇波, 董清风, 王梅. 基于深度学习的数据接入方法研究[J]. 信息网络安全, 2019, 19(9): 36-40.
[7]	文奕, 陈兴蜀, 曾雪梅, 罗永刚. 面向安全分析的大规模网络下的DNS流量还原系统[J]. 信息网络安全, 2019, 19(5): 77-83.
[8]	吴天雄, 陈兴蜀, 罗永刚. 大数据平台下应用程序保护机制的研究与实现[J]. 信息网络安全, 2019, 19(1): 68-75.
[9]	胡荣磊, 何艳琼, 曾萍, 范晓红. 一种大数据环境下医疗隐私保护方案设计与实现[J]. 信息网络安全, 2018, 18(9): 48-54.
[10]	冯新扬, 沈建京. 一种基于Yarn云计算平台与NMF的大数据聚类算法[J]. 信息网络安全, 2018, 18(8): 43-49.
[11]	陶源, 黄涛, 张墨涵, 黎水林. 网络安全态势感知关键技术研究及发展趋势分析[J]. 信息网络安全, 2018, 18(8): 79-85.
[12]	游林, 梁家豪. 基于同态加密与生物特征的安全身份认证研究[J]. 信息网络安全, 2018, 18(4): 1-8.
[13]	鲁秀青, 咸鹤群. 云存储中基于用户授权的大数据完整性审计方案[J]. 信息网络安全, 2018, 18(4): 32-37.
[14]	赵萌, 丁勇, 王玉珏. 指定审计员的云数据安全存储方案[J]. 信息网络安全, 2018, 18(11): 66-72.
[15]	郭敏, 曾颖明, 姚金利, 达小文. 基于大数据样本的软件行为安全分析[J]. 信息网络安全, 2017, 17(9): 153-156.