CN-122020629-A - Self-adaptive data security and authority management method for business process
Abstract
The invention discloses a business process-oriented self-adaptive data security and authority management method, and particularly relates to the technical field of data security and authority management. Secondly, collaborative behavior paths around sensitive data are generated within a sliding time window, a risk score is calculated by combining path frequency, topological structure and cross-organization, cross-role characteristics, and high-risk collaborative behavior paths are identified. Then, multi-granularity candidate authority intervention measures are generated for the high-risk paths, risk benefits and business impact are comprehensively evaluated, and main body level, session level, resource level and path level authority adjustment strategies are automatically generated, issued and executed. Finally, the trust states and feature weights are dynamically updated based on the policy execution results and audit feedback, achieving continuous, accurate interception of abnormal collaborative behavior while minimizing business impact.
Inventors
- ZHANG ZHIWEN
- LU WEN
Assignees
- 因正信息(上海)有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260202
Claims (10)
- 1. A self-adaptive data security and authority management method for a business process, characterized by comprising the following steps: Step one, modeling a target business process, determining process nodes, access subjects and data resources, and collecting node, subject, environment and data attributes when an access occurs to generate an access event record; Step two, taking the access subjects as nodes and delegation, data interaction or cooperative operation among the subjects as edges, setting a trust state that is updated along with access events, and constructing a dynamic trust chain network; Step three, constructing collaborative behavior paths around sensitive data in the dynamic trust chain network, analyzing path frequency, path topology and cross-organization, cross-role combinations using a preset collaborative malicious behavior identification rule, and identifying a high-risk collaborative behavior path; Step four, generating candidate authority intervention measures for the high-risk collaborative behavior path, the candidate authority intervention measures at least comprising authority tightening, adding identity verification or approval links, and limiting access frequency or access range, determining an authority adjustment strategy through an authority adjustment algorithm based on a comprehensive evaluation of risk benefits and business impact, and issuing the authority adjustment strategy to an authority control point for execution; Step five, collecting the execution result of the authority adjustment strategy and subsequent access behaviors, updating, based on the collected result, the trust state of the collaboration edges related to the high-risk collaborative behavior path in the dynamic trust chain network, and updating the feature weights used for identifying high-risk collaborative behavior paths in the collaborative malicious behavior identification rule, so that subsequent collaborative behavior identification and authority decisions on the dynamic trust chain network are executed based on the updated trust state and the updated feature weights.
- 2. The business process-oriented self-adaptive data security and authority management method according to claim 1, characterized in that in the second step the trust states comprise a high trust state, a normal state, a cautious state and a high risk state; a trust state is initialized for each collaboration edge when the dynamic trust chain network is built; when frequent abnormal access or suspicious behavior is detected in the collaborative operation corresponding to a collaboration edge, the trust state of that edge is adjusted from the high trust state or the normal state to the cautious state or the high risk state; when an audit confirms that no malicious behavior exists, the trust state of the corresponding edge is promoted from the cautious state or the high risk state to the normal state or the high trust state; and when an audit confirms that malicious behavior exists, the trust state of the corresponding edge is degraded to the high risk state and the collaborative operation corresponding to that collaboration edge is forbidden.
- 3. The method for self-adaptive data security and authority management for business processes according to claim 1, wherein the step two further comprises gradually reducing trust status of a collaboration edge where no collaboration occurs within a preset time period, and removing the collaboration edge from the dynamic trust chain network when the trust status is reduced below a preset threshold value to reflect timeliness of the collaboration relationship and control network scale.
- 4. The business process-oriented self-adaptive data security and authority management method according to claim 1, wherein in the third step, a sliding time window is adopted to process the access event, and in each time window, the access event related to the target sensitive data is screened from the access event record; And sharing the updated result of the dynamic trust chain network between adjacent time windows to ensure that the path construction process is consistent with the updating of the trust state.
- 5. The business process oriented adaptive data security and rights management method according to claim 1, wherein the analysis of the path topology in the third step comprises identifying at least one of a multi-hop long-chain structure formed in a short time window, a closed-loop structure comprising a plurality of access bodies, and a star-shaped aggregation structure centered on the same access body.
- 6. The business process-oriented self-adaptive data security and authority management method according to claim 1, wherein the step four of comprehensively evaluating business influence of each candidate authority intervention comprises evaluating influence of each candidate authority intervention on overall processing duration, failure rate and service level of a target business process, setting business influence weights for each process node according to importance degree of the process node in the business process, and combining influence of each candidate authority intervention on different process nodes with corresponding business influence weights to determine business influence level of each candidate authority intervention.
- 7. The business process-oriented self-adaptive data security and authority management method according to claim 1, wherein the authority adjustment strategy in the fourth step comprises at least one level of authority adjustment strategies including a main body level, a session level, a resource level and a cooperative behavior path level, wherein the main body level strategy is used for adjusting the overall authority configuration of a specific access main body, the session level strategy is used for restraining access frequency, request source or authentication strength in the current access session validity period, the resource level strategy is used for setting differentiated access control requirements for data resources of a specific type or a specific sensitivity level, and the cooperative behavior path level strategy is used for partially blocking or completely blocking a cooperative behavior path determined to be a high-risk cooperative behavior path.
- 8. The business process-oriented self-adaptive data security and authority management method according to claim 1, wherein the candidate authority intervention measures in the fourth step at least comprise one or more of setting a stricter authentication mode or adding a manual approval link for an access subject in a cautious state or a high risk state, setting an access frequency upper limit for an access subject with an access frequency exceeding a threshold value within a preset time window, setting a single access data volume upper limit or a derived frequency upper limit for an access request related to a high sensitivity data resource in sensitive data, and temporarily prohibiting or forcing manual review for a collaborative operation corresponding to a collaborative edge in a high risk state.
- 9. The business process-oriented self-adaptive data security and authority management method according to claim 1, wherein in the fifth step, updating the trust state and feature weights based on the execution result of the authority adjustment strategy comprises: for a high-risk collaborative behavior path confirmed by manual verification to be a false positive, reducing the weight of the abnormal features of that collaborative behavior path in the collaborative malicious behavior recognition rule, increasing the weight of normal behavior features, and raising the trust state of the relevant collaboration edges; and for an actual security event successfully prevented during strategy execution, increasing the weight of the corresponding abnormal features in the collaborative malicious behavior recognition rule and keeping the trust state of the relevant collaboration edges in the cautious state or the high risk state, so as to enhance the interception capability for similar collaborative behavior paths.
- 10. A business process oriented adaptive data security and rights management system comprising a processor and a memory, the memory having a computer program stored therein, the processor when executing the computer program being configured to implement the steps of a business process oriented adaptive data security and rights management method of any of claims 1 to 9.
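The windowed path-topology analysis of claims 4 and 5, as an added example that is not part of the patent: Python that groups constructed access events on one sensitive resource into time windows and labels each window as a long chain, closed loop or star. The event tuples, subject names, window length and the `min_hops` and `min_peers` thresholds are assumptions; the claims give no concrete values.

```python
from collections import defaultdict

# Constructed access events: (time_s, from_subject, to_subject, resource)
EVENTS = [(10, "a", "b", "cust_db"), (60, "b", "c", "cust_db"), (95, "c", "d", "cust_db"),
          (120, "a", "b", "wiki"),  # other resource, ignored for cust_db
          (700, "e", "a", "cust_db"), (720, "e", "b", "cust_db"), (750, "e", "c", "cust_db"),
          (1300, "a", "b", "cust_db"), (1340, "b", "a", "cust_db")]

def build_adj(events, resource, start, length):
    """Directed collaboration graph on `resource` within [start, start+length)."""
    adj = defaultdict(set)
    for t, s, d, r in events:
        if r == resource and s != d and start <= t < start + length:
            adj[s].add(d)
    return dict(adj)

def longest_chain(adj):
    """Hop count of the longest simple path (plain DFS; windows are small)."""
    def dfs(node, seen):
        return max((1 + dfs(n, seen | {n})
                    for n in adj.get(node, ()) if n not in seen), default=0)
    return max((dfs(n, {n}) for n in adj), default=0)

def has_loop(adj):
    """Peel off subjects with no onward edge; a non-empty remainder means a loop."""
    live = set(adj)
    while dead := {n for n in live if not adj[n] & live}:
        live -= dead
    return bool(live)

def star_centers(adj, min_peers):
    """Subjects linked (in either direction) to at least `min_peers` others."""
    peers = defaultdict(set)
    for s, d in ((s, d) for s in adj for d in adj[s]):
        peers[s].add(d)
        peers[d].add(s)
    return {n for n, p in peers.items() if len(p) >= min_peers}

def scan(events, resource, length=300, step=300, min_hops=3, min_peers=3):
    """Label each window; step < length gives overlapping (sliding) windows."""
    out = {}
    for w in range(0, max(e[0] for e in events) + 1, step):
        adj = build_adj(events, resource, w, length)
        checks = {"long_chain": longest_chain(adj) >= min_hops,
                  "closed_loop": has_loop(adj),
                  "star": bool(star_centers(adj, min_peers))}
        out[w] = {name for name, hit in checks.items() if hit}
    return out
```

`scan(EVENTS, "cust_db")` returns one label set per window start; an empty set means no flagged structure in that window.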
Description
Self-adaptive data security and authority management method for business process
Technical Field
The invention relates to the technical field of data security and authority management, in particular to a business process-oriented self-adaptive data security and authority management method.
Background
With the continuous development of government affairs systems, financial systems, enterprise information systems and industry platforms, more and more key businesses are migrating to online environments in which multiple distributed systems collaborate, and business processing is changing from traditional single-system, single-department approval to collaborative business processes in which multiple departments, organizations and institutions participate together. In this collaborative business environment, on the one hand, the participating subjects are of many types: within the same business process there are personnel accounts, application system accounts, third-party interface accounts, robotic process automation accounts and so on, and these subjects frequently pass tasks and data among different process nodes, forming a complex network of collaborative relationships. On the other hand, the business process structure is complex and dynamic: a process generally includes conditional branches, parallel nodes, exception rollback, temporary additional signing, countersigning and so on, and the actual running path depends on factors such as data content, approval opinions and risk control results, and is therefore markedly dynamic. Meanwhile, important or sensitive data such as customer information, transaction records, approval comments, internal reports and supervision data are widely involved in the business process, and unauthorized access, abnormal export or collaborative leakage brings serious compliance and security risks.
The prior art mostly adopts a role-based access control (RBAC) model or an attribute-based access control (ABAC) model, supplemented by certain risk control strategies. It is mature at constraining authority at the granularity of a single system and a single subject, but has obvious shortcomings. The authority strategy consists of preconfigured static rules that are only weakly tied to the business process context and struggle to reflect the current node, data sensitivity and recent behavior changes in time. Risk identification usually takes a single access request as the unit of analysis and rarely models the collaborative relationships among access subjects explicitly, so collaborative malicious behavior that multiple subjects carry out in series, step by step, such as 'low authority input-middle batch modification-high authority export-peripheral forwarding', is difficult for traditional auditing and simple rules to identify and accurately block in time. When a risk is found, the usual approach of tightening an account's authority as a whole or blocking it temporarily tends to have a large impact on normal business, and a fine-grained authority strategy selection mechanism that reduces business impact while keeping risk controllable is lacking. Meanwhile, strategies and risk identification rules are difficult to get right in a single configuration, and a closed-loop optimization capability based on the actual effect of strategy execution is lacking. Therefore, there is a need in the art for a data security and rights management method that can identify multi-subject abnormal collaborative behavior and adaptively adjust rights.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention provides a business process-oriented self-adaptive data security and authority management method, which constructs a dynamic trust chain network by modeling a target business process, identifies high-risk collaborative behavior paths around sensitive data, and adaptively generates and adjusts authority control strategies based on risk benefits and business impact, so as to solve the problems described in the background.
In order to achieve the above purpose, the present invention provides the following technical solution: a business process-oriented self-adaptive data security and authority management method comprising the following steps:
Step one, modeling a target business process, determining process nodes, access subjects and data resources, and collecting node, subject, environment and data attributes when an access occurs to generate an access event record;
Step two, taking the access subjects as nodes and delegation, data interaction or cooperative operation among the subjects as edges, setting a trust state that is updated along with access events, and constructing a dynamic trust chain network;
Step three, constructing a collaborative behavior path around sensitive data in the dynamic trust chain network, analyzing p