JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE) ›› 2019, Vol. 54 ›› Issue (3): 1-9.doi: 10.6040/j.issn.1671-9352.2.2018.073

•   •     Next Articles

Security domain-based data isolation protection framework for Hive

Tian-tian CHANG1(),Xing-shu CHEN2,3,*(),Yong-gang LUO3,Xiao LAN3   

  1. 1. College of Software Engineering, Sichuan University, Chengdu 610065, Sichuan, China
    2. College of Cybersecurity, Sichuan University, Chengdu 610065, Sichuan, China
    3. Cybersecurity Research Institute, Sichuan University, Chengdu 610065, Sichuan, China
  • Received:2018-09-20 Online:2019-03-20 Published:2019-03-19
  • Contact: Xing-shu CHEN E-mail:ydyxftt@163.com;chenxsh@scu.edn.cn
  • Supported by:
    国家自然科学基金资助项目(61802270);国家“双创”示范基地之变革性技术国际研发转化平台资助(C700011);四川省重点研发项目资金资助(2018G20100);四川省科技支撑计划(2016GZ0038);中央高校基本科研业务费专项资金资助(2017SCU11059);中央高校基本科研业务费专项资金资助(2017SCU11065);中央高校基本科研业务费专项资金资助(SCU2016D009)

RichHTML

154

PDF (PC)

446

Abstract:

Aiming at the problem of sensitive information leakage caused by data sharing in Hive database, a data isolation and protection framework (SD-DIPF) based on security domain is proposed, which is combined with data classification and tag-based access control technology. Firstly, the tag level is divided by the hierarchy security tag tree which is used to identify the subject and object in the system. Then, the design idea of security domain (SD) is illustrated with hierarchical tags, the definition of SD and its subdomains and formal proof of security are given. Finally, the platform data is logically partitioned by security domain to ensure the effective isolation of different sensitive levels data. The applicability of SD-DIPF to Hive database is illustrated, and its implementation in Hive database is given based on the existing authentication mechanism. The experimental results show that SD-DIPF can protect sensitive data from being illegally accessed, which proves the feasibility and security of the framework.

Key words: Hive, data classification, security domain, access control

CLC Number: 

  • TP309.2

Fig.1

Hierarchical security label tree"

Fig.2

Classification of safety sub-tags"

Fig.3

Security domain mode"

Fig.4

Level diagram of different subdomains in security domain"

Fig.5

Secure access control flow of framework"

Fig.6

Hive-based prototype system implementation model"

Table 1

Security domain and label definition"

安全域 级别 安全子域 标签
Tech 0 Tech.0 tagTech.0
Tech 1 Tech.1 tagTech.1
Tech 2 Tech.2 tagTech.2
Tech 3 Tech.3 tagTech.3
Tech 4 Tech.4 tagTech.4
Mark 0 Mark.0 tagMark.0
Mark 1 Mark.1 tagMark.1
Mark 2 Mark.2 tagMark.2
Mark 3 Mark.3 tagMark.3
Mark 4 Mark.4 tagMark.4

Table 2

Table structure for binding tags"

字段名称 字段类型 字段说明 安全子域 绑定标签
id String 人员编号 Tech.4/Mark.4 tagTech.4/tagMark.4
name String 姓名 Tech.4/Mark.4 tagTech.4/tagMark.4
group-name String 组名 Tech.4/Mark.4 tagTech.4/tagMark.4
sex String 性别 Tech.4/Mark.4 tagTech.4/tagMark.4
age String 年龄 Tech.2Mark.2 tagTech.4/tagMark.4
race String 种族 Tech.1/Mark.1 tagTech.1/tagMark.1
educational background String 教育背景 Tech.2/Mark.2 tagTech.2/tagMark.2
profession String 职业 Tech.3/Mark.3 tagTech.3/tagMark.3
income String 收入 Tech.0/Mark.0 tagTech.0/tagMark.0

Fig.7

Safety analysis experiment results"

Table 3

The read test comparison experiment results of Hive native permission system and security domain access control model"

记录条数 N-S/ms SD-DIPF/ms
10万 1.407 1.931
20万 3.218 3.535
30万 4.582 5.515
40万 5.743 6.338
50万 6.913 7.964
60万 8.275 10.325
70万 10.193 12.333
80万 11.574 13.296
90万 13.833 15.584
100万 14.641 17.926
1 THURAISINGHAM B. Big data security and privacy[C]//Proceedings of the 5th ACM Conference on Data and Application Security and Privacy. San Antonio: ACM, 2015: 279-280.
2 FLESCA S , GRECO S , MASCIARI E , et al. A comprehensive guide through the italian database research over the last 25 years[M]. Switzerland: Springer, 2018.
3 冯登国, 张敏, 李昊. 大数据安全与隐私保护[J]. 计算机学报, 2014, 37 (1): 246- 258.
FENG Dengguo , ZHANG Min , LI Hao . Big data security and privacy protection[J]. Chinese Journal of Computers, 2014, 37 (1): 246- 258.
4 MORENO J, SERRANO M A, FERNÁNDEZ-MEDINA E, et al. Towards a security reference architecture for big data[C]//Proceedings of the 20th International Workshop on Design, Optimization, Languages and Analytical Processing of Big Data co-located with 10th EDBT/ICDT Joint Conference (EDBT/ICDT 2018). Vienna: CEUR Workshop, 2018.
5 SHAW S , VERMEULEN A F , GUPTA A , et al. Practical Hive: a guide to hadoop's data warehouse system[M]. New York: Apress, 2016: 11- 21.
6 THUSOO A, SARMA J S, JAIN N, et al. An attribute-based access control model for secure big data processing in Hadoop ecosystem[C]//Proceedings of the Third ACM Workshop on Attribute-Based Access Control. New York: ACM, 2018: 13-24.
7 杨腾飞, 申培松, 田雪, 等. 对象云存储中分类分级数据的访问控制方法[J]. 软件学报, 2017, 28 (9): 2334- 2353.
YANG Tengfei , SHEN Peisong , TIAN Xue , et al. Access control mechanism for classified and graded object storage in cloud computing[J]. Journal of Software, 2017, 28 (9): 2334- 2353.
8 ZHANG H B, WANG J S, CHANG J. A multi-level security access control framework for cross-domain networks[C]//2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC). New York: IEEE, 2017: 316-319.
9 ROY K , BHOWMICK A . A Proposed mechanism for cross-domain authorization in grid computing environment[J]. International Journal of Emerging Technology and Advanced Engineering, 2012, 2 (4): 163- 166.
10 熊雄, 王福喜, 左海洋. 面向多级多域信息系统的访问控制方法研究[J]. 计算机工程与设计, 2011, 32 (11): 3613- 3617.
XIONG Xiong , WANG Fuxi , ZUO Haiyang . Research of access control method on multi-level & multi-domain information system[J]. Computer Engineering and Design, 2011, 32 (11): 3613- 3617.
11 沈晴霓, 杨雅辉, 禹熹, 等. 一种面向多租户云存储平台的访问控制策略[J]. 小型微型计算机系统, 2011, 32 (11): 2223- 2229.
SHEN Qingni , YANG Yahui , YU Xi , et al. An access control policy for multi-tenancy cloud storage platform[J]. Journal of Chinese Computer Systems, 2011, 32 (11): 2223- 2229.
12 BISWAS P, SANDHU R, KRISHNAN R. Label-based access control: an ABAC model with enumerated authorization policy[C]//Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control. New York: ACM, 2016: 1-12.
13 LANGSTON M E . Materials in an Atlas-Agena shroud[J]. Metal Progress, 1967, 91 (2): 125- 128.
14 SANDHU R S . Lattice-based access control models[J]. Computer, 1993, 26 (11): 9- 19.
doi: 10.1109/2.241422
15 KUHN D R , COYNE E J , WEIL T R . Adding attributes to role-based access control[J]. Computer, 2010, 43 (6): 79- 81.
doi: 10.1109/MC.2010.155
16 NEUMAN B C , TS'O T . Kerberos: an authentication service for computer networks[J]. IEEE Communications Magazine, 1994, 32 (9): 33- 38.
doi: 10.1109/35.312841
[1] LI Yu-xi, WANG Kai-xuan, LIN Mu-qing, ZHOU Fu-cai. A P2P network privacy protection system based on anonymous broadcast encryption scheme [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(9): 84-91.
[2] TANG Qian, YANG Fei, HUANG Qi, LIN Guo-yuan. Security transfer model of access control information based on TCB subsets [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(7): 98-106.
[3] CAI Hong-yun, MA Xiao-xue. Access control based on relationship strength for online social network [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(7): 90-97.
[4] ZHAO Bin, HE Jing-sha, ZHANG Yi-xuan. The method of determining decision attribute weight based on information entropy and membership [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(3): 86-90.
[5] FENG Guo-he, WANG Dan-di, LI Mei-chan. Text topic mining of archives research based on SVD [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(1): 95-100.
[6] LÜ Meng, LIU Zhe, LIU Jian-wei. A trusted inter-domain access control scheme for enterprise WLAN [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(11): 82-88.
[7] DU Xi-hua, SHI Xiao-qin, FENG Chang-jun, LI Liang. rediction of chromatograph retention index by artificial neural  network by #br# study on volatile constituents of wild chinese chives [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(1): 50-53.
[8] ZOU De-qing, YANG Kai, ZHANG Xiao-xu, YUAN Bo-yang, FENG Ming-lu. Protection mechanism research of access control system in virtual domain [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(09): 135-141.
[9] YANG Xiao-hui, WANG Hong, JIANG Li-jun, CHANG Si-yuan. A cross-domain access control model of Web service based on trust measurement [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(09): 115-122.
[10] GAO Feng1, HE Jing-sha2. A  privacy protection method based on a trust and information flow model [J]. J4, 2011, 46(5): 39-43.
[11] CHEN Qin,FENG Jian-hua . Design and accomplishment of enterprise multimedia databases [J]. J4, 2007, 42(9): 46-50 .
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
[1] YANG Yong-wei1, 2, HE Peng-fei2, LI Yi-jun2,3. On strict filters of BL-algebras#br#[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 63 -67 .
[2] ZHAO Tong-xin1, LIU Lin-de1*, ZHANG Li1, PAN Cheng-chen2, JIA Xing-jun1. Pollinators and pollen polymorphism of  Wisteria sinensis (Sims) Sweet[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 1 -5 .
[3] GUO Lan-lan1,2, GENG Jie1, SHI Shuo1,3, YUAN Fei1, LEI Li1, DU Guang-sheng1*. Computing research of the water hammer pressure in the process of #br# the variable speed closure of valve based on UDF method[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 27 -30 .
[4] LI Min1,2, LI Qi-qiang1. Observer-based sliding mode control of uncertain singular time-delay systems#br#[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(03): 37 -42 .
[5] HAN Ya-fei, YI Wen-hui, WANG Wen-bo, WANG Yan-ping, WANG Hua-tian*. Soil bacteria diversity in continuous cropping poplar plantation#br# by high throughput sequencing[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(05): 1 -6 .
[6] WANG Kai-rong, GAO Pei-ting. Two mixed conjugate gradient methods based on DY[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(6): 16 -23 .
[7] MA Yuan-yuan, MENG Hui-li, XU Jiu-cheng, ZHU Ma. Normal distribution of lattice close-degree based on granular computing[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2014, 49(08): 107 -110 .
[8] XU Jun-feng. On the growth of the meromorphic solutions of complex algebraic differential equations[J]. J4, 2010, 45(6): 91 -93 .
[9] PEI Sheng-yu,ZHOU Yong-quan. A mult-objective particle swarm optimization algorithm based on  the  chaotic mutation[J]. J4, 2010, 45(7): 18 -23 .
[10] DU Ji-xiang1,2, YU Qing1, ZHAI Chuan-ming1. Age estimation of facial images based on non-negative matrix factorization with sparseness constraints[J]. J4, 2010, 45(7): 65 -69 .
Copyright 2018 © Editorial office of JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE)
Supported by Beijing Magtech Co.Ltd