| In the era of big data,massive data is shared among different organizations.Users must verify the credibility of data before using them to make key decisions.Data provenance,a kind of metadata which explains data,can be used to verify the authenticity of data,trace data history,deduce data processing,and so on.However,there may be some sensitive information in the provenance,so sensitive information must be sanitized when they are being exchanged or shared.Provenance sanitization is a new technology to modify the provenance graph and realize the safe provenance graph.The existing provenance sanitization research mainly focuses on the basic provenance sanitization mechanism and application.However,there are lack of the standardized security threat model,the scientific security evaluation model and the ability to solve security evaluation for complex sanitization operation.In order to solve the above problems,this paper constructs an provenance security threat model for multi-threat,provenance security evaluation model,and a security evaluation method based on cascade reasoning.Firstly,a provenance security threat model for multi-threat is constructed to fix the problem that the existing provenance security threat model does not fully consider the attack methods.The threat model laid a foundation for constructing the provenance security evaluation model.To construct the model,we first improved the inference rules and reasoning methods of the priori sub-graph security threat model in existing research.Then,according to the threat of provenance release,a security threat model based on input(I)-processing(P)-output(O)inference rules is proposed.The model defined the attacker's inference rules and the reasoning methods.We finally combined the above two security threat models and constructed a multi-threat-based provenance security threat model.The threat model clarifies that the security release of the provenance graph should face multiple security threats at the same time,and clearly defines the attacker's reasoning and inference rules.This thread modelprovides a theoretical basis for quantitative evaluation of the security of sanitization views.Secondly,aiming at the unsolved problem of single evaluation index and inaccurate evaluation result for the exiting security evaluation model,we constructed the provenance security evaluation model for the node to quantify the security of the sanitization view under the basic sanitization operation.To construct the model,we first formally defined the security of provenance,and discussed the basic principles of the provenance security evaluation model,and clarified that the evaluation model should be based on different types of security threat models.Then based on the priori subgraph security threat model,a priori subgraph security evaluation model is constructed.According to the reasoning difficulty of sensitive nodes,the model defined two security evaluation indicators: topology similarity and node similarity.Then based on the IPO security threat model,an IPO security evaluation model is constructed.According to the reasoning difficulty of sensitive nodes,the model defines two security evaluation indicators: structural reasoning probability and node inference probability,which laid a foundation for constructing IPO security evaluation model.We finally implemented the provenance security evaluation algorithm.The experimental results showed that the evaluation results of the evaluation algorithm are in line with the subjective experience of the experts and the performance is feasible.However,the model does not address the security assessment of sanitization views under complex sanitization operations.Thirdly,based on the research of provenance security threat model and provenance security evaluation model,we proposed a security evaluation method based on cascade reasoning to solve the security evaluation problem of sanitization view under complex filtering operation.To construct the method,we first proposed a reasoning method of cascaded reasoning based on the reasoning method in the provenance security threat model.The method clarified that the attacker should first infer the sensitive nodes that can be directly inferred according to the inference rules,and then infer other sensitive nodes according to the inferred sensitive nodes.Then based on the reasoning method and the provenance security evaluation model,we formed a security assessment method based on cascading reasoning.The method formalized the provenancesecurity evaluation function to quantify the security of the sanitization view under complex filtering operations.We Finally designed the security evaluation algorithm based on the security evaluation method.The experimental results show that the evaluation results are in line with the subjective experience of experts. |
PDF Full Text Request