CN107733895B - Quantitative evaluation method for cloud computing platform security - Google Patents


Info

Publication number: CN107733895B
Authority: CN (China)
Prior art keywords: security, cloud, safety, platform, quantitative evaluation
Legal status: Active
Application number: CN201710980250.XA
Other languages: Chinese (zh)
Other versions: CN107733895A
Inventors: 孙傲冰, 季统凯, 劳作媚
Current assignee: G Cloud Technology Co Ltd
Original assignee: G Cloud Technology Co Ltd

Events:
Application filed by G Cloud Technology Co Ltd
Priority to CN201710980250.XA
Priority to PCT/CN2017/109496 (WO2019075795A1)
Publication of CN107733895A
Application granted
Publication of CN107733895B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention relates to the technical field of cloud computing security, in particular to a quantitative evaluation method for cloud computing platform security. In the method, a cloud computing platform security quantitative evaluation unit obtains relevant information about a cloud platform and performs a quantitative evaluation on it. The evaluation unit comprises a security scanning engine and a security quantitative evaluation model; the model defines the set of security items to be checked and the quantitative evaluation method for a computing security set, a storage security set, a network security set, an operation and maintenance security set and an application security set. After acquiring the relevant information through the interface, the security scanning engine scans each of the user's sets, checks the different security check items corresponding to the resources serially or in parallel, gives a specific score to each check item of each resource according to the running state of the resource, and summarizes the scores to form a quantitative evaluation result for the overall security of the cloud platform. The invention solves the problem of quantitative security evaluation of a cloud computing platform.

Description

Quantitative evaluation method for cloud computing platform security
Technical Field
The invention relates to the technical field of cloud computing security, in particular to a quantitative evaluation method for cloud computing platform security.
Background
Cloud computing platforms have been adopted by many IT companies and government departments as a new mode of providing computing, storage and network capability. At present many government departments and companies have established their own public or private cloud platforms, and existing non-cloud applications are gradually being migrated to them, so the scale of cloud platforms is growing rapidly.
The wide application of cloud computing technology also expands the information security problem from a single system or a single physical machine to the whole cloud platform. Trojans and viruses targeting cloud platforms such as OPENSTACK and VCLOUD have appeared; by penetrating certain computing, storage or network resources on the cloud they obtain control over the whole cloud platform, so that the resources of the entire platform are hijacked.
Therefore, the security of the cloud platform needs to be considered as a whole: possible vulnerability items in computing, storage, network, operation and maintenance and so on must be scanned uniformly and one by one, and possible security threats evaluated objectively. A cloud user can access only part of the cloud platform's resources, and a unified model and mechanism for quantifying the security condition of the accessible resources and giving the user an intuitive picture of it are lacking.
Disclosure of Invention
The invention aims to provide a quantitative evaluation method for cloud computing platform security, which defines the set of security items to be checked and a quantitative evaluation strategy from the aspects of computing security, storage security, network security, operation and maintenance security, application security and the like. The resource set of the cloud resource view corresponding to a user is checked against the security item set to form the user's cloud security view; the cloud security views are then summarized, and a quantitative evaluation of the cloud platform resources corresponding to the user is formed according to a preset strategy.
The technical scheme for solving the above technical problem is as follows:
a cloud computing platform security quantitative evaluation unit acquires relevant information about the cloud platform and performs a quantitative evaluation on it;
the cloud computing platform security quantitative evaluation unit specifically comprises a security scanning engine and a security quantitative evaluation model;
the security quantitative evaluation model defines the set of security items to be checked and the quantitative evaluation method for a computing security set, a storage security set, a network security set, an operation and maintenance security set and an application security set;
after acquiring the relevant information through the interface, the security scanning engine scans the user's computing security set, storage security set, network security set, operation and maintenance security set and application security set, checks the different security check items Pij of the corresponding resources serially or in parallel, gives a specific score to each check item of each resource according to the running state of the resource, and summarizes the scores to form a quantitative evaluation result for the overall security of the cloud platform.
The cloud computing platform security quantitative evaluation unit further comprises a security repair engine; when the user chooses to repair a security vulnerability, the repair engine is called to find, according to the evaluation result, the repair method Oij corresponding to the problematic security item Pij and to guide the user in repairing the platform's security vulnerability;
each repair method Oij corresponds to a method for repairing a security vulnerability, such as downloading a patch or changing a configuration;
the security repair engine can repair the vulnerability automatically or guide the user, through interface interaction, to change the configuration of the cloud platform;
after the repair is completed, the evaluation results of each security check item of the platform can be recounted to obtain a new security quantitative evaluation result.
The computing security set comprises server system security, virtual machine system security, container system security and auxiliary expansion device security;
the storage security set comprises physical machine storage security, virtual machine storage security and network shared storage security;
the network security set comprises the network configuration, network behavior logs and network device system information of the whole cloud platform;
the operation and maintenance security set mainly comprises check items on management plan formulation, personnel authority allocation and execution achievement rate;
the application security set mainly comprises access control, system log and behavior audit information of the application.
The security scanning engine first checks the security of the file system of each storage device by calling the related plug-ins, to ensure the security of the storage system; it then scans each system file, checking file signatures against the virus and Trojan signature libraries, to ensure the security of each file;
the security scanning engine checks the network configuration of the whole cloud platform item by item to determine whether the network configuration is secure, and then checks the system and configuration information of each device to determine whether the device is secure; it also checks the port-opening behavior, traffic usage and so on of each device to ensure the security of the devices;
the security scanning engine checks how the operation and maintenance system of the whole cloud platform has been established and is being executed, by calling the operation and maintenance management module of the cloud operating system/cloud management platform or querying a third-party operation and maintenance system, and checks the operation and maintenance system against frameworks such as ITIL and ITSS;
the security scanning engine acquires information by calling the monitoring management module of the cloud operating system/cloud management platform 02 or the API (application programming interface) of a third-party application, and checks the security and potential security threats of a given application.
The cloud computing platform security quantitative evaluation unit comprises a model establishing module and a model maintaining module;
the cloud computing platform security evaluation model is established through the model establishing module and maintained through the model maintaining module;
the model is established by the platform software provider or a security assurance provider; specifically, the set of security evaluation elements is P = {P1, P2, P3, P4, …, PN}; each set Pi corresponds to a direction or field of the cloud platform that needs security evaluation, namely the computing security set, storage security set, network security set, operation and maintenance security set and application security set respectively;
each Pi in P corresponds to different operable security check items Pij, such as a list of vulnerabilities of the server operating system, the virtual machine operating system, the container and the like, and all the security check items form the set Pi = {Pi1, Pi2, Pi3, …, Pij, …, PiM};
each check item Pij is assigned a triple [Sij, Lij, Oij] according to whether the platform has the vulnerability and the danger level of the vulnerability, where Sij is the highest (fully secure) score, Lij is the vulnerability level, and Oij is a link pointing to the method for repairing or improving the security vulnerability; Lij can be divided into several levels, and in the simple case two levels suffice, namely 1 for a general issue and 0 for a severe one;
each Pi corresponds to a score Si, and the sum of all the Si is the maximum value MAX:
[equation shown as image BDA0001439257290000041 in the original]
Si is generally a fixed value, i.e. a value preset for computing security, storage security, network security, operation and maintenance security and application security; the Sij of each check item is then assigned according to the weight and number of check items;
Si can also be assigned dynamically, according to the number of check items contained in the system or the number of core security check items, as the system requires.
The cloud computing platform security quantitative evaluation unit defines the set of cloud resources that a cloud user can access under the platform's authorization as:
UP = {UP1, UP2, UP3, UP4, …, UPN};
UPi corresponds to Pi, and Pi defines the security check items to be performed on UPi;
the resources of each user are displayed as a resource view, which is a subset of the cloud platform's global resource view; the view of the administrator with the highest authority is the global resource view;
according to the resource view of the cloud platform that the user can access and the cloud computing platform security quantitative evaluation unit, the scanning engine checks the different security check items Pij of the corresponding resources serially or in parallel and gives a specific score USij to each check item of each resource according to the running state of the resource; USi is the score of a security evaluation element:
[equation shown as image BDA0001439257290000051 in the original]
Corresponding to the resource view that the user can access, a cloud security view for the user can be formed, containing the security information of all resources the user can access; the global cloud security view is the security view of the cloud visible to the administrator and contains the detailed scores of every resource of the cloud platform. Based on the user's security view, the evaluation results of the security check items of each security evaluation element are summarized to obtain an overall quantitative score for the cloud security visible to the user. The summarizing mode can be an averaging mode, i.e. similar resources are averaged and the results are weighted and summed; a "one-vote veto" mode can also be used in combination, i.e. if a high-level vulnerability with Lij = 0 occurs in any Pi, the whole USi is 0:
[equation shown as image BDA0001439257290000052 in the original]
where T is the overall security evaluation score of the cloud platform resources that the user can access.
The cloud computing platform security quantitative evaluation unit is inserted as an independent plug-in or module into the cloud operating system, cloud management platform or third-party software, and acquires the related information from them.
The cloud computing platform security quantitative evaluation unit comprises an evaluation visualization module, which displays the details and summary results of the security quantitative evaluation, including the distribution and description of security vulnerabilities, in graphical form.
In the invention, the whole cloud computing platform is considered and possible vulnerability items in computing, storage, network, operation and maintenance and so on are scanned uniformly and one by one; the resource set of the cloud resource view corresponding to a user is checked against the security item set to form the user's cloud security view; the cloud security views are summarized and a quantitative evaluation of the cloud platform resources corresponding to the user is formed according to a preset strategy, giving the user an intuitive picture.
Drawings
The invention is further described below with reference to the accompanying drawings:
FIG. 1 is a relationship diagram between the cloud computing platform security quantitative evaluation unit and the cloud operating system/cloud management platform according to the present invention;
FIG. 2 is a block diagram of a security quantitative evaluation unit of the cloud computing platform according to the present invention;
FIG. 3 is a system diagram of the cloud computing platform security quantitative evaluation of the present invention;
FIG. 4 is a cloud computing platform user resource view of the present invention;
FIG. 5 is a cloud platform user security view of the present invention.
Detailed Description
1. Cloud computing platform security quantitative evaluation unit and its structure
The cloud computing platform security quantitative evaluation unit 01 is the executor of the security quantitative evaluation method. As shown in FIG. 1, it may be inserted as an independent plug-in or module into a cloud operating system or cloud management platform 02, such as OPENSTACK, CLOUDSTACK or an enterprise's own cloud operating system product, and obtains cloud platform related information by calling its open API; it may also access the API of third-party software 03, such as extended operation and maintenance software, to obtain related information, in order to perform security quantitative evaluation and vulnerability repair on the cloud operating system or cloud management platform. The cloud computing platform security quantitative evaluation unit 01 supports different types of cloud operating system or cloud management platform products to ensure compatibility and openness.
As shown in FIG. 2, the cloud computing platform security quantitative evaluation unit 01 specifically includes an evaluation visualization display module 001, a security scanning engine 002, a security repair engine 003, a security quantitative evaluation model 004, a model building module 005 and a model maintenance module 006.
2. Security quantitative evaluation model and its composition
As shown in FIG. 3, the security quantitative evaluation model 004 defines the set of security items to be checked and the quantitative evaluation method for the computing security set 101, storage security set 102, network security set 103, operation and maintenance security set 104, application security set 105 and the like.
The computing security set 101 includes server system security, virtual machine system security, container system security, auxiliary expansion device security and the like. The security scanning engine 002 interacts with each system by calling the client, service, plug-in or API of the server system, virtual machine system or container system to start a built-in security scanning program, and obtains related information about the system, such as memory, the boot area, cached security information and isolation information; the auxiliary expansion devices include related devices attached via USB, PCI-E or network expansion, such as dongles, watchdogs and expansion disks.
The storage security set 102 includes physical machine storage security, virtual machine storage security, network shared storage security and the like; the security scanning engine first checks the security of the file system of each storage device by calling the related plug-ins, to ensure the security of the storage system, and then scans each system file, checking file signatures against the virus and Trojan signature libraries, to ensure the security of each file.
The network security set 103 includes the network configuration, network behavior logs, network device system information and the like of the whole cloud platform; the security scanning engine 002 first checks the network configuration of the whole cloud platform item by item to determine whether the network configuration is secure, then checks the system and configuration information of each device to determine whether the device is secure; the security scanning engine 002 also checks the port-opening behavior, traffic usage and so on of each device to ensure its security.
The operation and maintenance security set 104 mainly includes check items such as management planning, personnel authority allocation and execution achievement rate. The security scanning engine 002 checks how the operation and maintenance system of the whole cloud platform has been established and is being executed, by calling the operation and maintenance management module of the cloud operating system/cloud management platform 02 or querying a third-party operation and maintenance system, and checks it against frameworks such as ITIL and ITSS.
The application security set 105 mainly includes information such as access control, system logs and behavior audit of the application. The security scanning engine 002 obtains information by calling the monitoring management module of the cloud operating system/cloud management platform 02 or the API of a third-party application, and checks the security and potential security threats of a given application.
3. Security quantitative evaluation flow and algorithm description
In practical application, each of the computing security set 101, storage security set 102, network security set 103, operation and maintenance security set 104 and application security set 105 is scanned by the security scanning engine 002, and the items are summarized according to a predefined evaluation policy to form a quantitative evaluation result for the overall security of the cloud platform. The result is, for example, a score from 0 to MAX, where MAX may be 10 or 100, so that the user gains a quantitative and intuitive understanding of the platform's security and is guided to repair the cloud platform's security vulnerabilities in good time.
(1) Establishment and maintenance of the security evaluation model
1) The security evaluation model is established by the platform software provider or a security assurance provider, and is specifically a set of security evaluation elements P = {P1, P2, P3, P4, …, PN}. Each set Pi corresponds to a direction or field of the cloud platform requiring security evaluation, such as the computing security set 101, storage security set 102, network security set 103, operation and maintenance security set 104, application security set 105 and the like.
2) For each Pi in P there are different operable security check items Pij, such as a list of vulnerabilities of a server operating system, a virtual machine operating system, a container and so on, and all the security check items form the set Pi = {Pi1, Pi2, Pi3, …, Pij, …, PiM}.
3) Each check item Pij is assigned a triple [Sij, Lij, Oij] according to the specific security condition of the platform, such as whether the vulnerability exists and its danger level, where Sij is the highest (fully secure) score, Lij is the vulnerability level, and Oij is a link pointing to the method for repairing or improving the security vulnerability. Lij can be divided into several levels; in the simple case two levels suffice, namely 1 for a general issue and 0 for a severe one.
4) Each Pi corresponds to a score Si, and the sum of all Si is MAX (e.g. 100 or another maximum score):
[equation shown as image BDA0001439257290000091 in the original]
Si is a fixed value, i.e. a value preset for the directions of computing security, storage security, network security and so on. The Sij of each check item is then assigned according to the weight and number of check items.
Si can also be assigned dynamically, according to the number of check items contained in the system or the number of core security check items, as the system requires.
(2) Application of the security evaluation model
1) The set of cloud resources accessible by a cloud user under the platform's authorization is defined as
UP = {UP1, UP2, UP3, UP4, …, UPN}.
UPi is in one-to-one correspondence with Pi, and Pi defines the security check items to be performed on UPi.
As shown in FIG. 4, the resource view of each user is a subset of the cloud platform global resource view 3001, and the view of the administrator with the highest authority is the global resource view.
2) According to the resource view of the cloud platform that the user can access and the security evaluation model of the cloud computing platform, the cloud platform security scanning engine 002 checks the different security check items Pij of the corresponding resources serially or in parallel, and gives a specific score USij to each check item of each resource according to the running state of the resource:
[equation shown as image BDA0001439257290000092 in the original]
3) As shown in FIG. 5, corresponding to the resource view that the user can access, a cloud security view for the user may be formed, which includes the security information of all resources the user can access. The global cloud security view 4001 is the security view of the cloud visible to the administrator and contains the detailed scores of every resource of the cloud platform.
4) Based on the user's security view, summarizing the evaluation results of the security check items of each security evaluation element gives an overall quantitative score for the cloud security visible to the user. The summarizing mode can be an averaging mode, i.e. similar resources are averaged and the results are weighted and summed; a "one-vote veto" mode may also be used in combination, i.e. if a high-level vulnerability with Lij = 0 occurs in any Pi, the whole USi is 0:
[equation shown as image BDA0001439257290000101 in the original]
where T is the overall security evaluation result for the cloud platform resources that the user can access.
5) The evaluation visualization module 001 displays the details and summary results of the security quantitative evaluation in graphical form, including the distribution and description of security vulnerabilities.
(3) Repair of security vulnerabilities
When the user chooses to repair security vulnerabilities, the repair engine 003 calls the repair method Oij corresponding to each security item Pij for which a vulnerability was detected, so that the vulnerabilities are repaired one by one and the security of the cloud computing platform is reinforced.
1) The cloud platform administrator or cloud user obtains the quantitative evaluation result T for the resources they can manage, and invokes the repair engine 003 to find, according to the evaluation result, the Oij corresponding to the problematic security item Pij, so as to guide the user in repairing the platform's security vulnerability.
2) Each Oij corresponds to a method for repairing a security vulnerability, such as downloading a patch or changing a configuration; the repair engine 003 can repair the vulnerability automatically or guide the user, through interface interaction, to change the configuration of the cloud platform.
3) After the repair engine 003 finishes the repair, the evaluation results of the platform's security check items are recounted to obtain a new security quantitative evaluation result.
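The scoring flow of (2) and the repair flow of (3) above, as an added worked example in Python that is not the patent's or G Cloud's code: the two-level Lij, the averaging-then-weighted-sum mode, the one-vote veto and the re-scoring after repair follow the text, while the set names, Si weights, check items, resources and every function and class name (CheckItem, build_model, set_score, total_score, remediation_plan, apply_fix) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration of the patent's scoring model; every name, weight, check
# item and resource below is a constructed assumption, not the patent's data.
MAX = 100.0  # the S_i of all security evaluation elements P_i sum to MAX
S_I: Dict[str, float] = {"compute": 30.0, "storage": 20.0, "network": 20.0,
                         "ops": 15.0, "application": 15.0}  # S_i per P_i

@dataclass
class CheckItem:
    """Check item P_ij: its triple [S_ij, L_ij, O_ij] plus the scan result for
    each resource in the user's view that the item applies to."""
    name: str
    s_max: float              # S_ij: score when the item is fully secure
    level: int                # L_ij: 1 = general issue, 0 = severe (veto)
    fix: str                  # O_ij: pointer to the repair/improvement method
    results: Dict[str, bool]  # resource id -> passed the check?

Model = Dict[str, List[CheckItem]]  # P_i name -> its check items P_ij

def build_model() -> Model:
    """Constructed tenant view (two VMs, a host, two volumes, a security group,
    one application); a fresh copy is returned on every call."""
    return {
        "compute": [
            CheckItem("os_patch_level", 15.0, 1, "apply OS patches",
                      {"vm-1": True, "vm-2": False}),
            CheckItem("hypervisor_cve", 15.0, 0, "patch hypervisor", {"host-1": True}),
        ],
        "storage": [
            CheckItem("fs_integrity", 10.0, 1, "repair file system", {"vol-1": True}),
            CheckItem("malware_signature", 10.0, 0, "quarantine and rescan",
                      {"vol-1": True, "vol-2": True}),
        ],
        "network": [
            CheckItem("open_ports", 10.0, 1, "close unused ports",
                      {"vm-1": True, "vm-2": False}),
            CheckItem("sg_rules", 10.0, 0, "restrict 0.0.0.0/0 ingress", {"sg-1": False}),
        ],
        "ops": [
            CheckItem("privilege_assignment", 15.0, 1, "review role bindings",
                      {"tenant": True}),
        ],
        "application": [
            CheckItem("access_control", 8.0, 1, "enable authentication", {"app-1": True}),
            CheckItem("audit_log", 7.0, 1, "enable behavior audit log", {"app-1": False}),
        ],
    }

def validate_model(model: Model) -> None:
    """Model-maintenance check: sum(S_i) == MAX and each set's S_ij sum to S_i."""
    if abs(sum(S_I.values()) - MAX) > 1e-9:
        raise ValueError("sum of S_i is not MAX")
    for name, items in model.items():
        if abs(sum(it.s_max for it in items) - S_I[name]) > 1e-9:
            raise ValueError(f"S_ij of {name} do not sum to S_i")

def item_score(item: CheckItem) -> float:
    """US_ij in averaging mode: S_ij scaled by the share of similar resources
    that pass. No resource in the view counts as fully secure (assumption)."""
    if not item.results:
        return item.s_max
    return item.s_max * sum(item.results.values()) / len(item.results)

def set_score(items: List[CheckItem], veto: bool = True) -> float:
    """US_i: weighted sum of item scores; with the one-vote veto, a failing
    resource on any severe (L_ij == 0) item zeroes the whole element."""
    if veto and any(it.level == 0 and not all(it.results.values()) for it in items):
        return 0.0
    return sum(item_score(it) for it in items)

def total_score(model: Model, veto: bool = True) -> float:
    """T: overall score of the resources visible to the user, in [0, MAX]."""
    validate_model(model)
    return sum(set_score(items, veto) for items in model.values())

def remediation_plan(model: Model) -> List[Tuple[int, str, str, str, str]]:
    """(L_ij, P_i, P_ij, resource, O_ij) for every failed check, severe first."""
    return sorted((it.level, name, it.name, res, it.fix)
                  for name, items in model.items()
                  for it in items for res, ok in it.results.items() if not ok)

def apply_fix(model: Model, set_name: str, item_name: str) -> float:
    """Mark one check item as repaired on all its resources and re-score (T)."""
    for it in model[set_name]:
        if it.name == item_name:
            it.results = {res: True for res in it.results}
    return total_score(model)

if __name__ == "__main__":
    m = build_model()
    print("T with veto   :", total_score(m))              # 65.5
    print("T without veto:", total_score(m, veto=False))  # 70.5
    print("repairs (O_ij):", remediation_plan(m))
    print("T after sg_rules fix:", apply_fix(m, "network", "sg_rules"))  # 80.5
```

The veto is visible in the network element: one failing severe item (sg_rules) drops USi from 5.0 to 0, and T from 70.5 to 65.5, until that item is repaired.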

Claims (8)

1. A quantitative evaluation method for cloud computing platform security, characterized by comprising the following steps: a cloud computing platform security quantitative evaluation unit acquires relevant information about the cloud platform and performs a quantitative evaluation on it;
the cloud computing platform security quantitative evaluation unit specifically comprises a security scanning engine and a security quantitative evaluation model;
the security quantitative evaluation model defines the set of security items to be checked and the quantitative evaluation method for a computing security set, a storage security set, a network security set, an operation and maintenance security set and an application security set;
after acquiring the interface-related information, the security scanning engine scans the user's computing security set, storage security set, network security set, operation and maintenance security set and application security set, checks the different security check items Pij of the corresponding resources serially or in parallel, gives a specific score to each check item of each resource according to the running state of the resource, and summarizes the scores to form a quantitative evaluation result for the overall security of the cloud platform;
the cloud computing platform security quantitative evaluation unit comprises a security repair engine, and when the user chooses to repair a security vulnerability, the repair engine is called to find, according to the evaluation result, the repair method Oij corresponding to the problematic security item Pij and to guide the user in repairing the platform's security vulnerability;
each repair method Oij corresponds to a method for repairing a security vulnerability, including downloading a patch and changing a configuration;
the security repair engine can repair the vulnerability automatically or guide the user, through interface interaction, to change the configuration of the cloud platform;
after the repair is completed, the evaluation results of each security check item of the platform can be recounted to obtain a new security quantitative evaluation result.
2. The method of claim 1, wherein:
the computing security set comprises server system security, virtual machine system security, container system security and auxiliary expansion device security;
the storage security set comprises physical machine storage security, virtual machine storage security and network shared storage security;
the network security set comprises the network configuration, network behavior logs and network device system information of the whole cloud platform;
the operation and maintenance security set mainly comprises check items on management plan formulation, personnel authority allocation and execution achievement rate;
the application security set mainly comprises access control, system log and behavior audit information of the application.
3. The method of claim 1, wherein:
the security scanning engine first checks the security of the file system of each storage device by calling the related plug-ins, to ensure the security of the storage system; it then scans each system file, checking file signatures against the virus and Trojan signature libraries, to ensure the security of each file;
the security scanning engine checks the network configuration of the whole cloud platform item by item to determine whether the network configuration is secure, and then checks the system and configuration information of each device to determine whether the device is secure; it also checks the port-opening behavior, traffic usage and so on of each device to ensure the security of the devices;
the security scanning engine checks how the operation and maintenance system of the whole cloud platform has been established and is being executed, by calling the operation and maintenance management module of the cloud operating system/cloud management platform or querying a third-party operation and maintenance system, and checks the operation and maintenance system against frameworks such as ITIL and ITSS;
the security scanning engine acquires information by calling the monitoring management module of the cloud operating system/cloud management platform or the API (application programming interface) of a third-party application, and checks the security and potential security threats of a given application.
4. The method of claim 2, wherein:
the security scanning engine first checks the security of the file system of each storage device by calling the related plug-ins, to ensure the security of the storage system; it then scans each system file, checking file signatures against the virus and Trojan signature libraries, to ensure the security of each file;
the security scanning engine checks the network configuration of the whole cloud platform item by item to determine whether the network configuration is secure, and then checks the system and configuration information of each device to determine whether the device is secure; it also checks the port-opening behavior, traffic usage and so on of each device to ensure the security of the devices;
the security scanning engine checks how the operation and maintenance system of the whole cloud platform has been established and is being executed, by calling the operation and maintenance management module of the cloud operating system/cloud management platform or querying a third-party operation and maintenance system, and checks the operation and maintenance system against frameworks such as ITIL and ITSS;
the security scanning engine acquires information by calling the monitoring management module of the cloud operating system/cloud management platform or the API (application programming interface) of a third-party application, and checks the security and potential security threats of a given application.
5. The method according to any one of claims 1 to 4, characterized in that: the cloud computing platform security quantitative evaluation unit comprises a model establishing module and a model maintaining module;
the cloud computing platform security evaluation model is established through the model establishing module and maintained through the model maintaining module;
the model is established by the platform software provider or a security assurance provider; specifically, the set of security evaluation elements is P = {P1, P2, P3, P4, ..., PN}; each element Pi corresponds to one direction or field of the cloud platform that requires security evaluation, namely the computing security set, the storage security set, the network security set, the operation and maintenance security set and the application security set respectively;
each Pi in the set P corresponds to a number of different operable security check items Pij, including lists of vulnerabilities of the server operating system, the virtual machine operating system, the container and the like, and all the security check items of Pi form the set Pi = {Pi1, Pi2, Pi3, ..., Pij};
each check item Pij is assigned a triple [Sij, Lij, Oij] according to whether the platform has the vulnerability and the danger level of the vulnerability, wherein Sij is the highest (full) security score, Lij is the vulnerability level, and Oij is a link pointing to a method for repairing or mitigating the security vulnerability; Lij can be divided into several grades; in the simple case two grades suffice, namely 1 for a general vulnerability and 0 for a severe one;
each Pi corresponds to a score Si, and the sum of all the Si is the maximum value MAX;
Figure FDA0002554467250000041
Si is generally a fixed value, namely a preset value for each of computing security, storage security, network security, operation and maintenance security and application security; the Sij of each check item is then assigned according to the weight and the number of the check items; Si can also be assigned dynamically according to the number of check items contained in the system.
6. The method of claim 5, wherein: the cloud computing platform security quantitative evaluation unit defines a cloud resource set which can be accessed by a cloud user according to platform authorization as follows:
UP={UP1,UP2,UP3,UP4,…,UPN};
each UPi corresponds to a Pi, and Pi defines the security check items to be carried out on UPi;
the resources of each user are displayed using a resource view, which is a subset of the cloud platform's global resource view; the view of the administrator with the highest authority is the global resource view;
the scanning engine checks, serially or in parallel, the different security check items Pij of the corresponding resources according to the resource view of the cloud platform accessible to the user and the cloud computing platform security quantitative evaluation unit, and gives a specific score USij to each check item of each resource according to the running state of the resource; the score of a security evaluation element is USi;
Figure FDA0002554467250000042
corresponding to the resource view accessible to the user, a cloud security view for that user can be formed, containing the security information of all resources the user can access; the global cloud security view is the security view of the cloud visible to the administrator, containing the detailed scoring of every resource of the cloud platform; based on the user's security view, the evaluation results of the security check items of each security evaluation element are summarized to obtain the overall quantitative score of the cloud security visible to the user; the summarization can use an averaging mode, in which similar resources are averaged and then weighted and summed, or a 'one-vote veto' mode, in which a severe vulnerability within any Pi, i.e. an item with Lij = 0, sets the whole USi to 0;
Figure FDA0002554467250000051
and T is the overall security evaluation score of the cloud platform resources which can be accessed by the user.
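As an added worked example of the scoring model in claims 5 and 6 (not code from the patent or its assignee), the following Python implements the triples [Sij, Lij, Oij], the derivation of Sij from a fixed Si, the per-resource scores USij, the averaging and 'one-vote veto' summarization modes for USi, and the overall score T against MAX for one user's resource view UP. The element names, weights, check predicates, fix links and the known-bad hash set are constructed assumptions standing in for the plug-in checks of claims 3 and 4; the sample resource view is likewise constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Lij in the two-level case of claim 5: 0 = severe vulnerability, 1 = general one
SEVERE, GENERAL = 0, 1


@dataclass(frozen=True)
class CheckItem:
    """One operable check item Pij with its triple [Sij, Lij, Oij].
    Sij is derived from the element's Si (see Element.sij); `passes` is a
    hypothetical predicate over a resource's observed state (stands in for a plug-in)."""
    name: str
    weight: float
    level: int
    fix_link: str
    passes: Callable[[dict], bool]


@dataclass(frozen=True)
class Element:
    """One security evaluation element Pi with its fixed score Si."""
    name: str
    si: float
    items: Tuple[CheckItem, ...]

    def sij(self, item: CheckItem) -> float:
        """Sij: Si shared among the element's items in proportion to their weights."""
        return self.si * item.weight / sum(i.weight for i in self.items)


def score_resource(element: Element, resource: dict) -> Dict[str, float]:
    """USij for one resource: the full Sij when the check passes, otherwise 0."""
    return {i.name: (element.sij(i) if i.passes(resource) else 0.0) for i in element.items}


def score_element(element: Element, resources: List[dict], mode: str = "average") -> float:
    """USi for the user's resources of this element.
    average: USij is averaged over similar resources and the items are summed.
    veto ('one-vote'): any failed item with Lij == 0 forces USi to 0."""
    if not resources:                       # user owns nothing in this field
        return 0.0
    if mode == "veto" and any(
        i.level == SEVERE and not i.passes(r) for i in element.items for r in resources
    ):
        return 0.0
    per_resource = [score_resource(element, r) for r in resources]
    return sum(
        sum(s[i.name] for s in per_resource) / len(per_resource) for i in element.items
    )


def evaluate(model: List[Element], user_view: Dict[str, List[dict]], mode: str = "average"):
    """Return (T, MAX, {Pi: USi}) for the resource view UP visible to one user."""
    max_score = sum(e.si for e in model)
    usi = {e.name: score_element(e, user_view.get(e.name, []), mode) for e in model}
    return sum(usi.values()), max_score, usi


def failed_checks(model: List[Element], user_view: Dict[str, List[dict]]):
    """Rows for the user's security view: element, failed item, resource index, Lij, Oij."""
    rows = []
    for e in model:
        for idx, r in enumerate(user_view.get(e.name, [])):
            for i in e.items:
                if not i.passes(r):
                    rows.append((e.name, i.name, idx, i.level, i.fix_link))
    return rows


# Constructed stand-in for the feature codes of the virus/Trojan library
KNOWN_BAD_HASHES = {"deadbeef"}

# Constructed two-element model; Si values are preset per field as in claim 5
MODEL = [
    Element("network", 40.0, (
        CheckItem("no_plaintext_mgmt_port", 3.0, SEVERE, "https://fix.example/telnet",
                  lambda r: 23 not in r["open_ports"]),
        CheckItem("ntp_configured", 1.0, GENERAL, "https://fix.example/ntp",
                  lambda r: r["ntp"]),
    )),
    Element("storage", 60.0, (
        CheckItem("no_known_malware_files", 2.0, SEVERE, "https://fix.example/malware",
                  lambda r: not (set(r["file_hashes"]) & KNOWN_BAD_HASHES)),
        CheckItem("no_world_writable_files", 1.0, GENERAL, "https://fix.example/perms",
                  lambda r: r["world_writable"] == 0),
    )),
]

# Constructed resource view UP for one user: two network devices, two storage volumes
UP = {
    "network": [{"open_ports": [22, 443], "ntp": True},
                {"open_ports": [22, 23], "ntp": False}],
    "storage": [{"file_hashes": ["a1", "b2"], "world_writable": 0},
                {"file_hashes": ["c3"], "world_writable": 4}],
}

if __name__ == "__main__":
    for mode in ("average", "veto"):
        t, mx, usi = evaluate(MODEL, UP, mode)
        print(f"{mode}: T={t:.1f} of MAX={mx:.0f}, USi={usi}")
    for row in failed_checks(MODEL, UP):
        print("failed:", row)
```

With the constructed view, averaging gives T = 70 of MAX = 100 (network 20, storage 50); the veto mode drops network to 0 because the second device fails a severe item, so T = 50. The failed_checks rows carry the Oij link for each failing resource, which is the detail the visualization module of claim 8 would display.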
7. The method of claim 6, wherein: the cloud computing platform security quantitative evaluation unit is inserted, as an independent plug-in or module, into the cloud operating system, the cloud management platform or third-party software, and acquires the relevant information from them.
8. The method of claim 7, wherein: the cloud computing platform security quantitative evaluation unit comprises an evaluation visualization module, and details and summary results of security quantitative evaluation, including distribution and description of security vulnerabilities, are displayed in a graphical mode.
CN201710980250.XA 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security Active CN107733895B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710980250.XA CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security
PCT/CN2017/109496 WO2019075795A1 (en) 2017-10-19 2017-11-06 Method for evaluating security of cloud computing platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710980250.XA CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security

Publications (2)

Publication Number Publication Date
CN107733895A CN107733895A (en) 2018-02-23
CN107733895B true CN107733895B (en) 2020-09-29

Family

ID=61212195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710980250.XA Active CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security

Country Status (2)

Country Link
CN (1) CN107733895B (en)
WO (1) WO2019075795A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109743203B (en) * 2018-12-28 2022-02-01 西安电子科技大学 Distributed service security combination system and method based on quantitative information flow
CN111404743A (en) * 2020-03-13 2020-07-10 黄东 General evaluation system for cloud resource service capability
CN111885191B (en) * 2020-07-30 2021-08-17 西安电子科技大学 Computer network communication system
CN112199127A (en) * 2020-10-10 2021-01-08 Oppo(重庆)智能科技有限公司 Image data processing method and device, mobile terminal and storage medium
CN114157572A (en) * 2021-11-29 2022-03-08 中国光大银行股份有限公司 Security configuration checking system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103379112A (en) * 2012-04-30 2013-10-30 刘宝旭 Cloud computing environment safety quantitative evaluating system
CN104883369A (en) * 2015-05-29 2015-09-02 天津大学 Cloud configuration safety assessment method
CN105487936A (en) * 2015-11-30 2016-04-13 中国航天科工集团第二研究院七〇六所 Information system security evaluation method for classified protection under cloud environment
CN106131004A (en) * 2016-07-04 2016-11-16 福州大学 A kind of method for the assessment of cloud computing security intensity

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015103212A (en) * 2013-11-28 2015-06-04 株式会社日立製作所 Security evaluation system and security evaluation method
KR101591910B1 (en) * 2014-02-24 2016-02-18 경희대학교 산학협력단 Apparatus and method for evaluating security risks in cloud computing and method of recommendation about cloud service provider using result of evaluation of security risks
US9319384B2 (en) * 2014-04-30 2016-04-19 Fortinet, Inc. Filtering hidden data embedded in media files
CN104735063B (en) * 2015-03-11 2018-01-02 广东电子工业研究院有限公司 A kind of safe evaluating method for cloud infrastructure
US9762616B2 (en) * 2015-08-08 2017-09-12 International Business Machines Corporation Application-based security rights in cloud environments
CN106713267A (en) * 2016-11-16 2017-05-24 湖南优图信息技术有限公司 Network security assessment method and system
CN106487810B (en) * 2016-11-25 2019-10-18 中国科学院信息工程研究所 A kind of cloud platform security postures cognitive method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《云计算平台安全评估指标模型研究》;黄肖滢;《中国优秀硕士学位论文全文数据库信息科技辑》;20170512;第48页10-15行、第56页16-20行、第58页8-15行,图5-10,表5.7-5.23、5.25 *

Also Published As

Publication number Publication date
WO2019075795A1 (en) 2019-04-25
CN107733895A (en) 2018-02-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 523808 19th floor, Cloud Computing Center, Chinese Academy of Sciences, No.1 Kehui Road, Songshanhu high tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: G-CLOUD TECHNOLOGY Co.,Ltd.

Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province

Patentee before: G-CLOUD TECHNOLOGY Co.,Ltd.