CN109743203B - Distributed service security combination system and method based on quantitative information flow - Google Patents

Publication number
CN109743203B
Authority
CN
China
Legal status
Active
Application number
CN201811620486.3A
Inventor
习宁
吕静
饶雪
魏大卫
马建峰
卢笛
马鑫迪
李腾
冯鹏斌
沈玉龙
Current Assignee
Xidian University
Original Assignee
Xidian University
Application filed by Xidian University
Priority to CN201811620486.3A
Publication of CN109743203A
Application granted
Publication of CN109743203B

Abstract

The invention discloses a distributed service security combination system and method based on quantitative information flow. Through a distributed quantitative information flow evaluation method, it performs information flow analysis during service combination in a multi-cloud environment and guides the user in selecting a suitable combined service. In qualitative analysis, service combination can fail because the security requirement is too high; with this method, in some scenarios the user can trade service security against usability by lowering the security requirement (the information flow security threshold), which improves the success rate of service combination. The system and method adopt a distributed evaluation framework that suits a distributed network environment in which multiple clouds coexist, and they avoid the large single-point evaluation overhead and unbalanced cloud platform load caused by the centralized architecture of traditional quantitative information flow evaluation.

Description

Distributed service security combination system and method based on quantitative information flow
Technical Field
The invention belongs to the technical field of electronic information, and particularly relates to a distributed service security combination system and method based on quantitative information flow.
Background
In recent years, research on the Internet of Things and cloud computing has deepened, and cloud platforms built on virtualization technology have become one of the more effective and convenient ways of providing IT services. In a multi-domain distributed service cloud, users can access the services provided in a cloud platform anytime and anywhere. Meanwhile, combination and cooperation between different services is a new mode of service provision for the next-generation Internet, as shown in fig. 1. In this mode, the same service may be provided by different providers (location services, for example, include Google Map, Foursquare, Gaode Map (AMap), and Baidu Map), and users can select a suitable service according to their own needs, such as QoS, trustworthiness, and security.
However, the combined mode brings new security threats while greatly enriching the network service types. Due to the multi-domain nature of the service cloud, data located in different clouds may have different security levels. When these services are combined together, data with different security levels will be transmitted between these services, respectively. If these services are composed in an insecure manner, operations in the services may send confidential data to the public channel and cause information leakage.
Access control has been widely used to protect sensitive information of a single service from being released to unauthorized attackers. However, for a composite service, data may be processed by different service components from multiple clouds. The access control mechanism of a certain component cannot detect information leakage caused by the operation of other service components. Therefore, information flow security is one of the main problems faced by service composition in multi-domain distributed service cloud.
Existing information flow analysis methods mainly comprise type systems, program analysis, and model checking; corresponding security rules and verification methods are designed into the combination process to ensure the information flow security of the combined service. However, all of these methods are qualitative: they cannot accurately measure how much information leaks, the security rules they impose to guarantee safe combination are often strict, and in some scenarios services cannot be combined successfully, which reduces the usability of the combined service as a whole. To measure information flow leakage more accurately, and to address the low success rate of service combination caused by imprecise analysis and overly strict security conditions in traditional qualitative information flow analysis, this patent evaluates information flow security quantitatively, ranks the combined services, and provides guidance and recommendations for the user to select suitable services.
In addition, the service cloud is a multi-domain distributed network system, whereas traditional quantitative information flow methods are centralized verification methods aimed at the quantitative evaluation of programs; their verification cost is high and they are difficult to deploy in a distributed network system. This patent designs a distributed quantitative information flow evaluation method for the multi-cloud service combination scenario, realizing cooperative quantitative evaluation among different cloud platforms in a multi-cloud environment.
Disclosure of Invention
The invention aims to overcome the above defects by providing a distributed service security combination system and method based on quantitative information flow, which solves the problems of imprecise qualitative analysis and high verification cost of quantitative analysis for combined service information flow, and provides guidance and recommendations for a user to select a suitable combined service.
In order to achieve the purpose, the distributed service security combination system based on the quantitative information flow comprises a plurality of cloud platforms, wherein the cloud platforms are connected with corresponding cloud security management centers and are used for exchanging data with service terminals and other cloud platforms;
the service terminal is used for describing the combined service according to the user service request, collecting candidate service information in different service clouds according to each service requirement, generating each possible combined service, sending a quantitative information flow evaluation request to each cloud platform for each possible combined service, receiving the quantitative information flow evaluation result of each combined service after evaluation is finished, dividing security levels according to the type of input data in the user service process, calculating the overall leakage amount of each combined service, ranking the combined services, and finally recommending the ranking result to the user;
the cloud platform consists of a service component library and a security assessment agent, the service component library is responsible for managing various software services loaded on the cloud platform, the security assessment agent is responsible for monitoring the quantitative assessment state of the combined service, performing quantitative assessment on information streams of adjacent services, and sending assessment results to the security agent of the cloud where the next service is located to perform next quantitative assessment after assessment is finished;
the cloud security management center is responsible for carrying out quantitative evaluation on information flow in the components and among the components, the quantitative evaluation stage in the components is carried out before software services are loaded into a cloud platform component library, information flow quantification certificates in the components are generated after the evaluation is finished, the quantitative evaluation stage among the components is carried out in the service combination process, the security management center calculates quantitative values among the components according to the input and output dependency relationship of adjacent services, and the calculated values are sent to the security agent after the calculation is finished.
The service terminal comprises a man-machine interaction interface, a combined service description engine and a terminal security agent;
the man-machine interaction interface is responsible for receiving a combined service request sent by a user and is convenient for the user to operate through a graphical interface;
the combination service description engine is responsible for describing the combination service input by the user by adopting BPEL language, and comprises the input and output of the combination service and the description of combination logic;
the terminal security agent is responsible for generating candidate combined services, sending combined service description to the cloud platform security evaluation agent, carrying out normalization processing on evaluation results, sorting the combined services, and finally recommending the sorting results to the user.
An intra-component evaluation engine is arranged in the cloud security management center and used for analyzing component codes and obtaining the dependency relationship between input and output in the components.
A working method of a distributed service security combination system based on quantitative information flow comprises the following steps:
step one, the cloud security management center performs a preliminary analysis of each service program loaded on the cloud platform: an information flow analysis method is used to obtain the dependency relationship between input and output, the information entropy transmission quantity between every output and input in the service program is calculated, and a certificate containing the information entropy transmission quantities is generated;
step two, a user of the service terminal initiates a service combination request and describes the combination sequence; the request is distributed to each cloud platform to collect candidate service components, and a candidate combined service set is generated;
step three, for each candidate combined service in the candidate combined service set, the cloud platform calculates the information entropy transmission quantity according to the information entropy transmission calculation rule, obtains the information entropy transmission quantity between every input and output in the candidate combined service, evaluates it, and finally sends the evaluation result to the service terminal;
step four, the service terminal divides security levels according to the security requirements of the user, counts the transmission quantity between inputs and outputs of different levels in each candidate combined service, and takes that value as the information leakage quantity of the combined service process;
step five, the information leakage quantities between the same input and output in different candidate combined services are normalized, the user assigns weights to the leakage quantities between inputs and outputs of different levels, the total leakage quantity of each candidate combined service is calculated by a linear programming method, and finally the services are ranked by total leakage quantity and the ranking result is returned to the user of the service terminal.
In the first step, the service terminal adopts BPEL language to describe the combination sequence.
In the first step, the specific method for calculating the information entropy transmission quantity between all the outputs and the inputs in the service component is as follows:
firstly, a cloud security evaluation agent sends a source code of a service component to an in-component evaluation engine of a cloud security management center;
secondly, analyzing the component codes by the in-component evaluation engine based on a program dependency graph and a program slicing method to obtain the dependency relationship between input and output in the component;
thirdly, the evaluation engine in the component calculates the information entropy transmission quantity between each pair of input and output according to the dependency relationship;
fourthly, the cloud security management center generates a service component certificate according to the calculation result, and the information entropy transmission quantity within the component is stored in a certificate library in certificate form for quantitative evaluation in the subsequent combination process.
The cooperative work flows of the terminal security agent, the security assessment agent under different cloud environments and the security management center are as follows:
firstly, a terminal security agent constructs each possible combined service, and sends corresponding combined description and evaluation state to a cloud security evaluation agent to which a first service component belongs;
secondly, the service cloud security evaluation agent receives the combined service description and the evaluation state and forwards the combined service description and the evaluation state to the cloud security management center;
thirdly, the cloud security management center acquires the adjacent component certificate from the certificate library according to the combinational logic;
fourthly, calculating information entropy transmission quantity between input and output of adjacent service components by the aid of a quantitative evaluation engine between the cloud security management center components;
fifthly, calculating information entropy transmission quantity between input and output of the combined service by a quantitative evaluation engine among cloud security management center components;
sixthly, the cloud security management center quantitative evaluation engine returns the calculation result to the cloud security evaluation agent, and the cloud security evaluation agent updates the combined service evaluation state;
seventhly, the cloud security evaluation agent judges whether the current service component is the last service component; if so, the evaluation result is returned to the service terminal, and if not, the current evaluation state is sent to the security evaluation agent of the cloud platform to which the next service component belongs for the next evaluation, until the evaluation is finished.
In the fifth step, the specific method for ranking the services according to the total leakage amount is as follows:
firstly, for the candidate combined service set, the service description and evaluation state are sent to the service cloud security agent, and the distributed quantitative evaluation process is started;
secondly, it is judged whether evaluation of the candidate combined service set has begun; if so, the third step is carried out, otherwise the first step is carried out;
thirdly, the terminal security agent receives the quantitative evaluation result of each combined service;
fourthly, after receiving the results, the input and output security levels in the combined service are defined according to the security requirements of the user; the current system supports two security levels, namely a high security level and a low security level;
fifthly, the terminal security agent counts the information entropy transmission quantity from each high-security-level input to each low-security-level output in the combined service, takes that value as the information leakage quantity between the input and the output, and then normalizes the leakage quantities between the same input and output across the different combined services;
sixthly, the terminal security agent defines weights for the leakage quantities between different inputs and outputs according to the security requirements of the user, then calculates the total leakage quantity from all high-security inputs to low-security outputs in each possible combined service by a linear programming method, and finally ranks the services by total leakage quantity;
seventhly, the terminal security agent returns the final ranking result to the user.
Compared with the prior art, the system supports information flow analysis, overcomes the bottleneck problem that the safety is difficult to measure in the service combination process through the visual representation of the information leakage amount, and provides more sufficient basis for a user to select proper combination service; according to the invention, through the security evaluation agent of the cloud platform, the distributed verification state can be mastered in real time, and a foundation is provided for the next step of service component verification.
Furthermore, the service terminal of the invention utilizes the BPEL to describe the functions of the combined service, thereby ensuring the correctness of the combined service flow and the interface description.
Through the distributed quantitative information flow evaluation method, the invention performs information flow analysis during service combination in a multi-cloud environment and guides the user in selecting a suitable combined service. In qualitative analysis, service combination can fail because the security requirement is too high; with this method, in some scenarios the user can trade service security against usability by lowering the security requirement (the information flow security threshold), which improves the success rate of service combination. The system and method adopt a distributed evaluation framework that suits a distributed network environment in which multiple clouds coexist, and they avoid the large single-point evaluation overhead and unbalanced cloud platform load caused by the centralized architecture of traditional quantitative information flow evaluation.
Drawings
FIG. 1 is a block diagram of the system of the present invention;
FIG. 2 is a flow chart of the present invention;
FIG. 3 is a control diagram of the amount of entropy transfer of information within the components of the present invention;
FIG. 4 is a flow chart of entropy transfer evaluation of information within components in the present invention;
FIG. 5 is a control diagram of the amount of information entropy transfer between adjacent components in the present invention;
FIG. 6 is a control diagram of the amount of entropy transfer of information across inter-components (composite services) in the present invention;
FIG. 7 is a flow chart of the inter-component quantitative evaluation process according to the present invention.
Detailed Description
The invention will be further explained with reference to the drawings.
Referring to fig. 1 and 2, a distributed service security combination system based on quantitative information flow includes a plurality of cloud platforms, where the cloud platforms are connected to corresponding cloud security management centers, and the cloud platforms are used to exchange data with service terminals and other cloud platforms;
The service terminal is responsible for receiving user service requests, generating the BPEL description of the combined service, collecting candidate services in the multi-cloud environment, generating the possible combined services, sending a quantitative evaluation request for each combined service, receiving the final evaluation results, analyzing and comparing the evaluation results of the different combined services, and ranking the combined services by security. It mainly comprises a human-computer interaction interface, a combined service description engine, and a terminal security agent. The human-computer interaction interface receives the combined service request sent by the user and makes operation convenient through a graphical interface. The combined service description engine describes the combined service input by the user in BPEL, including the inputs and outputs of the combined service and the combination logic. The terminal security agent module generates the candidate combined services, sends the combined service descriptions to the cloud platform security evaluation agent, normalizes the evaluation results, ranks the combined services, and finally recommends the secure services to the user.
The user makes service requests to the service terminal and receives the final service evaluation result. A service request is submitted for processing through the human-computer interaction interface of the service terminal, and the service terminal returns the recommended service list once evaluation of the possible combined services is complete.
The cloud platform is responsible for managing various software services, and meanwhile, safety quantitative evaluation is carried out on the combined services according to the combined service description of the service terminal, and the cloud platform mainly comprises a service component library and a safety evaluation agent. The service component library is responsible for managing software services loaded on the cloud platform and returning contents such as functions, input, output and input/output dependency relations of the service components according to the security assessment agent request. The safety evaluation agent is responsible for receiving an evaluation request sent by the service terminal/cloud platform safety evaluation agent, carrying out quantitative evaluation on information flow between adjacent service components with the cloud safety management center according to the current evaluation state, and updating the evaluation state according to an intermediate result after evaluation. After the evaluation is finished, judging whether the component belongs to the final component of the combined service, if so, sending the current evaluation state serving as an evaluation result back to the service terminal; and if not, sending the current evaluation state to a security evaluation agent of the cloud platform to which the next service component belongs, and carrying out the next evaluation processing.
The cloud security management center quantitatively evaluates the information flow of software services based on information entropy theory. The quantitative evaluation has two stages, intra-component quantitative evaluation and inter-component quantitative evaluation, and the center consists of an intra-component evaluation engine, a service component certificate library, and an inter-component evaluation engine. Intra-component quantitative evaluation is carried out when a software service is deployed on the cloud platform; when it finishes, a corresponding component certificate is generated that states the information entropy transmission quantity between each input and each output of the component. Inter-component quantitative evaluation is carried out during service combination: the inter-component evaluation engine applies the inter-component quantitative evaluation rules to the combination relation and the component certificates of the adjacent service components sent by the cloud platform security agent, and when processing is finished it sends the information entropy transmission quantity of each input and output in the combined service to the cloud platform security agent. The service component certificate library manages the generated component certificates, including their generation, storage, and updating.
Referring to fig. 2, the workflow of the present invention mainly includes three stages of intra-component evaluation, inter-component evaluation, and service recommendation.
1. Intra-component evaluation
To evaluate the information entropy transmission quantity between the input and the output of the combined service, the information entropy transmission quantity between the input and the output of each component service
Figure GDA0003354989020000081
must first be evaluated. The information entropy transmission quantity within a component is shown in fig. 3.
As shown in fig. 2, the evaluation of the entropy transfer amount of the information in the component is mainly completed by the service component and the cloud security management center, and the main work flow is as shown in fig. 4. The specific method comprises the following steps:
(1) The cloud security evaluation agent first sends the source code of the service component to the intra-component evaluation engine of the cloud security management center.
(2) The intra-component evaluation engine analyzes the component code based on the program dependency graph and the program slicing method to obtain the dependency relationship between input and output in the component.
(3) The intra-component evaluation engine calculates the information entropy transmission quantity between each pair of input and output according to the dependency relationship.
(4) The cloud security management center generates a service component certificate according to the calculation result, and stores the information entropy transmission quantity within the component in a certificate library in certificate form for inter-component quantitative evaluation in the subsequent combination process.
Intra-component evaluation is independent of inter-component evaluation, so a software service can be evaluated offline before it is loaded into a cloud platform. This simplifies evaluation during service combination, reduces the quantitative evaluation time for the combined service, and improves the efficiency of recommending secure combined services.
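Added example (not code from the patent): a minimal intra-component evaluation that produces the per-pair certificate described in steps (1) to (4). It assumes the "information entropy transmission quantity" is Shannon mutual information under uniformly distributed inputs, and it substitutes exhaustive enumeration of a small finite input domain for the program-dependency-graph and slicing analysis; `toy_component`, its input names and the certificate layout are hypothetical.

```python
import itertools
import math
from collections import Counter


def mutual_information(samples):
    """Shannon mutual information I(X;Y) in bits.

    `samples` is a list of equally likely (x, y) observations, one per
    enumerated execution of the component.
    """
    n = len(samples)
    joint = Counter(samples)
    px = Counter(x for x, _ in samples)
    py = Counter(y for _, y in samples)
    return sum(
        (c / n) * math.log2(c * n / (px[x] * py[y]))
        for (x, y), c in joint.items()
    )


def build_certificate(component, domains):
    """Run the component on every input combination and record, for each
    (input, output) pair, how many bits of the input reach the output.

    Assumption: inputs are independent and uniform over `domains`.
    Returns {(input_name, output_name): bits}.
    """
    names = list(domains)
    runs = []
    for values in itertools.product(*(domains[n] for n in names)):
        inputs = dict(zip(names, values))
        runs.append((inputs, component(**inputs)))
    output_names = list(runs[0][1])
    return {
        (i, o): round(
            mutual_information([(ins[i], outs[o]) for ins, outs in runs]), 6
        )
        for i in names
        for o in output_names
    }


def toy_component(pin, amount):
    """Hypothetical service component (constructed for this example).

    `ok` reveals only whether the PIN matched; `receipt` keeps the two
    low-order bits of the amount.
    """
    return {"ok": pin == 7, "receipt": amount % 4}


# Constructed input domains: a 4-bit PIN and a 3-bit amount.
CERTIFICATE = build_certificate(
    toy_component, {"pin": range(16), "amount": range(8)}
)

if __name__ == "__main__":
    for (inp, out), bits in sorted(CERTIFICATE.items()):
        print(f"{inp:>6} -> {out:<7} {bits:.6f} bits")
```

The PIN check passes far less than the four bits of the PIN to `ok`, which is the kind of distinction a qualitative "depends on / does not depend on" analysis cannot express.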
2. Inter-component evaluation
The inter-component evaluation stage is executed during service combination. According to the combinational logic, and mainly from the quantitative evaluation results of the adjacent components, it calculates the information entropy transmission quantity between each input and output in the combined service
Figure GDA0003354989020000091
After the evaluation is finished, the information entropy transmission quantity of each input and output in the combined service is sent to the service terminal. The information entropy transmission quantity between components is shown in fig. 5 and 6. In FIG. 5, the information entropy transmission quantity from the input
Figure GDA0003354989020000092
of adjacent components to the output
Figure GDA0003354989020000093
is
Figure GDA0003354989020000094
In FIG. 6, the information entropy transmission quantity from the cross-component (combined service) input
Figure GDA0003354989020000095
to the output
Figure GDA0003354989020000096
is
Figure GDA0003354989020000097
Referring to fig. 2, because the service components are located in different clouds, the inter-component information entropy transmission quantity is evaluated with a distributed structure. The evaluation is completed mainly through cooperation of the terminal security agent, the security evaluation agents in the different cloud environments, and the security management center. The detailed workflow is as follows, and is also shown in fig. 7.
(1) The terminal security agent constructs each possible combined service and sends the corresponding combination description and evaluation state to the cloud security agent to which the first service component belongs.
(2) The service cloud security evaluation agent receives the combined service description and the evaluation state and forwards them to the cloud security management center.
(3) The cloud security management center acquires the adjacent component certificates from the certificate library according to the combinational logic.
(4) The inter-component quantitative evaluation engine of the cloud security management center calculates the information entropy transmission quantity between the inputs and outputs of the adjacent service components.
(5) The inter-component quantitative evaluation engine of the cloud security management center extends the calculation to the information entropy transmission quantity between cross-component (combined service) inputs and outputs, based on the information entropy transmission quantities of the adjacent service components.
(6) The quantitative evaluation engine of the cloud security management center returns the calculation result to the cloud security evaluation agent, and the agent updates the evaluation state of the combined service.
(7) The cloud security evaluation agent judges whether the current service component is the last service component; if so, the evaluation result is returned to the service terminal, and if not, the current evaluation state is sent to the cloud platform security evaluation agent to which the next service component belongs for the next evaluation, until the evaluation is finished.
3. Recommending a service;
and after receiving the quantitative evaluation result, the service terminal sequences the safety of different combined services and finally recommends the safety to the user. The service recommendation is completed by the terminal security agent, and the detailed work flow is shown as the work flow of the terminal security agent in fig. 7.
(1) The terminal security agent receives the quantitative evaluation result of each combined service.
(2) The terminal security agent then defines the security levels of the inputs and outputs of the combined service according to the user's security requirements. The current system supports two security levels: high and low.
(3) The terminal security agent collects the information entropy transfer amount from each high-security-level input to each low-security-level output in the combined service, takes that value as the information leakage between that input and output, and then normalizes the leakage between the same input and output across the different combined services.
(4) The terminal security agent defines weights for the leakage between different inputs and outputs according to the user's security requirements, calculates the total leakage from all high-security inputs to low-security outputs in each possible combined service using a linear programming method, and finally sorts the services by total leakage.
(5) The terminal security agent returns the final ranking to the user.
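The ranking procedure in steps (1) to (5), as an added Python example that is not code from the patent. The patent does not spell out the normalization or the linear programming formulation at this point, so dividing each pair by its maximum across candidates and taking a weighted linear sum are assumptions, as are all service, input and output names.

```python
"""Rank candidate combined services by weighted high-to-low information leakage."""
from typing import Dict, List, Tuple

Pair = Tuple[str, str]            # (input name, output name)
Evaluation = Dict[Pair, float]    # entropy transfer in bits for each input/output pair
HIGH, LOW = "high", "low"         # the two supported security levels


def leakage_pairs(evaluation: Evaluation, in_level: Dict[str, str],
                  out_level: Dict[str, str]) -> Evaluation:
    """Step 3, first half: keep only flows from a high input to a low output."""
    leaks: Evaluation = {}
    for (src, dst), bits in evaluation.items():
        if src not in in_level or dst not in out_level:
            raise KeyError(f"no security level defined for {src} -> {dst}")
        if bits < 0:
            raise ValueError(f"negative entropy transfer for {src} -> {dst}")
        if in_level[src] == HIGH and out_level[dst] == LOW:
            leaks[(src, dst)] = bits
    return leaks


def rank_compositions(results: Dict[str, Evaluation], in_level: Dict[str, str],
                      out_level: Dict[str, str],
                      weights: Dict[Pair, float]) -> List[Tuple[str, float]]:
    """Steps 3-4: normalise per pair, apply weights, sort by total leakage."""
    leaks = {name: leakage_pairs(ev, in_level, out_level)
             for name, ev in results.items()}
    pairs = sorted({pair for found in leaks.values() for pair in found})
    # Assumed normalisation: scale each pair by the largest leak any candidate
    # shows for it. A pair missing from a candidate means no dependency (0 bits).
    peak = {p: max(found.get(p, 0.0) for found in leaks.values()) for p in pairs}
    totals = {}
    for name, found in leaks.items():
        totals[name] = sum(
            weights.get(p, 1.0) * (found.get(p, 0.0) / peak[p] if peak[p] else 0.0)
            for p in pairs)
    # Lowest total leakage first; the name breaks ties so the order is stable.
    return sorted(totals.items(), key=lambda item: (item[1], item[0]))


# Constructed sample data (not from the patent): three candidate compositions.
IN_LEVEL = {"card_number": HIGH, "passport_id": HIGH, "destination": LOW}
OUT_LEVEL = {"public_log": LOW, "ad_profile": LOW, "receipt": HIGH}
RESULTS = {
    "A": {("card_number", "public_log"): 2.0, ("passport_id", "ad_profile"): 0.0,
          ("destination", "ad_profile"): 5.0, ("card_number", "receipt"): 16.0},
    "B": {("card_number", "public_log"): 0.5, ("passport_id", "ad_profile"): 4.0,
          ("destination", "ad_profile"): 5.0},
    "C": {("card_number", "public_log"): 1.0, ("passport_id", "ad_profile"): 2.0,
          ("card_number", "receipt"): 16.0},
}
WEIGHTS = {("card_number", "public_log"): 0.75, ("passport_id", "ad_profile"): 0.25}

if __name__ == "__main__":
    for name, total in rank_compositions(RESULTS, IN_LEVEL, OUT_LEVEL, WEIGHTS):
        print(f"{name}: weighted leakage {total:.4f}")
```

Flows into the high-level `receipt` output and flows from the low-level `destination` input never count as leakage, so only the two high-to-low pairs drive the ranking, and swapping the two weights reverses which candidate comes first.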
By defining quantitative information flow evaluation rules within and between components, the invention enables quantitative evaluation of the security of the individual components of a combined service and of the information flow of the combined service. This realizes information flow analysis during service composition in a multi-cloud environment and gives the user guidance in selecting a suitable combined service. Because the cloud security management center evaluates the quantitative information flow inside each service component offline, the evaluation overhead is effectively reduced and the efficiency of quantitative evaluation is improved.

Claims (2)

1. A distributed service security combination system based on quantitative information flow is characterized by comprising a plurality of cloud platforms, wherein the cloud platforms are connected with corresponding cloud security management centers and are used for exchanging data with service terminals and other cloud platforms;
the service terminal comprises a man-machine interaction interface, a combined service description engine and a terminal security agent;
the service terminal is used for describing the combined services according to the user service request, collecting candidate service information in different cloud platforms according to each service requirement, generating each possible combined service, sending an information traffic evaluation request to each cloud platform according to each possible combined service, receiving the information traffic evaluation result of each combined service after evaluation is finished, performing security grade division according to the type of input data in the user service process, calculating the overall leakage amount of the combined services, sorting, and finally recommending the sorting result to the user; counting the information entropy transmission quantity from each pair of high-security-level input to low-security-level output in the combined service, and taking the value as the information leakage quantity between input and output; the terminal security agent defines the weight of leakage between different input and output according to the security requirements of a user, and then calculates the total leakage from all high security input to low security output in each possible combined service by adopting a linear programming method;
the cloud platform consists of a service component library and a security evaluation agent, the service component library is responsible for managing the various software services loaded on the cloud platform, and the security evaluation agent is responsible for monitoring the quantitative evaluation state of the combined services; the cloud security management center comprises an inter-component evaluation engine, which quantitatively evaluates the information flow of adjacent services according to an inter-component quantitative evaluation rule, based on the combination relation between adjacent service components and the component certificates sent by the security evaluation agent of the cloud platform; after the evaluation is finished, the evaluation result is sent to the security evaluation agent, which forwards it to the security evaluation agent of the cloud platform to which the next service belongs for the next quantitative evaluation;
the cloud security management center is responsible for carrying out quantitative evaluation on information flow in the components and among the components, the quantitative evaluation stage in the components is carried out before software services are loaded into a cloud platform component library, an information flow certificate in the components is generated after the evaluation is finished, the quantitative evaluation stage among the components is carried out in the service combination process, the cloud security management center calculates the quantitative value among the components according to the input and output dependency relationship of adjacent services, and the calculated value is sent to the platform security agent; an in-component evaluation engine is arranged in the cloud security management center and used for analyzing component codes and acquiring the dependency relationship between input and output in the components;
the man-machine interaction interface is responsible for receiving a combined service request sent by a user and is convenient for the user to operate through a graphical interface;
the combination service description engine is responsible for describing the combination service input by the user by adopting BPEL language, and comprises the input and output of the combination service and the description of combination logic;
the terminal security agent is responsible for generating candidate combined services, sending the combined service description to the cloud platform security evaluation agent, normalizing the evaluation results, ranking the security of the combined services, and finally recommending the ranking results to the user.
2. The working method of the distributed service security combination system based on the quantitative information flow as claimed in claim 1, characterized by comprising the following steps:
the cloud security management center carries out preliminary analysis on the service programs loaded on the cloud platform, obtains the dependency relationship between input and output by adopting an information flow analysis method, calculates the information entropy transmission quantity between all output and input in the service programs and generates a certificate containing the information entropy transmission quantity; the specific method for calculating the information entropy transmission quantity among all the outputs and the inputs in the service component is as follows:
firstly, a cloud security evaluation agent sends a source code of a service component to an in-component evaluation engine of a cloud security management center;
secondly, analyzing the component codes by the in-component evaluation engine based on a program dependency graph and a program slicing method to obtain the dependency relationship between input and output in the component;
thirdly, the evaluation engine in the component calculates the information entropy transmission quantity between each pair of input and output according to the dependency relationship;
fourthly, the cloud security management center generates a service component certificate according to the calculation result, and information entropy transmission quantity in the component is stored into a certificate library in a certificate form and is used for quantitative evaluation in the subsequent combination process;
a service terminal user initiates a service combination request, and the service terminal describes a combination sequence to generate a candidate combination service set;
aiming at the candidate combined service set, sending a service description and an evaluation state to a cloud security management center, and starting a distributed quantitative evaluation process;
determining whether evaluation is to begin for each of the candidate composite service sets;
the terminal security agent receives the quantitative evaluation result of each combined service;
after receiving, defining the input and output security level in the combined service according to the security requirement of the user;
the terminal security agent counts the information entropy transmission quantity from each pair of high security level input to low security level output in the combined service, takes the value as the information leakage quantity between input and output, and then normalizes the leakage quantity between the same input and output of different combined services;
the terminal security agent defines the weight of leakage between different input and output according to the security requirements of a user, then calculates the total leakage from all high security input to low security output in each possible combined service by adopting a linear programming method, and finally sorts the services according to the total leakage;
the terminal security agent returns the final ranking result to the user;
the cooperative work flows of the terminal security agent, the security assessment agent under different cloud environments and the security management center are as follows:
firstly, a terminal security agent constructs each possible combined service, and sends corresponding combined description and evaluation state to a cloud security evaluation agent to which a first service component belongs;
secondly, the service cloud security evaluation agent receives the combined service description and the evaluation state and forwards the combined service description and the evaluation state to the cloud security management center;
thirdly, the cloud security management center acquires the adjacent component certificate from the certificate library according to the combinational logic;
fourthly, the inter-component quantitative evaluation engine of the cloud security management center calculates the information entropy transmission quantity between the inputs and outputs of adjacent service components;
fifthly, the inter-component quantitative evaluation engine of the cloud security management center calculates the information entropy transmission quantity between the inputs and outputs of the combined service;
sixthly, the quantitative evaluation engine of the cloud security management center returns the calculation result to the cloud security evaluation agent, and the cloud security evaluation agent updates the combined service evaluation state;
and seventhly, the cloud security evaluation agent determines whether the current service component is the last service component; if so, the evaluation result is returned to the service terminal, and if not, the current evaluation state is sent to the security evaluation agent of the cloud platform to which the next service component belongs for the next evaluation, until the evaluation is finished.