CN113765884A - Cross-network file mandatory access control method, device and system - Google Patents


Info

Publication number: CN113765884A
Authority: CN (China)
Prior art keywords: security, data packet, file, mark, client machine
Legal status: Pending
Application number: CN202110861832.2A
Other languages: Chinese (zh)
Inventors: 刘波, 董世江, 窦志冲
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention provides a cross-network file mandatory access control method, device and system, wherein the method comprises the following steps: receiving a request for accessing a server file; acquiring the security label of the file to be accessed; setting a security label on the data packet of the file to be accessed; after the setting is finished, transmitting the data packet to the client machine; after the transmission is finished, acquiring the security label of the data packet; acquiring the security label of the client machine user; and comparing the obtained security label of the data packet with the security label of the client machine user, and judging whether the client machine user has access rights to the server file. The security levels of different users and files are distinguished, mandatory access control of client users over server machine files is realized by comparing the security labels of client users and server data files, the security of remote file access is improved, and the security of data is enhanced.

Description

Cross-network file mandatory access control method, device and system
Technical Field
The invention relates to the technical field of cross-network access, in particular to a cross-network file mandatory access control method, device and system.
Background
Access control in the Linux operating system includes discretionary access control (DAC), in which the owner of an object mainly determines the access rights of other groups or users to that object, and Mandatory Access Control (MAC). MAC assigns security labels to subjects and objects and decides whether a subject has access rights to an object by comparing the labels each of them holds.
Most existing mandatory access control implementations control a subject's access to an object within the same computer operating system. Existing access control for network files is limited to simple access control on network messages and does not extend to mandatory access control that distinguishes users on the client. Mandatory access control over an object file on a target machine by different client users, running in different computer operating systems across a network, has not been realized.
Disclosure of Invention
The invention provides a cross-network file mandatory access control method, a device and a system, aiming at the problem that the mandatory access control of different users of clients in different computer operating systems among networks on object files on a target machine is not realized.
The technical scheme of the invention is as follows:
in a first aspect, a technical solution of the present invention provides a method for controlling cross-network file mandatory access, including the following steps:
receiving a request for accessing a server file;
acquiring a security label of a file to be accessed;
setting a security mark for a data packet of a file to be accessed;
after the setting is finished, transmitting the data packet to a client machine;
after the transmission is finished, acquiring a security label of the data packet;
acquiring a security label of a client machine user;
and comparing the obtained security label of the data packet with the security label of the client machine user, and judging whether the client machine user has the access right to the server file.
By comparing the security labels of the client user and the server data file, mandatory access control of the client user over the server machine file is achieved, the security of remote file access is improved, and data security is enhanced. The method and device realize mandatory access control by the client machine over files on the server machine within the same network, and improve security.
Further, after the step of receiving a request for accessing a server file, the method further includes:
judging whether a request sending end is a client machine or not;
and when the request sent by the client machine is judged, acquiring the security mark of the file to be accessed.
Further, the step of obtaining the security label of the file to be accessed further includes:
judging whether the security mark of the file to be accessed is successfully acquired;
if yes, executing the following steps: setting a security mark for a data packet of a file to be accessed;
if not: and recording a failure log, and defaulting to have no access right.
Further, the step of transmitting the data packet to the client machine further comprises:
judging whether the data packet is transmitted to a client machine or not;
when the data packet is judged to have been transmitted to the client machine, executing the following step: acquiring the security label of the data packet.
Further, the step of obtaining the security label of the data packet further includes:
judging whether the security label of the data packet is successfully obtained;
if yes, executing the following steps: acquiring a security label of a client machine user;
if not, recording a failure log, and defaulting to have no access authority.
Further, the step of receiving a request for accessing a server file comprises:
setting security marks of client machine users and server files.
By adopting the invention, when the client machine user accesses the object file on the target machine, the client user and the server machine are provided with the security marks, and the security marks of the client user and the server machine are compared by using the mandatory access control device, so that the mandatory access control of different users on the client machine to the file on the server machine is realized, and the security of file access under the same network is improved.
In a second aspect, a technical solution of the present invention provides a cross-network file mandatory access control device, including a security tag setting module, a tag obtaining module, a packet tag setting module, a packet tag obtaining module, and a tag comparing module;
the security mark setting module is used for setting security marks of client machine users and server files;
the label acquisition module is used for acquiring the security label of the file to be accessed, and also for acquiring the security label of the client machine user;
the data packet mark setting module is used for setting a security mark for a data packet of a file to be accessed;
the data packet mark acquisition module is used for acquiring a security mark of the data packet;
and the mark comparison module is used for comparing the obtained security mark of the data packet with the security mark of the client machine user and judging whether the client machine user has the access authority to the server file.
Further, the device also comprises an access judgment module;
the access judging module is used for judging whether a request sending end is a client machine or not after receiving a request for accessing the server file; and for determining whether the data packet is transmitted to the client machine;
the mark acquisition module is used for acquiring a security mark of a file to be accessed when the access judgment module judges that the request is sent by the client machine;
and the data packet mark acquisition module is used for acquiring the security mark of the data packet when the access judgment module judges that the data packet is transmitted to the client machine.
Further, the device also comprises an audit log module;
and the audit log module is used for recording a failure log when the acquisition of the mark acquisition module fails or the acquisition of the data packet mark acquisition module fails.
When a client user accesses a server file, the distinction of security levels among different client users and the control of information flow among different security bundles (departments) are added, so that mandatory access control of the client user over files on the server machine within the same network is realized and security is improved.
In a third aspect, the present invention further provides a cross-network file mandatory access control system, including a client, a server and a control device;
the client communicates with the server; the control device is a cross-network file mandatory access control device as claimed in any one of claims 7-9;
the client is used for sending a request for accessing the server file to the server; the system is also used for acquiring the security label of the data packet through the data packet label acquisition module after receiving the data packet transmitted by the server; after the security mark of the data packet is successfully obtained, the security mark of a client machine user is obtained through a mark obtaining module; after the security identification of the user is obtained, the obtained security label of the data packet is compared with the security label of the client machine user through the label comparison module, and whether the client machine user has the access right to the server file or not is judged.
The server is used for receiving a request for accessing the server file; the system is also used for triggering the mark acquisition module to acquire a security mark of a file to be accessed; the system is also used for setting a security mark for the transmitted file data packet through the data packet mark setting module after the security mark is successfully acquired; and after the setting is completed, transmitting the data packet to the client.
When a client machine user accesses an object file on a target machine, the client user and the server machine are provided with security marks, and the security marks of the client user and the server machine are compared by using the mandatory access control device, so that the mandatory access control of different users on the client to the file on the server machine is realized, and the security of file access under the same network is improved.
When a client user accesses files on other machines, the invention distinguishes the security levels of different users and files and realizes mandatory access control of the client user over the server machine's files by comparing the security labels of the client user and the server data files, thereby improving the security of remote file access and enhancing data security.
According to the technical scheme, the invention has the following advantages: a client user can access files on other machines, the security levels of different users and files are distinguished, mandatory access control of the client user over the server machine's files is achieved by comparing the security labels of the client user and the server data files, remote file access security is improved, and data security is enhanced.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Therefore, compared with the prior art, the invention has prominent substantive features and remarkable progress, and the beneficial effects of the implementation are also obvious.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention.
Fig. 2 is a schematic block diagram of an apparatus of one embodiment of the present invention.
In the figure, 11-a security mark setting module, 22-a mark acquisition module, 33-a data packet mark setting module, 44-a data packet mark acquisition module, 55-a mark comparison module, 66-an access judgment module and 77-an audit log module.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
netlabel: network label, a mechanism used by the kernel security module to attach security attributes to packets originating from user space and destined for the network. The kernel security module also uses the netlabel mechanism to read the security attributes of packets arriving from the network. The netlabel mechanism has three main parts: the protocol engine, the communication layer and the kernel security module API.
DAC: Linux discretionary access control, in which the owner of an object mainly determines the access rights of other groups or users to that object.
MAC: Linux mandatory access control, which sets security labels on subjects and objects and decides whether a subject has access rights to an object by judging the labels each of them holds.
BLP model: a mandatory access control model that divides the security levels of subjects and objects by sensitivity and, when a subject accesses an object, decides whether the subject has access rights according to the security levels of the subject and the object.
Lattice model: a mandatory access control model that extends the BLP model by classifying users and resources and allowing information to be exchanged between them.
As shown in fig. 1, an embodiment of the present invention provides a method for controlling cross-network file mandatory access, including the following steps:
step 1: receiving a request for accessing a server file;
step 2: acquiring a security label of a file to be accessed;
step 3: setting a security label on the data packet of the file to be accessed;
step 4: after the setting is finished, transmitting the data packet to the client machine;
step 5: after the transmission is finished, acquiring the security label of the data packet;
step 6: acquiring the security label of the client machine user;
step 7: comparing the obtained security label of the data packet with the security label of the client machine user, and judging whether the client machine user has access rights to the server file.
After the security label of the data packet is obtained, the security label of the client machine user is obtained; finally, the security labels of the client machine user and the data packet are compared. If the security labels of the client machine user and the data packet are consistent, the client machine user has access rights to the file on the server machine; otherwise the client machine user does not have access rights to the file on the server machine, and a failure log is recorded.
By comparing the security labels of the client user and the server data file, mandatory access control of the client user over the server machine file is achieved, the security of remote file access is improved, and data security is enhanced.
Another embodiment of the present invention provides a method for controlling cross-network file mandatory access, including the following steps:
step 1: receiving a request for accessing a server file; this step is followed by: judging whether a request sending end is a client machine or not;
step 2: acquiring a security label of a file to be accessed; in the step, when the request sent by the client machine is judged, the security mark of the file to be accessed is obtained; after the security mark of the file to be accessed is obtained, whether the security mark of the file to be accessed is obtained successfully is judged; if the security label of the file is not acquired successfully, recording a failure log, and defaulting to have no access authority;
step 3: setting a security label on the data packet of the file to be accessed;
step 4: after the setting is finished, transmitting the data packet to the client machine; in this step, it is determined whether the data packet has been transmitted to the client machine;
step 5: when the data packet is judged to have been transmitted to the client machine, the security label of the data packet is obtained; in this step, after the security label of the data packet is obtained, it is judged whether the security label was obtained successfully; if the security label of the data packet fails to be acquired, a failure log is recorded, and the default is no access rights;
step 6: acquiring the security label of the client machine user; this step is executed only after the security label of the data packet has been successfully acquired;
step 7: comparing the obtained security label of the data packet with the security label of the client machine user, and judging whether the client machine user has access rights to the server file.
Another embodiment of the present invention provides a method for controlling cross-network file mandatory access, including the following steps:
step 10: setting security marks of client machine users and server files.
Step 11: receiving a request for accessing a server file; this step is followed by: judging whether a request sending end is a client machine or not;
step 12: acquiring a security label of a file to be accessed; in the step, when the request sent by the client machine is judged, the security mark of the file to be accessed is obtained; after the security mark of the file to be accessed is obtained, whether the security mark of the file to be accessed is obtained successfully is judged; if the security label of the file is not acquired successfully, recording a failure log, and defaulting to have no access authority;
step 13: setting a security mark for a data packet of a file to be accessed;
step 14: after the setting is finished, transmitting the data packet to a client machine; in this step, it is determined whether the data packet is transmitted to the client machine;
step 15: when the data packet is judged to have been transmitted to the client machine, the security label of the data packet is obtained; in this step, after the security label of the data packet is obtained, it is judged whether the security label was obtained successfully; if the security label of the data packet fails to be acquired, a failure log is recorded, and the default is no access rights;
step 16: acquiring the security label of the client machine user; this step is executed only after the security label of the data packet has been successfully acquired;
step 17: comparing the obtained security label of the data packet with the security label of the client machine user, and judging whether the client machine user has access rights to the server file.
By adopting the invention, when a client machine user accesses an object file on the target machine, the client user and the server machine are provided with security labels, and the security labels of the client user and the server machine are compared by the mandatory access control device, so that mandatory access control of different users on the client machine over the file on the server machine is realized, and the security of file access within the same network is improved.
In a specific application, when a client user accesses a file on the server machine, the server machine obtains the security label of the file through the label acquisition module. After the server file's security label is obtained, the label is set on the data packet to be transmitted; failure to obtain or set the security label causes the file access to fail. After the label is set successfully, the data packet is transmitted to the client machine. Once the data packet has reached the client machine, its security label is obtained and converted into a recognizable security label. After the label is obtained successfully, the mandatory access control decision device judges whether the client machine has access rights to the file on the server.
As shown in fig. 2, an embodiment of the present invention further provides a cross-network file mandatory access control apparatus, which includes a security flag setting module 11, a flag obtaining module 22, a packet flag setting module 33, a packet flag obtaining module 44, and a flag comparing module 55;
a security mark setting module 11, configured to set security marks of client machine users and server files;
a mark acquisition module 22, configured to acquire a security mark of a file to be accessed; the system is also used for acquiring a security mark of a client machine user;
a data packet label setting module 33, configured to set a security label on the data packet of the file to be accessed;
a packet tag obtaining module 44, configured to obtain a security tag of a packet;
and a tag comparison module 55, configured to compare the obtained security tag of the data packet with the security tag of the client machine user, and determine whether the client machine user has an access right to the server file.
The embodiment of the invention also provides a cross-network file mandatory access control device, which comprises a security tag setting module 11, a tag obtaining module 22, a data packet tag setting module 33, a data packet tag obtaining module 44, a tag comparing module 55 and an access judging module 66;
a security mark setting module 11, configured to set security marks of client machine users and server files;
a tag acquisition module 22 for acquiring a security tag of a file to be accessed when the access determination module 66 determines that it is a request sent by the client machine; the system is also used for acquiring a security mark of a client machine user;
a packet tag obtaining module 44, configured to obtain the security tag of the packet when the access decision module 66 decides that the packet is transmitted to the client machine.
An access determination module 66, configured to determine whether a request sending end is a client machine after receiving a request for accessing a server file; and for determining whether the data packet is transmitted to the client machine;
a data packet label setting module 33, configured to set a security label on the data packet of the file to be accessed;
and a tag comparison module 55, configured to compare the obtained security tag of the data packet with the security tag of the client machine user, and determine whether the client machine user has an access right to the server file.
The embodiment of the invention also provides a cross-network file mandatory access control device, which comprises a security tag setting module 11, a tag obtaining module 22, a data packet tag setting module 33, a data packet tag obtaining module 44, a tag comparing module 55 and an access judging module 66;
a security mark setting module 11, configured to set security marks of client machine users and server files;
a tag acquisition module 22 for acquiring a security tag of a file to be accessed when the access determination module 66 determines that it is a request sent by the client machine; the system is also used for acquiring a security mark of a client machine user;
a packet tag obtaining module 44, configured to obtain the security tag of the packet when the access decision module 66 decides that the packet is transmitted to the client machine.
An access determination module 66, configured to determine whether a request sending end is a client machine after receiving a request for accessing a server file; and for determining whether the data packet is transmitted to the client machine;
a data packet label setting module 33, configured to set a security label on the data packet of the file to be accessed;
and a tag comparison module 55, configured to compare the obtained security tag of the data packet with the security tag of the client machine user, and determine whether the client machine user has an access right to the server file.
The apparatus also includes an audit log module 77;
and an audit log module 77, configured to record a failure log when the acquisition by the tag acquisition module 22 fails or the acquisition by the packet tag acquisition module 44 fails.
Specifically, the security labels of the client user and the server file are set through the security label setting module. When a user of the client machine accesses a file on the server, the access judgment module judges whether the local machine is the server machine or the client machine. The server machine triggers its file label acquisition module to acquire the security label of the file to be accessed; if the security label of the file fails to be acquired, the default is no access rights, and the audit device records a failure log. After the server-side security label is successfully acquired, the security label is set on the transmitted file data packet through the data packet label setting module, and after the setting is completed, the data packet is transmitted to the client machine. After the data packet is transmitted to the client machine, the access judgment module determines whether the local machine is the client machine. The client machine obtains the security label of the data packet through the data packet label acquisition module; if the security label is not obtained, the default is no access rights, and the audit log module records a failure log. After the data packet label acquisition module has acquired the security label of the data packet, the security label of the client subject user is acquired through the label acquisition module; finally, the security labels of the client subject user and the data packet are compared through the label comparison module. If the comparison succeeds, the client user is granted access rights to the file on the server machine by the mandatory access control device; otherwise, the client user does not have access rights to the file on the server machine, and the audit log module records a failure log.
When a client user accesses a server file, the method adds the distinction of security levels among different client users and the control of information flow among different security bundles (departments), realizes mandatory access control of the client user over the file on the server machine within the same network, and improves security.
The embodiment of the invention also provides a cross-network file mandatory access control system, which comprises a client, a server and a control device;
the client communicates with the server; the control device comprises a security mark setting module 11, a mark acquisition module 22, a data packet mark setting module 33, a data packet mark acquisition module 44, a mark comparison module 55 and an access judgment module 66;
a security mark setting module 11, configured to set security marks of client machine users and server files;
a tag acquisition module 22 for acquiring a security tag of a file to be accessed when the access determination module 66 determines that it is a request sent by the client machine; the system is also used for acquiring a security mark of a client machine user;
a packet tag obtaining module 44, configured to obtain the security tag of the packet when the access decision module 66 decides that the packet is transmitted to the client machine.
An access determination module 66, configured to determine whether a request sending end is a client machine after receiving a request for accessing a server file; and for determining whether the data packet is transmitted to the client machine;
a data packet label setting module 33, configured to set a security label on the data packet of the file to be accessed;
and a tag comparison module 55, configured to compare the obtained security tag of the data packet with the security tag of the client machine user, and determine whether the client machine user has an access right to the server file.
The client is used for sending a request for accessing the server file to the server; the system is also used for acquiring the security label of the data packet through the data packet label acquisition module after receiving the data packet transmitted by the server; after the security mark of the data packet is successfully obtained, the security mark of a client machine user is obtained through a mark obtaining module; after the security identification of the user is obtained, the obtained security label of the data packet is compared with the security label of the client machine user through the label comparison module, and whether the client machine user has the access right to the server file or not is judged.
The server is used for receiving a request for accessing the server file; the system is also used for triggering the mark acquisition module to acquire a security mark of a file to be accessed; the system is also used for setting a security mark for the transmitted file data packet through the data packet mark setting module after the security mark is successfully acquired; and after the setting is completed, transmitting the data packet to the client.
The security label model is based on a lattice model. A security label consists of three parts: a security category (represented by the character strings L0, L1, L2, …; a subject may hold several categories, while an object holds exactly one), a security level (an unsigned integer, increasing from 0) and a data integrity level (an unsigned integer, increasing from 0). The security label setting module is mainly used to set security labels for server users and files. The label acquisition and packet labelling path is built on the Linux kernel NetLabel mechanism: the security label of the file is first obtained through the label acquisition module, and the corresponding security attribute is then attached, via NetLabel, to the data packet generated in user space and sent to the network. The kernel's data packet label acquisition module likewise uses NetLabel to read the security attribute from packets arriving from the network and convert it into the corresponding label. The label comparison module decides whether the subject has the right to access the file from the network by comparing the security attributes of the subject and of the data packet.
The security label setting module sets security labels for the client user and the server file. The access decision module determines whether the local machine is a server machine or a client machine. When a user accesses a file on the server machine, the server sets the corresponding security attribute on the returned data packet through the data packet label setting module in the server kernel. After receiving the data packet from the server, the client machine reads the security attribute of the packet through the data packet label acquisition module in its kernel and converts it into the corresponding security label format. The kernel label comparison module then compares the security label of the client user with that of the data packet returned by the server, and decides whether the client user has the right to access the server file.
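The label model and the server-to-client decision path described above, as an added, self-contained example; this is not the patent's code and does not use the Linux NetLabel subsystem. It models a label as (categories, level, integrity level) exactly as the description does, stamps each packet with a hypothetical in-band "XMAC" option that stands in for the NetLabel/CIPSO security attribute the patent attaches in the kernel, and implements the steps of claims 1 to 5 on both ends, including the failure log and the default deny of claims 3 and 5. The patent does not state which dominance rule the comparison module applies; the rule used here (Bell-LaPadula "no read up" on level and category, Biba "no read down" on integrity) is this example's assumption, as are the file path, the labels and the wire format.

```python
"""Added example (not the patent's code): lattice security labels, in-band packet
labelling, and the server/client decision steps of claims 1-5."""
from __future__ import annotations

import logging
import struct
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("xnet_mac")

MAGIC = b"XMAC"  # hypothetical in-band option; stands in for the NetLabel/CIPSO attribute


@dataclass(frozen=True)
class SecurityLabel:
    categories: frozenset  # e.g. {"L0", "L2"}; an object carries exactly one
    level: int             # security level, unsigned, 0 = lowest
    integrity: int         # data integrity level, unsigned, 0 = lowest

    def may_read(self, obj: SecurityLabel) -> bool:
        """Assumed dominance rule (the patent only says the labels form a lattice):
        Bell-LaPadula no-read-up on level and category, Biba no-read-down on integrity."""
        return (self.level >= obj.level
                and obj.categories <= self.categories
                and obj.integrity >= self.integrity)


def encode_label(label: SecurityLabel) -> bytes:
    """Serialise a label: MAGIC, version, level, integrity, then length-prefixed categories."""
    cats = sorted(label.categories)
    out = bytearray(MAGIC)
    out += struct.pack("!BHHB", 1, label.level, label.integrity, len(cats))
    for cat in cats:
        raw = cat.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return bytes(out)


def decode_label(buf: bytes) -> tuple[SecurityLabel | None, bytes]:
    """Parse the in-band label; returns (label, payload), or (None, buf) if absent or malformed."""
    if not buf.startswith(MAGIC) or len(buf) < 10:
        return None, buf
    version, level, integrity, ncat = struct.unpack_from("!BHHB", buf, 4)
    if version != 1:
        return None, buf
    pos, cats = 10, []
    for _ in range(ncat):
        if pos >= len(buf):
            return None, buf
        n = buf[pos]
        pos += 1
        if pos + n > len(buf):
            return None, buf
        cats.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return SecurityLabel(frozenset(cats), level, integrity), buf[pos:]


# Constructed sample store filled by the "security label setting module"; the path is made up.
FILE_LABELS = {"/srv/data/plan.txt": SecurityLabel(frozenset({"L1"}), 2, 1)}


def server_send(path: str, content: bytes, from_client: bool = True) -> bytes | None:
    """Server side (claims 1-3): check the sender, fetch the file's label, stamp the packet.
    Returns the labelled packet, or None after logging when the label cannot be obtained."""
    if not from_client:
        log.info("request for %s did not come from a client machine; ignored", path)
        return None
    label = FILE_LABELS.get(path)
    if label is None or len(label.categories) != 1:  # an object holds exactly one category
        log.error("no usable security label for %s; denied by default", path)
        return None
    return encode_label(label) + content


def client_decide(packet: bytes, user: SecurityLabel) -> tuple[bool, bytes]:
    """Client side (claims 1, 4, 5): read the packet's label and compare it with the user's.
    A missing or malformed label is logged and treated as no access."""
    label, payload = decode_label(packet)
    if label is None:
        log.error("packet carries no valid security label; denied by default")
        return False, b""
    if not user.may_read(label):
        log.warning("user %s may not read object labelled %s", user, label)
        return False, b""
    return True, payload


if __name__ == "__main__":
    pkt = server_send("/srv/data/plan.txt", b"quarterly plan")
    alice = SecurityLabel(frozenset({"L0", "L1"}), 3, 0)  # holds L1, level 3 >= 2, integrity 0 <= 1
    bob = SecurityLabel(frozenset({"L0"}), 3, 0)          # lacks category L1
    print(client_decide(pkt, alice))
    print(client_decide(pkt, bob))
```

One caveat the patent leaves implicit: a label carried in-band (a CIPSO or CALIPSO IP option in the real NetLabel case, or the option above) is only as trustworthy as the network path, since nothing in the option authenticates the server that set it. A client that grants access on the strength of an unauthenticated label is trusting whoever can inject packets on that path, so the labelled traffic has to be confined to a trusted segment or carried over IPsec for the comparison to mean anything.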
Although the present invention has been described in detail with reference to the drawings and the preferred embodiments, it is not limited thereto. Those skilled in the art can make various equivalent modifications or substitutions to the embodiments without departing from the spirit and scope of the present invention, and such modifications or substitutions fall within its scope. Therefore, the protection scope of the present invention shall be subject to the appended claims.

Claims (10)

1. A cross-network file mandatory access control method, characterized by comprising the following steps:
receiving a request for accessing a server file;
acquiring the security label of the file to be accessed;
setting a security label on the data packet of the file to be accessed;
after the setting is complete, transmitting the data packet to a client machine;
after the transmission is complete, acquiring the security label of the data packet;
acquiring the security label of the client machine user;
and comparing the acquired security label of the data packet with the security label of the client machine user, and deciding whether the client machine user has the right to access the server file.
2. The method of claim 1, characterized in that the step of receiving a request for accessing a server file is further followed by:
determining whether the sender of the request is a client machine;
and, when it is determined that the request was sent by a client machine, acquiring the security label of the file to be accessed.
3. The method of claim 2, characterized in that the step of acquiring the security label of the file to be accessed is further followed by:
determining whether the security label of the file to be accessed was acquired successfully;
if so, executing the step of setting a security label on the data packet of the file to be accessed;
if not, recording a failure log and denying access by default.
4. The method of claim 3, characterized in that the step of transmitting the data packet to the client machine is further followed by:
determining whether the data packet has been transmitted to the client machine;
and, when it is determined that the data packet has been transmitted to the client machine, executing the step of acquiring the security label of the data packet.
5. The method of claim 4, characterized in that the step of acquiring the security label of the data packet is further followed by:
determining whether the security label of the data packet was acquired successfully;
if so, executing the step of acquiring the security label of the client machine user;
if not, recording a failure log and denying access by default.
6. The method of claim 1, characterized in that the step of receiving a request for accessing a server file is preceded by:
setting the security labels of client machine users and server files.
7. A cross-network file mandatory access control device, characterized by comprising a security label setting module, a label acquisition module, a data packet label setting module, a data packet label acquisition module and a label comparison module;
the security label setting module is configured to set the security labels of client machine users and server files;
the label acquisition module is configured to acquire the security label of the file to be accessed, and also to acquire the security label of the client machine user;
the data packet label setting module is configured to set a security label on the data packet of the file to be accessed;
the data packet label acquisition module is configured to acquire the security label of the data packet;
and the label comparison module is configured to compare the acquired security label of the data packet with the security label of the client machine user and decide whether the client machine user has the right to access the server file.
8. The cross-network file mandatory access control device of claim 7, characterized in that the device further comprises an access decision module;
the access decision module is configured to determine, after a request for accessing the server file is received, whether the sender of the request is a client machine, and to determine whether the data packet has been transmitted to the client machine;
the label acquisition module is configured to acquire the security label of the file to be accessed when the access decision module determines that the request was sent by a client machine;
and the data packet label acquisition module is configured to acquire the security label of the data packet when the access decision module determines that the data packet has been transmitted to the client machine.
9. The cross-network file mandatory access control device of claim 8, characterized in that the device further comprises an audit log module;
the audit log module is configured to record a failure log when the label acquisition module or the data packet label acquisition module fails to acquire a label.
10. A cross-network file mandatory access control system, characterized by comprising a client, a server and a control device;
the client communicates with the server; the control device is the cross-network file mandatory access control device of any one of claims 7 to 9;
the client is configured to send a request for accessing the server file to the server; after receiving the data packet transmitted by the server, to acquire the security label of the data packet through the data packet label acquisition module; after the security label of the data packet has been acquired successfully, to acquire the security label of the client machine user through the label acquisition module; and, after the user's security label has been acquired, to compare the acquired security label of the data packet with the security label of the client machine user through the label comparison module and decide whether the client machine user has the right to access the server file;
the server is configured to receive the request for accessing the server file; to trigger the label acquisition module to acquire the security label of the file to be accessed; after the security label has been acquired successfully, to set a security label on the data packet of the file being transmitted through the data packet label setting module; and, after the setting is complete, to transmit the data packet to the client.
CN202110861832.2A 2021-07-29 2021-07-29 Cross-network file mandatory access control method, device and system Pending CN113765884A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110861832.2A CN113765884A (en) 2021-07-29 2021-07-29 Cross-network file mandatory access control method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110861832.2A CN113765884A (en) 2021-07-29 2021-07-29 Cross-network file mandatory access control method, device and system

Publications (1)

Publication Number Publication Date
CN113765884A true CN113765884A (en) 2021-12-07

Family

ID=78788230

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110861832.2A Pending CN113765884A (en) 2021-07-29 2021-07-29 Cross-network file mandatory access control method, device and system

Country Status (1)

Country Link
CN (1) CN113765884A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102368760A (en) * 2010-12-31 2012-03-07 中国人民解放军信息工程大学 Data secure transmission method among multilevel information systems
CN102413198A (en) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 Security-marker-based access control method and related system
CN102571698A (en) * 2010-12-17 2012-07-11 ***通信集团公司 Access authority control method, system and device for virtual machine
CN105653725A (en) * 2016-01-22 2016-06-08 湖南大学 MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields
CN108092945A (en) * 2016-11-22 2018-05-29 中兴通讯股份有限公司 Method and apparatus for determining access rights, and terminal
CN108429749A (en) * 2018-03-12 2018-08-21 重庆邮电大学 Outsourced mandatory access control method based on hierarchical attribute-based encryption


Similar Documents

Publication Publication Date Title
US7664828B2 (en) Invalid policy detection
KR101361161B1 (en) System and method for reinforcing authentication using context information for mobile cloud
EP0918282B1 (en) Server and client
CN102394885B (en) Information classification protection automatic verification method based on data stream
EP3852327A1 (en) Exception access behavior identification method and server
CN110650128A (en) System and method for detecting digital currency stealing attack of Etheng
CN112469044B (en) Edge access control method and controller for heterogeneous terminal
CN108965054B (en) Method for quickly interacting data between client and server
CN111711711A (en) Block chain-based top-level domain name management and analysis method and system
CN115495233A (en) Cloud computing resource allocation method based on intelligent management platform
CN112019330B (en) Intranet security audit data storage method and system based on alliance chain
CN113839966A (en) Security management system based on micro-service
CN111917706A (en) Method for identifying NAT equipment and determining number of terminals behind NAT
CN112491836B (en) Communication system, method, device and electronic equipment
CN113765884A (en) Cross-network file mandatory access control method, device and system
CN103503486A (en) Video distribution method and system and video playing method and system
CN108650274B (en) Network intrusion detection method and system
CN115174561B (en) File segmented transmission method and system
CN116956252A (en) Self-adaptive management method and system for platform multi-user renting
CN110633326A (en) Method and system for uplink of weather data of Internet of things on block chain
CN116467062A (en) Block chain-based data processing method, equipment and readable storage medium
CN112488724A (en) Payment verification method and system based on block chain network and big data analysis
CN108075932B (en) Data monitoring method and device
CN113595958A (en) Safety detection system and method for Internet of things equipment
CN110647769A (en) Indoor air detection data chaining method and equipment of Internet of things by combining block chains

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211207