CN114398623A - Method for determining security policy - Google Patents

Info

Publication number
CN114398623A
Authority
CN
China
Prior art keywords
access
level
resource
access request
extracting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111302299.2A
Other languages
Chinese (zh)
Inventor
唐培全
高冰
马勇
申大伟
李�杰
王晓磊
王志翔
范伟宁
孙崇武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huaneng Information Technology Co Ltd
Original Assignee
Huaneng Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huaneng Information Technology Co Ltd
Priority to CN202111302299.2A
Publication of CN114398623A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/9035 Filtering based on additional data, e.g. user or group profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/906 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of network security and discloses a method for determining a security policy. The method comprises: extracting all object resources, encrypting them and setting access levels; recording the object resources and establishing a secure database in which they are stored, then extracting the feature name and access level of each object resource to generate a permission retrieval list, where the feature name is the identifier of the corresponding object resource; and sending an access request that includes the feature name of the object resource to be browsed and a corresponding permission level, where the permission level is the highest access level that can be consulted, and the object resource is extracted if the permission level is higher than or equal to the access level of the object resource to be browsed. Compared with a traditional system in which the corresponding access right is obtained through examination and approval by an administrator, the system is more efficient.

Description

Method for determining security policy
Technical Field
The invention relates to the technical field of network security, in particular to a method for determining a security policy.
Background
The AIduration security middle platform is a SaaS-based security-management-as-a-service platform. It connects security policy with the AIduration security infrastructure, forms a coherent people-process-technology security management system, and ensures that security policy is correctly implemented. The core of the security middle platform is the protection of data assets: security capabilities are scheduled through the execution of security policies to provide a secure environment for the data assets. The platform provides security services for data assets with the security identifier at its core, and the setting of security identifiers drives the orchestration, scheduling and execution of security policies. The security middle platform needs to provide rich interfaces to connect with the data middle platform so that data assets can be given security identifiers; a security-identifier policy calculation engine computes and orchestrates the corresponding security policies according to the attributes of the identifiers, and a policy execution engine carries out the orchestrated policies by driving the various security capabilities (equipment and software).
Because the system typically needs to store a large amount of reference or customer data, these resources are collectively referred to as object resources; they may belong to different levels and have different economic or other value. In daily operation, the object resources of higher value are always kept encrypted. Users cannot browse them at will, so a user who needs to browse one must apply to the administrator for the corresponding decryption permission or key. However, the administrator has to process a large number of requests in daily operation, so responses to requests to browse encrypted object resources are often delayed, which in turn affects work efficiency.
Disclosure of Invention
The present invention is directed to a method for determining a security policy, so as to solve the problems in the background art.
In order to achieve the purpose, the invention provides the following technical scheme:
a method for determining a security policy, the method comprising:
extracting all object resources, encrypting the object resources and setting access levels, wherein the access levels are divided according to the values of the object resources, and the object resources with higher values have higher corresponding access levels;
recording the object resources and establishing a secure database in which the object resources are stored, and generating a permission retrieval list after extracting the feature names and access levels of the object resources, wherein the feature name is the identifier of the corresponding object resource, the object resource can be retrieved from the secure database through its feature name, and the feature names of any two object resources are different;
and sending an access request, wherein the access request comprises the feature name of the object resource to be browsed and a corresponding permission level, the permission level refers to the highest access level which can be consulted, and if the permission level is higher than or equal to the access level of the object resource to be browsed in the access request, the object resource is extracted.
As a further scheme of the present invention, the object resource is normally in an encrypted state and must be decrypted when it is consulted; the specific decryption steps are as follows:
extracting the characteristic name of the object resource and the key of the object resource to generate a key retrieval list;
receiving an access request, and extracting a feature name and an authority level in the access request;
extracting the access level of the object resource under the characteristic name, and comparing the access level with the authority level in the access request;
if the authority level is greater than or equal to the access level of the object resource, extracting the key of the object resource from the key retrieval list;
and decrypting the object resource through the key.
As a further scheme of the present invention, in order to ensure the confidentiality of the object resource, the object resource enters a self-destruction state after being decrypted: a countdown starts once the object resource is decrypted, and the object resource is destroyed when the countdown reaches zero.
As a further scheme of the present invention, in order to ensure that the object resource is not lost or damaged each time it is extracted from the secure database, a copy rather than the original is used as the extracted object; the specific steps are as follows:
accessing the secure database, and retrieving object resources needing to be extracted in the secure database through the feature names;
extracting the object resource and the key of the object resource, and decrypting the object resource;
extracting the decrypted object resource and copying the object resource;
re-encrypting the original of the object resource;
and extracting a copy of the object resource.
As a further aspect of the present invention, when the permission level in the access request is lower than the access level of the object resource specified by the feature name in the access request, the access request is rejected and is not passed.
As a further scheme of the present invention, after the same access request is rejected for multiple times, the method enters a mandatory access phase, and the mandatory access specifically includes the following steps:
extracting the feature name in the access request, and obtaining the access level of the object resource corresponding to the feature name;
randomly issuing an access request to a plurality of mandatory access ports, wherein the authority level of the mandatory access ports is higher than or equal to the access level of the object resource;
counting the proportion of the mandatory access ports which agree with the access request, and if the proportion is greater than or equal to a set threshold value, determining that the access request passes the mandatory access limit;
extracting the access level of the object resource corresponding to the feature name in the access request, creating a permission level equal to that access level, which is defined as the mandatory permission level, and replacing the permission level in the access request with the mandatory permission level;
and sending the updated access request.
As a further aspect of the present invention, if the proportion of mandatory access ports that agree to the access request in the mandatory access phase is smaller than the set threshold, the access request is determined to be an irrational access, and the sending of the access request is terminated.
As a further aspect of the present invention, the mandatory permission level has all the functions of an ordinary permission level of the same level, but its number of uses is limited: it is invalidated after a single use, i.e., it loses all those functions once that single use is completed.
As a further scheme of the present invention, when the value of the object resource changes due to reasons such as timeliness, the access level of the object resource needs to be modified, and the specific modification steps are as follows:
extracting the feature name and the latest access level of the object resource;
and extracting the authority retrieval list, and updating the access level under the characteristic name corresponding to the object resource in the list.
Compared with the prior art, the invention has the following beneficial effects: all object resources, i.e. the large amount of reference information, customer data and other data recorded in the system, are classified quantitatively and each object resource is assigned a level, so that in the subsequent stage of accessing and browsing the object data, a given permission level can only access object resources at the same or a lower level.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention.
Fig. 1 is a schematic flowchart of a method for determining a security policy according to an embodiment of the present invention.
Fig. 2 is a schematic flowchart of a process for decrypting an object resource according to a preferred embodiment of the present invention.
Fig. 3 is a schematic flow chart of extracting a secret object resource according to a preferred embodiment of the present invention.
Fig. 4 is a flow chart of a forced access according to a preferred embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, if there is a directional indication (such as up, down, left, right, front, and back) in the embodiment of the present invention, it is only used to explain the relative position relationship between the components, the motion situation, and the like in a certain posture, and if the certain posture is changed, the directional indication is changed accordingly.
In addition, if the description of "first", "second", etc. is referred to in the present invention, it is used for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
The following detailed description of specific implementations of the present invention is provided in conjunction with specific embodiments:
Because the system typically needs to store a large amount of reference or customer data, these resources are collectively referred to as object resources; they may belong to different levels and have different economic or other value. In daily operation, the object resources of higher value are always kept encrypted. Users cannot browse them at will, so a user who needs to browse one must apply to the administrator for the corresponding decryption permission or key. However, the administrator has to process a large number of requests in daily operation, so responses to requests to browse encrypted object resources are often delayed, which in turn affects work efficiency.
In this embodiment, all object resources are extracted and encrypted, and access levels are set; the object resources are recorded and a secure database is established in which they are stored, and a permission retrieval list is generated after the feature names and access levels of the object resources are extracted; an access request is then sent and the object resource is extracted. All object resources, i.e. the large amount of reference information, customer data and other data recorded in the system, are classified quantitatively and each object resource is assigned a level, so that in the subsequent stage of accessing and browsing the object data, a given permission level can only access object resources at the same or a lower level. Compared with a traditional system in which the corresponding access permission is obtained through examination and approval by an administrator, the system is more efficient.
Example 1
Fig. 1 shows an implementation flow of a method for determining a security policy in the present invention, where the method for determining a security policy is applied to a device capable of connecting to the internet in real time, where the device may be a communication device such as a mobile phone, a tablet computer, and a computer, and is not specifically limited herein, and the method for determining a security policy is described in detail as follows:
step S100, extracting all object resources, encrypting the object resources and setting access levels, wherein the access levels are divided according to the values of the object resources, and the object resources with higher values have higher corresponding access levels;
step S200, recording the object resources and establishing a secure database in which the object resources are stored, and generating a permission retrieval list after extracting the feature names and access levels of the object resources, wherein the feature name is the identifier of the corresponding object resource, the object resource can be retrieved from the secure database through its feature name, and the feature names of any two object resources are different;
step S300, sending an access request, wherein the access request comprises the feature name of the object resource to be browsed and the corresponding permission level, the permission level refers to the highest access level capable of being consulted, and if the permission level is higher than or equal to the access level of the object resource to be browsed in the access request, the object resource is extracted.
Access rights are mechanisms that restrict access to certain information items or certain controls based on the identities of users and their membership in various predefined groups. Access control is typically used by system administrators to control user access to network resources (e.g., servers, directories, and files), and is typically implemented by granting users and groups access to particular objects.
In addition, as shown in fig. 2, the object resource is in an encrypted state, and a decryption operation is required when the object resource is referred to, and the specific decryption steps are as follows:
step S101, extracting the characteristic name of the object resource and the key of the object resource, and generating a key retrieval list;
step S102, receiving an access request, and extracting a feature name and an authority level in the access request;
step S103, extracting the access level of the object resource under the characteristic name, and comparing the access level with the authority level in the access request;
step S104, if the authority level is larger than or equal to the access level of the object resource, extracting the key of the object resource from the key retrieval list;
step S105, decrypting the object resource with the key.
In the embodiment of the present invention, it can be understood that, in order to ensure the confidentiality of the object resource, the object resource enters a self-destruction state after being decrypted: a countdown starts once the object resource is decrypted, and the object resource is destroyed when the countdown reaches zero.
A key (secret key) is secret information used to perform cryptographic operations such as encryption, decryption and integrity verification. In symmetric cryptography (or secret-key cryptography), the same key is used for encryption and decryption, and therefore the key needs to be kept secret. In public key cryptography (or asymmetric cryptography), the keys used for encryption and decryption are different: typically one is public, called the public key; the other is secret, called the private key. Cryptosystems may be divided into symmetric cryptosystems (also called single-key, secret-key or symmetric-key cryptosystems) and asymmetric cryptosystems (also called double-key, public-key or asymmetric-key cryptosystems) according to whether the encryption key and decryption key used in the cryptographic algorithm are the same and whether the decryption process can be derived from the encryption process (or the encryption process from the decryption process). Symmetric key encryption, also known as private key encryption or session key encryption, means that the sender and receiver of information use the same key to encrypt and decrypt data. Its most important advantage is that encryption and decryption are fast, which makes it suitable for encrypting large volumes of data; in practical applications the two are therefore usually combined, for example with a symmetric key encryption system used to store large amounts of data and a public key encryption system used to encrypt the keys.
In addition, in the embodiment of the present invention, when the authority level in the access request is lower than the access level of the object resource specified by the feature name in the access request, the access request is rejected and is not passed.
Fig. 3 illustrates another preferred embodiment of the present invention, which shows the process of extracting the object resource. To ensure that the object resource is not lost or damaged each time it is extracted from the secure database, a copy rather than the original is used as the extracted object; the specific steps are as follows:
step S201, accessing a security database, and retrieving object resources needing to be extracted in the security database through feature names;
step S202, extracting the object resource and the key of the object resource, and decrypting the object resource;
step S203, extracting the decrypted object resource and copying the object resource;
step S204, re-encrypting the original of the object resource;
step S205, extracting the copy of the object resource.
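The level comparison, key lookup and copy-based extraction of steps S100-S300, S101-S105 and S201-S205, together with the self-destruct countdown, as Python. This is an added example, not code from the patent: the class and function names, the 30-second default countdown, the stand-in cipher and the fresh key used on re-encryption are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode) so the example runs with the
    standard library only; a deployment would use an AEAD such as AES-GCM."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class AccessDenied(Exception):
    """Raised for a refused request or a destroyed copy."""


@dataclass(frozen=True)
class AccessRequest:
    feature_name: str        # unique identifier of the object resource
    permission_level: int    # highest access level the requester may consult


class ExpiringCopy:
    """Decrypted copy that is destroyed when its countdown reaches zero."""

    def __init__(self, data: bytes, ttl: float, clock):
        self._data = bytearray(data)
        self._deadline = clock() + ttl
        self._clock = clock

    def read(self) -> bytes:
        if self._data is None or self._clock() >= self._deadline:
            self.destroy()
            raise AccessDenied("copy has been destroyed")
        return bytes(self._data)

    def destroy(self) -> None:
        if self._data is not None:
            self._data[:] = bytes(len(self._data))   # overwrite before dropping
            self._data = None


class SecureDatabase:
    def __init__(self, copy_ttl: float = 30.0, clock=time.monotonic):
        self._blobs = {}             # feature name -> (nonce, ciphertext)
        self._key_list = {}          # key retrieval list (S101)
        self.permission_list = {}    # permission retrieval list (S200)
        self._copy_ttl = copy_ttl
        self._clock = clock

    def _seal(self, feature_name: str, data: bytes) -> None:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._blobs[feature_name] = (nonce, keystream_xor(key, nonce, data))
        self._key_list[feature_name] = key

    def store(self, feature_name: str, data: bytes, access_level: int) -> None:
        """S100/S200: encrypt, assign an access level, index by feature name."""
        if feature_name in self.permission_list:
            raise ValueError("feature names must be unique")
        self._seal(feature_name, data)
        self.permission_list[feature_name] = access_level

    def ciphertext(self, feature_name: str) -> bytes:
        return self._blobs[feature_name][1]

    def extract(self, request: AccessRequest) -> ExpiringCopy:
        """S102-S105 and S201-S205: compare levels, decrypt, hand out a copy."""
        level = self.permission_list.get(request.feature_name)
        # Unknown names and insufficient levels get the same answer, so a
        # refusal does not reveal which feature names exist.
        if level is None or request.permission_level < level:
            raise AccessDenied("request rejected")
        key = self._key_list[request.feature_name]             # S104
        nonce, ciphertext = self._blobs[request.feature_name]
        plaintext = keystream_xor(key, nonce, ciphertext)      # S105 / S202
        # S204: the original is re-encrypted. Using a fresh key here is a
        # choice of this example, not something the patent specifies.
        self._seal(request.feature_name, plaintext)
        return ExpiringCopy(plaintext, self._copy_ttl, self._clock)  # S203, S205
```

The stored original never leaves the database in plaintext; callers only ever hold an `ExpiringCopy`, which refuses reads once the countdown has elapsed.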
As shown in fig. 4, another preferred embodiment of the present invention is provided, after the same access request is rejected for multiple times, the mandatory access phase is entered, where the mandatory access phase specifically includes the following steps:
step S301, extracting the feature name in the access request, and obtaining the access level of the object resource corresponding to the feature name;
step S302, randomly issuing access requests to a plurality of mandatory access ports, wherein the authority level of the mandatory access ports is higher than or equal to the access level of the object resources;
step S303, counting the proportion of the mandatory access port which agrees to the access request, and if the proportion is greater than or equal to the set threshold value, determining that the access request passes the mandatory access limit;
step S304, extracting the access level of the object resource corresponding to the feature name in the access request, creating a permission level equal to that access level, which is defined as the mandatory permission level, and replacing the permission level in the access request with the mandatory permission level;
step S305, the updated access request is sent.
It is understood that, in this embodiment, if the proportion of mandatory access ports that agree to the access request in the mandatory access phase is smaller than the set threshold, the access request is determined to be an irrational access, and the sending of the access request is terminated.
It should be noted that the mandatory permission level cannot permanently replace the original permission level. Although the mandatory permission level has all the functions of an ordinary permission level of the same level, its number of uses is limited: it is invalidated after a single use, that is, it loses all those functions once that single use is completed.
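The mandatory access phase of steps S301-S305, with the threshold vote and the single-use mandatory permission level, as Python. This is an added example, not code from the patent: the names `Approver` and `MandatoryAccess`, the token format, and the binding of a grant to one requester and one feature name are assumptions made for illustration.

```python
import random
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Approver:
    """One "mandatory access port": a party that can vote on a request."""
    name: str
    permission_level: int
    decide: Callable[[str, str], bool]   # (requester, feature_name) -> agrees?


class MandatoryAccess:
    def __init__(self, permission_list: Dict[str, int], approvers: List[Approver],
                 threshold: float, sample_size: int, max_rejections: int,
                 rng: Optional[random.Random] = None):
        if sample_size < 1:
            raise ValueError("sample_size must be at least 1")
        self.permission_list = permission_list
        self.approvers = approvers
        self.threshold = threshold
        self.sample_size = sample_size
        self.max_rejections = max_rejections
        self.rng = rng or random.SystemRandom()
        self._rejections: Dict[Tuple[str, str], int] = {}
        self._grants: Dict[str, Tuple[str, str, int]] = {}

    def record_rejection(self, requester: str, feature_name: str) -> bool:
        """Count a rejected request; True once the mandatory phase is open."""
        key = (requester, feature_name)
        self._rejections[key] = self._rejections.get(key, 0) + 1
        return self._rejections[key] >= self.max_rejections

    def vote(self, requester: str, feature_name: str) -> Optional[str]:
        """S301-S304: poll eligible approvers; return a one-time grant or None."""
        key = (requester, feature_name)
        if self._rejections.get(key, 0) < self.max_rejections:
            return None                       # mandatory phase not reached
        level = self.permission_list.get(feature_name)            # S301
        if level is None:
            return None
        eligible = [a for a in self.approvers if a.permission_level >= level]
        if len(eligible) < self.sample_size:
            return None                       # too few approvers: fail closed
        del self._rejections[key]             # one vote per rejection cycle
        polled = self.rng.sample(eligible, self.sample_size)      # S302
        agreed = sum(1 for a in polled if a.decide(requester, feature_name))
        if agreed / len(polled) < self.threshold:                 # S303
            return None                       # irrational access: terminated
        token = secrets.token_urlsafe(16)
        # S304: the grant carries a level equal to the resource's access level.
        # Binding it to requester and feature name is this example's choice.
        self._grants[token] = (requester, feature_name, level)
        return token

    def redeem(self, token: str, requester: str, feature_name: str) -> Optional[int]:
        """S305: return the mandatory permission level once, then invalidate."""
        grant = self._grants.pop(token, None)   # removed on first use
        if grant is None or grant[:2] != (requester, feature_name):
            return None
        return grant[2]
```

The level returned by `redeem` is what replaces the permission level in the resent access request; a second call with the same token returns `None`.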
In another preferred embodiment of the present invention, when the value of the object resource changes due to reasons such as timeliness, the access level of the object resource needs to be modified, and the specific modification steps are as follows:
extracting the feature name and the latest access level of the object resource;
and extracting the authority retrieval list, and updating the access level under the characteristic name corresponding to the object resource in the list.
The functions that can be realized by the method for determining the safety strategy are all completed by a computer device, the computer device comprises one or more processors and one or more memories, and at least one program code is stored in the one or more memories and is loaded and executed by the one or more processors to realize the functions of the power grid engineering unit management method.
The processor fetches instructions and analyzes the instructions one by one from the memory, then completes corresponding operations according to the instruction requirements, generates a series of control commands, enables all parts of the computer to automatically, continuously and coordinately act to form an organic whole, realizes the input of programs, the input of data, the operation and the output of results, and the arithmetic operation or the logic operation generated in the process is completed by the arithmetic unit; the Memory comprises a Read-Only Memory (ROM) for storing a computer program, and a protection device is arranged outside the Memory.
Illustratively, a computer program can be partitioned into one or more modules, which are stored in memory and executed by a processor to implement the present invention. One or more of the modules may be a series of computer program instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the terminal device.
Those skilled in the art will appreciate that the above description of the service device is merely exemplary and not limiting of the terminal device, and may include more or less components than those described, or combine certain components, or different components, such as may include input output devices, network access devices, buses, etc.
The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like, which is the control center of the terminal equipment and connects the various parts of the entire user terminal using various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor may implement various functions of the terminal device by operating or executing the computer programs and/or modules stored in the memory and calling data stored in the memory. The memory mainly comprises a storage program area and a storage data area, wherein the storage program area can store an operating system, application programs (such as an information acquisition template display function, a product information publishing function and the like) required by at least one function and the like; the storage data area may store data created according to the use of the berth-state display system (e.g., product information acquisition templates corresponding to different product types, product information that needs to be issued by different product providers, etc.), and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The modules/units integrated in the terminal device, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the modules/units in the system according to the above embodiment may be implemented by a computer program, which may be stored in a computer-readable storage medium and used by a processor to implement the functions of the embodiments of the system. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, recording medium, USB flash drive, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (9)

1. A method for determining a security policy, the method comprising:
extracting all object resources, encrypting the object resources and setting access levels, wherein the access levels are divided according to the values of the object resources, and the object resources with higher values have higher corresponding access levels;
recording the object resources and establishing a secure database, storing the object resources in the secure database, and generating an authority retrieval list after extracting the feature names and the access levels of the object resources, wherein a feature name is the mark of the object resource it corresponds to, the object resource can be retrieved from the secure database through its feature name, and the feature names of any two object resources are different;
and sending an access request, wherein the access request comprises the feature name of the object resource to be browsed and a corresponding permission level, the permission level refers to the highest access level which can be consulted, and if the permission level is higher than or equal to the access level of the object resource to be browsed in the access request, the object resource is extracted.
2. The method for determining a security policy of claim 1, wherein the conventional object resource is in an encrypted state, and consulting the conventional object resource requires a decryption operation, the specific decryption steps being as follows:
extracting the characteristic name of the object resource and the key of the object resource to generate a key retrieval list;
receiving an access request, and extracting a feature name and an authority level in the access request;
extracting the access level of the object resource under the characteristic name, and comparing the access level with the authority level in the access request;
if the authority level is greater than or equal to the access level of the object resource, extracting the key of the object resource from the key retrieval list;
and decrypting the object resource through the key.
3. A method for determining a security policy according to claim 3, wherein in order to ensure the confidentiality of the object resource, the object resource enters a self-destruction state after being decrypted, the self-destruction state meaning that a countdown starts once the object resource is decrypted, and the object resource is destroyed when the countdown reaches zero.
4. A method for determining a security policy according to any one of claims 1 to 4, wherein in order to ensure that the object resource is not lost or damaged each time it is extracted from the secure database, a copy is used instead of the original as the extracted object, and the method comprises the following steps:
accessing the secure database, and retrieving object resources needing to be extracted in the secure database through the feature names;
extracting the object resource and the key of the object resource, and decrypting the object resource;
extracting the decrypted object resource and copying the object resource;
encrypting the original of the object resource again;
and extracting a copy of the object resource.
5. The method of claim 5, wherein the access request is rejected if the permission level in the access request is lower than the access level of the object resource specified by the feature name in the access request.
6. The method according to claim 5, wherein after the same access request is rejected for a plurality of times, the method enters a mandatory access phase, and the mandatory access specifically includes the following steps:
extracting the feature name in the access request, and obtaining the access level of the object resource corresponding to the feature name;
randomly issuing an access request to a plurality of mandatory access ports, wherein the authority level of the mandatory access ports is higher than or equal to the access level of the object resource;
counting the proportion of the mandatory access ports which agree with the access request, and if the proportion is greater than or equal to a set threshold value, determining that the access request passes the mandatory access limit;
extracting the access level of the object resource corresponding to the feature name in the access request, formulating an authority level equal to that access level, the authority level being defined as a mandatory authority level, and replacing the authority level in the access request with the mandatory authority level;
and sending the updated access request.
7. The method of claim 6, wherein if, in the mandatory access phase, the proportion of mandatory access ports agreeing with the access request is smaller than the set threshold, the access request is determined to be irrational access, and the sending of the access request is terminated.
8. A method for determining a security policy according to claim 6, wherein the mandatory authority level enjoys all functions of an equal authority level but is limited in its number of uses: it is revoked after a single use, i.e. once a single use is completed, the mandatory authority level loses all functions of its authority level.
9. The method for determining a security policy of claim 6, wherein when the value of the object resource changes due to aging or the like, the access level of the object resource needs to be modified, and the specific modification steps are as follows:
extracting the feature name and the latest access level of the object resource;
and extracting the authority retrieval list, and updating the access level under the characteristic name corresponding to the object resource in the list.
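The decision flow of claims 1, 2 and 5 to 8, as an added Python example that is not part of the patent text: the key is released only when the permission level covers the access level, repeated rejections open the mandatory access phase, and a passing vote yields a mandatory authority level that works once. The requester identity, the token used to carry the mandatory authority level, the dictionary shape of a port and the `max_rejections` value are assumptions of this sketch, and the permission level in a request is assumed to have been authenticated already.

```python
import random
import secrets

class AccessPolicy:
    def __init__(self, authority_list, key_list, threshold, max_rejections):
        self.authority_list = authority_list  # feature name -> access level
        self.key_list = key_list              # feature name -> decryption key
        self.threshold = threshold            # the claims' "set threshold"
        self.max_rejections = max_rejections  # assumed count for "a plurality of times"
        self.rejections = {}                  # (requester, name) -> rejection count
        self.grants = {}                      # token -> (requester, name), single use

    def request_key(self, requester, name, permission_level, grant=None):
        """Return the key when the request passes, otherwise None (claims 1, 2, 5)."""
        who = (requester, name)
        access_level = self.authority_list.get(name)
        if access_level is None:
            return None
        # Claim 8: a mandatory authority level works once, then is revoked.
        if grant is not None and self.grants.get(grant) == who:
            del self.grants[grant]
            permission_level = access_level
        if permission_level >= access_level:
            self.rejections.pop(who, None)
            return self.key_list[name]
        self.rejections[who] = self.rejections.get(who, 0) + 1
        return None

    def mandatory_access(self, requester, name, ports, sample_size):
        """Poll ports after repeated rejections; return a one-time grant or None."""
        who = (requester, name)
        if self.rejections.get(who, 0) < self.max_rejections:
            return None  # not yet in the mandatory access phase (claim 6)
        access_level = self.authority_list[name]
        eligible = [p for p in ports if p["level"] >= access_level]
        asked = random.sample(eligible, min(sample_size, len(eligible)))
        agreed = sum(1 for p in asked if p["approve"](requester, name))
        del self.rejections[who]
        if not asked or agreed / len(asked) < self.threshold:
            return None  # claim 7: treated as irrational access, request ends
        token = secrets.token_hex(16)
        self.grants[token] = who
        return token

# Constructed sample data: four mandatory access ports for a level-3 resource.
PORTS = [{"level": 4, "approve": lambda r, n: True},
         {"level": 3, "approve": lambda r, n: True},
         {"level": 5, "approve": lambda r, n: False},
         {"level": 2, "approve": lambda r, n: True}]  # below level 3, never polled
```

Binding the grant to both the requester and the feature name keeps one party's mandatory authority level from being spent, or consumed, by another.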
CN202111302299.2A 2021-11-04 2021-11-04 Method for determining security policy Pending CN114398623A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111302299.2A CN114398623A (en) 2021-11-04 2021-11-04 Method for determining security policy

Publications (1)

Publication Number Publication Date
CN114398623A true CN114398623A (en) 2022-04-26

Family

ID=81225892

Country Status (1)

Country Link
CN (1) CN114398623A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115878295A (en) * 2023-03-02 2023-03-31 国网江西省电力有限公司信息通信分公司 Software defined security middlebox scheduling method based on deep reinforcement learning
CN116962090A (en) * 2023-09-21 2023-10-27 华能信息技术有限公司 Industrial Internet security control method and system
CN116962090B (en) * 2023-09-21 2024-02-13 华能信息技术有限公司 Industrial Internet security control method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination