CN107612939A - Security protection method and device for a self-service terminal - Google Patents


Info

Publication number: CN107612939A
Authority: CN (China)
Prior art keywords: access, label information, safety label, main body, strategy
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201711037901.8A
Other languages: Chinese (zh)
Inventor: 周水波
Current Assignee: Beijing Zhong Cheng Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Zhong Cheng Technology Co Ltd
Application filed by Beijing Zhong Cheng Technology Co Ltd
Priority to CN201711037901.8A
Publication of CN107612939A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a security protection method and device for a self-service terminal. The method includes: intercepting an access request sent by an access subject; after the access request is intercepted, obtaining first security label information and second security label information; and, based on the first security label information and the second security label information, determining a target secure access policy, so as to control the access subject to access the access object according to the target secure access policy. In the security protection method for a self-service terminal of the present invention, the access subject can only access the access object according to the target secure access policy, which fundamentally guarantees legitimate authorized access and effectively prevents unauthorized access subjects from accessing the access object. In this way, damage to the access object by viruses and trojans can be effectively contained, security protection of the self-service terminal is achieved, and the technical problem in the prior art that no security protection method effectively protects self-service terminals is alleviated.

Description

Security protection method and device for a self-service terminal
Technical field
The present invention relates to the technical field of self-service terminals, and in particular to a security protection method and device for a self-service terminal.
Background technology
Self-service terminals are widely used in every field of society: bank ATMs, receipt printers in office halls, railway enquiry machines and the like are all self-service terminals. A self-service terminal is essentially a computer, most of them running the Windows operating system. According to the service it provides, it runs the corresponding software, is connected to peripherals such as a display, a printer and audio equipment, and is packaged as a cabinet-style device; when a customer uses it, they follow the prompts on the display to operate it themselves and obtain the required service.
Precisely because a self-service terminal is essentially a computer, it faces the same security threats as a computer. The usual protective measures for an ordinary computer are installing anti-virus software and applying vulnerability patches, but self-service terminals are commonly deployed on an intranet with no internet connection, so their virus databases and vulnerability patches cannot be updated in time; in addition, for reasons of business stability and availability, the system of a self-service terminal is generally not modified. At present a large number of self-service terminals run Windows XP, and Microsoft has stopped upgrade and maintenance of Windows XP and no longer issues new patches. Consequently, once a Windows XP vulnerability is disclosed and exploited, every Windows XP system is left exposed, and no manufacturer other than Microsoft has any technical means to harden the operating system by patching it. These self-service terminals are therefore left unprotected and carry serious security risks; when facing an attack that exploits a vulnerability, they cannot be effectively protected. The ransomware of May 2017 is a typical example: it infected a large number of domestic self-service devices, causing service interruptions, leaving users unable to use them, and causing significant economic and reputational damage to government departments.
In summary, the prior art has no security protection method that effectively protects self-service terminals.
The content of the invention
In view of this, the object of the present invention is to provide a security protection method and device for a self-service terminal, so as to alleviate the technical problem that the prior art has no security protection method that effectively protects self-service terminals.
In a first aspect, an embodiment of the present invention provides a security protection method for a self-service terminal, the method including:
intercepting an access request sent by an access subject;
after the access request is intercepted, obtaining first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of an access object, the access object is the resource that the access subject wants to access, and the security label information is used to represent a security level;
based on the first security label information and the second security label information, determining a target secure access policy, so as to control the access subject to access the access object according to the target secure access policy.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, in which determining the target secure access policy based on the first security label information and the second security label information includes:
comparing the first security label information with the second security label information to obtain a comparison result, where the comparison result is used to represent the level relationship between the first security label information and the second security label information;
determining the target secure access policy among preset secure access policies based on the comparison result, where the preset secure access policies include the access permission information that access subjects of different levels have over access objects.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, in which determining the target secure access policy among the preset secure access policies based on the comparison result includes:
when the comparison result is that the security level represented by the first security label information is higher than the security level represented by the second security label information, invoking a first target secure access policy, the first target secure access policy being to allow the access subject to read and execute the content in the access object.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, in which determining the target secure access policy among the preset secure access policies based on the comparison result further includes:
when the comparison result is that the security level represented by the first security label information is the same as the security level represented by the second security label information, invoking a second target secure access policy, the second target secure access policy being to allow the access subject to perform any of the following operations on the content in the access object: a read operation, an execute operation, a modify operation, a delete operation.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, in which determining the target secure access policy among the preset secure access policies based on the comparison result further includes:
when the comparison result is that the security level represented by the first security label information is lower than the security level represented by the second security label information, invoking a third target secure access policy, the third target secure access policy being to forbid the access subject from accessing the access object.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, in which, after the access request is intercepted, the method further includes:
if the first security label information of the access subject is not obtained, invoking a fourth target secure access policy, where the fourth target secure access policy is to forbid the access subject from accessing the access object.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, in which, before the access request sent by the access subject is intercepted, the method further includes:
obtaining preset security levels, where the preset security levels are used to represent the security level of the access subject and/or the access object, and the preset security levels include at least: high, medium, low;
setting, based on the preset security levels, a corresponding security level for each access subject and/or each access object;
adding label information for the corresponding security level set for each access subject and/or each access object.
With reference to the first aspect, an embodiment of the present invention provides a seventh possible implementation of the first aspect, in which the access subject represents the initiator of access to a resource and the access object represents the resource accessed by the access subject,
where the access subject includes at least: a user, and a process representing a user;
the access object includes at least: a file, a process, the registry, a peripheral device.
In a second aspect, an embodiment of the present invention further provides a security protection device for a self-service terminal, the device including:
an interception module, for intercepting an access request sent by an access subject;
a first acquisition module, for obtaining, after the access request is intercepted, first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of an access object, the access object is the resource that the access subject wants to access, and the security label information is used to represent a security level;
a determination module, for determining a target secure access policy based on the first security label information and the second security label information, so as to control the access subject to access the access object according to the target secure access policy.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation of the second aspect, in which the determination module includes:
a comparison unit, for comparing the first security label information with the second security label information to obtain a comparison result, where the comparison result is used to represent the level relationship between the first security label information and the second security label information;
a determination unit, for determining the target secure access policy among preset secure access policies based on the comparison result, where the preset secure access policies include the access permission information that access subjects of different levels have over access objects.
The embodiments of the present invention bring the following beneficial effects. The embodiments provide a security protection method and device for a self-service terminal, the method including: intercepting an access request sent by an access subject; after the access request is intercepted, obtaining first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of the access object, the access object is the resource that the access subject wants to access, and the security label information is used to represent a security level; and, based on the first security label information and the second security label information, determining a target secure access policy, so as to control the access subject to access the access object according to the target secure access policy.
Existing self-service terminals generally have no protective measures at all and are exposed all year round, with serious security risks. Compared with existing self-service terminals, the security protection method for a self-service terminal provided by the embodiments of the present invention first intercepts the access request sent by the access subject, then obtains the first security label information of the access subject and the second security label information of the access object, and finally determines the target secure access policy based on the first and second security label information, so that the access subject accesses the access object according to the target secure access policy. In the security protection method of the present invention, the access subject can only access the access object according to the target secure access policy, which fundamentally guarantees legitimate authorized access and effectively prevents unauthorized access subjects from accessing the access object. In this way, damage by viruses and trojans to the access object (that is, to resources in the operating system) can be effectively contained, security protection of the self-service terminal is achieved, and the technical problem in the prior art that no security protection method effectively protects self-service terminals is alleviated.
Other features and advantages of the present invention will be set out in the following description, and will partly become clear from the description or be understood by practising the invention. The objects and other advantages of the invention are realized and obtained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
In order to illustrate more clearly the specific embodiments of the present invention or the technical solutions of the prior art, the drawings required for describing the specific embodiments or the prior art are briefly introduced below. It is apparent that the drawings described below show some embodiments of the present invention, and that those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a security protection method for a self-service terminal provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a method, provided by an embodiment of the present invention, for adding label information to access subjects and access objects;
Fig. 3 is a flow chart of a method, provided by an embodiment of the present invention, for determining a target secure access policy based on first security label information and second security label information;
Fig. 4 is a structural block diagram of a security protection device for a self-service terminal provided by an embodiment of the present invention.
Reference numerals:
11, interception module; 12, first acquisition module; 13, determination module.
Embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To facilitate understanding of the present embodiments, a security protection method for a self-service terminal disclosed in an embodiment of the present invention is first described in detail.
Embodiment one:
A security protection method for a self-service terminal, with reference to Fig. 1, includes:
S102, intercepting an access request sent by an access subject;
In the embodiments of the present invention, the executing entity of the method is a mandatory access control product. After an access subject sends an access request, and before the kernel layer calls the operating system API of the self-service terminal, the mandatory access control product can intercept the access request sent by the access subject.
Specifically, access requests include at least: a read request, an execute request, a modify request, a delete request; the embodiments of the present invention do not particularly limit this.
S104, after the access request is intercepted, obtaining first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of the access object, the access object is the resource that the access subject wants to access, and the security label information is used to represent a security level;
After the access request is intercepted, the first security label information of the access subject and the second security label information of the access object are obtained. The security label information includes the first security label information and the second security label information: the first security label information is used to represent the security level of the access subject, and the second security label information is used to represent the security level of the access object.
S106, based on the first security label information and the second security label information, determining a target secure access policy, so as to control the access subject to access the access object according to the target secure access policy.
After the first security label information and the second security label information are obtained, the target secure access policy is determined according to them, so that the access subject accesses the access object according to the target secure access policy.
The above gives an overall introduction to the security protection process for a self-service terminal; the content involved is described in detail below.
Optionally, with reference to Fig. 2, before the access request sent by the access subject is intercepted, the method further includes:
S201, obtaining preset security levels, where the preset security levels are used to represent the security level of the access subject and/or the access object, and the preset security levels include at least: high, medium, low;
Specifically, the software developer already defines the security levels when developing the mandatory access control product; that is, once development is complete, the product already carries its security levels. When a user puts the product into use, the security levels preset by the software developer are obtained.
In the embodiments of the present invention, the preset security levels include high, medium and low, and the security levels are ordered with low < medium < high. Different security levels are represented with a bitmap and/or a number. The embodiments of the present invention do not particularly limit the preset security levels; other preset security levels may also be included.
Preset security levels are the precondition for implementing mandatory access control.
S202, setting, based on the preset security levels, a corresponding security level for each access subject and/or each access object;
After the preset security levels are obtained, a corresponding security level is set for each access subject and/or each access object based on the preset security levels.
When using the product, the user initiates a setting action from the graphical operation interface according to their own business needs; after receiving the setting action, the software sets the corresponding security level for each access subject and/or each access object.
In the embodiments of the present invention, the access subject represents the initiator of access to a resource, and the access object represents the resource accessed by the access subject,
where the access subject includes at least: a user, and a process representing a user;
the access object includes at least: a file, a process, the registry, a peripheral device.
S203, adding label information for the corresponding security level set for each access subject and/or each access object.
After receiving the setting action sent by the user, the product adds label information to each access subject and/or each access object. Specifically, the product's security label component receives the setting action that the user initiated through the graphical operation interface, then adds one of the values high, medium or low to the corresponding security label item, so that the access subject and/or the access object now carries security label information.
The above describes the process of adding security labels to access subjects and access objects; the process of determining the secure access policy is described below.
Optionally, with reference to Fig. 3, determining the target secure access policy based on the first security label information and the second security label information includes:
S301, comparing the first security label information with the second security label information to obtain a comparison result, where the comparison result is used to represent the level relationship between the first security label information and the second security label information;
Specifically, comparing the first security label information with the second security label information means comparing the security level of the access subject with the security level of the access object to obtain the comparison result.
S302, determining the target secure access policy among preset secure access policies based on the comparison result, where the preset secure access policies include the access permission information that access subjects of different levels have over access objects.
After the comparison result is obtained, the target secure access policy is determined among the preset secure access policies according to the comparison result. Specifically, the preset secure access policies are the access rules set by the software developer during software development.
S303, when the comparison result is that the security level represented by the first security label information is higher than the security level represented by the second security label information, invoking a first target secure access policy, the first target secure access policy being to allow the access subject to read and execute the content in the access object.
For example, when the security level represented by the first security label information is high and the security level represented by the second security label information is medium, the first target secure access policy is invoked; that is, the access subject is now allowed to read and execute the content in the access object.
S304, when the comparison result is that the security level represented by the first security label information is the same as the security level represented by the second security label information, invoking a second target secure access policy, the second target secure access policy being to allow the access subject to perform any of the following operations on the content in the access object: a read operation, an execute operation, a modify operation, a delete operation.
For example, when the security level represented by the first security label information is high and the security level represented by the second security label information is also high, the second target secure access policy is invoked; that is, the access subject is now allowed to read, execute, modify or delete the content in the access object.
S305, when the comparison result is that the security level represented by the first security label information is lower than the security level represented by the second security label information, invoking a third target secure access policy, the third target secure access policy being to forbid the access subject from accessing the access object.
For example, when the security level represented by the first security label information is low and the security level represented by the second security label information is high, the third target secure access policy is invoked; that is, the access subject is now forbidden from accessing the access object.
In addition, after the mandatory access control product intercepts the access request,
S306, if the first security label information of the access subject is not obtained, invoking a fourth target secure access policy, where the fourth target secure access policy is to forbid the access subject from accessing the access object.
This case is meant to prevent virus attacks. For example, once virus code has entered the system and executed, the virus code lacks first security label information, so when it accesses a target object it is intercepted and refused by the mandatory access control product; it cannot infect the target object, which achieves the effect of immunity protection against the virus.
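The label-assignment steps S201 to S203 and the policy-selection steps S301 to S306 above, written out as one runnable Python example. This is an added illustration, not code from the patent or from the product it describes; the names SecurityLevel, LabelStore, Policy, select_policy, decide_access and build_sample_store, and the sample subjects, registry keys and file paths, are constructed for the example. One behaviour the page leaves unspecified is handled as a labelled assumption: a request against an object that has no label is refused (fail closed). Read as a lattice, the page's rules allow a higher-level subject to read and execute but not modify a lower-level object, allow everything at equal level, and refuse a lower-level subject any access to a higher-level object.

```python
"""Label-comparison mandatory access control as described in the patent text.
Example code written for this page; names and sample data are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class SecurityLevel(IntEnum):
    """Preset security levels (S201), ordered low < medium < high."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The access-request kinds the page enumerates under S102.
OPERATIONS = frozenset({"read", "execute", "modify", "delete"})


@dataclass
class LabelStore:
    """Labels set for subjects and objects by the operator (S202, S203).
    Hypothetical in-memory store standing in for the product's label component."""
    subjects: Dict[str, SecurityLevel] = field(default_factory=dict)
    objects: Dict[str, SecurityLevel] = field(default_factory=dict)

    def label_subject(self, subject: str, level: SecurityLevel) -> None:
        self.subjects[subject] = level

    def label_object(self, obj: str, level: SecurityLevel) -> None:
        self.objects[obj] = level

    def subject_label(self, subject: str) -> Optional[SecurityLevel]:
        # None when the subject carries no label, e.g. a process nobody registered.
        return self.subjects.get(subject)

    def object_label(self, obj: str) -> Optional[SecurityLevel]:
        return self.objects.get(obj)


@dataclass(frozen=True)
class Policy:
    """One preset secure access policy (S302): its name and the operations it permits."""
    name: str
    allowed: frozenset

    def permits(self, operation: str) -> bool:
        return operation in self.allowed


FIRST_POLICY = Policy("first: read and execute", frozenset({"read", "execute"}))  # S303
SECOND_POLICY = Policy("second: read, execute, modify, delete", OPERATIONS)        # S304
THIRD_POLICY = Policy("third: deny", frozenset())                                 # S305
FOURTH_POLICY = Policy("fourth: deny, subject unlabeled", frozenset())             # S306


def select_policy(subject_level: Optional[SecurityLevel],
                  object_level: Optional[SecurityLevel]) -> Policy:
    """Compare the two labels (S301) and choose the target policy (S302 to S306)."""
    if subject_level is None:
        return FOURTH_POLICY            # S306: no first label, refuse outright
    if object_level is None:
        return THIRD_POLICY             # assumption of this example: unlabeled object, fail closed
    if subject_level > object_level:
        return FIRST_POLICY             # S303: read down allowed, write down refused
    if subject_level == object_level:
        return SECOND_POLICY            # S304: full access at equal level
    return THIRD_POLICY                 # S305: read up refused


def decide_access(store: LabelStore, subject: str, obj: str, operation: str) -> bool:
    """The interception point (S102 to S106): True if the request may reach the OS API."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    policy = select_policy(store.subject_label(subject), store.object_label(obj))
    return policy.permits(operation)


def build_sample_store() -> LabelStore:
    """Constructed sample labels for a kiosk; every name here is invented."""
    store = LabelStore()
    store.label_subject("maintenance_admin", SecurityLevel.HIGH)
    store.label_subject("kiosk_app.exe", SecurityLevel.MEDIUM)
    store.label_subject("customer_browser", SecurityLevel.LOW)
    # "dropper.exe" is deliberately left unlabeled: no operator ever registered it.
    store.label_object(r"C:\Windows\System32\drivers", SecurityLevel.HIGH)
    store.label_object(r"HKLM\SOFTWARE\Kiosk\Config", SecurityLevel.MEDIUM)
    store.label_object(r"C:\Kiosk\receipts\today.log", SecurityLevel.LOW)
    return store


if __name__ == "__main__":
    sample = build_sample_store()
    batch = [  # (subject, object, operation), constructed requests
        ("maintenance_admin", r"HKLM\SOFTWARE\Kiosk\Config", "read"),    # high > medium
        ("maintenance_admin", r"HKLM\SOFTWARE\Kiosk\Config", "modify"),  # write down refused
        ("kiosk_app.exe", r"HKLM\SOFTWARE\Kiosk\Config", "modify"),      # equal level
        ("customer_browser", r"C:\Windows\System32\drivers", "read"),    # read up refused
        ("dropper.exe", r"C:\Kiosk\receipts\today.log", "modify"),       # unlabeled subject
    ]
    for subject, obj, op in batch:
        verdict = "ALLOW" if decide_access(sample, subject, obj, op) else "DENY"
        print(f"{verdict:5} {subject:18} {op:8} {obj}")
```

Running the block prints one verdict per constructed request; the second line shows the property worth noticing in the page's rule set, namely that the high-level administrator may read the medium-level configuration key but not modify it, so an elevated subject cannot be used to rewrite lower-level resources.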
The present invention proposes a security protection method for a self-service terminal that is implemented on the basis of mandatory access control. Mandatory access control means that access to a target object is compulsorily governed by a secure access policy set in advance. It can protect the vulnerable system files, processes, registry, peripheral devices, services and other key resources in the self-service terminal from virus attacks, fundamentally guaranteeing legitimate authorized access by means of mandatory access control and achieving security protection of the self-service terminal.
The present invention proposes a method of protecting a self-service terminal using a mandatory access control mechanism. Its main characteristic is that it is aimed at self-service terminals, implements mandatory access control over the operating-system-level resources of the self-service terminal, and immunizes the self-service terminal against virus attacks.
When a subject accesses an object, the mandatory access control mechanism is invoked; according to the security label of the access subject and the access mode, it compares the security label of the access subject with the security label of the access object and determines whether the access subject is allowed to access the access object. By giving system resources security labels and setting up a mandatory access control mechanism, the method's scope of action extends from the kernel layer of the self-service terminal's operating system to the user layer; it can effectively cover the protection blind spots of other security products and make up for their shortcomings in protection, providing security protection for files, the registry and databases, offering a stronger mode of protection and immunizing the self-service terminal against virus attacks.
Embodiment two:
A security protection device for a self-service terminal, with reference to Fig. 4, includes:
an interception module 11, for intercepting an access request sent by an access subject;
a first acquisition module 12, for obtaining, after the access request is intercepted, first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of the access object, the access object is the resource that the access subject wants to access, and the security label information is used to represent a security level;
a determination module 13, for determining a target secure access policy based on the first security label information and the second security label information, so as to control the access subject to access the access object according to the target secure access policy.
In the security protection device for a self-service terminal provided by the embodiments of the present invention, the access request sent by the access subject is first intercepted, then the first security label information of the access subject and the second security label information of the access object are obtained, and finally the target secure access policy is determined based on the first and second security label information, so that the access subject accesses the access object according to the target secure access policy. In the security protection device of the present invention, the access subject can only access the access object according to the target secure access policy, which fundamentally guarantees legitimate authorized access and effectively prevents unauthorized access subjects from accessing the access object. In this way, damage by viruses and trojans to the access object (that is, to resources in the operating system) can be effectively contained, security protection of the self-service terminal is achieved, and the technical problem in the prior art that no security protection method effectively protects self-service terminals is alleviated.
Optionally, the determining module includes:
a comparison unit, configured to compare the first security label information with the second security label information to obtain a comparison result, where the comparison result represents the hierarchical relationship between the first security label information and the second security label information;
a determining unit, configured to determine the target secure access policy from preset secure access policies based on the comparison result, where the preset secure access policies specify the access permissions that access subjects of different levels have over access objects.
Optionally, the determining unit includes:
a first calling subunit, configured to call a first target secure access policy when the comparison result is that the security level represented by the first security label information is higher than the security level represented by the second security label information, where the first target security policy allows the access subject to read and execute the content in the access object.
Optionally, the determining unit further includes:
a second calling subunit, configured to call a second target secure access policy when the comparison result is that the security level represented by the first security label information is the same as the security level represented by the second security label information, where the second target security policy allows the access subject to perform any of the following operations on the content in the access object: read, execute, modify, delete.
Optionally, the determining unit further includes:
a third calling subunit, configured to call a third target secure access policy when the comparison result is that the security level represented by the first security label information is lower than the security level represented by the second security label information, where the third target security policy forbids the access subject from accessing the access object.
Optionally, the device further includes:
a calling module, configured to call a fourth target secure access policy if the first security label information of the access subject cannot be obtained, where the fourth target secure access policy forbids the access subject from accessing the access object.
Optionally, the device further includes:
a second acquisition module, configured to obtain preset security levels, where the preset security levels represent the security level of the access subject and/or the access object and comprise at least: high, medium and low;
a setup module, configured to set a corresponding security level for each access subject and/or each access object based on the preset security levels;
a label adding module, configured to add label information for the corresponding security level set for each access subject and/or each access object.
Optionally, the access subject represents the initiator of a resource access, and the access object represents the resource accessed by the access subject,
where the access subject comprises at least: a user, or a process acting on behalf of a user;
and the access object comprises at least: files, processes, the registry and external devices.
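The label comparison and policy selection described above (the comparison unit, the first to third calling subunits, and the calling module for an unlabeled subject), together with the setup and label-adding steps, can be written as one small reference-monitor style decision function. The following Python is an added example and is not code from the patent; the policy names "policy-1" to "policy-4", the Level enum values, the LabelStore class, the decide/determine_policy functions and all subject and object names are this example's own assumptions, and the sample labels are constructed. The page does not say what happens when the object itself carries no label; the example assumes a fail-closed deny for that case and marks it as such.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Level(IntEnum):
    """The three preset security levels named on the page (high, medium, low)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Operation names used by the second target policy on the page.
READ, EXECUTE, MODIFY, DELETE = "read", "execute", "modify", "delete"

# The four target secure access policies, expressed as the set of operations
# each one permits. The names are this example's own; the page only numbers them.
POLICIES: Dict[str, FrozenSet[str]] = {
    "policy-1": frozenset({READ, EXECUTE}),                  # subject above object
    "policy-2": frozenset({READ, EXECUTE, MODIFY, DELETE}),  # subject equals object
    "policy-3": frozenset(),                                 # subject below object
    "policy-4": frozenset(),                                 # subject has no label
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str    # a user, or the process acting on behalf of a user
    obj: str        # a file, process, registry key or external device
    operation: str


class LabelStore:
    """Labels assigned by the setup and label-adding modules: one level per name."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Level] = {}
        self.objects: Dict[str, Level] = {}

    def label_subject(self, name: str, level: Level) -> None:
        self.subjects[name] = level

    def label_object(self, name: str, level: Level) -> None:
        self.objects[name] = level


def determine_policy(subject_level: Optional[Level], object_level: Level) -> str:
    """Determining unit: pick the target policy from the label comparison result."""
    if subject_level is None:          # calling module: first label not obtained
        return "policy-4"
    if subject_level > object_level:   # first calling subunit
        return "policy-1"
    if subject_level == object_level:  # second calling subunit
        return "policy-2"
    return "policy-3"                  # third calling subunit


def decide(store: LabelStore, req: AccessRequest) -> Tuple[bool, str]:
    """Interception point: returns (allowed, policy name) for one access request."""
    subject_level = store.subjects.get(req.subject)
    object_level = store.objects.get(req.obj)
    if object_level is None:
        # Not specified on the page; assumption: an unlabeled object is denied (fail closed).
        return False, "object-unlabeled"
    policy = determine_policy(subject_level, object_level)
    return req.operation in POLICIES[policy], policy


def build_demo_store() -> LabelStore:
    """Constructed sample labels for a kiosk; every name here is illustrative only."""
    store = LabelStore()
    store.label_subject("svc_admin", Level.HIGH)        # maintenance account
    store.label_subject("kiosk_ui.exe", Level.MEDIUM)   # the terminal's front-end process
    store.label_object("HKLM/SOFTWARE/Kiosk", Level.HIGH)      # registry branch
    store.label_object("C:/kiosk/app.exe", Level.MEDIUM)       # application binary
    store.label_object("C:/kiosk/logs/today.log", Level.LOW)   # log file
    store.label_object("COM3", Level.LOW)                      # external device
    return store


def evaluate(store: LabelStore, requests: List[AccessRequest]) -> List[Tuple[bool, str]]:
    return [decide(store, r) for r in requests]


if __name__ == "__main__":
    demo = build_demo_store()
    sample = [
        AccessRequest("svc_admin", "C:/kiosk/app.exe", READ),
        AccessRequest("svc_admin", "C:/kiosk/app.exe", DELETE),
        AccessRequest("kiosk_ui.exe", "C:/kiosk/app.exe", MODIFY),
        AccessRequest("kiosk_ui.exe", "HKLM/SOFTWARE/Kiosk", READ),
        AccessRequest("dropped_update.exe", "C:/kiosk/logs/today.log", READ),  # unlabeled subject
    ]
    for req, (allowed, policy) in zip(sample, evaluate(demo, sample)):
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{req.subject:>20} {req.operation:>7} {req.obj:<28} {policy:<10} {verdict}")
```

Two properties of the page's policy table are worth noticing in the output: a higher-level subject may only read and execute a lower-level object, never modify or delete it, and a subject whose label is missing (the dropped_update.exe case) is denied everything regardless of the object's level, which is what contains an unlabeled binary introduced onto the terminal.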
The device provided in the embodiment of the present invention has the same implementation principle and technical effect as the preceding method embodiment; for brevity, where the device embodiment omits details, refer to the corresponding content in the preceding method embodiment.
The computer program product of the safety protecting method and device of a self-service terminal provided in the embodiment of the present invention includes a computer-readable storage medium storing program code; the instructions contained in the program code can be used to perform the method described in the preceding method embodiment. The specific implementation can be found in the method embodiment and is not repeated here.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working process of the system and device described above may refer to the corresponding process in the preceding method embodiment and is not repeated here.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified and limited, the terms "installed", "connected" and "coupled" should be understood broadly: for example, they may mean a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; or an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In the description of the present invention, it should be noted that the orientation or positional relationships indicated by the terms "center", "up", "down", "left", "right", "vertical", "horizontal", "inner", "outer" and the like are based on the orientation or positional relationships shown in the drawings, are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the referenced device or element must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be understood as limiting the present invention. In addition, the terms "first", "second" and "third" are used only for descriptive purposes and are not to be understood as indicating or implying relative importance.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, intended to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that any person skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solution described in the foregoing embodiments, readily conceive of changes, or replace some of its technical features by equivalents; such modifications, changes or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solution of the embodiments of the present invention, and shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (10)

1. A safety protecting method of a self-service terminal, characterized in that the method includes:
intercepting an access request sent by an access subject;
after the access request has been intercepted, obtaining first security label information and second security label information, where the first security label information is the security label information of the access subject, the second security label information is the security label information of an access object, the access object is the resource accessed by the access subject, and the security label information represents a security level;
determining a target secure access policy based on the first security label information and the second security label information, so as to control the access subject to access the access object according to the target secure access policy.
2. The method according to claim 1, characterized in that determining the target secure access policy based on the first security label information and the second security label information includes:
comparing the first security label information with the second security label information to obtain a comparison result, where the comparison result represents the hierarchical relationship between the first security label information and the second security label information;
determining the target secure access policy from preset secure access policies based on the comparison result, where the preset secure access policies specify the access permissions that access subjects of different levels have over access objects.
3. The method according to claim 2, characterized in that determining the target secure access policy from the preset secure access policies based on the comparison result includes:
when the comparison result is that the security level represented by the first security label information is higher than the security level represented by the second security label information, calling a first target secure access policy, where the first target security policy allows the access subject to read and execute the content in the access object.
4. The method according to claim 2, characterized in that determining the target secure access policy from the preset secure access policies based on the comparison result further includes:
when the comparison result is that the security level represented by the first security label information is the same as the security level represented by the second security label information, calling a second target secure access policy, where the second target security policy allows the access subject to perform any of the following operations on the content in the access object: read, execute, modify, delete.
5. The method according to claim 2, characterized in that determining the target secure access policy from the preset secure access policies based on the comparison result further includes:
when the comparison result is that the security level represented by the first security label information is lower than the security level represented by the second security label information, calling a third target secure access policy, where the third target security policy forbids the access subject from accessing the access object.
6. The method according to claim 1, characterized in that, after the access request has been intercepted, the method further includes:
if the first security label information of the access subject cannot be obtained, calling a fourth target secure access policy, where the fourth target secure access policy forbids the access subject from accessing the access object.
7. The method according to claim 1, characterized in that, before intercepting the access request sent by the access subject, the method further includes:
obtaining preset security levels, where the preset security levels represent the security level of the access subject and/or the access object and comprise at least: high, medium and low;
setting a corresponding security level for each access subject and/or each access object based on the preset security levels;
adding label information for the corresponding security level set for each access subject and/or each access object.
8. The method according to claim 1, characterized in that the access subject represents the initiator of a resource access, and the access object represents the resource accessed by the access subject,
where the access subject comprises at least: a user, or a process acting on behalf of a user;
and the access object comprises at least: files, processes, the registry and external devices.
9. A safety protecting device of a self-service terminal, characterized in that the device includes:
an interception module, configured to intercept an access request sent by an access subject;
a first acquisition module, configured to obtain first security label information and second security label information after the access request has been intercepted, where the first security label information is the security label information of the access subject, the second security label information is the security label information of an access object, the access object is the resource accessed by the access subject, and the security label information represents a security level;
a determining module, configured to determine a target secure access policy based on the first security label information and the second security label information, so as to control the access subject to access the access object according to the target secure access policy.
10. The device according to claim 9, characterized in that the determining module includes:
a comparison unit, configured to compare the first security label information with the second security label information to obtain a comparison result, where the comparison result represents the hierarchical relationship between the first security label information and the second security label information;
a determining unit, configured to determine the target secure access policy from preset secure access policies based on the comparison result, where the preset secure access policies specify the access permissions that access subjects of different levels have over access objects.
CN201711037901.8A 2017-10-30 2017-10-30 The safety protecting method and device of self-service terminal Pending CN107612939A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711037901.8A CN107612939A (en) 2017-10-30 2017-10-30 The safety protecting method and device of self-service terminal

Publications (1)

Publication Number Publication Date
CN107612939A true CN107612939A (en) 2018-01-19

Family

ID=61085030

Country Status (1)

Country Link
CN (1) CN107612939A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system
CN102413198A (en) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 Security-marker-based access control method and related system
US20150143546A1 (en) * 2011-10-17 2015-05-21 Raytheon Company Service oriented secure collaborative system for compartmented networks
CN105827645A (en) * 2016-05-17 2016-08-03 北京优炫软件股份有限公司 Method, device and system for access control

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881219A (en) * 2018-06-14 2018-11-23 郑州云海信息技术有限公司 A file permission management method and system based on mandatory access control
CN110427770A (en) * 2019-06-20 2019-11-08 中国科学院信息工程研究所 A database access control method and system supporting service security labels
CN110427770B (en) * 2019-06-20 2021-04-20 中国科学院信息工程研究所 Database access control method and system supporting service security marker

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180119)