CN111897768A - Method and device for configuring object access policy - Google Patents


Info

Publication number: CN111897768A
Application number: CN202010600255.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111897768B (en)
Legal status: Granted
Prior art keywords: policy, terminal, target, strategy, access
Inventors: 孙瑜, 何成成, 王伟, 夏攀, 王大海, 谢恩泽
Current Assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original Assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD

Application filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Priority to CN202010600255.7A
Publication of CN111897768A
Application granted
Publication of CN111897768B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/11 File system administration, e.g. details of archiving or snapshots
    • G06F16/122 File system administration, e.g. details of archiving or snapshots using management policies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]


Abstract

The application relates to a method and a device for configuring an object access policy, wherein the method comprises the following steps: sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, and the first policy learning process is a process of learning a first access log of the target object on the second terminal; under the condition that a policy acquisition request sent by the first terminal is received, responding to the policy acquisition request and sending the target control policy to the first terminal; and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy is confirmed to have taken effect on the first terminal. The method and the device solve the technical problem in the related art that the object access policy is configured inefficiently.

Description

Method and device for configuring object access policy
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for configuring an object access policy.
Background
In the trusted computing field, a trusted management server configures a control policy for each terminal to control access operation of an object on the terminal. In the current configuration mode, the trusted management server selects configured contents to each terminal item by item for different terminals respectively, and the configuration efficiency of the mode is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The application provides a method and a device for configuring an object access policy, which are used for at least solving the technical problem of low efficiency in configuring the object access policy in the related art.
According to an aspect of an embodiment of the present application, there is provided a method for configuring an object access policy, including:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log comprises the control operation on the target access behavior of the target object;
under the condition that a policy acquisition request sent by the first terminal is received, responding to the policy acquisition request by sending the target control policy to the first terminal;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy has taken effect on the first terminal.
Optionally, the sending of the policy acquisition instruction to the first terminal includes:
determining one or more terminals, wherein the one or more terminals include the first terminal;
determining a first policy template corresponding to the one or more terminals;
generating the target control policy using the first policy template;
sending the policy acquisition instruction to the one or more terminals, wherein the policy acquisition instruction is used for instructing the one or more terminals to acquire the target control policy from the trusted management server.
Optionally, the target control policy includes: a control policy belonging to a first type and a control policy belonging to a second type, wherein the control policy belonging to the first type is used for indicating the access terminals having access privileges to the target object, and the control policy belonging to the second type is used for preventing tampering with the target object.
Optionally, after sending the policy acquisition instruction to the first terminal, the method further includes:
sending a starting instruction to the first terminal, wherein the starting instruction is used for instructing the first terminal to start a second policy learning process;
acquiring a second access log reported by the first terminal in the second policy learning process, wherein the second access log is generated by matching a target access behavior executed on the first terminal against the target control policy;
sending a closing instruction to the first terminal, wherein the closing instruction is used for instructing the first terminal to close the second policy learning process;
and under the condition that the first terminal is confirmed to have closed the second policy learning process, generating a second policy template according to the second access log, wherein the second policy template is used for generating a control policy.
Optionally, generating a second policy template according to the second access log includes:
generating an object control policy corresponding to the second access log;
acquiring a policy template identifier, wherein the policy template identifier is used for uniquely identifying the second policy template;
generating the second policy template having the policy template identifier and the object control policy.
Optionally, generating the second policy template having the policy template identifier and the object control policy comprises:
determining whether the policy template identifier duplicates an identifier stored in a database, and whether the policy template identifier is empty;
determining whether the object control policy duplicates a control policy stored in the database, under the condition that the policy template identifier does not duplicate an identifier stored in the database and the policy template identifier is not empty;
generating the second policy template having the policy template identifier and the object control policy, if it is determined that the object control policy does not duplicate a control policy stored in the database.
Optionally, after receiving the policy validation information sent by the first terminal, the method further includes:
obtaining an audit log reported by the first terminal, wherein the audit log is generated by controlling a target access behavior executed on the first terminal using the target control policy;
and storing the audit log.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for configuring an object access policy, including:
a first sending module, configured to send a policy acquisition instruction to a first terminal, where the policy acquisition instruction is used to instruct the first terminal to acquire a target control policy from a trusted management server, the target control policy is used to instruct a control operation performed on a behavior for accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation performed on the access behavior of the target object;
a second sending module, configured to send the target control policy to the first terminal in response to the policy acquisition request when receiving the policy acquisition request sent by the first terminal;
the first receiving module is configured to receive policy validation information sent by the first terminal, where the policy validation information is used to indicate that the target control policy is validated on the first terminal.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method through the computer program.
In the embodiment of the application, a policy acquisition instruction is sent to a first terminal, where the policy acquisition instruction is used to instruct the first terminal to acquire a target control policy from a trusted management server; the target control policy is used to indicate a control operation performed on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation performed on the access behavior of the target object. Under the condition that a policy acquisition request sent by the first terminal is received, the target control policy is sent to the first terminal in response to the policy acquisition request. Policy validation information sent by the first terminal is received, where the policy validation information is used to indicate that the target control policy has taken effect on the first terminal. Because the target control policy is generated by a first policy learning process executed on a second terminal, which learns the control policy of the target object on the second terminal, and is then configured to a first terminal other than the second terminal, the first terminal can, once the target control policy has taken effect on it, control the behavior of accessing the target object by executing the target control policy. This avoids repeated operations when selecting the control policy and achieves the purpose of rapidly configuring the control policy for object access; it thereby achieves the technical effect of improving the configuration efficiency of the object access policy and solves the technical problem of low configuration efficiency of the object access policy in the related art.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a schematic diagram of a hardware environment for a method of configuring an object access policy according to an embodiment of the present application;
FIG. 2 is a flow chart of an alternative method for configuring an object access policy according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a configuration process for a policy template according to an alternative embodiment of the present application;
FIG. 4 is a schematic diagram of a backup process of an access log according to an embodiment of the application;
FIG. 5 is a schematic diagram of another policy template configuration process according to an alternative embodiment of the present application;
FIG. 6 is a flow chart of an alternative method of controlling object access according to an embodiment of the present application;
FIG. 7 is a schematic illustration of a control strategy validation process according to an alternative embodiment of the present application;
FIG. 8 is a schematic diagram of a policy learning process according to an alternative embodiment of the present application;
FIG. 9 is a schematic diagram of a process for accessing behavior according to an alternative embodiment of the present application;
FIG. 10 is a schematic diagram of an alternative configuration apparatus for object access policies according to an embodiment of the application;
FIG. 11 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Optionally, in this embodiment, fig. 1 is a schematic diagram of a hardware environment of a configuration method of an object access policy according to an embodiment of the present application, and the configuration method of the object access policy may be applied to the hardware environment formed by the terminal 101 and the server 103 shown in fig. 1. As shown in fig. 1, the server 103 is connected to the terminal 101 through a network and may be used to provide services (such as game services, application services, etc.) for the terminal or for a client installed on the terminal; a database may be provided on the server or separately from it to provide data storage services for the server 103. The network includes, but is not limited to, a wide area network, a metropolitan area network, or a local area network. The server 103 may be, but is not limited to, a management center for managing the object access control policy on the terminal 101, including its configuration, modification, activation, shutdown, etc., and the terminal 101 may be, but is not limited to, a PC, a mobile phone, a tablet computer, etc. The configuration method of the object access policy in the embodiment of the present application may be executed by the server 103, by the terminal 101, or by both the server 103 and the terminal 101. Where the terminal 101 executes the configuration method of the object access policy according to the embodiment of the present application, the method may also be executed by a client installed on it.
According to an aspect of embodiments of the present application, an embodiment of a method for configuring an object access policy is provided. Fig. 2 is a flowchart of another optional object access policy configuration method according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
step S202, a policy acquisition instruction is sent to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for instructing a control operation performed on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation performed on the access behavior of the target object;
step S204, under the condition that a policy acquisition request sent by the first terminal is received, responding to the policy acquisition request and sending the target control policy to the first terminal;
step S206, receiving policy validation information sent by the first terminal, where the policy validation information is used to indicate that the target control policy is validated on the first terminal.
Through the above steps S202 to S206, the target control policy is generated through the first policy learning process executed on the second terminal and used for learning the control policy of the target object on the second terminal, and the target control policy is configured to the first terminal except the second terminal, so that after the target control policy becomes effective on the first terminal, the first terminal can control the behavior of accessing the target object by executing the target control policy, thereby avoiding repeated operations when selecting the control policy, achieving the purpose of rapidly configuring the control policy for object access, achieving the technical effect of improving the configuration efficiency of the object access policy, and further solving the technical problem of low configuration efficiency of the object access policy in the related art.
Optionally, in this embodiment, the method for configuring the object access policy may be, but is not limited to being, executed by the server 103.
In the technical solution provided in step S202, the target object may include, but is not limited to: files, folders, data packages (e.g., network data packages, local data packages), applications, applets, and the like.
Optionally, in this embodiment, the target control policy is used to control an operation of accessing the target object, and the behavior of accessing the target object may include, but is not limited to: read-write behavior (read, write, etc.), deletion and modification behavior (delete, modify, etc.), query behavior, and so on.
Optionally, in this embodiment, the target control policy is generated by a first policy learning process executed on the second terminal, where the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes a control operation performed on an access behavior of the target object. When the first policy learning process is executed on the second terminal to learn the first access log of the target object on the second terminal, the target control policy corresponding to the first policy learning process can be generated. The generated target control strategy can be configured to other terminals except the second terminal, such as the first terminal, so that the first terminal can control the operation of accessing the target object.
Optionally, in this embodiment, the trusted management server may notify the first terminal to acquire the target control policy, but is not limited to this.
In the technical solution provided in step S204, after the first terminal receives the policy acquisition instruction and learns which target control policy it needs to acquire, the trusted management server may provide the target control policy to the first terminal in a manner of, but not limited to, receiving a request sent by the first terminal. For example: the first terminal sends a policy acquisition request to the trusted management server to request the target control policy, the trusted management server responds to the policy acquisition request of the first terminal by providing the target control policy to the first terminal, and the first terminal thereby acquires the target control policy.
In the technical solution provided in step S206, the trusted management server confirms that the target control policy has taken effect on the first terminal by receiving the policy validation information sent by the first terminal.
Optionally, in this embodiment, after the target control policy takes effect on the first terminal, the trusted management server may further collect a second access log and an audit log uploaded by the first terminal, and the like.
As an optional embodiment, sending the policy acquisition instruction to the first terminal includes:
s11, determining one or more terminals, wherein the one or more terminals comprise the first terminal;
s12, determining a first policy template corresponding to the one or more terminals;
s13, generating the target control policy by using the first policy template;
s14, sending the policy acquisition instruction to the one or more terminals, where the policy acquisition instruction is used to instruct the one or more terminals to acquire the target control policy from the trusted management server.
Optionally, in this embodiment, more than one terminal and more than one policy template may be selected each time a control policy is configured, for example: the target control policy is configured to a plurality of terminals, a plurality of policy templates are configured to one terminal, or a plurality of policy templates are configured to a plurality of terminals, etc.
Optionally, in this embodiment, the target control policy includes: a control policy belonging to a first type and a control policy belonging to a second type, wherein the first type of control policy is used for indicating the access terminals with access privileges to the target object, and the second type of control policy is used for preventing tampering with the target object.
Optionally, in this embodiment, the target object may include, but is not limited to, a target file, that is, the target control policy is used to control operations on the target file, and the control manner may include, but is not limited to: setting a control policy belonging to the first type, which indicates the access terminals having access privileges to the target file, as an access whitelist, and setting a control policy belonging to the second type for preventing tampering with the target file.
Optionally, in this embodiment, the control policy belonging to the second type is always included in the target control policy and is used to protect the target object, whereas the control policy belonging to the first type is an optional item: the target control policy may or may not include it.
As an optional embodiment, after sending the policy acquisition instruction to the first terminal, the method further includes:
s21, sending a starting instruction to the first terminal, wherein the starting instruction is used for instructing the first terminal to start a second policy learning process;
s22, acquiring a second access log reported by the first terminal in the second policy learning process, where the second access log is generated by matching a target access behavior executed on the first terminal against the target control policy;
s23, sending a closing instruction to the first terminal, wherein the closing instruction is used for instructing the first terminal to close the second policy learning process;
and S24, generating a second policy template according to the second access log under the condition that the first terminal is confirmed to have closed the second policy learning process, wherein the second policy template is used for generating a control policy.
Optionally, in this embodiment, the trusted management server may generate a second policy template by controlling the first terminal to perform a second policy learning process, and the second policy template may be, but is not limited to, used for generating a control policy.
Optionally, in this embodiment, the trusted management server may instruct the first terminal to start or close the second policy learning process by sending the instruction information, and the trusted management server collects a second access log generated by the first terminal in the second policy learning process executed by the first terminal, so as to generate the second policy template on the trusted management server. The first terminal is in the policy learning mode while the first terminal performs the second policy learning process.
In an optional implementation, a configuration process of a policy template is provided. Fig. 3 is a schematic diagram of a configuration process of a policy template according to an optional implementation of the present application. As shown in fig. 3, one or more terminals and one or more policy templates are selected on the trusted management server (multiple selection is allowed for both); the trusted management server generates a control policy from the selected policy templates and creates a policy acquisition instruction, notifies the terminal through the heartbeat to acquire the control policy, provides the control policy to the terminal in response to the policy acquisition request sent by the terminal, and receives the access log reported by the terminal after the policy has taken effect on the terminal. The selected policy templates and the access log reported by the terminal may be written into the database.
Optionally, in this embodiment, the trusted management server may back up the second access log it has acquired from the first terminal. Fig. 4 is a schematic diagram of a backup process of an access log according to an embodiment of the present application. As shown in fig. 4, the number of days for which log files are retained is read from a configuration file, and within the retention period the log is backed up early every morning: it is determined whether the memory space is sufficient, and if so, the log is backed up to a local SQL file. If the memory space is insufficient, the disk space is checked periodically and a space warning is raised to prompt the administrator, who frees the space manually.
As an alternative embodiment, the generating of the second policy template from the second access log includes:
s31, generating an object control policy corresponding to the second access log;
s32, obtaining a policy template identifier, wherein the policy template identifier is used for uniquely identifying the second policy template;
s33, generating the second policy template having the policy template identifier and the object control policy.
Optionally, in this embodiment, the policy template identifier is used to uniquely identify the second policy template, and may be in the form of a template name, a template number, or the like.
Optionally, in this embodiment, the object control policy may include, but is not limited to, protecting a directory or a file.
As an alternative embodiment, generating the second policy template having the policy template identifier and the object control policy includes:
S41, determining whether the policy template identifier duplicates an identifier stored in the database, and whether the policy template identifier is empty;
S42, when the policy template identifier does not duplicate an identifier stored in the database and is not empty, determining whether the object control policy duplicates a control policy stored in the database;
S43, when it is determined that the object control policy does not duplicate a control policy stored in the database, generating the second policy template having the policy template identifier and the object control policy.
Optionally, in this embodiment, the template identifier configured for the policy template is neither duplicated nor empty, so that the policy template is uniquely identified.
Optionally, in this embodiment, the object control policy generated from the second access log is not a duplicate of a control policy already stored.
In an alternative embodiment, another configuration process for a policy template is provided. Fig. 5 is a schematic diagram of another policy template configuration process according to an alternative embodiment of the present application. As shown in fig. 5, a protection directory or file is entered on the trusted management server together with a policy template name; whether the policy template name is empty or duplicated is determined, and if so, a failure is prompted with the reason that the name is empty or duplicated. If not, whether the protection target is duplicated is determined, and if so, a failure is prompted with the reason that the protection directory is duplicated. If the protection directory is not duplicated, a file access control policy template is created and the policy information is written into the database.
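The two template-creation checks above (name empty or repeated, protection directory repeated; steps S41 to S43 and fig. 5) together with the derivation of a template from a reported access log (steps S31 to S33), as an added example that is not code from the patent. It runs against an in-memory stand-in for the database; `TemplateStore`, `PolicyTemplate`, the failure strings and the log record fields are assumptions made for illustration.

```python
"""Added example, not code from the patent: policy template creation with the
uniqueness checks of steps S41-S43 / fig. 5 and template derivation from an
access log (steps S31-S33). TemplateStore, PolicyTemplate and the log record
fields are assumptions made for illustration."""
import posixpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyTemplate:
    identifier: str           # template name or number; unique and non-empty
    protected_targets: tuple  # normalised directories/files of the object control policy


class TemplateCreationError(ValueError):
    """Carries the failure reason the server prompts (fig. 5)."""


def normalize_target(path):
    # Paths differing only in form (trailing slash, "..") are the same protection target.
    return posixpath.normpath(path)


@dataclass
class TemplateStore:
    """Stand-in for the trusted management server's policy template table."""
    templates: dict = field(default_factory=dict)

    def create(self, identifier, protected_targets):
        # S41: the identifier must be non-empty and must not repeat a stored one.
        if identifier is None or not identifier.strip():
            raise TemplateCreationError("template name is empty")
        if identifier in self.templates:
            raise TemplateCreationError("template name is repeated")
        # S42: the object control policy (the set of protected targets) must not
        # repeat a control policy already stored in the database.
        targets = tuple(sorted({normalize_target(p) for p in protected_targets}))
        if not targets:
            raise TemplateCreationError("no protection directory or file given")
        if any(t.protected_targets == targets for t in self.templates.values()):
            raise TemplateCreationError("protection directory is repeated")
        # S43: create the template and write it to the database.
        template = PolicyTemplate(identifier, targets)
        self.templates[identifier] = template
        return template

    def create_from_access_log(self, identifier, access_log):
        # S31-S33: the object control policy is derived from the objects whose
        # access matched a policy during learning (the second access log).
        targets = [rec["object"] for rec in access_log if rec.get("matched")]
        return self.create(identifier, targets)


def try_create(store, identifier, protected_targets):
    """Return (template, None) on success or (None, failure_reason) on failure."""
    try:
        return store.create(identifier, protected_targets), None
    except TemplateCreationError as exc:
        return None, str(exc)
```

Normalising the protection paths before the duplicate check matters: without it, `/etc/nginx/` and `/etc/nginx` would be accepted as two distinct templates and the uniqueness guarantee of step S42 would be only nominal.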
As an optional embodiment, after receiving the policy validation information sent by the first terminal, the method further includes:
S51, obtaining an audit log reported by the first terminal, where the audit log is generated by controlling, using the target control policy, a target access behavior executed on the first terminal;
and S52, storing the audit log.
Optionally, in this embodiment, the trusted management server may further obtain and store an audit log reported by the first terminal, where the audit log may be used, but not limited to, to generate a policy template. The audit log is generated by controlling a target access behavior executed on the first terminal using a target control policy.
According to an aspect of embodiments of the present application, there is provided an embodiment of a method for controlling access to an object. Fig. 6 is a flowchart of a method for controlling optional object access according to an embodiment of the present application, and as shown in fig. 6, the method may include the following steps:
step S602, receiving a policy acquisition instruction, where the policy acquisition instruction is used to instruct a first terminal to acquire a target control policy from a trusted management server, the target control policy is used to instruct a control operation on a behavior for accessing a target object, the target control policy is generated by a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation on the access behavior of the target object;
step S604, responding to the policy obtaining instruction to obtain the target control policy from the trusted management server;
step S606, sending policy validation information to the trusted management server, where the policy validation information is used to indicate that the target control policy is validated on the first terminal;
step S608, executing the target control policy to control the behavior of accessing the target object on the first terminal.
Through the above steps S602 to S608, the target control policy is generated through the first policy learning process executed on the second terminal and used for learning the control policy of the target object on the second terminal, and the target control policy is configured to the first terminal except the second terminal, so that after the target control policy becomes effective on the first terminal, the first terminal can control the behavior of accessing the target object by executing the target control policy, thereby avoiding repeated operations when selecting the control policy, achieving the purpose of rapidly configuring the control policy for object access, achieving the technical effect of improving the configuration efficiency of the object access policy, and further solving the technical problem of low configuration efficiency of the object access policy in the related art.
Alternatively, in this embodiment, the method for controlling the object access may be, but is not limited to being, executed by the terminal 101. For the terminal 101, the server 103 may serve as a management center to provide management services of the object access control policy thereto, and the terminal 101 may also serve as a server to provide services for other terminals, such as: multimedia playing services, multimedia production services, live broadcast services, gaming services, shopping services, financial services, and the like. The terminal 101 may also include, but is not limited to, a mobile phone, a tablet, a smart wearable device, a smart home device, a PC, and the like.
In the technical solution provided in step S602, the target object may include, but is not limited to: files, folders, data packages (e.g., network data packages, local data packages), applications, applets, and the like.
Optionally, in this embodiment, the target control policy is generated by a first policy learning process executed on the second terminal, where the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes a control operation performed on an access behavior of the target object. When the first policy learning process is executed on the second terminal to learn the first access log of the target object on the second terminal, a policy template corresponding to the first policy learning process can be generated at the trusted management server, and the trusted management server can use the policy template to configure a corresponding target control policy for other terminals. The generated target control strategy can be configured to other terminals except the second terminal, such as the first terminal, so that the first terminal can control the operation of accessing the target object.
Optionally, in this embodiment, the first terminal may be notified of the policy acquisition instruction by, but not limited to, a heartbeat.
In the technical solution provided in step S604, after the first terminal receives the policy acquisition instruction and learns which target control policy it needs to acquire, the first terminal may acquire the target control policy from the trusted management server by, but not limited to, sending a request. For example, the first terminal sends a request to the trusted management server for the target control policy, the trusted management server provides the target control policy in response to that request, and the first terminal thereby obtains the target control policy.
In the technical solution provided in step S606, after the first terminal acquires the target control policy from the trusted management server, the first terminal sends policy validation information indicating that the target control policy is validated on the first terminal to the trusted management server, so that the trusted management server knows that the target control policy is validated on the first terminal.
Optionally, in this embodiment, after the target control policy on the first terminal takes effect, the second access log may also be uploaded to the trusted management server.
In the technical solution provided in step S608, the first terminal may control a behavior of accessing the target object by executing the target control policy, where the behavior of accessing the target object may include, but is not limited to: read-write behaviors (read, write, etc.), modification behaviors (delete, modify, etc.), query behaviors, and so on.
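The exchange of fig. 3 and steps S602 to S608 (heartbeat carrying a pending acquisition instruction, policy request and response, validation report, database write), as an added example that is not code from the patent, played out in-process between a server and an agent. The class names, message fields and policy id format are assumptions made for illustration; the server hands a policy only to a terminal it has actually instructed to fetch it.

```python
"""Added example, not code from the patent: the policy-distribution exchange of
fig. 3 and steps S602-S608 between a trusted management server and a terminal
agent. Class names, message fields and the policy id format are assumptions."""
import itertools
from dataclasses import dataclass, field


@dataclass
class TrustedManagementServer:
    templates: dict                                    # template id -> protected objects
    pending: dict = field(default_factory=dict)        # terminal -> policy id awaiting pickup
    policies: dict = field(default_factory=dict)       # policy id -> control policy
    validated: set = field(default_factory=set)        # (terminal, policy id) pairs
    db: list = field(default_factory=list)             # rows "written to the database"
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def configure(self, terminals, template_id):
        """Fig. 3: select terminals and a template, generate the control policy
        and create an acquisition instruction for each selected terminal."""
        policy_id = f"policy-{next(self._ids)}"
        self.policies[policy_id] = {"id": policy_id,
                                    "protected": self.templates[template_id]}
        for terminal in terminals:
            self.pending[terminal] = policy_id
        self.db.append(("template_selected", template_id, tuple(terminals)))
        return policy_id

    def heartbeat(self, terminal):
        """S602: answer a heartbeat with the instruction if one is pending."""
        policy_id = self.pending.get(terminal)
        if policy_id is None:
            return {"type": "ok"}
        return {"type": "policy_acquisition_instruction", "policy_id": policy_id}

    def get_policy(self, terminal, policy_id):
        """S604: hand out only the policy this terminal was instructed to fetch."""
        if self.pending.get(terminal) != policy_id:
            raise PermissionError(f"{terminal} has no pending instruction for {policy_id}")
        return self.policies[policy_id]

    def report_validation(self, terminal, policy_id):
        """S606: record that the policy is now in effect on the terminal."""
        if self.pending.get(terminal) != policy_id:
            return False
        del self.pending[terminal]
        self.validated.add((terminal, policy_id))
        self.db.append(("policy_validated", terminal, policy_id))
        return True


@dataclass
class TerminalAgent:
    name: str
    server: TrustedManagementServer
    active_policy: dict = None       # policy currently configured into the kernel

    def heartbeat_cycle(self):
        """One heartbeat: pick up an instruction, fetch, apply, confirm.
        Returns the id of the policy that took effect, or None."""
        message = self.server.heartbeat(self.name)
        if message["type"] != "policy_acquisition_instruction":
            return None
        policy = self.server.get_policy(self.name, message["policy_id"])
        self.active_policy = policy           # S608: policy now enforced locally
        self.server.report_validation(self.name, policy["id"])
        return policy["id"]
```

Because the validation report clears the pending entry, the server's `validated` set is the authoritative record of where a policy is in effect, which is what the "policy validation information" of step S606 gives the management center.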
In an alternative embodiment, a manner is provided in which a control policy takes effect on a terminal. Fig. 7 is a schematic diagram of a control policy validation process according to an alternative embodiment of the present application. As shown in fig. 7, the management center (corresponding to the above trusted management server) issues a control policy to an agent installed on the terminal; the agent is responsible for storing the policy and for restoring it after a restart, and also processes policies from the terminal management interface. The agent then sends the received control policy to the Xbase service program, which parses the policy format and finally configures it into the kernel for execution.
As an optional embodiment, executing the target control policy to control, on the first terminal, an action of accessing the target object includes:
s61, intercepting a target access behavior executed on the first terminal;
S62, determining whether the first terminal is in a policy learning mode;
S63, when the first terminal is determined to be in the policy learning mode, matching the target access behavior with the target control policy to obtain a first matching result;
s64, generating a second access log according to the first matching result;
and S65, reporting the second access log, and releasing the target access behavior.
Optionally, in this embodiment, different operations are performed on the intercepted target access behavior when the first terminal is in different modes, and if the first terminal is in the policy learning mode, the target access behavior is matched with the target control policy to obtain a first matching result, and a second access log is generated and reported.
Optionally, in this embodiment, the policy learning mode may be, but is not limited to, a file access control learning mode, and the learning modes executed on the terminal may further include a full-disk learning mode, a network control learning mode, a white-list learning mode, and so on. Only when the first terminal is determined to be in the file access control learning mode is the target access behavior matched with the target control policy and a second access log generated and reported. In other learning modes the first terminal may perform, but is not limited to, the corresponding operations; for example, in the full-disk learning mode the first terminal directly releases the target access behavior and generates and reports a full-disk learning mode log.
As an alternative embodiment, determining whether the first terminal is in the policy learning mode comprises:
S71, receiving a start instruction, where the start instruction is used to instruct the first terminal to start a second policy learning process for a second object;
S72, starting the second policy learning process in response to the start instruction, and determining that the first terminal is in the policy learning mode;
S73, when a close instruction is received, closing the second policy learning process and determining that the first terminal is not in the policy learning mode.
Optionally, in this embodiment, the execution of the second policy learning process by the first terminal is equivalent to the first terminal being in the policy learning mode.
Optionally, in this embodiment, the first terminal may start or close the second policy learning process according to an instruction of the trusted management server, second access logs generated in the second policy learning process may be uploaded to the trusted management server by the first terminal, and the trusted management server may generate a policy template for configuring a control policy for other terminals by using the second access logs.
Optionally, in this embodiment, the second policy learning process may be, but is not limited to, a process of learning a target control policy. During the second policy learning process the first terminal is in the access control learning state, in which it releases all intercepted target access behaviors and decides whether to report a second access log according to the first matching result. For example, if the first matching result indicates that the target access behavior matches the target control policy, the target access behavior is released and a second access log is generated and reported; if the first matching result indicates that the target access behavior does not match the target control policy, the target access behavior is released but no second access log is generated.
As an optional embodiment, after determining whether the first terminal is in the policy learning mode, the method further includes:
S81, when the first terminal is not in the policy learning mode, matching the target access behavior with the target control policy to obtain a second matching result;
s82, controlling the target access behavior according to the second matching result.
Optionally, in this embodiment, after the target control policy takes effect, the first terminal may use it to control a target access behavior executed on the first terminal: the target access behavior intercepted on the first terminal is matched with the target control policy, and the target access behavior is processed according to the current mode of the first terminal and the matching result obtained, thereby controlling the target access behavior. If the first terminal is not in the policy learning mode, the target access behavior is matched with the target control policy to obtain a second matching result, and the target access behavior is controlled according to the second matching result, where the control may be, but is not limited to, releasing or intercepting the target access behavior.
Optionally, in this embodiment, one or more processes run on the first terminal. The processes may be classified into super processes and normal processes, where a super process may be a process that implements the object access control function itself. Different operations may be performed on target access behaviors intercepted from different types of process: before the target access behavior is matched with the target control policy to obtain the second matching result, it may further be determined whether the target access behavior comes from a super process; a target access behavior from a super process is released directly, and a target access behavior from a normal process is matched with the target control policy.
As an alternative embodiment, controlling the target access behavior according to the second matching result comprises:
S91, if the target access behavior matches a control policy belonging to the first type, or does not match a control policy belonging to the second type, releasing the target access behavior, where the control policy belonging to the first type is used to indicate an access terminal having access privilege to the target object, and the control policy belonging to the second type is used to prevent tampering with the target object;
S92, intercepting the target access behavior when the target access behavior matches the control policy belonging to the second type;
S93, generating an audit log, where the audit log records the control policy matched by the target access behavior and the operation performed on the target access behavior;
and S94, reporting the audit log to the trusted management server.
Optionally, in this embodiment, matching the target access behavior with the control policy belonging to the first type may be regarded as that the target access behavior has access privilege to the target object, or, mismatching the target access behavior with the control policy belonging to the second type may be regarded as that tampering of the target object by the target access behavior is not required to be prevented, and the target access behavior in the above case may be subjected to release processing.
Optionally, in this embodiment, if the target access behavior matches the control policy belonging to the second type, it is regarded as a behavior whose tampering with the target object must be prevented, and it is intercepted so that the target object is not operated on.
Optionally, in this embodiment, for a target access behavior matched to a target control policy, an audit log may be generated to record a control policy matched to the target access behavior and an operation performed on the target access behavior, and the audit log is reported to the trusted management server, and the trusted management server may continue to configure the control policy for the first terminal or another terminal according to the audit log.
In an optional embodiment, a policy learning process is provided. Fig. 8 is a schematic diagram of a policy learning process according to an optional embodiment of the present application. As shown in fig. 8, a terminal is selected on the trusted management server and a directory or file to be protected is entered; the trusted management server determines whether the terminal is in the learning state, and if not, creates an open-learning policy (equivalent to the above start instruction) and notifies the terminal to acquire the policy; the terminal opens the learning mode and sends an open confirmation to the trusted management server. During learning, the terminal reports the logs generated in the learning process, and the trusted management server collects the second access log reported by the terminal. After the learning time is over, the trusted management server selects a terminal and determines whether it is in the learning state; if so, it creates a close-learning policy (equivalent to the above close instruction) and notifies the terminal to acquire the policy; when the terminal acquires the close-learning policy, it closes the learning mode and sends a close confirmation to the trusted management server. After the learning mode is closed, a policy template can be generated, and the generated policy template allows editing, modification and other operations.
Optionally, in this optional embodiment, the policy generated by the trusted management server, the on state and the off state of the learning mode acknowledged by the terminal report, the log reported by the terminal, and the generated policy template may all be written into the database for storage.
Optionally, in this optional implementation, the terminal must be online in the learning mode and must not be performing other learning tasks; if another learning task is in progress, an exception is prompted.
Optionally, in this optional embodiment, the terminal may be notified to acquire the learning mode policy through a heartbeat, but not limited to. After the terminal starts the learning mode, the log sent to the trusted management server can mark the log state as the learning mode state.
Alternatively, in this alternative embodiment, the close button of a terminal currently set to the learning mode is clickable. After the terminal confirms that the learning mode is closed, the policy template can be generated, and generation may be clicked multiple times. The generated policy template can be edited and modified online.
As an optional embodiment, matching the target access behavior with the target control policy, and obtaining the second matching result includes:
S101, matching the target control policy with the policies stored in a policy cache library, where the policy cache library records historical control policies and their corresponding execution results, and a historical control policy is a control policy that has been executed on the first terminal;
S102, when a target historical control policy is matched, processing the target access behavior according to the execution result corresponding to the target historical control policy;
S103, when no target historical control policy is matched, matching the target access behavior with the target control policy to obtain the second matching result.
Optionally, in this embodiment, a policy cache library may be established to record historical control policies and their corresponding execution results, where a historical control policy is a control policy that has been executed on the first terminal. Each time the first terminal controls a read or write operation using a control policy, the matched control policy and its execution result may be recorded in the policy cache library. Before the target control policy is used to control a target access behavior, the policy cache library may be checked for a recorded correspondence between the relevant control policy and an execution result; if one is recorded, the target access behavior is controlled directly according to that record, and otherwise the target control policy is matched. In this way, operation time is saved and control efficiency is improved.
As an alternative embodiment, matching the target access behavior with the target control policy includes:
s111, matching the target access behavior with the control policy belonging to the first type under the condition that the target control policy comprises the control policy belonging to the first type, wherein the control policy belonging to the first type is used for indicating an access terminal having access privilege to a target object;
and S112, matching the target access behavior with a control policy belonging to a second type when the target access behavior does not match with the control policy belonging to the first type, or when the target control policy does not include the control policy belonging to the first type, where the control policy belonging to the second type is used to prevent tampering with the target object.
Optionally, in this embodiment, the target control policy may be divided into a control policy belonging to a first type and a control policy belonging to a second type, where the control policy belonging to the first type is used to indicate an access terminal having access privileges to the second object, and the control policy belonging to the second type is used to prevent tampering with the second object. In the matching process, the control strategies belonging to the first type are preferentially matched, and the control strategies belonging to the second type are secondarily matched.
Optionally, in this embodiment, the target object may include, but is not limited to, a target file, that is, a target control policy is used to control an operation of the target file, and the control manner may include, but is not limited to: setting a control policy belonging to a first type for indicating an access terminal having an access privilege to a target file as an access white list, and setting a control policy belonging to a second type for preventing tampering with the target file.
Optionally, in this embodiment, the control policy belonging to the second type may be a control policy that is certainly included in the target control policy and is used to protect the target object, the control policy belonging to the first type may be used as an optional item, and the target control policy may include the control policy belonging to the first type or may not include the control policy belonging to the first type.
Optionally, in this embodiment, if the target control policy includes a control policy belonging to the first type, that control policy is matched first and a matching result is obtained. If the target control policy does not include a control policy belonging to the first type, or the target access behavior does not match the control policy belonging to the first type, matching continues with the control policy belonging to the second type and a matching result is obtained.
In an optional embodiment, a processing procedure of a terminal for an access behavior is provided, where a control policy configured on the terminal may be executed by, but not limited to, a kernel, the control policy is stored in the terminal by maintaining an access control policy library, the kernel updates the access control policy library after receiving the policy, and if the policy is a delete policy, the cache library may be emptied. Fig. 9 is a schematic diagram of a processing procedure of an access behavior according to an alternative embodiment of the present application, and as shown in fig. 9, a kernel intercepts an access behavior on a terminal and determines whether the terminal is in a learning mode.
If the terminal is not currently in the learning mode, the kernel may further determine whether the current access behavior comes from a super process (such as the product's own process); if so, the behavior is released directly and no audit is generated. The terminal may store every control policy that has been executed in the cache so that the policy matching result can be obtained quickly later. If the current access behavior is not from a super process, the kernel determines whether it is in the cache; if so, it decides whether to release or intercept according to the cached result and finally generates an audit. If it is not found in the cache, the privilege policy is matched first; if the privilege policy matches, the cache library is updated, the current access behavior is released, and an audit is generated. If the privilege policy does not match, the anti-tampering policy is matched; if it matches, the cache library is updated, the current access behavior is intercepted, and an audit is generated. If neither matches, the current access behavior is released and no audit is generated.
If the terminal is currently in the learning mode, the kernel determines whether it is in the full-disk learning state or the access control learning state. In the full-disk learning state, the current access behavior is released directly and an audit is generated. In the access control learning state, the privilege policy is matched first and then the anti-tampering policy; if either policy matches, the current access behavior is released and an audit is generated, and if neither matches, the current access behavior is released but no audit is generated.
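The decision procedure of figs. 8 and 9 (learning-mode branch, super-process bypass, policy cache, privilege policy first, anti-tampering policy second, audit generation), as an added example that is not code from the patent, run over a few constructed access events. `AccessEvent`, `ControlPolicy`, `PolicyEngine`, the modelling of the "access terminal with access privilege" as a set of process names, the set of operations counted as tampering, and the cache key of (process, path, operation) are all assumptions made for illustration.

```python
"""Added example, not code from the patent: a simulation of the kernel-side
access decision of figs. 8 and 9. AccessEvent, ControlPolicy, PolicyEngine,
the privileged-process model, the tampering operation set and the cache key
are assumptions made for illustration."""
import posixpath
from dataclasses import dataclass, field

RELEASE, INTERCEPT = "release", "intercept"
TAMPER_OPS = frozenset({"write", "delete", "rename", "modify"})   # assumption


@dataclass(frozen=True)
class AccessEvent:
    process: str   # subject performing the access
    path: str      # object being accessed
    op: str        # "read", "write", "delete", ...


@dataclass
class ControlPolicy:
    protected: tuple                      # second type: anti-tampering targets
    privileged: frozenset = frozenset()   # first type (optional): subjects with access privilege


@dataclass
class PolicyEngine:
    policy: ControlPolicy
    super_processes: frozenset = frozenset({"agent", "xbase"})   # product's own processes (assumed names)
    learning_mode: str = "off"            # "off", "access_control" or "full_disk"
    cache: dict = field(default_factory=dict)        # (process, path, op) -> (matched type, decision)
    audit: list = field(default_factory=list)        # (matched type, decision, event)
    learning_log: list = field(default_factory=list)  # second access log reported while learning

    def _covers(self, path):
        p = posixpath.normpath(path)
        for target in self.policy.protected:
            t = posixpath.normpath(target)
            if p == t or p.startswith(t.rstrip("/") + "/"):
                return True
        return False

    def _match_privilege(self, ev):     # first-type policy
        return ev.process in self.policy.privileged and self._covers(ev.path)

    def _match_anti_tamper(self, ev):   # second-type policy
        return self._covers(ev.path) and ev.op in TAMPER_OPS

    def handle(self, ev):
        """Return the decision for one intercepted access behavior."""
        if self.learning_mode == "full_disk":
            self.learning_log.append(("full_disk", ev))      # release and log everything
            return RELEASE
        if self.learning_mode == "access_control":
            # S63-S65: match, report only matched behaviors, always release.
            if self._match_privilege(ev):
                self.learning_log.append(("privilege", ev))
            elif self._match_anti_tamper(ev):
                self.learning_log.append(("anti_tamper", ev))
            return RELEASE
        # Enforcement mode (fig. 9, "not in learning mode").
        if ev.process in self.super_processes:
            return RELEASE                                    # released, no audit
        key = (ev.process, ev.path, ev.op)
        if key in self.cache:
            matched, decision = self.cache[key]               # S101-S102
            self.audit.append((matched, decision, ev))
            return decision
        if self._match_privilege(ev):
            matched, decision = "privilege", RELEASE
        elif self._match_anti_tamper(ev):
            matched, decision = "anti_tamper", INTERCEPT
        else:
            return RELEASE                                    # no match: release, no audit, no cache entry
        self.cache[key] = (matched, decision)                 # update cache library
        self.audit.append((matched, decision, ev))
        return decision

    def clear_cache(self):
        """A delete-policy instruction empties the cache library."""
        self.cache.clear()
```

The example makes two properties of the described order visible: a privileged subject's write to a protected file is released because the first-type policy is checked before the second-type one, and a cache hit produces an audit record without re-running the match, so the audit trail stays complete even on the fast path.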
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided an object access policy configuration apparatus for implementing the object access policy configuration method. Fig. 10 is a schematic diagram of an alternative configuration apparatus for object access policy according to an embodiment of the present application, and as shown in fig. 10, the apparatus may include:
a first sending module 102, configured to send a policy acquisition instruction to a first terminal, where the policy acquisition instruction is used to instruct the first terminal to acquire a target control policy from a trusted management server, the target control policy is used to instruct a control operation on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation on the access behavior of the target object;
a second sending module 104, configured to, in a case that a policy obtaining request sent by the first terminal is received, send the target control policy to the first terminal in response to the policy obtaining request;
a first receiving module 106, configured to receive policy validation information sent by the first terminal, where the policy validation information is used to indicate that the target control policy is validated on the first terminal.
It should be noted that the first sending module 102 in this embodiment may be configured to execute step S202 in this embodiment, the second sending module 104 in this embodiment may be configured to execute step S204 in this embodiment, and the first receiving module 106 in this embodiment may be configured to execute step S206 in this embodiment.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may operate in a hardware environment as shown in fig. 1, and may be implemented by software or hardware.
Through the above modules, the target control policy is generated through a first policy learning process executed on the second terminal to learn the control policy of the target object on the second terminal, and the target control policy is configured to a first terminal other than the second terminal, so that after the target control policy takes effect on the first terminal, the first terminal can control the behavior of accessing the target object by executing the target control policy. Repeated operations when selecting the control policy are thereby avoided, the purpose of rapidly configuring the control policy for object access is achieved, the technical effect of improving the configuration efficiency of the object access policy is achieved, and the technical problem of low configuration efficiency of the object access policy in the related art is solved.
As an alternative embodiment, the first sending module comprises:
a first determining unit, configured to determine one or more terminals, where the one or more terminals include the first terminal;
a second determining unit, configured to determine a first policy template corresponding to the one or more terminals;
a first generating unit, configured to generate the target control policy using the first policy template;
a sending unit, configured to send the policy acquisition instruction to the one or more terminals, where the policy acquisition instruction is used to instruct the one or more terminals to acquire the target control policy from the trusted management server.
As an alternative embodiment, the target control policy comprises a control policy belonging to a first type and a control policy belonging to a second type, wherein the first-type control policy indicates the access terminals that hold access privilege to the target object, and the second-type control policy is used to prevent tampering with the target object.
As an alternative embodiment, the apparatus further comprises:
a third sending module, configured to send a start instruction to the first terminal after the policy acquisition instruction has been sent to the first terminal, where the start instruction is used to instruct the first terminal to start a second policy learning process;
a first obtaining module, configured to obtain a second access log reported by the first terminal during the second policy learning process, where the second access log is generated by matching target access behaviors executed on the first terminal against the target control policy;
a fourth sending module, configured to send a closing instruction to the first terminal, where the closing instruction is used to instruct the first terminal to close the second policy learning process;
a generating module, configured to generate a second policy template from the second access log once it is confirmed that the first terminal has closed the second policy learning process, where the second policy template is used to generate a control policy.
As an alternative embodiment, the generating module includes:
a second generating unit, configured to generate an object control policy corresponding to the second access log;
an obtaining unit, configured to obtain a policy template identifier, where the policy template identifier uniquely identifies the second policy template;
a third generating unit, configured to generate the second policy template having the policy template identifier and the object control policy.
As an alternative embodiment, the third generating unit is configured to:
determining whether the policy template identifier duplicates an identifier stored in a database, and whether the policy template identifier is empty;
when the policy template identifier neither duplicates an identifier stored in the database nor is empty, determining whether the object control policy duplicates a control policy stored in the database;
when it is determined that the object control policy does not duplicate a control policy stored in the database, generating the second policy template having the policy template identifier and the object control policy.
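The generating module and the three checks of the third generating unit, as an added example that is not code from the patent or the applicant's product. The access-log entry format, the in-memory template store standing in for the database, and all function and class names (learn_object_control_policy, PolicyTemplateStore, generate_policy_template, rejection_reason) are assumptions made for illustration; the sample log is constructed.

```python
"""Generate a policy template from a learned object control policy, applying the
identifier and duplicate checks in order: empty identifier, duplicate identifier,
duplicate policy content. Nothing is stored when a check fails."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessLogEntry:
    """One entry of the second access log (constructed format, an assumption)."""
    subject: str    # process or terminal that performed the access
    obj: str        # target object, e.g. a file path
    operation: str  # "read", "write", "exec", ...
    control: str    # control operation the policy applied: "allow" or "deny"


# An object control policy is the set of (subject, object, operation) triples that
# are permitted; a frozenset lets two learned policies be compared by content.
ObjectControlPolicy = FrozenSet[Tuple[str, str, str]]


def learn_object_control_policy(log: List[AccessLogEntry]) -> ObjectControlPolicy:
    """Derive the permitted-access set from the control operations in the log."""
    return frozenset((e.subject, e.obj, e.operation) for e in log if e.control == "allow")


@dataclass
class PolicyTemplate:
    template_id: str
    policy: ObjectControlPolicy


class PolicyTemplateStore:
    """In-memory stand-in for the database that holds stored templates."""

    def __init__(self) -> None:
        self._by_id: Dict[str, PolicyTemplate] = {}

    def has_identifier(self, template_id: str) -> bool:
        return template_id in self._by_id

    def has_policy(self, policy: ObjectControlPolicy) -> bool:
        return any(t.policy == policy for t in self._by_id.values())

    def add(self, template: PolicyTemplate) -> None:
        self._by_id[template.template_id] = template


class TemplateRejected(ValueError):
    """Raised when one of the checks fails; the store is left unchanged."""


def generate_policy_template(store: PolicyTemplateStore, template_id: str,
                             log: List[AccessLogEntry]) -> PolicyTemplate:
    # Check 1: the identifier must be non-empty and must not already be stored.
    if not template_id or not template_id.strip():
        raise TemplateRejected("policy template identifier is empty")
    if store.has_identifier(template_id):
        raise TemplateRejected(f"identifier {template_id!r} is already stored")
    policy = learn_object_control_policy(log)
    # Check 2: the policy content must not duplicate a stored template, otherwise
    # two identifiers would refer to the same policy.
    if store.has_policy(policy):
        raise TemplateRejected("object control policy duplicates a stored template")
    template = PolicyTemplate(template_id, policy)
    store.add(template)
    return template


def rejection_reason(store: PolicyTemplateStore, template_id: str,
                     log: List[AccessLogEntry]) -> Optional[str]:
    """Return the message of the check that rejected the template, or None if stored."""
    try:
        generate_policy_template(store, template_id, log)
    except TemplateRejected as exc:
        return str(exc)
    return None


# Constructed sample log from one learning run on a terminal.
SAMPLE_LOG = [
    AccessLogEntry("app_service", "/etc/app/config.yaml", "read", "allow"),
    AccessLogEntry("app_service", "/etc/app/config.yaml", "write", "deny"),
    AccessLogEntry("browser", "/etc/app/config.yaml", "read", "deny"),
    AccessLogEntry("backup_agent", "/var/data/report.csv", "read", "allow"),
]

if __name__ == "__main__":
    store = PolicyTemplateStore()
    print(generate_policy_template(store, "tpl-web-01", SAMPLE_LOG))
    print(rejection_reason(store, "tpl-web-01", SAMPLE_LOG))
```

The identifier checks run before the log is turned into a policy, so a malformed or duplicate identifier costs nothing, and a rejected template never reaches the store.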
As an alternative embodiment, the apparatus further comprises:
a second obtaining module, configured to obtain an audit log reported by the first terminal after receiving the policy validation information sent by the first terminal, where the audit log is generated by controlling a target access behavior executed on the first terminal using the target control policy;
a storage module, configured to store the audit log.
It should be noted that the modules described above correspond to the examples and application scenarios implemented by the corresponding method steps, but are not limited to the disclosure of those embodiments. The modules, as part of the apparatus, may operate in a hardware environment such as the one shown in fig. 1, where the hardware environment includes a network environment, and may be implemented in software or in hardware.
According to another aspect of the embodiment of the present application, a server or a terminal for implementing the configuration method of the object access policy is also provided.
Fig. 11 is a block diagram of a terminal according to an embodiment of the present application. As shown in fig. 11, the terminal may include one or more processors 1101 (only one of which is shown), a memory 1103, and a transmission device 1105; the terminal may further include an input/output device 1107.
The memory 1103 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for configuring an object access policy in the embodiment of the present application, and the processor 1101 executes various functional applications and data processing by running the software programs and modules stored in the memory 1103, that is, implements the method for configuring an object access policy described above. The memory 1103 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1103 can further include memory located remotely from the processor 1101, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 1105 is used to receive or send data via a network, and may also be used for data transfer between the processor and the memory. Examples of the network include wired and wireless networks. In one example, the transmission device 1105 includes a network adapter (network interface card, NIC) that can be connected through a network cable to a router or other network device so as to communicate with the internet or a local area network. In another example, the transmission device 1105 is a radio frequency (RF) module that communicates with the internet wirelessly.
The memory 1103 is used for storing, among other things, application programs.
The processor 1101 may call an application stored in the memory 1103 through the transmission device 1105 to perform the following steps:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for instructing a control operation on a behavior for accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process for learning a first access log of the target object on the second terminal, and the first access log comprises the control operation on the access behavior of the target object;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy is validated on the first terminal.
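The three-step exchange above (policy acquisition instruction, policy acquisition request and response, policy validation information), followed by enforcement of the two policy types from the alternative embodiment and the audit-log upload, as an added example that is not code from the patent or the applicant's product. The message types, the TrustedManagementServer and Terminal classes, the policy layout and the sample accesses are assumptions for illustration; the anti-tamper type is modelled here as denying write and delete on a protected object for every subject, which is one reading of "preventing tampering".

```python
"""Simulated policy distribution between a trusted management server and one
terminal, then enforcement and audit-log reporting. All names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TargetControlPolicy:
    policy_id: str
    # First type: which access subjects hold access privilege to each target object.
    access_privilege: Dict[str, Set[str]]
    # Second type: target objects whose content must not be modified.
    tamper_protected: Set[str]


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    obj: str
    operation: str
    decision: str  # "allow" or "deny"


class TrustedManagementServer:
    def __init__(self, policy: TargetControlPolicy) -> None:
        self.policy = policy
        self.validated: Set[str] = set()  # terminals that reported validation
        self.audit_store: Dict[str, List[AuditRecord]] = {}

    def policy_acquisition_instruction(self) -> dict:
        """Step 1: tell the terminal which policy to fetch; no policy body is sent."""
        return {"type": "policy_acquisition_instruction", "policy_id": self.policy.policy_id}

    def handle_policy_request(self, msg: dict) -> Optional[TargetControlPolicy]:
        """Step 2: send the policy only in response to a matching request."""
        if msg.get("type") != "policy_acquisition_request":
            return None
        if msg.get("policy_id") != self.policy.policy_id:
            return None
        return self.policy

    def handle_validation(self, msg: dict) -> bool:
        """Step 3: record that the policy took effect on the terminal."""
        ok = (msg.get("type") == "policy_validation_information"
              and msg.get("policy_id") == self.policy.policy_id)
        if ok:
            self.validated.add(msg["terminal_id"])
        return ok

    def store_audit_log(self, terminal_id: str, records: List[AuditRecord]) -> bool:
        """Accept audit logs only from terminals on which the policy is validated."""
        if terminal_id not in self.validated:
            return False
        self.audit_store.setdefault(terminal_id, []).extend(records)
        return True


class Terminal:
    def __init__(self, terminal_id: str) -> None:
        self.terminal_id = terminal_id
        self.policy: Optional[TargetControlPolicy] = None
        self.audit_log: List[AuditRecord] = []

    def request_policy(self, instruction: dict) -> dict:
        return {"type": "policy_acquisition_request",
                "terminal_id": self.terminal_id, "policy_id": instruction["policy_id"]}

    def apply_policy(self, policy: TargetControlPolicy) -> dict:
        self.policy = policy
        return {"type": "policy_validation_information",
                "terminal_id": self.terminal_id, "policy_id": policy.policy_id}

    def access(self, subject: str, obj: str, operation: str) -> bool:
        """Control one access with the validated policy and record an audit entry."""
        assert self.policy is not None, "no validated policy on this terminal"
        # First-type check: the subject must hold access privilege to the object.
        allowed = subject in self.policy.access_privilege.get(obj, set())
        # Second-type check: modifying a tamper-protected object is never allowed.
        if operation in ("write", "delete") and obj in self.policy.tamper_protected:
            allowed = False
        self.audit_log.append(AuditRecord(subject, obj, operation, "allow" if allowed else "deny"))
        return allowed


# Constructed sample policy; a deployment would derive it from a learned template.
SAMPLE_POLICY = TargetControlPolicy(
    policy_id="pol-web-01",
    access_privilege={"/etc/app/config.yaml": {"app_service", "backup_agent"},
                      "/var/data/report.csv": {"backup_agent"}},
    tamper_protected={"/etc/app/config.yaml"},
)

SAMPLE_ACCESSES = [
    ("app_service", "/etc/app/config.yaml", "read"),    # privileged read
    ("app_service", "/etc/app/config.yaml", "write"),   # privileged, but tamper-protected
    ("browser", "/etc/app/config.yaml", "read"),        # no privilege
    ("backup_agent", "/var/data/report.csv", "write"),  # privileged, not protected
]


def run_exchange(terminal_id: str = "terminal-1") -> Tuple[TrustedManagementServer, Terminal]:
    """Drive the three steps, then one enforcement round and the audit-log upload."""
    server = TrustedManagementServer(SAMPLE_POLICY)
    terminal = Terminal(terminal_id)
    policy = server.handle_policy_request(
        terminal.request_policy(server.policy_acquisition_instruction()))
    assert policy is not None
    server.handle_validation(terminal.apply_policy(policy))
    for subject, obj, operation in SAMPLE_ACCESSES:
        terminal.access(subject, obj, operation)
    server.store_audit_log(terminal.terminal_id, terminal.audit_log)
    return server, terminal
```

The instruction carries only a policy identifier, so the terminal must pull the policy body itself, and the server keeps the validation record as the precondition for accepting that terminal's audit logs.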
The embodiment of the present application thus provides a scheme for configuring an object access policy. The target control policy is generated by a first policy learning process executed on the second terminal, which learns the control policy for the target object on that terminal, and the target control policy is then configured on a first terminal other than the second terminal. Once the target control policy takes effect on the first terminal, the first terminal controls the behavior of accessing the target object by executing that policy. Repeated manual selection of control policies is thereby avoided, control policies for object access are configured quickly, the configuration efficiency of object access policies is improved, and the technical problem of low configuration efficiency of object access policies in the related art is solved.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Those skilled in the art will understand that the structure shown in fig. 11 is only an illustration, and that the terminal may be a terminal device such as a smart phone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), or a PAD. Fig. 11 does not limit the structure of the electronic device; for example, the terminal may include more or fewer components (such as network interfaces or display devices) than shown in fig. 11, or have a configuration different from the one shown in fig. 11.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device. The program may be stored in a computer-readable storage medium, which may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be used to execute a program code of a configuration method of an object access policy.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for instructing a control operation on a behavior for accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process for learning a first access log of the target object on the second terminal, and the first access log comprises the control operation on the access behavior of the target object;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy is validated on the first terminal.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash drive (U-disk), a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, and other media capable of storing program code.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented as a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium, including instructions that cause one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for configuring an object access policy, comprising:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for instructing a control operation on a behavior for accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process for learning a first access log of the target object on the second terminal, and the first access log comprises the control operation on the access behavior of the target object;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy is validated on the first terminal.
2. The method of claim 1, wherein sending the policy acquisition instruction to the first terminal comprises:
determining one or more terminals, wherein the one or more terminals include the first terminal;
determining a first policy template corresponding to the one or more terminals;
generating the target control policy using the first policy template;
sending the policy acquisition instruction to the one or more terminals, wherein the policy acquisition instruction is used for instructing the one or more terminals to acquire the target control policy from the trusted management server.
3. The method of claim 1, wherein the target control policy comprises a control policy belonging to a first type and a control policy belonging to a second type, wherein the first-type control policy is used for indicating the access terminals that hold access privilege to the target object, and the second-type control policy is used for preventing tampering with the target object.
4. The method of claim 1, wherein after sending the policy acquisition indication to the first terminal, the method further comprises:
sending a start instruction to the first terminal, wherein the start instruction is used for instructing the first terminal to start a second policy learning process;
acquiring a second access log reported by the first terminal during the second policy learning process, wherein the second access log is generated by matching target access behaviors executed on the first terminal against the target control policy;
sending a closing instruction to the first terminal, wherein the closing instruction is used for instructing the first terminal to close the second policy learning process;
and when it is confirmed that the first terminal has closed the second policy learning process, generating a second policy template from the second access log, wherein the second policy template is used for generating a control policy.
5. The method of claim 4, wherein generating a second policy template from the second access log comprises:
generating an object control policy corresponding to the second access log;
acquiring a policy template identifier, wherein the policy template identifier is used for uniquely identifying the second policy template;
generating the second policy template having the policy template identifier and the object control policy.
6. The method of claim 5, wherein generating the second policy template having the policy template identification and the object control policy comprises:
determining whether the policy template identifier duplicates an identifier stored in a database, and whether the policy template identifier is empty;
when the policy template identifier neither duplicates an identifier stored in the database nor is empty, determining whether the object control policy duplicates a control policy stored in the database;
when it is determined that the object control policy does not duplicate a control policy stored in the database, generating the second policy template having the policy template identifier and the object control policy.
7. The method according to claim 1, wherein after receiving the policy validation information sent by the first terminal, the method further comprises:
obtaining an audit log reported by the first terminal, wherein the audit log is generated by controlling a target access behavior executed on the first terminal by using the target control strategy;
and storing the audit log.
8. An apparatus for configuring an object access policy, comprising:
a first sending module, configured to send a policy acquisition instruction to a first terminal, where the policy acquisition instruction is used to instruct the first terminal to acquire a target control policy from a trusted management server, the target control policy is used to instruct a control operation performed on a behavior for accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operation performed on the access behavior of the target object;
a second sending module, configured to send the target control policy to the first terminal in response to the policy acquisition request when receiving the policy acquisition request sent by the first terminal;
the first receiving module is configured to receive policy validation information sent by the first terminal, where the policy validation information is used to indicate that the target control policy is validated on the first terminal.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 7 by means of the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600255.7A CN111897768B (en) 2020-06-28 2020-06-28 Configuration method and device of object access policy

Publications (2)

Publication Number Publication Date
CN111897768A true CN111897768A (en) 2020-11-06
CN111897768B CN111897768B (en) 2024-02-02

Family

ID=73207217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010600255.7A Active CN111897768B (en) 2020-06-28 2020-06-28 Configuration method and device of object access policy

Country Status (1)

Country Link
CN (1) CN111897768B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904939A (en) * 2021-10-27 2022-01-07 中国联合网络通信集团有限公司 Method, device and storage medium for managing target terminal
CN116132198A (en) * 2023-04-07 2023-05-16 杭州海康威视数字技术股份有限公司 Internet of things privacy behavior sensing method and device based on lightweight context semantics

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011076377A (en) * 2009-09-30 2011-04-14 Hitachi Solutions Ltd Terminal device and access control policy obtaining method in the terminal device
CN102904889A (en) * 2012-10-12 2013-01-30 北京可信华泰信息技术有限公司 Cross-platform-unified-management-supported mandatory access controlling system and method
CN103716354A (en) * 2012-10-09 2014-04-09 苏州慧盾信息安全科技有限公司 Security protection system and method for information system
CN105653725A (en) * 2016-01-22 2016-06-08 湖南大学 MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields
CN106330984A (en) * 2016-11-29 2017-01-11 北京元心科技有限公司 Dynamic updating method and device of access control strategy
CN108702360A (en) * 2016-02-15 2018-10-23 思科技术公司 Use the digital asset Preservation tactics of dynamic network attribute
CN109510842A (en) * 2018-12-29 2019-03-22 北京威努特技术有限公司 A kind of method and device of industry control network file Mandatory Access Control configuration
KR101992963B1 (en) * 2018-11-20 2019-06-26 주식회사 넷앤드 An automatic generation system for the whitelist command policy using machine learning
CN110298178A (en) * 2019-07-05 2019-10-01 北京可信华泰信息技术有限公司 Credible policy learning method and device, credible and secure management platform
CN110363007A (en) * 2019-07-05 2019-10-22 北京可信华泰信息技术有限公司 The update method and device of credible strategy
CN111159713A (en) * 2019-12-23 2020-05-15 北京工业大学 SELinux-based self-learning credible strategy construction method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张佳乐: "基于行为分析的改进型可信网络连接研究", 信息科技辑 *
杜义峰 等: "一种基于信任值的雾计算动态访问控制方法", 信息网络安全 *

Also Published As

Publication number Publication date
CN111897768B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant