CN105915535B - A virtual resource access control method based on user identity - Google Patents

A virtual resource access control method based on user identity

Info

Publication number: CN105915535B
Authority: CN (China)
Prior art keywords: resource, security rule, user, security policy, access control
Legal status: Active
Application number: CN201610349749.6A
Other languages: Chinese (zh)
Other versions: CN105915535A
Inventor: 李晓勇
Current assignee: BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Original assignee: BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Priority date: 2016-05-24
Filing date: 2016-05-24
Publication date: 2017-10-31

Events
Application filed by BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Priority to CN201610349749.6A
Publication of CN105915535A
Application granted
Publication of CN105915535B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a virtual resource access control method based on user identity. The method comprises the following steps: a cloud resource management platform allocates resources according to user requests and creates or updates a resource association table according to the allocation and usage state of the resources; a security policy manager generates security rules from the resource association table and the security policies in the policy library; the security policy execution entity updates its existing security rules and enforces them. The method solves the problem of inaccurate security rules caused by dynamic resource allocation in a cloud computing environment and improves the accuracy and validity of the security rules.

Description

A virtual resource access control method based on user identity
Technical field
The present invention relates to the field of information security technology, and in particular to a method for generating reliable and effective security rules in a cloud computing environment.
Background technology
Cloud computing is a pay-per-use model that provides convenient, on-demand network access to a configurable and reliable pool of shared resources (including network resources, servers, storage devices, applications and services), enabling rapid deployment and resource reclamation without requiring much involvement from the user or the service provider. To strengthen the security of the virtual resources in use, access to them is usually controlled with devices such as firewalls, protecting the security of the network environment.
Applying access control methods to virtual resources in a cloud computing environment provides security and effectiveness, but because resources in a cloud computing environment are allocated dynamically, the resources held by a user change continually, so the security rules in each security policy execution entity become uncertain. A method is therefore needed that can generate the corresponding security rules from the resources a user currently holds and the security policy, providing reliable and effective security rules to the security policy execution entities.
The content of the invention
The technical problem solved by the present invention is to propose a virtual resource access control method based on user identity that improves the accuracy and validity of security rules. In a cloud computing environment, a rule generator produces reliable and effective security rules from the resource association table and the security policy and sends them to the corresponding security policy execution entity.
To solve the above problem, a virtual resource access control method based on user identity comprises the following steps:
the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources;
the security policy manager generates security rules from the resource association table and the security policies in the policy library;
the security policy execution entity updates its existing security rules and enforces them.
Further, as a preferred embodiment, the step in which the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources further comprises: when creating or updating the resource association table, the data items in the table should include detailed user information, including the user's ID (unique identity / user name / certificate, etc.), the identification of the occupied resources (resource type / resource name / IP address / MAC address / port number, etc.) and other information (the group the user belongs to / the user's security level / the user's trustworthiness, etc.).
Further, as a preferred embodiment, the step in which the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources further comprises: for the creation and updating of the resource association table, whenever the resource allocation changes, the resource association table is created or updated in time.
Further, as a preferred embodiment, the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: when generating security rules, the security policy manager generates the final security rules from the security policy and the resource association table and sends them to the corresponding security policy execution entity.
Further, as a preferred embodiment, the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: when formulating policy, the security administrator formulates and modifies security policies through the policy formulation module in the security policy manager and updates the policy library.
Further, as a preferred embodiment, the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: the specific step of generating a security rule is that the rule generation module in the security policy manager uses the information queried from the resource association table, including IP addresses, port numbers, etc., to replace the corresponding parts of the security policy, generating a security rule that matches the current resource allocation state.
Further, as a preferred embodiment, the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: for the security policy manager, all the information contained in the resource association table generated by the cloud resource management platform and in the security policy can be obtained by parsing in the rule generation module.
Further, as a preferred embodiment, the step in which the security policy execution entity updates its existing security rules and enforces them further comprises: for a security policy execution entity, whenever the resource allocation changes or the security policy changes, it receives and updates the security rules in time and enforces them.
The beneficial effects of the present invention are as follows. First, the resource association table is composed of the user's identity information, the resource information currently occupied by the user and other related information, and can effectively reflect the basic situation of the current user and the user's occupancy relationship with the resources, enhancing the validity and timeliness of the resource association table. Second, the security rules use the resource information the user currently and dynamically occupies (for example, IP addresses, port numbers, etc.), ensuring the accuracy and validity of the security rules. Third, security policies are formulated and stored through the security policy manager, facilitating unified management of security policies. In summary, this method can effectively solve the problem of inaccurate security rules caused by dynamic resource allocation in a cloud computing environment and improve the accuracy and validity of the security rules.
Brief description of the drawings
When considered in conjunction with the accompanying drawings, the present invention and many of its attendant advantages can be more completely understood by referring to the following detailed description. The accompanying drawings described herein are provided for a further understanding of the present invention and constitute a part of it; the schematic embodiments and their description are used to explain the present invention and do not constitute an improper limitation of it.
Fig. 1 is a schematic diagram of the operation of the user-identity-based resource access control method in a cloud computing environment according to the present invention.
Embodiment
Embodiments of the invention are described with reference to Fig. 1.
To make the above objects, features and advantages more apparent and understandable, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
A virtual resource access control method based on user identity comprises the following steps:
the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources;
the security policy manager generates security rules from the resource association table and the security policies in the policy library;
the security policy execution entity updates its existing security rules and enforces them.
Embodiment one:
An application of the user-identity-based virtual resource access control method in a firewall device.
As shown in Fig. 1, it comprises the following steps:
S1, the cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2, the security administrator formulates and modifies the firewall-related security policies through the policy formulation module in the security policy manager and updates the policy library;
S3, the rule generation module in the security policy manager queries the resource association table and obtains the user information required by the security policy and the relevant information about the resources currently in use (for example, IP addresses, port numbers, etc.);
S4, using the information about the user's currently used resources obtained in S3 and following the description in the security policy, the final five-tuple security rules are generated and sent to the firewall device;
S5, the firewall device updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is created or updated at once.
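The following Python sketch is an added illustration of the five-step flow of Embodiment one and of the rule generation described under "The content of the invention"; it is not code from the patent. It models a resource association table, identity-level policies (for a user or a group, with a minimum security level), a rule generation module that substitutes the subject's currently assigned IP into the policy to produce five-tuple rules, and a firewall enforcer that replaces its rule set and reports which rules became stale after a reallocation. All user names, addresses and policies are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceEntry:
    """Row of the resource association table (a subset of the fields listed in the text)."""
    user_id: str    # unique identity / user name / certificate subject
    resource: str   # resource name, e.g. a VM id
    ip: str         # address currently assigned to that resource
    group: str      # group the user belongs to
    clearance: int  # user's security level


@dataclass(frozen=True)
class Policy:
    """Identity-level security policy: written for a user or a group, never for an IP."""
    name: str
    subject: str        # user id or group name
    subject_kind: str   # "user" or "group"
    dst_ip: str
    dst_port: int
    protocol: str
    action: str         # "allow" or "deny"
    min_clearance: int = 0


@dataclass(frozen=True)
class FiveTupleRule:
    """Concrete rule a firewall can enforce; 'policy' records which policy produced it."""
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: int
    protocol: str
    action: str
    policy: str


class ResourceAssociationTable:
    """Kept by the cloud platform and rewritten whenever allocation changes (S1)."""
    def __init__(self) -> None:
        self.rows: list[ResourceEntry] = []

    def assign(self, row: ResourceEntry) -> None:
        self.rows.append(row)

    def release(self, user_id: str, resource: str) -> None:
        self.rows = [r for r in self.rows if (r.user_id, r.resource) != (user_id, resource)]


def generate_rules(table: ResourceAssociationTable, policies: list[Policy]) -> list[FiveTupleRule]:
    """Rule generation module (S3/S4): substitute each subject's currently held addresses into
    the policy. A subject holding no resource yields no rule, so no stale or wildcard source
    address is ever emitted."""
    rules: list[FiveTupleRule] = []
    for pol in policies:
        for row in table.rows:
            is_subject = (row.user_id == pol.subject if pol.subject_kind == "user"
                          else row.group == pol.subject)
            if not is_subject or row.clearance < pol.min_clearance:
                continue
            rules.append(FiveTupleRule(row.ip, "any", pol.dst_ip, pol.dst_port,
                                       pol.protocol, pol.action, pol.name))
    return rules


class FirewallEnforcer:
    """Policy execution entity (S5): swaps in the new rule set and reports the delta."""
    def __init__(self) -> None:
        self.active: set[FiveTupleRule] = set()

    def apply(self, rules: list[FiveTupleRule]) -> tuple[set[FiveTupleRule], set[FiveTupleRule]]:
        new = set(rules)
        added, removed = new - self.active, self.active - new
        self.active = new
        return added, removed


def run_scenario() -> dict:
    """Constructed walk-through: allocate, generate, reallocate, regenerate."""
    table, fw = ResourceAssociationTable(), FirewallEnforcer()
    policies = [  # S2: policies the administrator formulated (constructed values)
        Policy("alice-to-db", "alice", "user", "10.0.1.10", 5432, "tcp", "allow"),
        Policy("devs-to-git", "dev", "group", "10.0.1.20", 22, "tcp", "allow", 2),
    ]
    # S1: the platform allocates VMs; bob lacks the clearance devs-to-git requires.
    table.assign(ResourceEntry("alice", "vm-01", "10.0.0.5", "dev", 3))
    table.assign(ResourceEntry("bob", "vm-02", "10.0.0.6", "dev", 1))
    first_added, _ = fw.apply(generate_rules(table, policies))
    # A user operation replaces alice's VM: the table is updated at once, the rules are
    # regenerated, and the firewall drops the rules that named the old IP.
    table.release("alice", "vm-01")
    table.assign(ResourceEntry("alice", "vm-03", "10.0.0.9", "dev", 3))
    second_added, second_removed = fw.apply(generate_rules(table, policies))
    return {
        "initial_src_ips": sorted(r.src_ip for r in first_added),
        "stale_src_ips": sorted(r.src_ip for r in second_removed),
        "fresh_src_ips": sorted(r.src_ip for r in second_added),
        "active_src_ips": sorted({r.src_ip for r in fw.active}),
    }
```

Because rules are derived from the table on every change, the enforcer never keeps a rule for an address the user no longer holds, which is the inaccuracy the method is designed to remove.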
Embodiment two:
An application of the user-identity-based virtual resource access control method in a gateway device.
As shown in Fig. 1, it comprises the following steps:
S1, the cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2, the security administrator formulates and modifies the gateway-related security policies through the policy formulation module in the security policy manager and updates the policy library;
S3, the rule generation module in the security policy manager queries the resource association table and obtains the user information required by the security policy and the relevant information about the resources currently in use (for example, IP addresses, port numbers, etc.);
S4, using the information about the user's currently used resources obtained in S3 and following the description in the security policy, the final security rules are generated and sent to the gateway device;
S5, the gateway device updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is created or updated at once.
Embodiment three:
An application of the user-identity-based virtual resource access control method in an intrusion detection system.
As shown in Fig. 1, it comprises the following steps:
S1, the cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2, the security administrator formulates and modifies the security policies related to the intrusion detection system through the policy formulation module in the security policy manager and updates the policy library;
S3, the rule generation module in the security policy manager queries the resource association table and obtains the user information required by the security policy and the relevant information about the resources currently in use (for example, IP addresses and port numbers that are permitted or forbidden to pass, etc.);
S4, using the information about the user's currently used resources obtained in S3 and following the description in the security policy, the final security rules are generated and sent to the security policy execution module in the intrusion detection system;
S5, the security policy execution module in the intrusion detection system updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is created or updated at once.
Embodiment four:
An application of the user-identity-based virtual resource access control method in an intrusion prevention system.
As shown in Fig. 1, it comprises the following steps:
S1, the cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2, the security administrator formulates and modifies the security policies related to the intrusion prevention system through the policy formulation module in the security policy manager and updates the policy library;
S3, the rule generation module in the security policy manager queries the resource association table and obtains the user information required by the security policy and the relevant information about the resources currently in use (for example, IP addresses and port numbers that are permitted or forbidden to pass, etc.);
S4, using the information about the user's currently used resources obtained in S3 and following the description in the security policy, the final security rules are generated and sent to the security policy execution module in the intrusion prevention system;
S5, the security policy execution module in the intrusion prevention system updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is created or updated at once.
Embodiment five:
An application of the user-identity-based virtual resource access control method in a network admission management product.
As shown in Fig. 1, it comprises the following steps:
S1, the cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2, the security administrator formulates and modifies the security policies related to network admission management through the policy formulation module in the security policy manager and updates the policy library;
S3, the rule generation module in the security policy manager queries the resource association table and obtains the user information and the relevant information about currently used resources required by the network admission management security policy (for example, IP addresses, port numbers, the group the user belongs to, etc.);
S4, using the information about the user's currently used resources obtained in S3 and following the description in the security policy, the final security rules are generated and sent to the network admission management product;
S5, the network admission management product updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is created or updated at once.
The embodiments of the invention have been explained above, but many variations are possible without essentially departing from the inventive point and effect of the present invention, as will be readily apparent to those skilled in the art. Such variations are therefore also included within the scope of protection of the present invention.

Claims (8)

1. A virtual resource access control method based on user identity, characterised in that it comprises the following steps:
the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources, wherein the allocation and usage state of the resources includes detailed user information, including the user's ID, the identification of the resources occupied by the user and other information required when generating security rules;
the security policy manager generates security rules from the resource association table and the security policies in the policy library;
the security policy execution entity updates its existing security rules and enforces them;
the user's ID refers to the user's unique identity, user name or certificate;
the identification of the resources occupied by the user refers to the resource type, resource name, MAC address, IP address and port number;
the other information required when generating security rules refers to the group the user belongs to, the user's security level and the user's trustworthiness, as required when generating security rules.
2. The virtual resource access control method based on user identity according to claim 1, characterised in that the method is applied to a cloud computing environment, and the identity-based virtual resource access control method comprises two parts: a resource association table creation and update part and a security policy manager rule generation part, wherein the resource association table creation and update part mainly completes the creation and updating of the resource association table by the cloud resource management platform, and the security policy manager rule generation part mainly completes the formulation of security policies by the security administrator and the generation of the final security rules.
3. The virtual resource access control method based on user identity according to claim 1, wherein the step in which the cloud resource management platform allocates resources according to user requests and creates or updates the resource association table according to the allocation and usage state of the resources further comprises: the cloud resource management platform creates the resource association table according to the allocation and usage state of the current resources; when a user operation causes the resource allocation to change, it updates the resource association table in time and sends it to the security policy manager.
4. The virtual resource access control method based on user identity according to claim 1, wherein the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: when generating security rules, the security policy manager generates the final security rules from the security policy and the resource association table and sends them to the corresponding security policy execution entity.
5. The virtual resource access control method based on user identity according to claim 4, wherein the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: when formulating policy, the security administrator formulates and modifies security policies through the policy formulation module in the security policy manager and updates the policy library.
6. The virtual resource access control method based on user identity according to claim 4, wherein the step in which the security policy manager generates security rules from the resource association table and the policies in the policy library further comprises: the specific step of generating a security rule is that the rule generation module in the security policy manager uses the information queried from the resource association table, including IP addresses and port numbers, to replace the corresponding parts of the security policy, generating a security rule that matches the current resource allocation state.
7. The virtual resource access control method based on user identity according to claim 1, wherein the step in which the security policy execution entity updates its existing security rules and enforces them further comprises: after receiving new security rules, the security policy execution entity updates its existing security rules and deploys and enforces the new security rules.
8. The virtual resource access control method based on user identity according to claim 7, wherein the step in which the security policy execution entity updates its existing security rules and enforces them further comprises: when a user operation causes the resource allocation to change or the security policy changes, the security policy execution entity receives and updates the security rules in time and enforces them.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610349749.6A CN105915535B (en) 2016-05-24 2016-05-24 A virtual resource access control method based on user identity


Publications (2)

Publication Number Publication Date
CN105915535A CN105915535A (en) 2016-08-31
CN105915535B true CN105915535B (en) 2017-10-31

Family

ID=56742236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610349749.6A Active CN105915535B (en) 2016-05-24 2016-05-24 A virtual resource access control method based on user identity

Country Status (1)

Country Link
CN (1) CN105915535B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11882155B1 (en) 2021-06-09 2024-01-23 State Farm Mutual Automobile Insurance Company Systems and methods for cybersecurity analysis and control of cloud-based systems

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108123924B (en) * 2016-11-30 2021-02-12 中兴通讯股份有限公司 Resource management method and system
CN109587095A (en) * 2017-09-28 2019-04-05 中国电信股份有限公司 Information security control method, device and system
CN109040106A (en) * 2018-08-28 2018-12-18 广州城市信息研究所有限公司 A kind of transmission control method and device of service hierarchy classification
CN112769825B (en) * 2021-01-07 2023-02-21 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN112866220B (en) * 2021-01-07 2022-08-23 深圳市永达电子信息股份有限公司 Safety management and control method and system based on CIA state machine
CN112866219B (en) * 2021-01-07 2022-08-23 深圳市永达电子信息股份有限公司 Safety management and control method and system
CN118200924B (en) * 2024-05-13 2024-08-30 中国铁道科学研究院集团有限公司通信信号研究所 Railway 5G public and private network fusion application safety access management and control method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729403A (en) * 2009-12-10 2010-06-09 上海电机学院 Access control method based on attribute and rule
CN102624757A (en) * 2011-01-26 2012-08-01 中山爱科数字家庭产业孵化基地有限公司 Data security access method in cloud computing environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100583737C (en) * 2007-05-22 2010-01-20 网御神州科技(北京)有限公司 A method and device for secure access control based on user
CN101321064A (en) * 2008-07-17 2008-12-10 上海众恒信息产业有限公司 Information system access control method and apparatus based on digital certificate technique
CN105184147B (en) * 2015-09-08 2017-11-24 成都博元科技有限公司 User safety management method in cloud computing platform


Also Published As

Publication number Publication date
CN105915535A (en) 2016-08-31


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant