CN107733895A - A quantitative evaluation method for cloud computing platform security - Google Patents

A quantitative evaluation method for cloud computing platform security

Info

Publication number
CN107733895A
Authority
CN
China
Prior art keywords
safety
security
cloud
platform
resource
Prior art date
Legal status
Granted
Application number
CN201710980250.XA
Other languages
Chinese (zh)
Other versions
CN107733895B (en)
Inventor
孙傲冰
季统凯
劳作媚
Current Assignee
G Cloud Technology Co Ltd
Original Assignee
G Cloud Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by G Cloud Technology Co Ltd
Priority to CN201710980250.XA (patent CN107733895B)
Priority to PCT/CN2017/109496 (patent WO2019075795A1)
Publication of CN107733895A
Application granted
Publication of CN107733895B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of cloud computing security, and in particular to a quantitative evaluation method for cloud computing platform security. In the method, a cloud computing platform security quantitative evaluation unit obtains information about the cloud platform and evaluates it quantitatively. The unit comprises a security scanning engine and a security quantitative evaluation model; the model defines, from the perspectives of a computing security set, a storage security set, a network security set, an operations and maintenance (O&M) security set and an application security set, the set of security items that need to be checked and the method of quantitative evaluation. After the security scanning engine obtains the relevant information through the platform interfaces, it scans each set for the user, checks the security check items corresponding to each resource serially or in parallel, assigns a specific score to each check item of each resource according to the running state of the resource, and aggregates the scores into a quantitative evaluation result for the overall security of the cloud platform. The invention solves the problem of quantitatively evaluating cloud computing platform security.

Description

A quantitative evaluation method for cloud computing platform security
Technical field
The present invention relates to the field of cloud computing security, and in particular to a quantitative evaluation method for cloud computing platform security.
Background technology
As a new model for providing computing, storage and network capabilities, cloud computing platforms have been adopted by many IT companies and government departments. Numerous government departments and companies have built their own public or private cloud platforms, and existing non-cloud applications are progressively being migrated onto them, so the scale of cloud platforms is growing rapidly.
With the wide adoption of cloud computing technology, information security problems have also extended from a single system or a single physical machine to the whole cloud platform. Trojans and viruses targeting cloud platforms such as OPENSTACK and VCLOUD already exist: by infiltrating one computing, storage or network resource in the cloud, they gain control over the whole cloud platform and can hijack all of its resources.
Therefore the security of a cloud platform must be considered as a whole: the possible vulnerability items in computing, storage, network and O&M must be scanned one by one in a unified manner, and the possible security threats must be evaluated objectively. What a cloud user can access is only a part of the cloud platform's resources; how to quantify the security status of the resources a user can access, and give the user an intuitive impression of it, still lacks a unified model and mechanism.
The content of the invention
The technical problem solved by the present invention is to provide a quantitative evaluation method for cloud computing platform security, which defines the set of security items to be checked, and the quantitative evaluation strategy, from the perspectives of computing security, storage security, network security, O&M security and application security. The resource set of the cloud resource view corresponding to a user is checked against the security item set to form the user's cloud security view; the cloud security view is then aggregated according to a preset strategy to form the user's quantitative evaluation of the corresponding cloud platform resources.
The technical scheme by which the present invention solves the above technical problem is as follows:
The method obtains cloud platform information through a cloud computing platform security quantitative evaluation unit and evaluates it quantitatively;
The cloud computing platform security quantitative evaluation unit specifically comprises a security scanning engine and a security quantitative evaluation model;
The security quantitative evaluation model defines, from the perspectives of a computing security set, a storage security set, a network security set, an O&M security set and an application security set, the set of security items that need to be checked and the method of quantitative evaluation;
After the security scanning engine obtains the relevant information through the interfaces, it scans the user's computing security set, storage security set, network security set, O&M security set and application security set, checks the different security check items Pij corresponding to each resource serially or in parallel, assigns a specific score to each check item of each resource according to the running state of the resource, and aggregates the scores into the quantitative evaluation result for the overall security of the cloud platform.
The cloud computing platform security quantitative evaluation unit comprises a security repair engine. When the user chooses to repair security vulnerabilities, the repair engine is invoked; it locates the problematic security item Pij according to the evaluation result and uses the corresponding repair method Oij to guide the user in repairing the platform's security vulnerabilities;
Each repair method Oij corresponds to a way of repairing a security vulnerability, including downloading a patch or changing a configuration;
The security repair engine can patch the vulnerability automatically, or guide the user through an interactive interface to change the cloud platform configuration;
After the repair is completed, the evaluation results of each security check item of the platform are recomputed, giving a new security quantitative evaluation result.
The computing security set includes server system security, virtual machine system security, container system security and attached expansion device security;
The storage security set includes physical machine storage security, virtual machine storage security and network shared storage security;
The network security set includes the network configuration, network behaviour logs and network device system information of the whole cloud platform;
The O&M security set mainly includes management plan formulation, allocation of personnel duties and authority, and execution/delivery rate check items;
The application security set mainly includes the access control, system log and behaviour audit information of applications.
By calling the related plugins, the security scanning engine first checks the security of the file system of each storage device to ensure storage system security; it then scans each system file, comparing file feature values against the virus and Trojan signature library files, to ensure the security of each file;
The security scanning engine checks the network configuration of the whole cloud platform item by item to determine its security, then checks the system and configuration information of each device to determine its security; it also checks the open ports and traffic usage of each device to ensure their security;
The security scanning engine calls the operations management module of the cloud operating system/cloud management platform or a third-party O&M system to obtain information, checks the establishment and implementation status of the whole cloud platform's O&M system, and checks it against frameworks such as ITIL and ITSS;
The security scanning engine obtains information through the API of the monitoring management module of the cloud operating system/cloud management platform 02 or of a third-party O&M application, and checks the security of a given application and the potential security threats.
The cloud computing platform security quantitative evaluation unit comprises a model building module and a model maintenance module;
The cloud computing platform security evaluation model is established by the model building module and maintained by the model maintenance module;
The model is established by the platform software provider or a security assurance provider; specifically it is a set of security evaluation elements P = {P1, P2, P3, P4, ..., PN}. Each set Pi corresponds to a direction or field in which the cloud platform needs security evaluation, namely the computing security set, the storage security set, the network security set, the O&M security set and the application security set respectively;
Each Pi in P corresponds to different operable security check items Pij, including the list of vulnerabilities of server operating systems, virtual machine operating systems, containers and so on; all the security check items constitute the set Pi, Pi = {Pi1, Pi2, Pi3, ..., Pij, ..., PiM};
Each check item Pij is assigned a triple [Sij, Lij, Oij] according to whether the platform has the vulnerability and the danger level of the vulnerability, where Sij is the highest (fully secure) score, Lij is the vulnerability grade, and Oij is a link pointing to the method for repairing the vulnerability or improving security; Lij can be divided into multiple grades, and in the simple case into two grades, where 1 represents normal and 0 represents serious;
Each Pi corresponds to a score Si, and the sum of all Si is the maximum score MAX;
Si is usually a fixed value, i.e. a fixed value is preset for each of computing security, storage security, network security, O&M security and application security; the Sij of each check item is then assigned according to its weight and the number of check items;
Si can also be assigned dynamically according to the number of check items it contains or the number of core security check items the system requires.
The cloud computing platform security quantitative evaluation unit defines the set of cloud resources that the cloud user can access through platform authorization as:
UP = {UP1, UP2, UP3, UP4, ..., UPN};
UPi corresponds one-to-one with Pi, and Pi defines the security check items to be carried out on UPi;
Each user's resources are shown with a resource view; every resource view is a subset of the cloud platform's global resource view; the view of the administrator with the highest authority is the global resource view;
According to the cloud platform resource view the user can access and the cloud computing platform security quantitative evaluation unit, the scanning engine checks the different security check items Pij corresponding to each resource serially or in parallel, and assigns each check item of each resource a specific score USij according to the running state of the resource; USi is the score of a given security check element;
Corresponding to the resource view the user can access, a cloud security view corresponding to the user can be formed, containing the security information of all resources the user can access; the cloud security global view is the security view of the cloud visible to the administrator, and includes the detailed scoring of every resource of the cloud platform; based on the user security view, the overall quantitative score of the cloud security visible to the user is obtained by aggregating the evaluation results of the security check items of each security evaluation element; the aggregation can use averaging, i.e. similar resources are averaged and then a weighted sum is taken; it can also be combined with a "one-vote veto" pattern, i.e. if any Pi contains a high-level vulnerability with Lij = 0, then the whole USi is 0;
T is the overall security evaluation score of the cloud platform resources the user can access.
The cloud computing platform security quantitative evaluation unit is embedded as an independent plugin or module in the cloud operating system, the cloud management platform or third-party software in order to obtain the relevant information.
The cloud computing platform security quantitative evaluation unit comprises an evaluation visualization module, which shows the details and aggregated results of the quantitative security evaluation graphically, including the distribution and explanation of security vulnerabilities.
The present invention considers the cloud computing platform as a whole and scans the possible vulnerability items in computing, storage, network and O&M one by one in a unified manner; the resource set of the cloud resource view corresponding to a user is checked against the security item set to form the user's cloud security view; by aggregating the cloud security view according to a preset strategy, the user's quantitative evaluation of the corresponding cloud platform resources is formed, giving the user an intuitive impression of its security.
Brief description of the drawings
The present invention is further described below with reference to the accompanying drawings:
Fig. 1 is a diagram of the relationship between the cloud computing platform security quantitative evaluation unit of the present invention and the cloud operating system/cloud management platform;
Fig. 2 is a composition diagram of the cloud computing platform security quantitative evaluation unit of the present invention;
Fig. 3 is a diagram of the cloud computing platform security quantitative evaluation system of the present invention;
Fig. 4 is the cloud computing platform user resource view of the present invention;
Fig. 5 is the cloud platform user security view of the present invention.
Embodiment
1. The cloud computing platform security quantitative evaluation unit and its composition
A cloud computing platform security quantitative evaluation unit 01 is the executor of the security quantitative evaluation method. As shown in Fig. 1, it can be embedded as an independent plugin or module in a cloud operating system or cloud management platform 02, such as OPENSTACK, CLOUDSTACK or an enterprise cloud operating system product, and obtains cloud platform information by calling the platform's open API; it can also access the API of extended third-party software 03, such as O&M software, to obtain information, so as to perform quantitative security evaluation and vulnerability repair for the cloud operating system or cloud management platform. The cloud computing platform security quantitative evaluation unit 01 is supported by cloud operating systems or cloud management platform products of different models, which ensures its compatibility and openness.
As shown in Fig. 2, a cloud computing platform security quantitative evaluation unit 01 specifically comprises an evaluation visualization module 001, a security scanning engine 002, a security repair engine 003, a security quantitative evaluation model 004, a model building module 005 and a model maintenance module 006.
2. The security quantitative evaluation model and its composition
As shown in Fig. 3, the security quantitative evaluation model 004 defines, from the perspectives of the computing security set 101, the storage security set 102, the network security set 103, the O&M security set 104 and the application security set 105, the set of security items that need to be checked and the method of quantitative evaluation.
The computing security set 101 includes server system security, virtual machine system security, container system security, attached expansion device security and so on. The security scanning engine 002 interacts with each system by invoking the resident client, service, plugin or API of the server system, virtual machine system or container system, starts the built-in security scanning program, and obtains information about these systems, such as memory, boot sector, cache security information and isolation information. Attached expansion devices include devices attached through USB, PCI-E or network extension, such as hardware dongles, watchdogs and extension disks.
The storage security set 102 includes physical machine storage security, virtual machine storage security, network shared storage security and so on. By calling the related plugins, the security scanning engine first checks the security of the file system of each storage device to ensure storage system security; it then scans each system file, comparing file feature values against the virus and Trojan signature library files, to ensure the security of each file.
The network security set 103 includes the network configuration, network behaviour logs, network device system information and so on of the whole cloud platform. The security scanning engine 002 first checks the network configuration of the whole cloud platform item by item to determine its security, then checks the system and configuration information of each device to determine its security; the security scanning engine 002 also checks the open ports and traffic usage of each device to ensure their security.
The O&M security set 104 mainly includes check items such as management plan formulation, allocation of personnel duties and authority, and execution/delivery rate. The security scanning engine 002 calls the operations management module of the cloud operating system/cloud management platform 02 or a third-party O&M system to obtain information, checks the establishment and implementation status of the whole cloud platform's O&M system, and checks it against frameworks such as ITIL and ITSS.
The application security set 105 mainly includes information such as the access control, system logs and behaviour audit of applications. The security scanning engine 002 obtains information through the API of the monitoring management module of the cloud operating system/cloud management platform 02 or of a third-party O&M application, and checks the security of a given application and the potential security threats.
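Two of the scanning-engine checks described above, as an added example that is not code from the patent or its applicant: a storage-set plugin that hashes every regular file under a directory and matches the digest against a signature library (the patent's comparison of file feature values against virus and Trojan library files), and a network-set plugin that compares each device's listening ports with the ports allowed for its role. Both return their findings together with the two-grade Lij (1 normal, 0 serious) that the evaluation model consumes. The signature library, the file tree, the port policy and the device inventory are constructed for the example, and the function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature library standing in for the virus/Trojan library files:
# sha256 digest of the file contents -> signature label.
MARKER = b"constructed-malware-marker-bytes-for-this-example"
SIGNATURE_DB = {hashlib.sha256(MARKER).hexdigest(): "constructed.trojan.sample"}

# Constructed port policy (allowed listening TCP ports per device role) and
# device inventory (device -> (role, observed listening ports)).
PORT_POLICY = {"controller": {22, 443, 5000}, "compute": {22}}
INVENTORY = {
    "ctl-01": ("controller", {22, 443, 5000, 3306}),  # 3306 is not in the policy
    "cmp-01": ("compute", {22}),
}


def file_digest(path: Path, chunk: int = 1 << 16) -> str:
    """Streamed SHA-256 of a file: the 'feature value' compared with the library."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, signatures=SIGNATURE_DB):
    """Storage-set check: walk every regular file under root (symlinks are skipped so
    a link cannot pull the scan outside the tree) and report signature matches as
    (relative path, label) pairs."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        label = signatures.get(file_digest(p))
        if label is not None:
            hits.append((p.relative_to(root).as_posix(), label))
    return hits


def check_open_ports(inventory=INVENTORY, policy=PORT_POLICY):
    """Network-set check: for each device, the ports listening but not allowed for its role."""
    findings = []
    for device, (role, ports) in sorted(inventory.items()):
        unexpected = sorted(ports - policy.get(role, set()))
        if unexpected:
            findings.append((device, unexpected))
    return findings


def grade(findings):
    """Two-grade Lij of a check item: 0 (serious) if the check produced any finding, else 1."""
    return 0 if findings else 1


def demo_storage_scan(infected: bool = True):
    """Build a constructed file tree in a temporary directory, scan it, return (hits, Lij)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_bytes(b"[DEFAULT]\nverbose = false\n")
        (root / "tmp").mkdir()
        payload = MARKER if infected else b"harmless update bundle"
        (root / "tmp" / "update.bin").write_bytes(payload)
        hits = scan_tree(root)
        return hits, grade(hits)


if __name__ == "__main__":
    print("storage:", demo_storage_scan())
    port_findings = check_open_ports()
    print("network:", port_findings, "Lij =", grade(port_findings))
```

Exact-hash matching is the simplest form of the feature comparison; a production engine would also use partial or fuzzy signatures, but the flow into the model is the same: findings become a grade, and the grade becomes the Lij of one check item.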
3. The security quantitative evaluation scoring rules and algorithm description
In practice, the security scanning engine 002 scans the computing security set 101, the storage security set 102, the network security set 103, the O&M security set 104 and the application security set 105, and the items are aggregated according to the predefined evaluation strategy into the quantitative evaluation result for the overall security of the cloud platform. The specific result is a score in the range 0 to MAX, where MAX can be, for example, 10 or 100, so that the user has a quantitative and intuitive understanding of platform security and is guided to repair the platform's security vulnerabilities in time.
(1) Establishment and maintenance of the security evaluation model
1) The security evaluation model is established by the platform software provider or a security assurance provider; specifically it is a set of security evaluation elements, e.g. P = {P1, P2, P3, P4, ..., PN}. Each set Pi corresponds to a direction or field in which the cloud platform needs security evaluation, e.g. the computing security set 101, the storage security set 102, the network security set 103, the O&M security set 104 and the application security set 105 respectively.
2) Each Pi in P corresponds to different operable security check items Pij, such as the list of vulnerabilities of server operating systems, virtual machine operating systems, containers and so on; all the security check items constitute the set Pi, Pi = {Pi1, Pi2, Pi3, ..., Pij, ..., PiM}.
3) Each check item Pij is assigned a triple [Sij, Lij, Oij] according to the specific security situation of the platform, such as whether a vulnerability exists or the danger level of the vulnerability, where Sij is the highest (fully secure) score, Lij is the vulnerability grade, and Oij is a link pointing to the method for repairing the vulnerability or improving security. Lij can be divided into multiple grades; in the simple case there are two grades, where 1 represents normal and 0 represents serious.
4) Each Pi corresponds to a score Si, and the sum of all Si is MAX (e.g. 100 or another highest score).
Si is usually a fixed value, i.e. a fixed value is preset for each direction such as computing security, storage security and network security; the Sij of each check item is then assigned according to its weight and the number of check items.
Si can also be assigned dynamically according to the number of check items it contains or the number of core security check items the system requires.
(2) Application of the security evaluation model
1) The set of cloud resources that a cloud user can access through platform authorization is defined as
UP = {UP1, UP2, UP3, UP4, ..., UPN}.
UPi corresponds one-to-one with Pi, and Pi defines the security check items to be carried out on UPi.
As shown in Fig. 4, each user's resource view is a subset of the cloud platform global resource view 3001. The view of the administrator with the highest authority is the global resource view.
2) According to the cloud platform resource view the user can access and the cloud computing platform security evaluation model, the cloud platform security scanning engine 002 checks the different security check items Pij corresponding to each resource serially or in parallel, and assigns each check item of each resource a specific score USij according to the running state of the resource.
3) As shown in Fig. 5, corresponding to the resource view the user can access, a cloud security view corresponding to the user can be formed, containing the security information of all resources the user can access. The cloud security global view 4001 is the security view of the cloud visible to the administrator, and includes the detailed scoring of every resource of the cloud platform.
4) Based on the user security view, the overall quantitative score of the cloud security visible to the user is obtained by aggregating the evaluation results of the security check items of each security evaluation element. The aggregation can use averaging, i.e. similar resources are averaged and then a weighted sum is taken; it can also be combined with a "one-vote veto" pattern, i.e. if any Pi contains a high-level vulnerability with Lij = 0, then the whole USi is 0.
T is the overall security evaluation result of the cloud platform resources the user can access.
5) The evaluation visualization module 001 shows the details and aggregated results of the quantitative security evaluation graphically, including the distribution and explanation of security vulnerabilities.
(3) Repair of security vulnerabilities
When the user chooses to repair security vulnerabilities, the repair engine 003 is invoked; it uses the repair method Oij corresponding to each security item Pij found to have a vulnerability, repairs the vulnerabilities one by one, and hardens the cloud computing platform.
1) After the cloud platform administrator or cloud user has obtained the quantitative evaluation result T for the resources they can manage, the repair engine 003 is invoked; it locates the problematic security item Pij according to the evaluation result and uses the corresponding Oij to guide the user in repairing the platform's security vulnerabilities.
2) Each Oij corresponds to a way of repairing a security vulnerability, such as downloading a patch or changing a configuration; the repair engine 003 can patch the vulnerability automatically, or guide the user through an interactive interface to change the cloud platform configuration.
3) After the repair engine 003 completes the repair, the evaluation results of each security check item of the platform are recomputed, giving a new security quantitative evaluation result.
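The scoring model of sections 3(1) and 3(2) and the repair loop of section 3(3), as an added worked example (not code from the patent or its applicant; the patent contains no code): the triple [Sij, Lij, Oij] per check item, Si as the sum of its Sij, MAX as the sum of all Si, a user's resource view UP as a subset of the administrator's global view, per-resource scores USij averaged over similar resources and summed into USi (with the optional "one-vote veto"), the total T, and a simulated repair that applies Oij and re-scores afterwards. The element and item names, the preset Si values, the scan results, the resource views and the fix:// links are all constructed for the example, and the function names are assumptions.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass, field


@dataclass
class CheckItem:
    """Security check item Pij: s_max is Sij (score when fully secure), fix is the Oij link."""
    name: str
    s_max: float
    fix: str


@dataclass
class Element:
    """Security evaluation element Pi (one direction such as compute) with its preset Si."""
    name: str
    s_total: float
    items: list = field(default_factory=list)


def build_model() -> list[Element]:
    """P = {P1, ..., PN}. Si is preset per direction and Sij is Si split evenly over the
    element's check items (the 'by weight and item count' rule with equal weights).
    Element names, item names and Si values are constructed for this example."""
    spec = {
        "compute": (45, ["host_os_patched", "vm_isolation", "container_runtime"]),
        "storage": (30, ["fs_integrity", "malware_signature_scan"]),
        "network": (25, ["open_ports", "device_config"]),
    }
    model = []
    for name, (si, item_names) in spec.items():
        sij = si / len(item_names)
        items = [CheckItem(n, sij, f"fix://{name}/{n}") for n in item_names]
        model.append(Element(name, si, items))
    return model


def max_score(model: list[Element]) -> float:
    """MAX = sum over i of Si, where Si = sum over j of Sij."""
    return sum(sum(it.s_max for it in e.items) for e in model)


# Constructed scan results: resource -> element -> item -> Lij (1 = normal, 0 = serious).
GLOBAL_SCAN = {
    "vm-01": {"compute": {"host_os_patched": 1, "vm_isolation": 1, "container_runtime": 1}},
    "vm-02": {"compute": {"host_os_patched": 0, "vm_isolation": 1, "container_runtime": 1}},
    "vol-01": {"storage": {"fs_integrity": 1, "malware_signature_scan": 1}},
    "net-core": {"network": {"open_ports": 0, "device_config": 1}},
}
# Resource views: the administrator sees the global view; a tenant's UP is a subset of it.
VIEWS = {"admin": set(GLOBAL_SCAN), "tenant-a": {"vm-01", "vm-02", "vol-01"}}


def evaluate_user(model, scan, view, veto=False):
    """Aggregate a user's cloud security view: USij = Sij * Lij per resource, similar
    resources averaged per item, items summed into USi; T = sum of USi. With
    veto=True any serious item (Lij == 0) inside Pi zeroes the whole USi."""
    us = {}
    for e in model:
        resources = [r for r in view if e.name in scan.get(r, {})]
        if not resources:  # the user owns no resource of this element
            continue
        usi, serious = 0.0, False
        for it in e.items:
            grades = [scan[r][e.name][it.name] for r in resources]
            serious = serious or 0 in grades
            usi += it.s_max * sum(grades) / len(grades)
        us[e.name] = 0.0 if (veto and serious) else usi
    return us, sum(us.values())


def failing_items(model, scan, view):
    """Every (resource, element, item, Oij) graded serious in the view: the repair list."""
    out = []
    for e in model:
        for it in e.items:
            for r in sorted(view):
                if scan.get(r, {}).get(e.name, {}).get(it.name) == 0:
                    out.append((r, e.name, it.name, it.fix))
    return out


def repair_and_rescore(model, scan, view, resource, element, item, veto=False):
    """Simulate the repair engine: apply Oij (modelled as the item becoming normal)
    on a copy of the scan and re-run the evaluation. Returns (new scan, new T)."""
    new_scan = copy.deepcopy(scan)
    new_scan[resource][element][item] = 1
    return new_scan, evaluate_user(model, new_scan, view, veto)[1]


if __name__ == "__main__":
    model = build_model()
    print("MAX =", max_score(model))
    for user, view in VIEWS.items():
        us, t = evaluate_user(model, GLOBAL_SCAN, view)
        t_veto = evaluate_user(model, GLOBAL_SCAN, view, veto=True)[1]
        print(f"{user}: USi={us} T={t} T(veto)={t_veto}")
    for finding in failing_items(model, GLOBAL_SCAN, VIEWS["tenant-a"]):
        print("repair:", finding)
```

Two points the numbers make visible: a tenant whose view contains no resource of some element simply has that element left out of its T, so a tenant's T is not comparable with the administrator's without also reporting the attainable maximum for that view; and the veto changes the meaning of T from "how much is secure" to "nothing is secure until the serious item is fixed", which is why re-scoring after each repair matters to the user.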

Claims (10)

  1. A quantitative evaluation method for cloud computing platform security, characterized in that: the method obtains cloud platform information through a cloud computing platform security quantitative evaluation unit and evaluates it quantitatively;
    The cloud computing platform security quantitative evaluation unit specifically comprises a security scanning engine and a security quantitative evaluation model;
    The security quantitative evaluation model defines, from the perspectives of a computing security set, a storage security set, a network security set, an O&M security set and an application security set, the set of security items that need to be checked and the method of quantitative evaluation;
    After the security scanning engine obtains the relevant information through the interfaces, it scans the user's computing security set, storage security set, network security set, O&M security set and application security set, checks the different security check items Pij corresponding to each resource serially or in parallel, assigns a specific score to each check item of each resource according to the running state of the resource, and aggregates the scores into the quantitative evaluation result for the overall security of the cloud platform.
  2. The method according to claim 1, characterized in that: the cloud computing platform security quantitative evaluation unit comprises a security repair engine; when the user chooses to repair security vulnerabilities, the repair engine is invoked, locates the problematic security item Pij according to the evaluation result, and uses the corresponding repair method Oij to guide the user in repairing the platform's security vulnerabilities;
    Each repair method Oij corresponds to a way of repairing a security vulnerability, including downloading a patch or changing a configuration;
    The security repair engine can patch the vulnerability automatically, or guide the user through an interactive interface to change the cloud platform configuration;
    After the repair is completed, the evaluation results of each security check item of the platform are recomputed, giving a new security quantitative evaluation result.
  3. The method according to claim 1, characterized in that:
    The computing security set includes server system security, virtual machine system security, container system security and attached expansion device security;
    The storage security set includes physical machine storage security, virtual machine storage security and network shared storage security;
    The network security set includes the network configuration, network behaviour logs and network device system information of the whole cloud platform;
    The O&M security set mainly includes management plan formulation, allocation of personnel duties and authority, and execution/delivery rate check items;
    The application security set mainly includes the access control, system log and behaviour audit information of applications.
  4. The method according to claim 2, characterized in that:
    The computing security set includes server system security, virtual machine system security, container system security and attached expansion device security;
    The storage security set includes physical machine storage security, virtual machine storage security and network shared storage security;
    The network security set includes the network configuration, network behaviour logs and network device system information of the whole cloud platform;
    The O&M security set mainly includes management plan formulation, allocation of personnel duties and authority, and execution/delivery rate check items;
    The application security set mainly includes the access control, system log and behaviour audit information of applications.
  5. The method according to claim 4, characterized in that:
    By calling the related plugins, the security scanning engine first checks the security of the file system of each storage device to ensure storage system security; it then scans each system file, comparing file feature values against the virus and Trojan signature library files, to ensure the security of each file;
    The security scanning engine checks the network configuration of the whole cloud platform item by item to determine its security, then checks the system and configuration information of each device to determine its security; it also checks the open ports and traffic usage of each device to ensure their security;
    The security scanning engine calls the operations management module of the cloud operating system/cloud management platform or a third-party O&M system to obtain information, checks the establishment and implementation status of the whole cloud platform's O&M system, and checks it against frameworks such as ITIL and ITSS;
    The security scanning engine obtains information through the API of the monitoring management module of the cloud operating system/cloud management platform 02 or of a third-party O&M application, and checks the security of a given application and the potential security threats.
  6. According to the method of any one of claims 1 to 5, characterised in that the cloud computing platform security quantitative evaluation unit comprises a model building module and a model maintenance module;
    The cloud computing platform security evaluation model is established by the model building module and maintained by the model maintenance module;
    The model is established by the platform software provider or the security assurance provider, specifically as a set of security evaluation elements P = {P1, P2, P3, P4, ..., PN}; each element Pi corresponds to a direction or field of the cloud platform that requires security evaluation, namely the compute security set, the storage security set, the network security set, the O&M security set and the application security set;
    For each Pi in the set P, a corresponding set of different executable security check items Pij is defined, including the list of vulnerabilities of the server operating system, the virtual machine operating system, containers, etc.; all security check items together constitute the set Pi = {Pi1, Pi2, Pi3, ..., Pij, ..., PiM};
    Each check item Pij is assigned a triple [Sij, Lij, Oij] according to whether the platform has the vulnerability and the vulnerability's severity level, where Sij is the highest (fully secure) score, Lij is the vulnerability grade, and Oij is a link pointing to the method for repairing the vulnerability or improving security; Lij can be divided into multiple grades; in the simple case it has two grades, with 1 representing the typical case and 0 representing a serious vulnerability;
    Each Pi corresponds to a score value Si, and the sum of all Si is the maximum score MAX;
    $S_i = \sum_{j=1}^{M} S_{ij}, \qquad MAX = \sum_{i=1}^{N} S_i$
    Si is usually a fixed value, i.e. a preset value for each of compute security, storage security, network security, O&M security and application security; the Sij of each check item is then assigned according to its weight and the number of check items;
    Si can also be assigned dynamically according to the number of check items, or the number of core security check items, that the system needs to include.
  7. According to the method of claim 6, characterised in that the cloud computing platform security quantitative evaluation unit defines the set of cloud resources that a cloud user is authorised by the platform to access as:
    UP = {UP1, UP2, UP3, UP4, ..., UPN};
    UPi corresponds one-to-one with Pi, and Pi defines the security check items to be carried out on UPi;
    The resources of each user are shown as a resource view; every such view is a subset of the cloud platform's global resource view; the view of the administrator with the highest authority is the global resource view;
    According to the resource view of the cloud platform that the user can access and the cloud computing platform security quantitative evaluation unit, the scanning engine checks, serially or in parallel, the different security check items Pij of the corresponding resources, and according to the running status of each resource assigns a specific score USij to each check item of each resource; the score USi of a security evaluation element is:
    $US_i = \sum_{j=1}^{M} US_{ij}$
    Corresponding to the resource view the user can access, a cloud security view for that user can be formed, containing the security information of all resources the user can access; the cloud security global view is the security view visible to the administrator, which contains the detailed scoring of each resource of the cloud platform; based on the user's security view, aggregating the evaluation results of the security check items of each security evaluation element yields the overall quantitative security score of the cloud visible to the user; aggregation can use averaging, i.e. similar resources are averaged and the results are then summed with weights; it can also be combined with a "one-vote veto" pattern, i.e. if any Pi contains a high-level vulnerability with Lij = 0, the whole USi is 0;
    $T = \sum_{i=1}^{N} US_i$
    T is the overall security evaluation score of the cloud platform resources the user can access.
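The scoring model of claims 6 and 7 (the triple per check item, Si and MAX, the per-resource USij averaged over similar resources, the one-vote veto, and the user total T) as a worked example in Python. This is an added illustration, not code from the patent or its assignee: the element names follow claim 6, while the check-item names, scores, remediation URLs (example.invalid placeholders) and the per-resource scan findings are constructed sample data.

```python
"""Worked example of the scoring model in claims 6 and 7.

Added illustration, not the patent's own code.  Element names follow
claim 6; check-item names, scores, links and findings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckItem:
    """Check item P_ij with the fixed parts of its triple [S_ij, L_ij, O_ij].

    max_score is S_ij (score when the item passes); link is O_ij (remediation
    guidance).  L_ij is observed per resource at scan time, so not stored here.
    """
    name: str
    max_score: int
    link: str


# Constructed model P = {P1, ..., PN}: one list of check items per element.
MODEL = {
    "compute": [
        CheckItem("hypervisor_patch_level", 10, "https://example.invalid/fix/hv-patch"),
        CheckItem("guest_os_patch_level", 10, "https://example.invalid/fix/guest-patch"),
        CheckItem("container_image_cves", 5, "https://example.invalid/fix/image-cve"),
    ],
    "storage": [
        CheckItem("filesystem_integrity", 10, "https://example.invalid/fix/fs"),
        CheckItem("malware_signature_scan", 10, "https://example.invalid/fix/av"),
    ],
    "network": [
        CheckItem("open_ports_baseline", 10, "https://example.invalid/fix/ports"),
        CheckItem("traffic_anomaly", 5, "https://example.invalid/fix/flow"),
    ],
}

# Constructed findings for one user's resource view UP: element -> resource
# -> {item name: L_ij}.  Two-grade case from claim 6: 1 = passes, 0 = severe.
USER_VIEW = {
    "compute": {
        "vm-01": {"hypervisor_patch_level": 1, "guest_os_patch_level": 1, "container_image_cves": 1},
        "vm-02": {"hypervisor_patch_level": 1, "guest_os_patch_level": 0, "container_image_cves": 1},
    },
    "storage": {"vol-01": {"filesystem_integrity": 1, "malware_signature_scan": 1}},
    "network": {"net-01": {"open_ports_baseline": 1, "traffic_anomaly": 0}},
}


def element_max(items):
    """S_i = sum over j of S_ij."""
    return sum(item.max_score for item in items)


def model_max(model):
    """MAX = sum over i of S_i."""
    return sum(element_max(items) for items in model.values())


def item_score(item, grade):
    """US_ij for one resource: S_ij scaled by the observed grade L_ij."""
    if grade not in (0, 1):
        raise ValueError(f"unsupported grade {grade!r} for {item.name}")
    return item.max_score * grade


def element_score(items, resources, veto=False):
    """US_i for element i over the resources in UP_i.

    Each resource gets the weighted sum of its item scores, then similar
    resources are averaged (claim 7).  With veto=True the one-vote-veto rule
    applies: any severe finding (L_ij = 0) zeroes the whole US_i.
    """
    if not resources:
        return 0.0
    per_resource = []
    for findings in resources.values():
        grades = [findings[item.name] for item in items]
        if veto and 0 in grades:
            return 0.0
        per_resource.append(sum(item_score(i, g) for i, g in zip(items, grades)))
    return sum(per_resource) / len(per_resource)


def total_score(model, user_view, veto=False):
    """T = sum over i of US_i, returned with MAX so T can be normalised."""
    t = sum(element_score(model[e], user_view.get(e, {}), veto) for e in model)
    return t, model_max(model)


def remediation_links(model, user_view):
    """(element, resource, item, O_ij) for every failed check, sorted."""
    failed = []
    for element, items in model.items():
        for resource, findings in user_view.get(element, {}).items():
            for item in items:
                if findings[item.name] == 0:
                    failed.append((element, resource, item.name, item.link))
    return sorted(failed)


if __name__ == "__main__":
    t, mx = total_score(MODEL, USER_VIEW)
    print(f"T = {t} of MAX = {mx}")                                   # T = 50.0 of MAX = 60
    print("with one-vote veto:", total_score(MODEL, USER_VIEW, veto=True)[0])  # 20.0
    for row in remediation_links(MODEL, USER_VIEW):
        print("fix:", *row)
```

Note the effect of the veto on the same findings: without it the user's compute element still scores 20 of 25 because the healthy vm-01 is averaged against vm-02, whereas the veto drops both compute and network to 0 as soon as one resource carries a grade-0 finding. Which behaviour is appropriate depends on whether the score is meant to rank tenants or to gate them, and the remediation links (O_ij) are what turn a low score into work items.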
  8. According to the method of claim 7, characterised in that the computing platform security quantitative evaluation unit is inserted as an independent plug-in or module into the cloud operating system, the cloud management platform or third-party software in order to obtain the relevant information.
  9. According to the method of claim 7, characterised in that the cloud computing platform security quantitative evaluation unit comprises an evaluation visualisation module that shows the details and aggregated results of the quantitative security evaluation graphically, including the distribution and explanation of security vulnerabilities.
  10. According to the method of claim 8, characterised in that the cloud computing platform security quantitative evaluation unit comprises an evaluation visualisation module that shows the details and aggregated results of the quantitative security evaluation graphically, including the distribution and explanation of security vulnerabilities.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710980250.XA CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security
PCT/CN2017/109496 WO2019075795A1 (en) 2017-10-19 2017-11-06 Method for evaluating security of cloud computing platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710980250.XA CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security

Publications (2)

Publication Number Publication Date
CN107733895A true CN107733895A (en) 2018-02-23
CN107733895B CN107733895B (en) 2020-09-29

Family

ID=61212195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710980250.XA Active CN107733895B (en) 2017-10-19 2017-10-19 Quantitative evaluation method for cloud computing platform security

Country Status (2)

Country Link
CN (1) CN107733895B (en)
WO (1) WO2019075795A1 (en)


Also Published As

Publication number Publication date
WO2019075795A1 (en) 2019-04-25
CN107733895B (en) 2020-09-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 523808 19th floor, Cloud Computing Center, Chinese Academy of Sciences, No.1 Kehui Road, Songshanhu high tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: G-CLOUD TECHNOLOGY Co.,Ltd.

Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province

Patentee before: G-CLOUD TECHNOLOGY Co.,Ltd.