CN110298178B - Trusted policy learning method and device and trusted security management platform - Google Patents

Info

Publication number
CN110298178B
Authority
CN
China
Prior art keywords
access behavior
behavior
historical access
dimensional space
trusted
Legal status
Active
Application number
CN201910605616.4A
Other languages
Chinese (zh)
Other versions
CN110298178A (en)
Inventor
孙瑜
洪宇
田文慧
Current Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a trusted policy learning method and device and a trusted security management platform. The method comprises the following steps: obtaining historical access behavior data of a target application program, wherein the historical access behavior data comprises at least one historical access behavior; extracting the behavior features of each historical access behavior, wherein the behavior features comprise an operation feature indicating the operation executed by a subject on an object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior; respectively mapping the behavior features of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space indicates the behavior features of one historical access behavior; and acquiring a trusted policy corresponding to the target application program based on the four-dimensional space.

Description

Trusted policy learning method and device and trusted security management platform
Technical Field
The invention relates to the technical field of trusted management, in particular to a trusted policy learning method and device and a trusted security management platform.
Background
In the related art, trusted computing performs trusted measurement according to a trusted policy. At present the trusted policy is usually configured manually by a security administrator based on his or her own knowledge of the access behavior of an application program, and when the trusted policy needs to be updated, it is again configured manually by the security administrator. A manually configured trusted policy therefore depends heavily on the administrator's subjective understanding; since that understanding of an application's access behavior may be one-sided, the configuration accuracy of the trusted policy is low, and because the administrator must spend a long time analyzing the application's access behavior, the configuration efficiency of the trusted policy is low as well. In addition, because trusted policy updates are performed manually by the security administrator, updates are also inefficient.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a trusted policy learning method and device and a trusted security management platform, which are used for at least solving the technical problem of low configuration accuracy caused by the fact that a security administrator manually configures a trusted policy in the related technology.
According to an aspect of an embodiment of the present invention, there is provided a trusted policy learning method, including: obtaining historical access behavior data of a target application program, wherein the historical access behavior data comprises at least one historical access behavior; extracting the behavior features of each historical access behavior, wherein the behavior features comprise an operation feature indicating the operation executed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior; respectively mapping the behavior features of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space indicates the behavior features of one historical access behavior; and acquiring a trusted policy corresponding to the target application program based on the four-dimensional space.
Optionally, after obtaining the trusted policy corresponding to the target application based on the four-dimensional space, the learning method further includes: calculating the center point and the variance value of all the points in the four-dimensional space; receiving new access behavior data, wherein the new access behavior data comprises at least one new access behavior; mapping the new access behavior into the four-dimensional space to determine a new behavior point, and calculating the distance value between the new behavior point and the center point; if the distance value is smaller than the variance value, determining that the new access behavior is normal; and if the distance value is greater than or equal to the variance value, determining that the new access behavior is abnormal.
Optionally, after determining that the new access behavior is normal, the learning method further includes: performing trajectory convergence on the new access behavior to determine a local subspace corresponding to the normal access behavior of the target application program, wherein the local subspace is a subspace of the four-dimensional space.
Optionally, obtaining the trusted policy corresponding to the target application based on the four-dimensional space includes: acquiring a policy conversion rule; and converting each point in the four-dimensional space into the trusted policy based on the policy conversion rule.
According to another aspect of the embodiments of the present invention, there is also provided a trusted policy learning apparatus, including: a first obtaining unit, configured to obtain historical access behavior data of a target application, where the historical access behavior data includes at least one historical access behavior; an extracting unit, configured to extract the behavior features of each historical access behavior, where the behavior features include an operation feature indicating the operation executed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior; a mapping unit, configured to map the behavior features of each historical access behavior into a four-dimensional space, where one point in the four-dimensional space indicates the behavior features of one historical access behavior; and a second obtaining unit, configured to obtain the trusted policy corresponding to the target application program based on the four-dimensional space.
Optionally, the learning apparatus further comprises: a calculating unit, configured to calculate the center point and the variance value of all the points in the four-dimensional space after the trusted policy corresponding to the target application program has been obtained based on the four-dimensional space; a receiving unit, configured to receive new access behavior data, where the new access behavior data includes at least one new access behavior; a first determining unit, configured to map the new access behavior into the four-dimensional space to determine a new behavior point, and to calculate the distance value between the new behavior point and the center point; a second determining unit, configured to determine that the new access behavior is normal when the distance value is smaller than the variance value; and a third determining unit, configured to determine that the new access behavior is abnormal when the distance value is greater than or equal to the variance value.
Optionally, the learning apparatus further comprises: a fourth determining unit, configured to perform trajectory convergence on the new access behavior after it has been determined to be normal, so as to determine a local subspace corresponding to the normal access behavior of the target application program, wherein the local subspace is a subspace of the four-dimensional space.
Optionally, the second obtaining unit includes: an acquisition module, configured to acquire the policy conversion rule; and a conversion module, configured to convert each point in the four-dimensional space into the trusted policy based on the policy conversion rule.
According to another aspect of the embodiments of the present invention, there is also provided a trusted security management platform, including a memory and a processor coupled with the memory, the memory and the processor communicating over a bus system; the memory stores a program which, when executed by the processor, controls the device in which the memory is located to execute any one of the above trusted policy learning methods, and the processor executes that program.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes to perform any one of the above-mentioned trust policy learning methods.
In the embodiment of the present invention, historical access behavior data of a target application program is obtained, where the historical access behavior data includes at least one historical access behavior; the behavior features of each historical access behavior are then extracted, where the behavior features include the operation feature, the time feature, the object feature and the caller feature defined above; the behavior features of each historical access behavior are respectively mapped into a four-dimensional space, where one point in the four-dimensional space indicates the behavior features of one historical access behavior; and finally a trusted policy corresponding to the target application program is obtained based on the four-dimensional space. In this embodiment, the trusted policy corresponding to the application program can be learned automatically by performing feature extraction and feature mapping on the historical access behavior data of the target application program, so the security administrator does not need to configure the trusted policy manually; because the trusted security management platform learns the policy automatically, the learned trusted policy is more accurate and more comprehensive, which solves the technical problem in the related art that a trusted policy configured manually by the security administrator has low configuration accuracy.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow diagram of an alternative trusted policy learning method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an alternative trusted policy learning apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To facilitate the understanding of the present invention, some terms or nouns related to the embodiments of the present invention are explained below:
TCM: trusted cryptographic module, a hardware module of the trusted computing platform that provides cryptographic operation functions for the platform and has a protected storage space.
TPCM: trusted platform control module, a hardware core module integrated in the trusted computing platform for establishing and guaranteeing the root of trust, and providing integrity measurement, secure storage, trusted reporting and cryptographic service functions for trusted computing.
TSB: trusted software base, the collection of software elements that support the trustworthiness of a trusted computing platform.
The execution body of the trusted policy learning method in each embodiment of the invention is a trusted security management platform. The trusted security management platform supports and maintains a plurality of trusted computing platforms. Each trusted computing platform comprises a computing subsystem and a protection subsystem running in parallel: the computing subsystem completes computing tasks, and the protection subsystem actively measures the computing subsystem according to the trusted policy. The trusted computing platform is responsible for collecting the access behavior data of application programs and reporting it to the trusted security management platform.
The trusted computing platforms described above may include, but are not limited to: tablets, mobile terminals, PCs, iPads, servers and so on. Different immune trusted policies must be formulated for different business applications and user scenarios. Trusted policy learning automatically learns the behavior trajectory of a node from the behavior features of its historical access behaviors over a period of time, converts the behavior trajectory into a trusted policy described in a policy language, and provides the trusted policy to the system security administrator for editing and maintenance. After active measurement is performed with the trusted policy, it is determined whether the policy's security protection of the trusted computing platform is comprehensive and accurate, so that the trusted policy conformity of each trusted computing platform exceeds a preset conformity value.
According to the embodiment of the invention, a trusted policy learning method is designed: after a trusted computing platform (TSB, or TPCM + TSB) is deployed, the historical access behavior data of an application program can be statistically summarized, a trusted policy corresponding to the application program is learned automatically, and the generation efficiency of the trusted policy is improved; the trusted policy can then be updated iteratively, so that its conformity with the business application's behavior keeps improving and the accuracy of the trusted policy is ensured.
In accordance with an embodiment of the present invention, there is provided a trust policy learning method embodiment, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flowchart of an alternative trusted policy learning method according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
step S102, obtaining historical access behavior data of the target application program, wherein the historical access behavior data comprises: at least one historical access behavior;
step S104, extracting the behavior features of each historical access behavior, wherein the behavior features comprise: an operation feature indicating the operation executed by a subject on an object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior;
step S106, respectively mapping the behavior features of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space indicates the behavior features of one historical access behavior;
step S108, acquiring a trusted policy corresponding to the target application program based on the four-dimensional space.
Through the above steps, historical access behavior data of the target application program is obtained, where the historical access behavior data includes at least one historical access behavior; the behavior features of each historical access behavior are then extracted, where the behavior features include the operation feature, the time feature, the object feature and the caller feature defined in step S104; the behavior features of each historical access behavior are respectively mapped into a four-dimensional space, where one point in the four-dimensional space indicates the behavior features of one historical access behavior; and finally a trusted policy corresponding to the target application program is obtained based on the four-dimensional space. In this embodiment, the trusted policy corresponding to the application program can be learned automatically by performing feature extraction and feature mapping on the historical access behavior data of the target application program, so the security administrator does not need to configure the trusted policy manually; because the trusted security management platform learns the policy automatically, the learned trusted policy is more accurate and more comprehensive, which solves the technical problem in the related art that a trusted policy configured manually by the security administrator has low configuration accuracy.
The above steps will be described in detail below.
Step S102, obtaining historical access behavior data of the target application program, wherein the historical access behavior data comprises: at least one historical access behavior.
Each trusted computing platform can record the access behaviors of users on each application program. One application program is selected as the target application program, and the historical access behavior data of the target application program serves as the data for trusted policy learning.
Such historical access behaviors include, but are not limited to: read operations, write operations, copy operations, paste operations and naming operations, among others.
Step S104, extracting the behavior features of each historical access behavior, wherein the behavior features comprise: an operation feature indicating the operation executed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior.
Each historical access behavior corresponds to these four behavior features, namely: the operation performed by the subject on the object, the object accessed, the working time of the subject, and the caller of the subject. Each of the four behavior features forms a corresponding feature set.
The subject may include, but is not limited to, an application program; the object may include, but is not limited to, a file (including a file directory and file contents), for example a Word document, a PowerPoint presentation, an Excel spreadsheet or another file.
The operation feature includes, but is not limited to: read, write, execute, copy and cut operations. The time feature includes, but is not limited to: the subject's working interval, working start time and working end time. The object feature includes, but is not limited to: all objects accessed by the subject, represented by their full paths.
The access space of the target application program can be constructed through the four features, and the access space can be a four-dimensional space.
And step S106, respectively mapping the behavior characteristics of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space is used for indicating the behavior characteristics of one historical access behavior.
That is, the four behavior characteristics are mapped to a four-dimensional space, where the four dimensions are operation, time, object and caller, and each access corresponds to a point in the corresponding space.
And S108, acquiring a credible strategy corresponding to the target application program based on the four-dimensional space.
Optionally, obtaining the trusted policy corresponding to the target application based on the four-dimensional space includes: acquiring a policy conversion rule; and converting each point in the four-dimensional space into a trusted policy based on the policy conversion rule.
That is, the trusted policy of the target application program is determined through the four-dimensional space. The policy conversion rule may be understood as the usage rule of the application program in a business scenario: the usage rule of the target application program is analyzed to obtain the standard system behavior of the application program when executing a specific business in that scenario, and the standard system behavior is converted into a trusted policy.
As an optional embodiment of the present invention, after obtaining the trusted policy corresponding to the target application based on the four-dimensional space, the learning method further includes: calculating the center point and the variance value of all the points in the four-dimensional space; receiving new access behavior data, wherein the new access behavior data comprises at least one new access behavior; mapping the new access behavior into the four-dimensional space to determine a new behavior point, and calculating the distance value between the new behavior point and the center point; if the distance value is smaller than the variance value, determining that the new access behavior is normal; and if the distance value is greater than or equal to the variance value, determining that the new access behavior is abnormal.
In other words, the behavior features of the historical access behaviors are converted into points in the four-dimensional space, and the center point and variance of those points are calculated; when a new access behavior appears, that is, a new point in the space, the distance between that point and the center is calculated, and the point is considered normal if the distance is smaller than the variance and abnormal otherwise.
In the embodiment of the present invention, the weight of each dimension of the four-dimensional space is set according to the importance of the corresponding behavior feature: in general the weights of the operation feature and the object feature may be set higher, and the weights of the time feature and the caller feature lower. The weight of each dimension should be taken into account when calculating the center point and variance value of all the points in the four-dimensional space and the distance value between a new behavior point and the center point, so as to obtain the corresponding values.
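The pipeline of steps S102 to S108, the policy conversion rule, and the center-and-variance check above, worked through as an added example in Python. This is editor-supplied illustration code, not code from the patent or its assignee. The record format, the encoding of each dimension, the dimension weights, the policy output format and the multiplier k on the dispersion threshold are all assumptions. The patent does not say how the categorical dimensions (operation, object, caller) become coordinates; here the learned center holds the set of values observed on each categorical dimension, a value never observed contributes a full unit of distance on that dimension, and time is encoded as hour of day with a circular difference. The spread is the root-mean-square distance of the history from the center (a standard deviation), since the page compares a distance against its "variance value" without fixing the units.

```python
# Added illustration (not the patent's code): learn a trusted policy for one
# subject from its historical access records, then check new records against
# the learned center and spread. Record format, dimension encodings, weights,
# the k multiplier and the policy output format are assumptions.
import math

# Constructed sample: historical access records of one application, in a
# format assumed for the protection subsystem's reports.
SUBJECT = "/usr/bin/report-gen"
HISTORY = [
    {"operation": "read",  "time": "09:00", "object": "/etc/report/config.ini",  "caller": "/usr/sbin/cron"},
    {"operation": "read",  "time": "09:10", "object": "/etc/report/config.ini",  "caller": "/usr/sbin/cron"},
    {"operation": "write", "time": "09:20", "object": "/var/log/report/run.log", "caller": "/usr/sbin/cron"},
    {"operation": "read",  "time": "09:30", "object": "/etc/report/config.ini",  "caller": "/usr/sbin/cron"},
    {"operation": "write", "time": "09:40", "object": "/var/log/report/run.log", "caller": "/usr/sbin/cron"},
]

# Operation and object weighted higher than time and caller, as the patent
# suggests; the actual numbers are an assumption.
WEIGHTS = {"operation": 2.0, "time": 0.5, "object": 2.0, "caller": 0.5}
CATEGORICAL = ("operation", "object", "caller")


def extract_features(rec):
    """Step S104: one access record -> one point in the four-dimensional space."""
    hour, minute = rec["time"].split(":")
    return {"operation": rec["operation"], "time": int(hour) + int(minute) / 60.0,
            "object": rec["object"], "caller": rec["caller"]}


def time_distance(a, b):
    """Circular hour-of-day difference, scaled so that 12 h apart equals 1."""
    d = abs(a - b) % 24.0
    return min(d, 24.0 - d) / 12.0


def learn_center(points):
    """Center: the set of observed values per categorical dimension, mean time."""
    center = {dim: {p[dim] for p in points} for dim in CATEGORICAL}
    center["time"] = sum(p["time"] for p in points) / len(points)
    return center


def point_distance(point, center):
    """Weighted distance from a point to the center. A categorical value that
    was never observed contributes a full unit on its dimension, an observed
    value contributes nothing; time contributes its circular difference."""
    total = 0.0
    for dim in CATEGORICAL:
        mismatch = 0.0 if point[dim] in center[dim] else 1.0
        total += WEIGHTS[dim] * mismatch ** 2
    total += WEIGHTS["time"] * time_distance(point["time"], center["time"]) ** 2
    return math.sqrt(total)


def learn_spread(points, center):
    """Spread: root-mean-square distance of the history from its center."""
    return math.sqrt(sum(point_distance(p, center) ** 2 for p in points) / len(points))


def classify(rec, center, spread, k=3.0):
    """Normal when the new point lies within k * spread of the center; k = 1
    is the page's rule of comparing the distance directly against the spread."""
    return "normal" if point_distance(extract_features(rec), center) < k * spread else "abnormal"


def to_policy(points, subject):
    """Step S108 with an assumed policy conversion rule: one allow rule per
    (operation, object) pair, carrying the callers seen and the time window."""
    rules = {}
    for p in points:
        rule = rules.setdefault((p["operation"], p["object"]),
                                {"callers": set(), "start": p["time"], "end": p["time"]})
        rule["callers"].add(p["caller"])
        rule["start"] = min(rule["start"], p["time"])
        rule["end"] = max(rule["end"], p["time"])
    return [{"subject": subject, "operation": op, "object": obj,
             "callers": sorted(r["callers"]), "window": (r["start"], r["end"])}
            for (op, obj), r in sorted(rules.items())]


if __name__ == "__main__":
    points = [extract_features(r) for r in HISTORY]
    center = learn_center(points)
    spread = learn_spread(points, center)
    for rule in to_policy(points, SUBJECT):
        print(rule)
    # An unseen object reached from an unseen caller: far from the center.
    probe = {"operation": "write", "time": "09:15", "object": "/etc/passwd", "caller": "/bin/bash"}
    print(classify(probe, center, spread))
```

Two caveats a deployment would run into. First, with k = 1 (the page's rule, the distance compared directly against the spread), a record that repeats a learned pattern but falls 30 minutes from the mean time is already flagged, because the spread of a tight training set is very small; a multiplier, or the time window carried in the converted policy, has to absorb legitimate variation. Second, a plain centroid (the mode per dimension) cannot represent an application that both reads its configuration and writes its log: half of its own history would sit far from the mode and be flagged. That is why this example keeps an observed-value set per categorical dimension, and why the page's later trajectory-convergence step into local subspaces matters for real workloads.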
In another optional embodiment of the present invention, after determining that the new access behavior is normal, the learning method further comprises: performing trajectory convergence on the new access behavior to determine a local subspace corresponding to the normal access behavior of the target application program, wherein the local subspace is a subspace of the four-dimensional space. The local subspace corresponding to the normal access behavior can be determined by trajectory convergence of the new access behaviors, for example by means of a local theorem or the like.
Through this embodiment, the historical access behavior data of the application program can be analyzed inductively: the behavior features of each historical access behavior are obtained by analysis and then mapped into the application program's four-dimensional space; the four-dimensional space can be understood as the trusted policy obtained by learning, and whether a new access behavior is abnormal can be judged by means of the four-dimensional space.
Fig. 2 is a schematic diagram of an alternative trusted policy learning apparatus according to an embodiment of the present invention, as shown in fig. 2, the learning apparatus may include: a first obtaining unit 21, an extracting unit 23, a mapping unit 25, a second obtaining unit 27, wherein,
a first obtaining unit 21, configured to obtain historical access behavior data of a target application, where the historical access behavior data includes: at least one historical access behavior;
an extracting unit 23, configured to extract the behavior features of each historical access behavior, where the behavior features include: an operation feature indicating the operation executed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, and a caller feature indicating the other application program that called the subject in the historical access behavior;
a mapping unit 25, configured to map the behavior feature of each historical access behavior into a four-dimensional space, where one of the points in the four-dimensional space is used to indicate the behavior feature of one of the historical access behaviors;
and a second obtaining unit 27, configured to obtain a trust policy corresponding to the target application based on the four-dimensional space.
The above trusted policy learning apparatus may acquire, by the first acquiring unit 21, historical access behavior data of the target application, where the historical access behavior data includes: at least one historical access behavior, and then extracting behavior characteristics of each historical access behavior through the extracting unit 23, wherein the behavior characteristics include: the operation characteristics for indicating the operation performed by the subject on the object in the historical access behavior, the time characteristics for indicating the occurrence time of the historical access behavior, the object characteristics for indicating the object accessed by the subject in the historical access behavior, and the caller characteristics for indicating that the subject in the historical access behavior is called by other applications are respectively mapped into a four-dimensional space by the mapping unit 25, wherein one point in the four-dimensional space is used for indicating the behavior characteristics of one of the historical access behaviors, and finally, the trust policy corresponding to the target application can be obtained by the second obtaining unit 27 based on the four-dimensional space. In the embodiment, the credible strategy corresponding to the application program can be automatically learned by performing feature extraction and feature mapping on the historical access behavior data of the target application program, a security administrator does not need to manually configure the credible strategy, and the credible strategy can be obtained by learning more accurately and comprehensively through automatic learning of the credible security management platform, so that the technical problems that the credible strategy is manually configured by the security administrator and the configuration accuracy is low in the related technology are solved.
Optionally, the learning apparatus further comprises: a computing unit configured to compute, after the trusted policy corresponding to the target application has been obtained from the four-dimensional space, the central point and the variance value of all points in the space; a receiving unit configured to receive new access behavior data comprising at least one new access behavior; a first determining unit configured to map the new access behavior into the four-dimensional space to obtain a new behavior point and to compute the distance between that point and the central point; a second determining unit configured to determine that the new access behavior is normal when the distance is smaller than the variance value; and a third determining unit configured to determine that the new access behavior is abnormal when the distance is greater than or equal to the variance value.
In an embodiment of the present invention, the learning apparatus further comprises a fourth determining unit configured to perform track convergence on the new access behavior after it has been determined to be normal, so as to determine a local subspace corresponding to the normal access behavior of the target application, the local subspace being a subspace of the four-dimensional space.
Optionally, the second obtaining unit comprises an acquisition module configured to acquire a policy conversion rule, and a conversion module configured to convert each point in the four-dimensional space into the trusted policy based on that rule.
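The pipeline the description lays out (feature extraction, mapping into a four-dimensional space, conversion of the points into a trusted policy, central point and variance, distance check on new behavior, track convergence to a local subspace), which claims 1 to 3 below recite in the same order, as an added Python example; this is not code from the patent or its assignee. The patent leaves several details open, so the example makes labelled assumptions: categorical features (operation, object, caller) are coded as integers in order of first appearance, the policy conversion rule is "every observed (operation, object, caller) triple is a standard system behavior, allowed within the hour window it was observed in", and track convergence is taken as the bounding box of the normal points. The history records, file paths and caller names are constructed. Two caveats a practitioner would want: the description compares a Euclidean distance with a variance, which has squared units, so the `use_std` flag also offers the standard deviation (the variance's square root) as the dimensionally consistent threshold; and a distance-to-centroid test is coarse, so the example includes a never-observed combination (a write to the configuration file invoked by cron) that passes the distance check yet is denied by the exact policy.

```python
# Added example of the pipeline in the description; not code from the patent
# or its assignee. Open details (coordinate encoding, the policy conversion
# rule, 'track convergence') are assumptions and marked as such below.
import math
from collections import namedtuple

# Constructed history for one target application; paths and caller names are
# illustrative. Field order: operation, hour of day, object (file), caller.
HISTORY = [
    ("read", 9, "/data/invoices.db", "cron"),
    ("write", 10, "/data/invoices.db", "cron"),
    ("read", 9, "/etc/billing.conf", "systemd"),
    ("read", 11, "/data/invoices.db", "cron"),
    ("write", 11, "/data/invoices.db", "cron"),
    ("read", 10, "/etc/billing.conf", "systemd"),
]

# The four behaviour features: operation performed on the object, hour the
# access occurred, object (file) accessed, application that invoked the subject.
Behaviour = namedtuple("Behaviour", "operation hour obj caller")
# A trusted-policy rule: an allowed (operation, object, caller) triple and the
# inclusive (earliest, latest) hour window in which it was observed.
PolicyRule = namedtuple("PolicyRule", "operation obj caller hours")
Model = namedtuple("Model", "space policy centroid variance subspace")

def extract_features(record):
    """Extracting unit: pull the four features out of one raw record."""
    operation, hour, obj, caller = record
    return Behaviour(operation, int(hour), obj, caller)

class FourDimSpace:
    """Mapping unit. Assumption: categorical values become integer codes in
    order of first appearance, the hour is used as-is, and a value never seen
    in the history gets the next free code so it lands away from the learned
    points. Integer codes make Euclidean distance depend on an arbitrary
    ordering, which is why the exact policy check below is the real gate."""
    def __init__(self):
        self.vocab = {"operation": {}, "obj": {}, "caller": {}}
    def _code(self, axis, value, learn):
        table = self.vocab[axis]
        if value not in table:
            if not learn:
                return float(len(table))
            table[value] = len(table)
        return float(table[value])
    def map(self, b, learn=False):
        return (self._code("operation", b.operation, learn), float(b.hour),
                self._code("obj", b.obj, learn), self._code("caller", b.caller, learn))

def convert_to_policy(behaviours):
    """Second obtaining unit. Assumed conversion rule: each (operation, object,
    caller) triple seen in the history is a standard system behaviour of the
    application and is allowed inside the hour window it was observed in."""
    windows = {}
    for b in behaviours:
        key = (b.operation, b.obj, b.caller)
        lo, hi = windows.get(key, (b.hour, b.hour))
        windows[key] = (min(lo, b.hour), max(hi, b.hour))
    return [PolicyRule(*key, hours) for key, hours in sorted(windows.items())]

def policy_allows(policy, b):
    """Exact check of a behaviour against the learned trusted policy."""
    return any(r.operation == b.operation and r.obj == b.obj and r.caller == b.caller
               and r.hours[0] <= b.hour <= r.hours[1] for r in policy)

def euclid(p, q):
    return math.sqrt(sum((a - c) ** 2 for a, c in zip(p, q)))

def centroid_and_variance(points):
    """Computing unit: the central point of all points and the mean squared
    distance to it (the 'variance value' the distance is compared with)."""
    n = len(points)
    centroid = tuple(sum(p[i] for p in points) / n for i in range(4))
    return centroid, sum(euclid(p, centroid) ** 2 for p in points) / n

def local_subspace(points):
    """Fourth determining unit. Assumption: 'track convergence' yields the
    axis-aligned bounding box of the normal points."""
    return tuple((min(p[i] for p in points), max(p[i] for p in points)) for i in range(4))

def learn(history):
    """Run the learning pipeline over historical access behaviour records."""
    space = FourDimSpace()
    behaviours = [extract_features(r) for r in history]
    points = [space.map(b, learn=True) for b in behaviours]
    centroid, variance = centroid_and_variance(points)
    return Model(space, convert_to_policy(behaviours), centroid, variance, local_subspace(points))

def score(model, record, use_std=False):
    """Receiving and determining units. Returns (distance_normal, policy_allows).
    The description thresholds the distance at the variance; use_std=True uses
    its square root, which has the same units as the distance."""
    b = extract_features(record)
    threshold = math.sqrt(model.variance) if use_std else model.variance
    return euclid(model.space.map(b), model.centroid) < threshold, policy_allows(model.policy, b)
```

Calling `learn(HISTORY)` and then `score(model, record)` on `("write", 10, "/etc/billing.conf", "cron")` returns `(True, False)`: the point lies within the variance of the centroid (and within one standard deviation), yet no learned rule allows cron to write the configuration file. On the constructed history the learned variance is 4/3, so the distance test alone would only flag behavior that is far off in the hour axis or uses a never-seen object or caller; the converted policy is what carries the precise allow list that a protection subsystem would enforce.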
The above trusted policy learning apparatus may further comprise a processor and a memory. The first obtaining unit 21, the extracting unit 23, the mapping unit 25, the second obtaining unit 27 and so on are stored in the memory as program units, and the processor executes those program units to implement the corresponding functions.
The processor comprises one or more cores, and a core fetches the corresponding program unit from the memory. The trusted policy corresponding to the target application is obtained from the four-dimensional space by adjusting the core parameters.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory; the memory includes at least one memory chip.
According to another aspect of the embodiments of the present invention, a trusted security management platform is also provided, comprising a memory and a processor coupled to the memory, the memory and the processor communicating over a bus system. The memory stores a program which, when executed by the processor, controls the device in which the memory is located to perform any one of the above trusted policy learning methods, and the processor runs that program.
According to another aspect of the embodiments of the present invention, a processor is also provided, configured to run a program which, when running, performs any one of the above trusted policy learning methods.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention. Those skilled in the art may make various modifications and refinements without departing from the principle of the present invention, and such modifications and refinements also fall within the protection scope of the present invention.

Claims (8)

1. A trusted policy learning method applied to a trusted security management platform, the trusted security management platform supporting and maintaining a plurality of trusted computing platforms, each trusted computing platform comprising a computing subsystem and a protection subsystem operating in parallel, the computing subsystem completing computing tasks, the protection subsystem performing active measurement of the computing subsystem according to a trusted policy, and the trusted computing platform collecting access behavior data of application programs, the method comprising the following steps:
obtaining historical access behavior data of a target application program, wherein the historical access behavior data comprises: at least one historical access behavior;
extracting behavior features of each historical access behavior, wherein the behavior features comprise: an operation feature indicating the operation performed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, or a caller feature indicating that the subject was invoked by another application program in the historical access behavior, wherein the subject comprises an application program and the object comprises a file;
mapping the behavior features of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space indicates the behavior features of one historical access behavior;
obtaining a trusted policy corresponding to the target application program based on the four-dimensional space, comprising: acquiring a policy conversion rule; and converting each point in the four-dimensional space into the trusted policy based on the policy conversion rule, wherein the policy conversion rule is a usage rule of the application program in a business scenario, and the usage rule of the target application program is analyzed to obtain the standard system behavior of the target application program when executing a specific business in the business scenario, so that the standard system behavior is converted into the trusted policy.
2. The method of claim 1, wherein after obtaining the trusted policy corresponding to the target application program based on the four-dimensional space, the learning method further comprises:
calculating the central point and the variance value of all points in the four-dimensional space;
receiving new access behavior data, wherein the new access behavior data comprises: at least one new access behavior;
mapping the new access behavior to the four-dimensional space to determine a new behavior point, and calculating a distance value between the new behavior point and the central point;
if the distance value is smaller than the variance value, determining that the new access behavior is normal;
and if the distance value is greater than or equal to the variance value, determining that the new access behavior is abnormal.
3. The method of claim 2, wherein after determining that the new access behavior is normal, the learning method further comprises:
and carrying out track convergence on the new access behavior to determine a local subspace corresponding to the normal access behavior of the target application program, wherein the local subspace is a subspace of the four-dimensional space.
4. A trusted policy learning apparatus applied to a trusted security management platform, the trusted security management platform supporting and maintaining a plurality of trusted computing platforms, each trusted computing platform comprising a computing subsystem and a protection subsystem operating in parallel, the computing subsystem completing computing tasks, the protection subsystem performing active measurement of the computing subsystem according to a trusted policy, and the trusted computing platform collecting access behavior data of application programs, the apparatus comprising:
a first obtaining unit, configured to obtain historical access behavior data of a target application, where the historical access behavior data includes: at least one historical access behavior;
an extracting unit, configured to extract behavior features of each historical access behavior, wherein the behavior features comprise: an operation feature indicating the operation performed by the subject on the object in the historical access behavior, a time feature indicating the occurrence time of the historical access behavior, an object feature indicating the object accessed by the subject in the historical access behavior, or a caller feature indicating that the subject was invoked by another application program in the historical access behavior, wherein the subject comprises an application program and the object comprises a file;
a mapping unit, configured to map the behavior features of each historical access behavior into a four-dimensional space, wherein one point in the four-dimensional space indicates the behavior features of one historical access behavior; and a second obtaining unit, configured to obtain a trusted policy corresponding to the target application program based on the four-dimensional space, wherein the second obtaining unit comprises: an acquisition module configured to acquire a policy conversion rule; and a conversion module configured to convert each point in the four-dimensional space into the trusted policy based on the policy conversion rule, wherein the policy conversion rule is a usage rule of the application program in a business scenario, and the usage rule of the target application program is analyzed to obtain the standard system behavior of the target application program when executing a specific business in the business scenario, so that the standard system behavior is converted into the trusted policy.
5. The apparatus according to claim 4, wherein the learning apparatus further comprises:
a calculation unit, configured to calculate the central point and the variance value of all points in the four-dimensional space after the trusted policy corresponding to the target application program has been obtained based on the four-dimensional space;
a receiving unit, configured to receive new access behavior data, where the new access behavior data includes: at least one new access behavior;
a first determining unit, configured to map the new access behavior to the four-dimensional space to determine a new behavior point, and calculate a distance value between the new behavior point and the central point;
a second determining unit, configured to determine that the new access behavior is normal when the distance value is smaller than the variance value;
a third determining unit, configured to determine that the new access behavior is abnormal when the distance value is greater than or equal to the variance value.
6. The apparatus according to claim 5, wherein the learning apparatus further comprises:
a fourth determining unit, configured to perform track convergence on the new access behavior after it is determined to be normal, so as to determine a local subspace corresponding to the normal access behavior of the target application program, wherein the local subspace is a subspace of the four-dimensional space.
7. A trusted security management platform, comprising:
a memory, a processor coupled with the memory, the memory and the processor communicating over a bus system;
the memory is used for storing a program, wherein the program when executed by the processor controls the device in which the memory is located to execute the trusted policy learning method according to any one of claims 1 to 3,
the processor is configured to execute a program, wherein the program executes the trusted policy learning method according to any one of claims 1 to 3.
8. A processor configured to run a program, wherein the program when running performs the trusted policy learning method of any one of claims 1 to 3.
CN201910605616.4A 2019-07-05 2019-07-05 Trusted policy learning method and device and trusted security management platform Active CN110298178B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910605616.4A CN110298178B (en) 2019-07-05 2019-07-05 Trusted policy learning method and device and trusted security management platform

Publications (2)

Publication Number Publication Date
CN110298178A CN110298178A (en) 2019-10-01
CN110298178B true CN110298178B (en) 2021-07-27

Family

ID=68030512

Country Status (1)

Country Link
CN (1) CN110298178B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111897768B (en) * 2020-06-28 2024-02-02 北京可信华泰信息技术有限公司 Configuration method and device of object access policy
CN111901146B (en) * 2020-06-28 2023-07-18 北京可信华泰信息技术有限公司 Object access control method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894239A (en) * 2010-08-12 2010-11-24 武汉大学 Method and system for auditing and distributing sensitive data based on evolution strategy
CN107657171A (en) * 2017-09-11 2018-02-02 郑州云海信息技术有限公司 A kind of method in SSR centralized management platform management application programs
CN108021823A (en) * 2017-12-04 2018-05-11 北京元心科技有限公司 Method, device and terminal for seamlessly running application program based on trusted execution environment
CN109560984A (en) * 2018-11-13 2019-04-02 苏宁易购集团股份有限公司 A kind of network service response time method for detecting abnormality and device
CN109842628A (en) * 2018-12-13 2019-06-04 成都亚信网络安全产业技术研究院有限公司 A kind of anomaly detection method and device
CN109861970A (en) * 2018-12-18 2019-06-07 北京可信华泰信息技术有限公司 A kind of system based on credible strategy

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297435B (en) * 2013-06-06 2016-12-28 中国科学院信息工程研究所 A kind of abnormal access behavioral value method and system based on WEB daily record
US10108791B1 (en) * 2015-03-19 2018-10-23 Amazon Technologies, Inc. Authentication and fraud detection based on user behavior
CN105426760B (en) * 2015-11-05 2018-04-06 工业和信息化部电信研究院 A kind of detection method and device of Android malicious application
CN109583161B (en) * 2018-11-27 2021-08-06 咪咕文化科技有限公司 Information processing method and device and storage medium
CN109753345A (en) * 2018-12-18 2019-05-14 北京可信华泰信息技术有限公司 A kind of method for managing security under cloud environment
CN109753803A (en) * 2018-12-18 2019-05-14 北京可信华泰信息技术有限公司 A kind of secure virtual machine management system
CN109933503A (en) * 2019-02-13 2019-06-25 平安科技(深圳)有限公司 User's operation risk factor determines method, apparatus and storage medium, server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Trust-Based Scheduling Strategy for Workflow Applications in Cloud Environment;Yuli Yang等;《2013 Eighth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing》;20131030;第316-320页 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant