CN110427759B - Network resource browsing control method and system supporting service security mark - Google Patents

Publication number: CN110427759B
Authority: CN (China)
Prior art keywords: browser, mark, service, network resource, service security
Legal status: Active
Application number: CN201910536550.8A
Other languages: Chinese (zh)
Other versions: CN110427759A (en)
Inventors: 于海波, 臧文羽, 刘坤颖, 祁峰, 孙永
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS
Priority to: CN201910536550.8A
Publication of CN110427759A
Application granted
Publication of CN110427759B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a network resource browsing control method and system supporting service security marks. The method comprises the following steps: 1) configuring a service security mark for the browser to indicate the browser's service security attributes; the browser's service security mark comprises the security level and service category of the browser; 2) for each resource request message sent by the browser, converting the browser's service security mark into a service security mark for the resource request message and adding it to the corresponding application layer protocol, to indicate the service security attributes of the requesting subject; 3) after receiving the network resource returned in response to the resource request message, the browser identifies the service security mark of the network resource, which comprises the security level and service category of the network resource; the browser then performs a matching check between its own service security mark and that of the network resource; if the check passes, the browser is allowed to browse the network resource, and otherwise the browsing operation is refused.

Description

Network resource browsing control method and system supporting service security mark
Technical Field
The invention relates to a network resource browsing control method and system supporting service security marks. It supports browsing control of network resources based on service security marks and belongs to the field of computer information security.
Background
The browser is a basic, core component for accessing network resources and has an important influence on the security of the network resources and service systems shared by network users. Current browsers do not support efficient access control over requested network resources according to the security requirements of the service, cannot prevent a user from exceeding their authority and browsing network resources outside the scope of their service authorization, and do not support restricting the user's operations in the browser according to the operation control requirements of the network resources. To address this network resource management and control problem, the invention provides a network resource browsing control method and system supporting service security marks, so that the browser can manage and control network resource access and operations according to service security requirements, improving the security of network resource and service sharing.
Disclosure of Invention
The invention aims to provide a network resource browsing control method supporting service security marks. It addresses the problem that current browsers cannot be configured with service security attributes and cannot control browsing and operations on network resources according to those attributes. With the invention, the browser can be configured with its own service security mark, add a service security mark to resource request messages, identify the service security mark of a network resource, and decide whether to allow the resource to be browsed or related operations to be executed by performing a matching check between the browser's service security mark and that of the resource.
In order to achieve the above object, the present invention provides a network resource browsing control method supporting service security marks, which comprises the following steps:
Step 1: Configure the browser's service security mark. A service security mark configuration management module is added to the existing browser. It is used to configure the browser's service security mark, which indicates the security level, service category and other service security attributes of the browser. The service security mark can be configured by administrators, or configured automatically after the configuration management module obtains the service security mark of the computing environment.
Step 2: Generate the service security mark of the resource request message. A mark generation module is added to the existing browser. For each resource request message sent by the browser, it converts the browser's service security mark into a service security mark for the resource request message and adds the mark to the corresponding application layer protocol, to indicate service security attributes of the requesting subject such as its security level and service category.
Step 3: Identify the service security mark of the network resource. A resource mark identification module is added to the existing browser. After the browser receives the requested network resource, the module identifies the resource's service security mark, which indicates service security attributes of the network resource such as its security level and service category.
Step 4: Control browsing and operations based on the service security marks. A browsing control module is added to the existing browser. It performs a matching check between the browser's service security mark and the network resource's service security mark. If the check passes, the browser is allowed to browse and perform other operations on the network resource; otherwise, it refuses to execute any operation.
Preset information 1: Accessed information objects, such as remote network resources and local attachments to be uploaded, carry service security marks that indicate service security attributes of the information object such as its security level, service category, environmental requirements and operation control requirements.
Preset information 2: System objects, such as the operating system and processes, carry service security marks that indicate the security level, service category and other service security attributes of the system object.
The browser mainly comprises 4 modules: a mark configuration management module, a mark generation module, a mark identification module and a browsing control module.
Mark configuration management module: used to configure the browser's service security mark. The service security mark of the environment (such as the operating system or the running process) can be read and used as the browser's service security mark, or the browser's service security mark can be configured by administrators.
Mark generation module: used to generate the service security mark of the resource request message. For example, the browser's service security mark can be used as the service security mark of the resource request and added to the request message.
Mark identification module: used to identify the service security mark of a network resource. For example, the service security mark identifying the network resource is read from the application layer protocol header of the network resource.
Browsing control module: performs a matching check between the service security marks of the browser and the related resource, controls browsing of the network resource, and determines whether to display and use (such as download or print) the network resource, or whether to allow related files to be uploaded. For example, if the browser's service security mark matches the network resource's service security mark, the browser may receive and display the network resource; otherwise, the browser refuses to receive it. If the browser can receive a network resource but the resource's service security mark indicates that printing or downloading is forbidden, the browser refuses to let the user print or download it.
Compared with the prior art, the invention has the following positive effects:
From the perspective of network resource sharing and service security, the invention gives the browser the ability to support service security marks and to control network resources. By identifying the service security mark of a network resource, the browser efficiently enforces access control over received network resources, prevents users from exceeding their authority and browsing network resources outside the scope of their service authorization, and restricts the operations users may perform on a network resource according to the operation control requirements in the resource's service security mark, greatly improving the security of network resource and service sharing.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, and it should be understood that the embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention.
The flow of the method is shown in FIG. 1 and comprises the following steps:
1. Service security mark configuration
The service security mark $M$ is a tuple containing several service security attributes, $M = \langle C, G, F \rangle$, where $C$ is the security level; $G$ is a set of service security attributes $g_i$, $G = \{g_1, g_2, \ldots, g_n\}$, where each $g_i$ may be a service category, work group, role, environmental requirement and so on; and $F$ is a set of operation control attributes $f_j$, $F = \{f_1, f_2, \ldots, f_m\}$, where each $f_j$ may be download control, printing control, burning control, copy control and so on.
The service security mark of an information object (resource) such as data is recorded as $M(r) = \langle C_r, G_r, F_r \rangle$, and the service security mark of a system object (subject) such as an application, service or process is recorded as $M(o) = \langle C_o, G_o \rangle$. There are two possible relationships between the subject mark $M(o)$ and the resource mark $M(r)$: dominance and incomparability. The mark $M(o)$ dominates the mark $M(r)$ when $C_o \ge C_r$ and
Figure BDA0002101324920000032
We write $M(o) \ge M(r)$, meaning that the subject can dominate the object. If there is no dominance relationship between $M(o)$ and $M(r)$, they are incomparable, and the subject has no right to dominate the object. If
Figure BDA0002101324920000033
the subject should restrict the corresponding operations on the resource according to the specific operation control attributes $f_j$ contained in the mark.
Following this abstract definition, the service security mark set for the browser as a system object is recorded as $M(w) = \langle C_w, G_w \rangle$. It indicates the security level, service category and other service security attributes of the browser. The browser can read the service security mark of its environment (for example, the operating system or the running process) and use it as its own service security mark, or its service security mark can be configured directly.
2. Generating the service security mark of messages such as resource requests: when the browser initiates a network resource request, the browser's service security mark $M(w)$ is converted into the service security mark of the network resource request message, recorded as $M(req)$, which indicates service security attributes of the requesting subject such as its security level and service category. $M(req)$ is added to the outgoing application layer protocol message.
3. Identifying the service security mark of a network resource: when the browser receives the network resource response message, it identifies the service security mark $M(r)$ of the response message. For example, the service security mark $M(r)$ is read and identified from the application layer protocol of the network resource.
4. Browsing and operation control based on the service security mark: the browser performs a matching check on $M(w)$ and $M(r)$. If the matching succeeds, the browser accepts the network resource and browses it; if the matching fails, it refuses to accept the network resource and handles the failure accordingly. If
Figure BDA0002101324920000031
the browser should restrict the corresponding operations on the network resource according to the specific operation control attributes $f_j$ in $M(r)$.
The matching rule is as follows: if $M(w) \ge M(r)$, the matching succeeds; otherwise, it fails.
5. Service security mark check for resources to be uploaded: when a user uploads resources such as files through the browser, the browser identifies the service security mark $M(f)$ of the resource and performs a matching check on $M(w)$ and $M(f)$. If the matching succeeds, the browser allows the upload; otherwise, it refuses the operation.
The matching rule is as follows: if $M(w) \ge M(f)$, the matching succeeds; otherwise, it fails.
6. Behavior audit based on the service security mark: the browser's requests, responses and related operation behavior are audited, including browser resource requests and network resource operations. For example, if the browser's service security mark is incomparable with the network resource's service security mark, an alert should be generated.
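The following sketch walks steps 2 to 6 above as an added example; it is not code from the patent. The header name `X-Service-Security-Mark`, the `level`/`groups`/`ops` encoding, the `no-*` flag names, the reading of the image-only dominance condition as $G_r \subseteq G_o$, and failing closed on an unmarked resource are all assumptions made for illustration.

```javascript
'use strict';
// Added illustration; not code from the patent. ASSUMPTION marks choices the page leaves open.

// ASSUMPTION: hypothetical text encoding of a mark inside an application-layer header, e.g.
//   X-Service-Security-Mark: level=2; groups=finance,audit; ops=no-print
const KNOWN_FIELDS = new Set(['level', 'groups', 'ops']);

function parseMark(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const fields = new Map();
  for (const part of value.split(';')) {
    if (part.trim() === '') continue;
    const eq = part.indexOf('=');
    if (eq < 0) return null;
    const key = part.slice(0, eq).trim().toLowerCase();
    // Unknown or repeated fields could hide a restriction, so reject the whole mark.
    if (!KNOWN_FIELDS.has(key) || fields.has(key)) return null;
    fields.set(key, part.slice(eq + 1).trim());
  }
  const level = fields.get('level');
  if (level === undefined || !/^\d+$/.test(level)) return null;
  const asSet = (k) => new Set(
    (fields.get(k) || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
  return { level: Number(level), groups: asSet('groups'), ops: asSet('ops') };
}

// Step 2: M(req) is derived from M(w) and attached to the outgoing request.
function requestMark(browserMark) {
  return `level=${browserMark.level}; groups=${[...browserMark.groups].join(',')}`;
}

// M(o) >= M(r). The page states C_o >= C_r in text; the condition on G survives only as a
// formula image. ASSUMPTION: it is taken here to be "G_r is a subset of G_o".
function dominates(subject, resource) {
  if (subject.level < resource.level) return false;
  for (const g of resource.groups) if (!subject.groups.has(g)) return false;
  return true;
}

// ASSUMPTION: hypothetical flag names for the operation control attributes f_j.
const OP_FLAGS = new Map([
  ['download', 'no-download'], ['print', 'no-print'], ['burn', 'no-burn'], ['copy', 'no-copy'],
]);
const BASE_OPS = new Set(['browse', 'upload']); // gated by dominance alone (steps 4 and 5)

// Steps 3 to 6: identify M(r) (or M(f) for an upload), match it against M(w),
// apply F_r, and record the decision for audit.
function checkAccess(browserMark, resourceHeader, operation, auditLog) {
  const resourceMark = parseMark(resourceHeader);
  let decision;
  if (!BASE_OPS.has(operation) && !OP_FLAGS.has(operation)) {
    decision = { allow: false, reason: 'unknown-operation', alert: false };
  } else if (resourceMark === null) {
    // ASSUMPTION: fail closed on an unmarked or malformed resource.
    decision = { allow: false, reason: 'missing-or-malformed-mark', alert: true };
  } else if (!dominates(browserMark, resourceMark)) {
    decision = { allow: false, reason: 'not-dominated', alert: true }; // step 6 alert
  } else if (resourceMark.ops.has(OP_FLAGS.get(operation))) {
    decision = { allow: false, reason: 'operation-restricted', alert: false };
  } else {
    decision = { allow: true, reason: 'ok', alert: false };
  }
  auditLog.push({ operation, resource: resourceHeader, ...decision });
  return decision;
}

// Constructed sample: a browser cleared to level 2 for the finance and audit groups.
const demoBrowser = { level: 2, groups: new Set(['finance', 'audit']), ops: new Set() };
const demoAudit = [];
for (const [hdr, op] of [
  ['level=1; groups=finance; ops=no-print', 'browse'],
  ['level=1; groups=finance; ops=no-print', 'print'],
  ['level=1; groups=hr', 'browse'],
]) {
  console.log(op, JSON.stringify(hdr), checkAccess(demoBrowser, hdr, op, demoAudit).reason);
}
```

A resource whose groups are not all held by the browser is refused even when its level is lower, which is the incomparable case that step 6 says should raise an alert.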
Although specific details of the invention, algorithms and figures are disclosed for illustrative purposes, these are intended to aid in the understanding of the contents of the invention and the implementation in accordance therewith, as will be appreciated by those skilled in the art: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed herein, but rather should be defined only by the scope of the appended claims.

Claims (9)

1. A network resource browsing control method supporting service security marks, comprising the following steps:
1) configuring a service security mark for the browser to indicate the browser's service security attributes; the browser's service security mark comprises the security level and service category of the browser;
2) for a resource request message sent by the browser, converting the browser's service security mark into a service security mark for the resource request message, adding it to the corresponding application layer protocol, and thereby indicating the service security attributes of the requesting subject;
3) after receiving the network resource returned in response to the resource request message, the browser identifies the service security mark of the network resource; the service security mark of the network resource comprises the security level, service category and operation control of the network resource; the browser then performs a matching check between its own service security mark and that of the network resource; if the check passes, the browser is allowed to browse the network resource, and otherwise the browser is refused any operation on the network resource.
2. The method of claim 1, wherein the browser's service security mark is configured by an administrator, or is configured automatically after the mark configuration management module obtains the service security attribute information of the computing environment in which the browser is located.
3. The method of claim 1, wherein the browser's operations on the received network resource are constrained by the operation control attributes of the network resource's service security mark; the operation control includes download control, print control, burning control or copy control.
4. The method of claim 1, wherein the browser's requests, responses and related operation behavior are audited.
5. The method of claim 1, wherein when the browser uploads a resource, the service security mark of the resource to be uploaded is identified, a matching check is then performed between the browser's service security mark and that of the resource to be uploaded, and if the check passes, the resource is allowed to be uploaded through the browser.
6. A network resource browsing control system supporting service security marks, characterized by comprising a mark configuration management module, a mark generation module, a mark identification module and a browsing control module; wherein
the mark configuration management module is used to configure a service security mark for the browser to indicate the browser's service security attributes; the browser's service security mark comprises the security level and service category of the browser;
the mark generation module is used to convert the browser's service security mark into a service security mark for the resource request message, add it to the corresponding application layer protocol, and thereby indicate the service security attributes of the requesting subject;
the mark identification module is used to identify the service security mark of the network resource; the service security mark of the network resource comprises the security level, service category and operation control of the network resource;
and the browsing control module is used to perform a matching check between the browser's service security mark and that of the network resource; if the check passes, the browser is allowed to browse the network resource, and otherwise the browser is refused any operation on the network resource.
7. The system of claim 6, wherein the operation control comprises download control, print control, burning control or copy control.
8. The system of claim 6, wherein the browsing control module performs operation control on the network resource by performing a matching check between the service security marks of the browser and the related resource to determine whether the network resource may be operated on.
9. The system of claim 6, wherein the mark configuration management module configures the browser's service security mark according to the service security mark of the environment in which the browser is located, or configures the browser's service security mark directly.
CN201910536550.8A 2019-06-20 2019-06-20 Network resource browsing control method and system supporting service security mark Active CN110427759B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910536550.8A CN110427759B (en) 2019-06-20 2019-06-20 Network resource browsing control method and system supporting service security mark

Publications (2)

Publication Number | Publication Date
CN110427759A | 2019-11-08
CN110427759B (en) | 2021-04-20

Family

ID=68408799

Country Status (1)

Country Link
CN (1) CN110427759B (en)

Also Published As

Publication number Publication date
CN110427759A (en) 2019-11-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant