CN111897768B - Configuration method and device of object access policy - Google Patents


Info

Publication number: CN111897768B
Authority: CN (China)
Prior art keywords: policy, terminal, strategy, access, target
Legal status: Active
Application number: CN202010600255.7A
Other languages: Chinese (zh)
Other versions: CN111897768A (en)
Inventors: 孙瑜, 何成成, 王伟, 夏攀, 王大海, 谢恩泽
Current assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Events: application filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD; priority to CN202010600255.7A; publication of CN111897768A; application granted; publication of CN111897768B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/11 File system administration, e.g. details of archiving or snapshots
    • G06F 16/122 File system administration, e.g. details of archiving or snapshots, using management policies
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, where protection concerns the structure of data, e.g. records, types, queries
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]


Abstract

The application relates to a method and a device for configuring an object access policy. The method comprises the following steps: sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction instructs the first terminal to acquire a target control policy from a trusted management server, the target control policy indicates the control operation to be performed on a behavior that accesses a target object, the target control policy is generated by a first policy learning process executed on a second terminal, and the first policy learning process learns a first access log of the target object on the second terminal; when a policy acquisition request sent by the first terminal is received, responding to the policy acquisition request by sending the target control policy to the first terminal; and receiving policy validation information sent by the first terminal, wherein the policy validation information confirms that the target control policy has taken effect on the first terminal. The method and the device solve the technical problem that configuring object access policies in the related art is inefficient.

Description

Configuration method and device of object access policy
Technical Field
The present invention relates to the field of computers, and in particular, to a method and apparatus for configuring an object access policy.
Background
In the field of trusted computing, a trusted management server configures control policies for individual terminals in order to control access operations on objects held on those terminals. At present the trusted management server selects the configuration contents item by item for each terminal and pushes them to that terminal, which is inefficient.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The application provides a method and a device for configuring an object access policy, so as to at least solve the technical problem that configuring object access policies in the related art is inefficient.
According to an aspect of the embodiments of the present application, there is provided a method for configuring an object access policy, including:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction instructs the first terminal to acquire a target control policy from a trusted management server, the target control policy indicates the control operation to be performed on a behavior that accesses a target object, the target control policy is generated by a first policy learning process executed on a second terminal, the first policy learning process learns a first access log of the target object on the second terminal, and the first access log records the control operations performed on access behaviors of the target object;
when a policy acquisition request sent by the first terminal is received, responding to the policy acquisition request by sending the target control policy to the first terminal;
and receiving policy validation information sent by the first terminal, wherein the policy validation information confirms that the target control policy has taken effect on the first terminal.
Optionally, sending the policy acquisition instruction to the first terminal includes:
determining one or more terminals, wherein the one or more terminals comprise the first terminal;
determining a first policy template corresponding to the one or more terminals;
generating the target control policy from the first policy template;
and sending the policy acquisition instruction to the one or more terminals, wherein the policy acquisition instruction instructs the one or more terminals to acquire the target control policy from the trusted management server.
Optionally, the target control policy includes a control policy belonging to a first type and a control policy belonging to a second type, wherein the control policy belonging to the first type specifies the access terminals that have access privileges to the target object, and the control policy belonging to the second type prevents tampering with the target object.
Optionally, after sending the policy acquisition instruction to the first terminal, the method further comprises:
sending a start instruction to the first terminal, wherein the start instruction instructs the first terminal to start a second policy learning process;
acquiring a second access log reported by the first terminal during the second policy learning process, wherein the second access log is generated by matching the target access behaviors executed on the first terminal against the target control policy;
sending a close instruction to the first terminal, wherein the close instruction instructs the first terminal to close the second policy learning process;
and, once it is confirmed that the first terminal has closed the second policy learning process, generating a second policy template from the second access log, wherein the second policy template is used to generate a control policy.
Optionally, generating the second policy template from the second access log includes:
generating an object control policy corresponding to the second access log;
acquiring a policy template identifier, wherein the policy template identifier uniquely identifies the second policy template;
and generating the second policy template from the policy template identifier and the object control policy.
Optionally, generating the second policy template from the policy template identifier and the object control policy includes:
determining whether the policy template identifier duplicates an identifier stored in a database and whether the policy template identifier is empty;
if the policy template identifier does not duplicate any identifier stored in the database and is not empty, determining whether the object control policy duplicates a control policy stored in the database;
and if it is determined that the object control policy does not duplicate any control policy stored in the database, generating the second policy template from the policy template identifier and the object control policy.
Optionally, after receiving the policy validation information sent by the first terminal, the method further includes:
obtaining an audit log reported by the first terminal, wherein the audit log is generated when the target control policy controls target access behaviors executed on the first terminal;
and storing the audit log.
According to another aspect of the embodiments of the present application, there is also provided an apparatus for configuring an object access policy, including:
a first sending module, configured to send a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction instructs the first terminal to acquire a target control policy from a trusted management server, the target control policy indicates the control operation to be performed on a behavior that accesses a target object, the target control policy is generated by a first policy learning process executed on a second terminal, the first policy learning process learns a first access log of the target object on the second terminal, and the first access log records the control operations performed on access behaviors of the target object;
a second sending module, configured to respond to a policy acquisition request sent by the first terminal by sending the target control policy to the first terminal;
and a first receiving module, configured to receive policy validation information sent by the first terminal, wherein the policy validation information confirms that the target control policy has taken effect on the first terminal.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that when executed performs the above-described method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the method described above by the computer program.
In the embodiments of the application, a policy acquisition instruction is sent to a first terminal, wherein the policy acquisition instruction instructs the first terminal to acquire a target control policy from a trusted management server, the target control policy indicates the control operation to be performed on a behavior that accesses a target object, the target control policy is generated by a first policy learning process executed on a second terminal, the first policy learning process learns a first access log of the target object on the second terminal, and the first access log records the control operations performed on access behaviors of the target object; when a policy acquisition request sent by the first terminal is received, the request is answered by sending the target control policy to the first terminal; and policy validation information sent by the first terminal is received, wherein the policy validation information confirms that the target control policy has taken effect on the first terminal. Because the target control policy is generated by a first policy learning process that runs on the second terminal and learns the control policy of the target object there, and is then configured onto first terminals other than the second terminal, the first terminal can control the behavior of accessing the target object by executing the target control policy once it has taken effect. The repeated selection work otherwise needed to choose a control policy is avoided, object access control policies are configured rapidly, the configuration efficiency of object access policies is improved, and the technical problem of low configuration efficiency in the related art is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of a hardware environment of a method of configuring an object access policy according to an embodiment of the present application;
FIG. 2 is a flow chart of an alternative method of configuration of an object access policy according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a configuration process of a policy template according to an alternative embodiment of the present application;
FIG. 4 is a schematic diagram of a backup process for access logs according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a configuration process of another policy template according to an alternative embodiment of the present application;
FIG. 6 is a flow chart of an alternative method of controlling object access according to an embodiment of the present application;
FIG. 7 is a schematic illustration of a control strategy validation process according to an alternative embodiment of the present application;
FIG. 8 is a schematic diagram of a strategy learning process according to an alternative embodiment of the present application;
FIG. 9 is a schematic diagram of a process of accessing behavior according to an alternative embodiment of the present application;
FIG. 10 is a schematic diagram of an alternative configuration arrangement of object access policies according to an embodiment of the application;
FIG. 11 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the solution of the present application better understood by those skilled in the art, the following description is made in detail with reference to the accompanying drawings in the embodiments of the present application. It is apparent that the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments herein without inventive effort fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Alternatively, in the present embodiment, FIG. 1 is a schematic diagram of a hardware environment of a configuration method of an object access policy according to an embodiment of the present application, and the configuration method described above may be applied to the hardware environment constituted by the terminal 101 and the server 103 shown in FIG. 1. As shown in FIG. 1, the server 103 is connected to the terminal 101 through a network and may provide services (such as game services, application services, etc.) to the terminal or to clients installed on the terminal; a database, located on the server or independent of it, may provide data storage services to the server 103. The network includes, but is not limited to, a wide area network, a metropolitan area network, or a local area network. The server 103 may be, but is not limited to, a management center that manages the object access control policies on the terminal 101, including their configuration, pruning, startup, shutdown, and so on. The terminal 101 is not limited to a PC, cell phone, tablet, or the like. The method for configuring the object access policy in the embodiment of the present application may be performed by the server 103, by the terminal 101, or by the server 103 and the terminal 101 together. When the terminal 101 executes the configuration method of the object access policy according to the embodiment of the present application, the method may also be executed by a client installed on it.
According to an aspect of the embodiments of the present application, an embodiment of a method for configuring an object access policy is provided. FIG. 2 is a flow chart of an alternative method of configuring an object access policy according to an embodiment of the application. As shown in FIG. 2, the method may include the following steps:
step S202, a policy acquisition instruction is sent to a first terminal, wherein the policy acquisition instruction instructs the first terminal to acquire a target control policy from a trusted management server, the target control policy indicates the control operation to be performed on a behavior that accesses a target object, the target control policy is generated by a first policy learning process executed on a second terminal, the first policy learning process learns a first access log of the target object on the second terminal, and the first access log records the control operations performed on access behaviors of the target object;
step S204, when a policy acquisition request sent by the first terminal is received, the policy acquisition request is answered by sending the target control policy to the first terminal;
step S206, policy validation information sent by the first terminal is received, wherein the policy validation information confirms that the target control policy has taken effect on the first terminal.
Through steps S202 to S206, the target control policy is generated by the first policy learning process executed on the second terminal, which learns the control policy of the target object on the second terminal, and is then configured onto the first terminal, a terminal other than the second terminal. Once the target control policy has taken effect on the first terminal, the first terminal controls the behavior of accessing the target object by executing the target control policy. This avoids the repeated operations otherwise needed to select a control policy, allows object access control policies to be configured quickly, improves the configuration efficiency of object access policies, and thereby solves the technical problem of low configuration efficiency in the related art.
Alternatively, in the present embodiment, the method of configuring the above-described object access policy may be, but is not limited to, performed by the above-described server 103.
In the technical solution provided in step S202, the target object may include, but is not limited to: files, folders, packets (e.g., network packets, local packets), applications, applets, etc.
Optionally, in this embodiment, the target control policy controls the operations that access the target object. The behavior of accessing the target object may include, but is not limited to: read-write behavior (operations such as reading and writing), destructive behavior (operations such as deleting and modifying), query behavior, and so on.
Optionally, in this embodiment, the target control policy is generated by a first policy learning process executed on the second terminal, where the first policy learning process learns a first access log of the target object on the second terminal, and the first access log records the control operations performed on access behaviors of the target object. When the first policy learning process is executed on the second terminal and learns the first access log of the target object there, a target control policy corresponding to that learning process can be generated. The generated target control policy can then be configured onto terminals other than the second terminal, such as the first terminal, so that the first terminal can control the operations that access the target object.
Alternatively, in the present embodiment, the trusted management server may notify the first terminal to acquire the target control policy by means of, but not limited to, a heartbeat message.
In the technical solution provided in step S204, after the first terminal has received the policy acquisition instruction and knows that the target control policy is to be acquired, the trusted management server may provide the target control policy to the first terminal in a manner that includes, but is not limited to, answering a request sent by the first terminal. For example: the first terminal sends a policy acquisition request to the trusted management server to request the target control policy, the trusted management server provides the target control policy to the first terminal in response to that request, and the first terminal thereby acquires the target control policy.
In the technical solution provided in step S206, the trusted management server confirms that the target control policy is validated at the first terminal by receiving policy validation information sent by the first terminal.
Optionally, in this embodiment, after the target control policy takes effect on the first terminal, the trusted management server may also collect a second access log and an audit log uploaded by the first terminal, and so on.
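The three-step exchange of steps S202 to S206, with the policy acquisition instruction carried on a heartbeat, followed by the first terminal controlling access behaviors with the two policy types and reporting its audit log, as an added simulation that is not part of the patent; the message field names, the policy encoding (a whitelist of terminal ids for the first type, an anti-tamper flag for the second) and all sample values are assumptions.

```python
"""Simulated policy configuration exchange (steps S202 to S206) between a
trusted management server and a terminal, plus terminal-side control of
access behaviours. Added example: field names and encoding are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TargetControlPolicy:
    policy_id: str
    target_object: str
    # First type (optional): terminals with access privileges to the object.
    access_whitelist: Optional[Set[str]] = None
    # Second type (always present): prevent tampering with the object.
    anti_tamper: bool = True

    def decide(self, requester: str, behaviour: str) -> str:
        if self.access_whitelist is not None and requester not in self.access_whitelist:
            return "deny"
        # Destructive behaviours named in the description: delete, modify.
        if self.anti_tamper and behaviour in {"delete", "modify"}:
            return "deny"
        return "allow"


@dataclass
class TrustedManagementServer:
    policies: Dict[str, TargetControlPolicy]
    validated: Dict[str, str] = field(default_factory=dict)  # terminal -> policy
    audit_logs: List[Tuple] = field(default_factory=list)

    def heartbeat(self, policy_id: str) -> dict:
        """S202: the policy acquisition instruction rides on a heartbeat."""
        return {"type": "policy_acquire_instruction", "policy_id": policy_id}

    def handle_request(self, request: dict) -> dict:
        """S204: answer the terminal's policy acquisition request."""
        policy = self.policies.get(request.get("policy_id", ""))
        if request.get("type") != "policy_acquire_request" or policy is None:
            return {"type": "error", "reason": "unknown policy"}
        return {"type": "policy", "policy": policy}

    def handle_validation(self, terminal_id: str, info: dict) -> None:
        """S206: record that the policy has taken effect on the terminal."""
        if info.get("type") == "policy_validated":
            self.validated[terminal_id] = info["policy_id"]

    def collect_audit(self, terminal_id: str, entries: List[Tuple]) -> None:
        self.audit_logs.extend((terminal_id,) + e for e in entries)


@dataclass
class Terminal:
    terminal_id: str
    policy: Optional[TargetControlPolicy] = None
    audit_log: List[Tuple] = field(default_factory=list)

    def configure(self, server: TrustedManagementServer, policy_id: str) -> bool:
        """Run the three-step exchange; True once the policy has taken effect."""
        instruction = server.heartbeat(policy_id)
        if instruction.get("type") != "policy_acquire_instruction":
            return False
        reply = server.handle_request(
            {"type": "policy_acquire_request", "policy_id": instruction["policy_id"]}
        )
        if reply.get("type") != "policy":
            return False
        self.policy = reply["policy"]  # the policy takes effect locally
        server.handle_validation(
            self.terminal_id, {"type": "policy_validated", "policy_id": self.policy.policy_id}
        )
        return True

    def access(self, requester: str, behaviour: str) -> str:
        """Control one access behaviour with the configured policy and log it."""
        if self.policy is None:
            return "deny"  # nothing configured yet: fail closed
        decision = self.policy.decide(requester, behaviour)
        self.audit_log.append((requester, self.policy.target_object, behaviour, decision))
        return decision


def demo() -> dict:
    """Configure a learned policy onto a first terminal and exercise it."""
    # Constructed policy, standing in for one learned on a second terminal.
    policy = TargetControlPolicy("tmpl-001", "/etc/app.conf", {"term-A", "term-B"})
    server = TrustedManagementServer(policies={policy.policy_id: policy})
    term_b = Terminal("term-B")
    results = {
        "configured": term_b.configure(server, "tmpl-001"),
        "validated": server.validated.get("term-B"),
        "read_whitelisted": term_b.access("term-A", "read"),
        "delete_whitelisted": term_b.access("term-A", "delete"),
        "read_unlisted": term_b.access("term-Z", "read"),
    }
    server.collect_audit(term_b.terminal_id, term_b.audit_log)
    results["audit_entries"] = len(server.audit_logs)
    return results
```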
As an alternative embodiment, sending the policy acquisition instruction to the first terminal comprises:
S11, determining one or more terminals, wherein the one or more terminals comprise the first terminal;
S12, determining a first policy template corresponding to the one or more terminals;
S13, generating the target control policy from the first policy template;
and S14, sending the policy acquisition instruction to the one or more terminals, wherein the policy acquisition instruction instructs the one or more terminals to acquire the target control policy from the trusted management server.
Alternatively, in this embodiment, more than one terminal and more than one policy template for configuring the control policy may be selected at a time, for example: the target control policy is configured onto a plurality of terminals, a plurality of policy templates is configured onto one terminal, or a plurality of policy templates is configured onto a plurality of terminals, and so on.
Optionally, in this embodiment, the target control policy includes a control policy belonging to a first type and a control policy belonging to a second type, wherein the control policy belonging to the first type specifies the access terminals that have access privileges to the target object, and the control policy belonging to the second type prevents tampering with the target object.
Optionally, in this embodiment, the target object may include, but is not limited to, a target file, that is, the target control policy controls operations on the target file. The manner of control may include, but is not limited to: setting the control policy of the first type, which specifies the access terminals with access privileges to the target file, as an access whitelist, and setting the control policy of the second type, which prevents tampering with the target file.
Optionally, in this embodiment, the control policy belonging to the second type is always included in the target control policy so as to protect the target object, whereas the control policy belonging to the first type is optional and may or may not be included in the target control policy.
As an alternative embodiment, after sending the policy acquisition instruction to the first terminal, the method further includes:
S21, sending a start instruction to the first terminal, wherein the start instruction instructs the first terminal to start a second policy learning process;
S22, acquiring a second access log reported by the first terminal during the second policy learning process, wherein the second access log is generated by matching the target access behaviors executed on the first terminal against the target control policy;
S23, sending a close instruction to the first terminal, wherein the close instruction instructs the first terminal to close the second policy learning process;
and S24, once it is confirmed that the first terminal has closed the second policy learning process, generating a second policy template from the second access log, wherein the second policy template is used to generate a control policy.
Alternatively, in this embodiment, the trusted management server may generate the second policy template by directing the first terminal to perform the second policy learning process, and the second policy template may be, but is not limited to being, used to generate control policies.
Optionally, in this embodiment, the trusted management server instructs the first terminal to start or close the second policy learning process by sending instruction messages, and collects the second access log that the first terminal generates while performing the second policy learning process, so that the second policy template can be generated on the trusted management server. While performing the second policy learning process the first terminal is in policy learning mode.
In an alternative embodiment, a configuration process for a policy template is provided. FIG. 3 is a schematic diagram of a configuration process of a policy template according to an alternative embodiment of the present application. As shown in FIG. 3, a terminal (optionally several) and a policy template (optionally several) are selected on the trusted management server; the trusted management server generates a control policy from the selected policy template and creates a policy acquisition instruction; the terminal is notified by heartbeat to acquire the control policy; the control policy is provided to the terminal in response to the policy acquisition request it sends; and, after the policy has taken effect on the terminal, the access log reported by the terminal is received. The selected policy template and the access log reported by the terminal can be written into the database.
Optionally, in this embodiment, the trusted management server may back up the second access log it obtains from the first terminal. FIG. 4 is a schematic diagram of a backup process for access logs according to an embodiment of the present application. As shown in FIG. 4, the configuration file is read to obtain the number of days for which log files are retained; within the retention period the logs are backed up in the early morning of each day; whether storage space is sufficient is determined, and if so, the logs are backed up to a local sql file. If storage space is insufficient, the disk space is checked regularly and a space warning is raised to prompt the administrator, who frees space manually.
As an alternative embodiment, generating the second policy template from the second access log comprises:
S31, generating an object control policy corresponding to the second access log;
S32, acquiring a policy template identifier, wherein the policy template identifier uniquely identifies the second policy template;
and S33, generating the second policy template from the policy template identifier and the object control policy.
Alternatively, in this embodiment, the policy template identifier uniquely identifies the second policy template and may take the form of a template name, a template number, or the like.
Alternatively, in this embodiment, the object control policy may include, but is not limited to, protection of a directory or a file.
As an alternative embodiment, generating the second policy template with the policy template identification and the object control policy comprises:
S41, determining whether the policy template identifier duplicates an identifier stored in the database and whether the policy template identifier is empty;
S42, when the policy template identifier does not duplicate an identifier stored in the database and is not empty, determining whether the object control policy duplicates a control policy stored in the database;
S43, when it is determined that the object control policy does not duplicate a control policy stored in the database, generating the second policy template from the policy template identifier and the object control policy.
Optionally, in this embodiment, the template identifier configured for the policy template must be neither duplicated nor null, so that it uniquely identifies the policy template.
Optionally, in this embodiment, the object control policy generated from the second access log must not duplicate a control policy already stored in the database.
In an alternative embodiment, another policy template configuration process is provided. Fig. 5 is a schematic diagram of another policy template configuration process according to an alternative embodiment of the present application. As shown in fig. 5, a protection directory or file is input on the trusted management server together with a policy template name; it is determined whether the policy template name is null or duplicated, and if so, a failure is prompted with the reason given as null or duplicate. If the name is neither empty nor duplicated, it is determined whether the protection target is duplicated; if so, a failure is prompted with the reason given as a duplicated protection directory. If the protection directory is not duplicated, a file access control policy template is created and the policy information is written to the database.
As an optional embodiment, after receiving policy validation information sent by the first terminal, the method further includes:
S51, obtaining an audit log reported by the first terminal, where the audit log is generated by using the target control policy to control target access behaviors executed on the first terminal;
S52, storing the audit log.
Optionally, in this embodiment, the trusted management server may further obtain and store an audit log reported by the first terminal, where the audit log may be, but is not limited to, used to generate the policy template. The audit log is generated by using the target control policy to control target access behaviors executed on the first terminal.
According to an aspect of the embodiments of the present application, a method embodiment of controlling access to an object is provided. FIG. 6 is a flowchart of an alternative method of controlling object access according to an embodiment of the present application. As shown in FIG. 6, the method may include the following steps:
Step S602, receiving a policy acquisition instruction, where the policy acquisition instruction is used for instructing a first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation performed on the behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes the control operations performed on the access behavior of the target object;
Step S604, acquiring the target control policy from the trusted management server in response to the policy acquisition instruction;
Step S606, sending policy validation information to the trusted management server, where the policy validation information is used for confirming that the target control policy has taken effect on the first terminal;
Step S608, executing the target control policy to control the behavior of accessing the target object on the first terminal.
Through steps S602 to S608, the target control policy is generated through the first policy learning process executed on the second terminal, which learns the control policy of the target object on the second terminal, and is configured on a first terminal other than the second terminal. After the target control policy takes effect on the first terminal, the first terminal controls the behavior of accessing the target object by executing the target control policy. This avoids repeated operations when selecting a control policy and achieves the purpose of quickly configuring the control policy for object access, thereby realizing the technical effect of improving the configuration efficiency of the object access policy and solving the technical problem of low configuration efficiency of the object access policy in the related art.
Alternatively, in the present embodiment, the method of controlling access to the object may be, but is not limited to being, performed by the terminal 101. For the terminal 101, the server 103 may serve as a management center providing management services for the object access control policy, and the terminal 101 may itself serve as a server providing services to other terminals, such as multimedia playing services, multimedia production services, live streaming services, gaming services, shopping services, financial services, and the like. The terminal 101 may also include, but is not limited to, a cell phone, a tablet, a smart wearable device, a smart home device, a PC, and the like.
In the technical solution provided in step S602, the target object may include, but is not limited to: files, folders, packets (e.g., network packets, local packets), applications, applets, etc.
Optionally, in this embodiment, the target control policy is generated by a first policy learning process executed on the second terminal, where the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes control operations performed on access behaviors of the target object. When the first policy learning process is executed on the second terminal to learn the first access log of the target object on the second terminal, a policy template corresponding to the first policy learning process can be generated at the trusted management server, and the trusted management server can use the policy template to configure corresponding target control policies for other terminals. The generated target control policy can be configured to other terminals than the second terminal, such as the first terminal, so that the first terminal can control the operation of accessing the target object.
Alternatively, in this embodiment, the first terminal may be notified of the policy acquisition indication by means of, but not limited to, a heartbeat.
In the technical solution provided in step S604, after receiving the policy acquisition instruction, the first terminal obtains the target control policy that it needs to acquire; the first terminal may, but is not limited to, obtain the target control policy from the trusted management server by sending a request. For example, the first terminal sends a request for the target control policy to the trusted management server, the trusted management server provides the target control policy to the first terminal in response to the request, and the first terminal acquires the target control policy.
In the technical solution provided in step S606, after the first terminal obtains the target control policy from the trusted management server, the first terminal sends policy validation information to the trusted management server indicating that the target control policy has taken effect on the first terminal, so that the trusted management server knows that the target control policy is in effect on the first terminal.
Optionally, in this embodiment, after the target control policy on the first terminal takes effect, the second access log may also be uploaded to the trusted management server.
In the technical solution provided in step S608, the first terminal may control the behavior of accessing the target object by executing the target control policy, where the behavior of accessing the target object may include, but is not limited to: read-write behavior (operations such as reading and writing), tampering behavior (operations such as deleting and modifying), query behavior, and so forth.
In an alternative embodiment, a manner in which the control policy is validated on the terminal is provided. Fig. 7 is a schematic diagram of a control policy validation process according to an alternative embodiment of the present application. As shown in fig. 7, a management center (corresponding to the trusted management server described above) issues the control policy to a proxy program installed on the terminal; the proxy program is responsible for storing and restarting the policy, and also processes policies coming from the terminal management interface; it then sends the received control policy and the like to an Xbase service program, which parses the policy format and finally configures the policy into the kernel, where the policy is executed.
As an alternative embodiment, executing the target control policy to control the behavior of accessing the target object on the first terminal includes:
S61, intercepting a target access behavior executed on the first terminal;
S62, determining whether the first terminal is in a policy learning mode;
S63, when the first terminal is determined to be in the policy learning mode, matching the target access behavior with the target control policy to obtain a first matching result;
S64, generating a second access log according to the first matching result;
S65, reporting the second access log and releasing the target access behavior.
Optionally, in this embodiment, different operations are performed on the intercepted target access behavior depending on the mode of the first terminal. If the first terminal is in the policy learning mode, the target access behavior is matched with the target control policy to obtain a first matching result, and a second access log is generated and reported; however, the first terminal does not control the intercepted target access behavior according to the first matching result, but performs a release operation.
Alternatively, in this embodiment, the policy learning mode may be, but is not limited to, a file access control learning mode, and the learning modes executed on the terminal may further include a full-disk learning mode, a network control learning mode, a whitelist learning mode, and so forth. Only when the first terminal is determined to be in the file access control learning mode is the target access behavior matched with the target control policy and a second access log generated and reported. In the other learning modes the first terminal may, but is not limited to, perform the corresponding operations; for example, in the full-disk learning mode the first terminal directly releases the target access behavior and generates and reports a full-disk learning mode log.
As an alternative embodiment, determining whether the first terminal is in a policy learning mode comprises:
S71, receiving a start instruction, where the start instruction is used for instructing the first terminal to start a second policy learning process for a second object;
S72, starting the second policy learning process in response to the start instruction, and determining that the first terminal is in the policy learning mode;
S73, when a close instruction is received, closing the second policy learning process and determining that the first terminal is not in the policy learning mode.
Alternatively, in this embodiment, the first terminal executing the second policy learning process is equivalent to the first terminal being in the policy learning mode.
Optionally, in this embodiment, the first terminal may start or close the second policy learning process according to the instruction of the trusted management server, and the second access log generated in the second policy learning process may be uploaded to the trusted management server by the first terminal, and the trusted management server may generate the policy template using these second access logs for configuring the control policy for other terminals.
Optionally, in this embodiment, the second policy learning process may be, but is not limited to, a process of learning the target control policy. During the second policy learning process the first terminal is in an access control learning state, in which the first terminal may release all intercepted target access behaviors and decide whether to report the second access log according to the first matching result. For example, if the first matching result indicates that the target access behavior matches the target control policy, the target access behavior is released and a second access log is generated and reported; if the first matching result indicates that the target access behavior does not match the target control policy, the target access behavior is released and no second access log is generated.
As an optional embodiment, after determining whether the first terminal is in the policy learning mode, the method further includes:
S81, when the first terminal is not in the policy learning mode, matching the target access behavior with the target control policy to obtain a second matching result;
S82, controlling the target access behavior according to the second matching result.
Optionally, in this embodiment, after the target control policy takes effect, the first terminal may use the target control policy to control the target access behavior executed on the first terminal, match the target access behavior intercepted from the first terminal with the target control policy, and process the target access behavior according to the current mode of the first terminal and the obtained matching result, so as to control the target access behavior. If the first terminal is not in the policy learning mode, the target access behavior is matched with the target control policy to obtain a second matching result, and the target access behavior is controlled according to the second matching result, wherein the control mode can include, but is not limited to, releasing or intercepting the target access behavior.
Optionally, in this embodiment, one or more processes run on the first terminal, and the processes may be classified into super processes and ordinary processes, where a super process may be a process implementing the object access control function. Different operations may be performed on target access behaviors intercepted from different types of processes: before the target access behavior is matched with the target control policy to obtain the second matching result, it may also be determined whether the target access behavior comes from a super process; matching against the target control policy is performed only for target access behaviors from ordinary processes, while target access behaviors from a super process are released directly.
As an alternative embodiment, controlling the target access behavior according to the second matching result includes:
S91, releasing the target access behavior when the target access behavior matches a control policy belonging to a first type or does not match a control policy belonging to a second type, where the control policy belonging to the first type is used for indicating an access terminal with access privileges to the target object, and the control policy belonging to the second type is used for preventing tampering with the target object;
S92, intercepting the target access behavior when the target access behavior matches a control policy belonging to the second type;
S93, generating an audit log, where the audit log is used for recording the control policy matched by the target access behavior and the operation executed on the target access behavior;
S94, reporting the audit log to the trusted management server.
Optionally, in this embodiment, if the target access behavior matches a control policy belonging to the first type, the target access behavior may be considered to have access privileges to the target object; if the target access behavior does not match a control policy belonging to the second type, it may be considered unnecessary to prevent the target access behavior from tampering with the target object. In either case the target access behavior may be released.
Optionally, in this embodiment, if the target access behavior matches the control policy belonging to the second type, it may be considered that it is necessary to prevent the target access behavior from tampering with the target object, the target access behavior is intercepted, and the target object is prevented from being operated by the target access behavior.
Optionally, in this embodiment, an audit log may be generated for the target access behavior matched to the target control policy to record the control policy matched to the target access behavior and the operation performed on the target access behavior, and the audit log is reported to the trusted management server, and the trusted management server may continue to configure the control policy for the first terminal or other terminals according to the audit log.
In an alternative embodiment, a policy learning process is provided. Fig. 8 is a schematic diagram of a policy learning process according to an alternative embodiment of the present application. As shown in fig. 8, a terminal is selected on the trusted management server and a directory or file to be protected is input; the trusted management server determines whether the terminal is in a learning state, and if not, creates a start learning policy (corresponding to the start instruction) and notifies the terminal to obtain the policy; the terminal starts the learning mode and sends a start confirmation to the trusted management server; during learning, the terminal reports the logs generated, and the trusted management server collects the second access logs reported by the terminal. After the learning time is over, the trusted management server selects the terminal and determines whether it is in the learning state; if so, it creates a close learning policy (corresponding to the close instruction) and notifies the terminal to acquire the policy, and once the terminal has acquired the close learning policy it closes the learning mode and confirms the closing to the trusted management server. After the learning mode is closed, a policy template can be generated, and the generated policy template allows editing, modification and other operations.
Optionally, in this optional embodiment, the policy generated by the trusted management server, the terminal's acknowledgements of the learning mode being turned on or off, the logs reported by the terminal, and the generated policy template may all be written to the database for storage.
Optionally, in this optional embodiment, the terminal needs to be in an online state in the learning mode, and does not perform other learning tasks, and if other learning tasks are being performed, an abnormality is prompted.
Alternatively, in this alternative embodiment, the terminal may be informed of the learning mode policy by, but not limited to, heartbeat. After the terminal starts the learning mode, the log sent to the trusted management server may mark the log state as the learning mode state.
Alternatively, in this alternative embodiment, when the current terminal is in the learning mode, the button for turning off the learning mode may be clicked. After the terminal confirms that the learning mode is closed, policy templates can be generated by clicking, multiple times if needed, and the generated policy templates can be edited and modified online.
As an optional embodiment, matching the target access behavior with the target control policy, and obtaining the second matching result includes:
S101, matching the target control policy with a policy stored in a policy cache library, where the policy cache library is used for recording history control policies and their corresponding execution results, and a history control policy is a control policy that has been executed on the first terminal;
S102, when a target history control policy is matched, processing the target access behavior according to the execution result corresponding to the target history control policy;
S103, when no target history control policy is matched, matching the target access behavior with the target control policy to obtain the second matching result.
Alternatively, in this embodiment, a policy cache library may be established to record history control policies and their corresponding execution results, where a history control policy is a control policy that has been executed on the first terminal. Each time the first terminal uses a control policy to control a read or write operation, the matched control policy and its execution result may be recorded in the policy cache library. Before the target control policy is used to control the target access behavior, the policy cache library can first be checked for a recorded correspondence between a control policy and an execution result; if one is found, the target access behavior is controlled directly according to the record in the policy cache library, and otherwise the target control policy is matched. This saves operation time and improves control efficiency.
As an alternative embodiment, matching the target access behavior with the target control policy comprises:
S111, matching the target access behavior with a control policy belonging to a first type, where the control policy belonging to the first type is used for indicating an access terminal with access privileges to the target object;
S112, when the target access behavior does not match the control policy belonging to the first type, or the target control policy does not include a control policy belonging to the first type, matching the target access behavior with a control policy belonging to a second type, where the control policy belonging to the second type is used for preventing tampering with the target object.
Optionally, in this embodiment, the target control policies may be classified into a control policy belonging to a first type and a control policy belonging to a second type, where the control policy belonging to the first type is used to indicate an access terminal having access privileges to the second object, and the control policy belonging to the second type is used to prevent tampering with the second object. In the matching process, the control strategies belonging to the first type are matched preferentially, and the control strategies belonging to the second type are matched secondarily.
Optionally, in this embodiment, the target object may, but is not limited to, include a target file, that is, a target control policy is used to control an operation of the target file, and a manner of controlling may, but is not limited to, include: a control policy of a first type for indicating an access terminal having access privileges to a target file is set as an access white list, and a control policy of a second type for preventing tampering with the target file is set.
Optionally, in this embodiment, the control policy belonging to the second type may be a control policy that is included in the target control policy and is used to protect the target object, and the control policy belonging to the first type may be used as an option, and the control policy belonging to the first type may be included in the target control policy or may not be included in the target control policy.
Optionally, in this embodiment, if the target control policy includes a control policy belonging to the first type, the control policy belonging to the first type is preferentially matched, and a matching result is obtained. If the target control strategy does not comprise the control strategy belonging to the first type, or the target access behavior is not matched with the control strategy belonging to the first type, continuing to match the control strategy belonging to the second type, and obtaining a matching result.
In an alternative embodiment, a processing procedure of the terminal on the access behavior is provided, the control policy configured on the terminal may be executed by, but not limited to, a kernel, where the control policy is stored by maintaining an access control policy repository, and the kernel may update the access control policy repository after receiving the policy, and may empty the cache repository if the policy is deleted. Fig. 9 is a schematic diagram of a processing procedure of an access behavior according to an alternative embodiment of the present application, where, as shown in fig. 9, a kernel intercepts the access behavior on a terminal, and determines whether the terminal is in a learning mode.
If the terminal is not currently in the learning mode, the kernel may further determine whether the current access behavior is that of a super process (such as the product's own process), and if so, the access behavior is released directly and no audit is generated. The terminal may store already executed control policies in a cache so as to obtain the policy matching result quickly. If the current access behavior is not that of a super process, it is determined whether the current access behavior is in the cache; if so, the cached result decides whether the current access behavior is released or intercepted, and an audit is finally generated. If it is not found in the cache, the privilege policy is matched first; if it matches, the cache library is updated, the current access behavior is released, and an audit is generated. If no privilege policy matches, the tamper-resistant policy is matched; if it matches, the cache library is updated, the current access behavior is intercepted, and an audit is generated. If neither matches, the current access behavior is released and no audit is generated.
If the terminal is currently in the learning mode, it is determined whether the terminal is in the full-disk learning state or the access control learning state. In the full-disk learning state, the current access behavior is released directly and an audit is generated. In the access control learning state, the privilege policy is matched first and then the tamper-proof policy; if either policy matches, the current access behavior is released and an audit is generated, and if neither matches, the current access behavior is released but no audit is generated.
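The terminal-side decision flow described in steps S61 to S65, S81 to S94, S101 to S103 and S111 to S112 and in fig. 9, written out as an added Python example that is not part of the patent: a simulation of how the kernel handles one intercepted access behaviour in enforcement mode (super-process bypass, policy cache, privilege-before-tamper matching, audit generation) and in the two learning states. The policy and access record shapes, the cache key, the set of operations treated as tampering, and the sample paths and process names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVILEGE = "privilege"  # first type: access white list for the target
TAMPER = "tamper"        # second type: prevents tampering with the target
TAMPERING_OPS = {"write", "delete", "modify"}  # assumption: operations counted as tampering

@dataclass(frozen=True)
class Policy:
    policy_id: str
    kind: str                      # PRIVILEGE or TAMPER
    target: str                    # protected directory or file
    subject: Optional[str] = None  # whitelisted process (PRIVILEGE only)

@dataclass(frozen=True)
class Access:
    process: str    # subject process of the intercepted access behaviour
    path: str
    operation: str  # "read", "write", "delete", ...

def covers(policy: Policy, access: Access) -> bool:
    """A file target matches exactly; a directory target protects its subtree."""
    root = policy.target.rstrip("/")
    return access.path == root or access.path.startswith(root + "/")

def match_privilege(policies: List[Policy], access: Access) -> Optional[Policy]:
    """First-type match: the accessing process is on the target's white list."""
    return next((p for p in policies if p.kind == PRIVILEGE and covers(p, access)
                 and p.subject == access.process), None)

def match_tamper(policies: List[Policy], access: Access) -> Optional[Policy]:
    """Second-type match: a tampering operation on a protected target."""
    return next((p for p in policies if p.kind == TAMPER and covers(p, access)
                 and access.operation in TAMPERING_OPS), None)

class TerminalEngine:
    """Kernel-side decision flow of fig. 9 (modes, super-process bypass, cache, audit)."""

    def __init__(self, policies: List[Policy], super_processes, mode: str = "enforce"):
        self.policies = list(policies)
        self.super_processes = set(super_processes)
        self.mode = mode  # "enforce", "learn_access_control" or "learn_full_disk"
        # Policy cache library: executed history policy and its execution result,
        # keyed by the access behaviour (the key shape is an assumption).
        self.cache: Dict[Tuple[str, str, str], Tuple[str, str]] = {}

    def update_policies(self, policies: List[Policy]) -> None:
        """The kernel receives a new policy set and empties the cache library."""
        self.policies = list(policies)
        self.cache.clear()

    def _audit(self, access: Access, policy_id: Optional[str], action: str) -> dict:
        # Audit record (S93): the matched policy and the operation performed on the access.
        return {"process": access.process, "path": access.path, "operation": access.operation,
                "policy": policy_id, "action": action, "mode": self.mode}

    def decide(self, access: Access) -> Tuple[str, Optional[dict]]:
        """Return (action, audit_or_None) for one intercepted access behaviour."""
        if self.mode == "learn_full_disk":  # full-disk learning: release and log everything
            return "release", self._audit(access, None, "release")
        if self.mode == "learn_access_control":  # match but never block; log only matches
            p = match_privilege(self.policies, access) or match_tamper(self.policies, access)
            return "release", (self._audit(access, p.policy_id, "release") if p else None)
        if access.process in self.super_processes:  # super process: released, no audit
            return "release", None
        key = (access.process, access.path, access.operation)
        if key in self.cache:  # replay the recorded execution result
            policy_id, action = self.cache[key]
            return action, self._audit(access, policy_id, action)
        p = match_privilege(self.policies, access)  # privilege policy matched first
        if p:
            self.cache[key] = (p.policy_id, "release")
            return "release", self._audit(access, p.policy_id, "release")
        p = match_tamper(self.policies, access)  # then the tamper-proof policy
        if p:
            self.cache[key] = (p.policy_id, "intercept")
            return "intercept", self._audit(access, p.policy_id, "intercept")
        return "release", None  # nothing matched: released, no audit

def run_demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario (not from the patent); returns (action, matched policy) per access."""
    policies = [Policy("P1", PRIVILEGE, "/srv/app/config", subject="app_server"),
                Policy("T1", TAMPER, "/srv/app/config")]
    eng = TerminalEngine(policies, super_processes={"xbase"})
    cfg = "/srv/app/config/db.yaml"
    accesses = [Access("xbase", cfg, "write"),       # super process
                Access("app_server", cfg, "write"),  # whitelisted subject
                Access("editor", cfg, "write"),      # tampering attempt
                Access("editor", cfg, "read"),       # no policy matched
                Access("editor", cfg, "write"),      # served from the cache
                Access("editor", "/tmp/scratch", "delete")]  # outside every target
    out = [eng.decide(a) for a in accesses]
    eng.mode = "learn_access_control"  # server issued a start-learning policy
    out.append(eng.decide(Access("editor", cfg, "delete")))
    return [(action, audit["policy"] if audit else None) for action, audit in out]
```

In the learning state the same tampering access that was intercepted under enforcement is released and only logged, which is what lets the trusted management server build a policy template from the reported second access logs.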
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method described in the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided a configuration apparatus for an object access policy for implementing the above configuration method for an object access policy. Fig. 10 is a schematic diagram of an alternative configuration apparatus for an object access policy according to an embodiment of the present application, as shown in fig. 10, the apparatus may include:
a first sending module 102, configured to send a policy acquisition instruction to a first terminal, where the policy acquisition instruction is configured to instruct the first terminal to acquire a target control policy from a trusted management server, where the target control policy is used to instruct a control operation performed on a behavior of accessing a target object, and the target control policy is generated by a first policy learning process performed on a second terminal, where the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log includes a control operation performed on the access behavior of the target object;
a second sending module 104, configured to send, in response to a policy acquisition request sent by the first terminal, the target control policy to the first terminal when the policy acquisition request is received;
the first receiving module 106, configured to receive policy validation information sent by the first terminal, where the policy validation information is used to confirm that the target control policy has taken effect on the first terminal.
It should be noted that, the first transmitting module 102 in this embodiment may be used to perform step S202 in the embodiment of the present application, the second transmitting module 104 in this embodiment may be used to perform step S204 in the embodiment of the present application, and the first receiving module 106 in this embodiment may be used to perform step S206 in the embodiment of the present application.
It should be noted that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in software or hardware as a part of the apparatus in the hardware environment shown in fig. 1.
Through the module, the target control strategy is generated through the first strategy learning process which is executed on the second terminal and is used for learning the control strategy of the target object on the second terminal, the target control strategy is configured to the first terminal except the second terminal, so that after the target control strategy is effective on the first terminal, the first terminal can control the behavior of accessing the target object through executing the target control strategy, repeated operation when the control strategy is selected is avoided, the purpose of rapidly configuring the control strategy of object access is achieved, the technical effect of improving the configuration efficiency of the object access strategy is achieved, and the technical problem that the configuration efficiency of the object access strategy in the related technology is lower is solved.
As an alternative embodiment, the first sending module includes:
a first determining unit, configured to determine one or more terminals, where the one or more terminals include the first terminal;
a second determining unit, configured to determine a first policy template corresponding to the one or more terminals;
a first generating unit, configured to generate the target control policy using the first policy template;
and a sending unit, configured to send the policy acquisition instruction to the one or more terminals, where the policy acquisition instruction is used to instruct the one or more terminals to acquire the target control policy from the trusted management server.
As an alternative embodiment, the target control policy includes: a control policy of a first type, used to indicate an access terminal that has access privileges to the target object, and a control policy of a second type, used to prevent tampering with the target object.
As an alternative embodiment, the apparatus further includes:
a third sending module, configured to send a start instruction to the first terminal after the policy acquisition instruction is sent to the first terminal, where the start instruction is used to instruct the first terminal to start a second policy learning process;
a first acquisition module, configured to acquire a second access log reported by the first terminal during the second policy learning process, where the second access log is generated by matching target access behaviors executed on the first terminal against the target control policy;
a fourth sending module, configured to send a shutdown instruction to the first terminal, where the shutdown instruction is used to instruct the first terminal to shut down the second policy learning process;
and a generating module, configured to generate, once it is confirmed that the first terminal has shut down the second policy learning process, a second policy template according to the second access log, where the second policy template is used to generate a control policy.
As an alternative embodiment, the generating module includes:
a second generating unit, configured to generate an object control policy corresponding to the second access log;
an acquisition unit, configured to acquire a policy template identifier, where the policy template identifier is used to uniquely identify the second policy template;
and a third generating unit, configured to generate the second policy template from the policy template identifier and the object control policy.
As an alternative embodiment, the third generating unit is configured to:
determine whether the policy template identifier duplicates an identifier stored in a database and whether the policy template identifier is empty;
when the policy template identifier does not duplicate any identifier stored in the database and is not empty, determine whether the object control policy duplicates a control policy stored in the database;
and when it is determined that the object control policy does not duplicate any control policy stored in the database, generate the second policy template from the policy template identifier and the object control policy.
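The following is an added example, not the patent's own code, showing how a trusted management server could build the second policy template from a reported second access log while applying the identifier and duplicate checks just described. The log line format, the policy fields and the in-memory database are assumptions made for illustration.

```python
"""Added example (not the patent's code): generating a second policy template
from a terminal's second access log on the trusted management server, with
the empty-identifier, duplicate-identifier and duplicate-policy checks applied
in the order the description gives them. Log format, policy fields and the
in-memory database are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# The two policy types the page names: privilege (who may access the object)
# and tamper-proof (protecting the object against modification).
PRIVILEGE = "privilege"
TAMPER_PROOF = "tamper_proof"


@dataclass(frozen=True)
class ControlPolicy:
    policy_type: str   # PRIVILEGE or TAMPER_PROOF
    subject: str       # accessing subject (assumed field, e.g. a program name)
    target: str        # target object, e.g. a file path
    operation: str     # access operation that was matched


@dataclass(frozen=True)
class PolicyTemplate:
    template_id: str
    policies: FrozenSet[ControlPolicy]


@dataclass
class TemplateDatabase:
    """Stand-in for the server's database of stored templates (assumption)."""
    templates: Dict[str, PolicyTemplate] = field(default_factory=dict)

    def id_exists(self, template_id: str) -> bool:
        return template_id in self.templates

    def policy_exists(self, policies: FrozenSet[ControlPolicy]) -> bool:
        return any(t.policies == policies for t in self.templates.values())


def parse_second_access_log(lines: List[str]) -> List[ControlPolicy]:
    """Constructed log format: 'subject|target|operation|matched_policy_type'.
    Each line is one access behaviour recorded during the second learning
    process; lines that matched no policy carry 'none' and are skipped,
    since the page says unmatched accesses generate no audit."""
    policies = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, target, operation, matched = line.split("|")
        if matched not in (PRIVILEGE, TAMPER_PROOF):
            continue
        policies.append(ControlPolicy(matched, subject, target, operation))
    return policies


def object_control_policy(lines: List[str]) -> FrozenSet[ControlPolicy]:
    """Generate the object control policy corresponding to the log: the set
    of distinct learned rules (repeated log lines collapse to one rule)."""
    return frozenset(parse_second_access_log(lines))


def generate_second_template(db: TemplateDatabase, template_id: Optional[str],
                             lines: List[str]) -> Tuple[str, Optional[PolicyTemplate]]:
    """Checks in the page's order: (1) identifier not empty and not already
    stored; (2) object control policy not already stored; only then generate
    and store the template. Returns (status, template)."""
    if template_id is None or not template_id.strip():
        return "empty_id", None
    if db.id_exists(template_id):
        return "duplicate_id", None
    policies = object_control_policy(lines)
    if db.policy_exists(policies):
        return "duplicate_policy", None
    template = PolicyTemplate(template_id, policies)
    db.templates[template_id] = template
    return "ok", template


# Constructed sample second access log as reported by the first terminal.
SAMPLE_LOG = [
    "# subject|target|operation|matched_policy_type",
    "backup_agent|/srv/app/config.yaml|read|privilege",
    "backup_agent|/srv/app/config.yaml|read|privilege",   # repeated access
    "updater|/srv/app/config.yaml|write|tamper_proof",
    "shell|/tmp/scratch.txt|write|none",                  # matched nothing
]

if __name__ == "__main__":
    db = TemplateDatabase()
    print(generate_second_template(db, "tpl-app-01", SAMPLE_LOG))
    print(generate_second_template(db, "tpl-app-02", SAMPLE_LOG))  # duplicate policy
```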
As an alternative embodiment, the apparatus further comprises:
a second acquisition module, configured to acquire an audit log uploaded by the first terminal after the policy validation information sent by the first terminal is received, where the audit log is generated by controlling target access behaviors executed on the first terminal according to the target control policy;
and a storage module, configured to store the audit log.
It should be noted that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiments. It should be noted that the above modules may be implemented in software or in hardware as part of the apparatus shown in fig. 1, where the hardware environment includes a network environment.
According to another aspect of the embodiments of the present application, there is also provided a server or a terminal for implementing the configuration method of the object access policy described above.
Fig. 11 is a block diagram of a terminal according to an embodiment of the present application. As shown in fig. 11, the terminal may include one or more processors 1101 (only one is shown in the figure), a memory 1103, and a transmission device 1105; as also shown in fig. 11, the terminal may further include an input/output device 1107.
The memory 1103 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for configuring an object access policy in the embodiments of the present application, and the processor 1101 executes the software programs and modules stored in the memory 1103, thereby executing various functional applications and data processing, that is, implementing the method for configuring an object access policy described above. The memory 1103 can include high speed random access memory, and can also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory 1103 may further include memory located remotely from the processor 1101, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 1105 is used to receive or transmit data via a network, and may also be used for data transmission between the processor and the memory. Specific examples of the network described above may include wired networks and wireless networks. In one example, the transmission device 1105 includes a network adapter (Network Interface Controller, NIC) that may be connected to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, the transmission device 1105 is a Radio Frequency (RF) module for communicating with the internet wirelessly.
Specifically, the memory 1103 is used to store application programs.
The processor 1101 may call, via the transmission device 1105, an application program stored in the memory 1103 to perform the following steps:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation performed on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log comprises the control operation performed on the access behavior of the target object;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy has been confirmed to take effect on the first terminal.
By adopting the embodiments of the present application, a scheme for configuring an object access policy is provided. The target control policy is generated by a first policy learning process executed on the second terminal, which learns the control policy of the target object on the second terminal, and the target control policy is then configured on a first terminal other than the second terminal. After the target control policy takes effect on the first terminal, the first terminal can control the behavior of accessing the target object by executing the target control policy. Repeated operations when selecting a control policy are avoided, the purpose of rapidly configuring the control policy for object access is achieved, the technical effect of improving the configuration efficiency of the object access policy is obtained, and the technical problem of low configuration efficiency of object access policies in the related art is solved.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the structure shown in fig. 11 is only illustrative, and the terminal may be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a mobile internet device (Mobile Internet Device, MID), a PAD, etc. Fig. 11 does not limit the structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 11, or have a different configuration from that shown in fig. 11.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing hardware associated with a terminal device; the program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in the present embodiment, the above-described storage medium may be used to store program code for executing the configuration method of the object access policy.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation performed on a behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, and the first access log comprises the control operation performed on the access behavior of the target object;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy has been confirmed to take effect on the first terminal.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
Optionally, in the present embodiment, the storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing embodiment numbers of the present application are merely for description and do not represent the relative merits of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described apparatus embodiments are merely exemplary; for example, the division into units is merely a logical functional division and may be implemented differently in practice: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the coupling, direct coupling or communication connection shown or discussed between components may be realized through interfaces, units or modules, and may be electrical or take other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application. It should be noted that modifications and adaptations may be made by those skilled in the art without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of protection of the present application.

Claims (10)

1. A method for configuring an object access policy, comprising:
sending a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation performed on the behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, the first access log comprises the control operation performed on the access behavior of the target object, when the first policy learning process is executed on the second terminal to learn the first access log of the target object on the second terminal, a policy template corresponding to the first policy learning process is generated on the trusted management server, the trusted management server configures the corresponding target control policy for other terminals by using the policy template, and the control operation performed on the behavior of accessing the target object comprises: if the first terminal is currently in the policy learning mode, judging whether the first terminal is in a full-disk learning state or an access control learning state; if it is in the full-disk learning state, directly releasing the current access behavior and generating an audit; if it is in the access control learning state, first matching the privilege policy and then matching the tamper-proof policy, and when either policy is matched, releasing the current access behavior and generating an audit; and if neither policy is matched, releasing the current access behavior without generating an audit;
when a policy acquisition request sent by the first terminal is received, sending the target control policy to the first terminal in response to the policy acquisition request;
and receiving policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy has been confirmed to take effect on the first terminal.
2. The method of claim 1, wherein sending the policy acquisition instruction to the first terminal comprises:
determining one or more terminals, wherein the one or more terminals comprise the first terminal;
determining a first policy template corresponding to the one or more terminals;
generating the target control policy by using the first policy template;
and sending the policy acquisition instruction to the one or more terminals, wherein the policy acquisition instruction is used for instructing the one or more terminals to acquire the target control policy from the trusted management server.
3. The method of claim 1, wherein the target control policy comprises: a control policy of a first type, used to indicate an access terminal that has access privileges to the target object, and a control policy of a second type, used to prevent tampering with the target object.
4. The method of claim 1, wherein after sending the policy acquisition instruction to the first terminal, the method further comprises:
sending a start instruction to the first terminal, wherein the start instruction is used for instructing the first terminal to start a second policy learning process;
acquiring a second access log reported by the first terminal during the second policy learning process, wherein the second access log is generated by matching target access behaviors executed on the first terminal against the target control policy;
sending a shutdown instruction to the first terminal, wherein the shutdown instruction is used for instructing the first terminal to shut down the second policy learning process;
and once it is confirmed that the first terminal has shut down the second policy learning process, generating a second policy template according to the second access log, wherein the second policy template is used for generating a control policy.
5. The method of claim 4, wherein generating the second policy template from the second access log comprises:
generating an object control policy corresponding to the second access log;
acquiring a policy template identifier, wherein the policy template identifier is used for uniquely identifying the second policy template;
and generating the second policy template from the policy template identifier and the object control policy.
6. The method of claim 5, wherein generating the second policy template from the policy template identifier and the object control policy comprises:
determining whether the policy template identifier duplicates an identifier stored in a database and whether the policy template identifier is empty;
when the policy template identifier does not duplicate any identifier stored in the database and is not empty, determining whether the object control policy duplicates a control policy stored in the database;
and when it is determined that the object control policy does not duplicate any control policy stored in the database, generating the second policy template from the policy template identifier and the object control policy.
7. The method of claim 1, wherein after receiving the policy validation information sent by the first terminal, the method further comprises:
acquiring an audit log reported by the first terminal, wherein the audit log is generated by controlling target access behaviors executed on the first terminal according to the target control policy;
and storing the audit log.
8. An apparatus for configuring an object access policy, comprising:
a first sending module, configured to send a policy acquisition instruction to a first terminal, wherein the policy acquisition instruction is used for instructing the first terminal to acquire a target control policy from a trusted management server, the target control policy is used for indicating a control operation performed on the behavior of accessing a target object, the target control policy is generated through a first policy learning process executed on a second terminal, the first policy learning process is a process of learning a first access log of the target object on the second terminal, the first access log comprises the control operation performed on the access behavior of the target object, when the first policy learning process is executed on the second terminal to learn the first access log of the target object on the second terminal, a policy template corresponding to the first policy learning process is generated on the trusted management server, the trusted management server configures the corresponding target control policy for other terminals by using the policy template, and the control operation performed on the behavior of accessing the target object comprises: if the first terminal is currently in the policy learning mode, judging whether the first terminal is in a full-disk learning state or an access control learning state; if it is in the full-disk learning state, directly releasing the current access behavior and generating an audit; if it is in the access control learning state, first matching the privilege policy and then matching the tamper-proof policy, and when either policy is matched, releasing the current access behavior and generating an audit; and if neither policy is matched, releasing the current access behavior without generating an audit;
a second sending module, configured to send, when a policy acquisition request sent by the first terminal is received, the target control policy to the first terminal in response to the policy acquisition request;
and a first receiving module, configured to receive policy validation information sent by the first terminal, wherein the policy validation information is used for indicating that the target control policy has been confirmed to take effect on the first terminal.
9. A storage medium comprising a stored program, wherein the program when run performs the method of any one of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method of any of the preceding claims 1 to 7 by means of the computer program.
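The following is an added example, not the patent's own code, of the per-access decision a terminal makes while in policy learning mode, following the order claim 1 gives: full-disk learning releases and audits everything, while access-control learning matches the privilege policy before the tamper-proof policy and audits only matched accesses. The policy representation, the learning state names, the matching semantics and the audit record format are assumptions made for illustration.

```python
"""Added example (not the patent's code): the control operation a terminal
applies to each access behaviour while in policy learning mode, in the order
claim 1 gives it. Policy fields, state names, matching semantics and the
audit record format are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional

PRIVILEGE = "privilege"
TAMPER_PROOF = "tamper_proof"


class LearningState(Enum):
    FULL_DISK = "full_disk"            # learn everything, audit every access
    ACCESS_CONTROL = "access_control"  # learn only accesses the policy matches


@dataclass(frozen=True)
class AccessBehavior:
    subject: str     # accessing program/terminal (assumed field)
    target: str      # target object
    operation: str   # e.g. "read", "write", "delete"


@dataclass(frozen=True)
class ControlPolicy:
    policy_type: str                           # PRIVILEGE or TAMPER_PROOF
    target: str                                # object the rule is about
    subject: Optional[str] = None              # privilege rule: privileged subject
    operations: FrozenSet[str] = frozenset()   # tamper-proof rule: guarded ops


def policy_matches(policy: ControlPolicy, access: AccessBehavior) -> bool:
    """Assumed matching semantics: a privilege rule matches an access to the
    object by its privileged subject; a tamper-proof rule matches any access
    that would modify the object it guards."""
    if policy.target != access.target:
        return False
    if policy.policy_type == PRIVILEGE:
        return policy.subject == access.subject
    if policy.policy_type == TAMPER_PROOF:
        return access.operation in policy.operations
    return False


@dataclass(frozen=True)
class Decision:
    released: bool           # in learning mode the access is always released
    audited: bool            # whether an audit record is generated
    matched: Optional[str]   # which policy type matched, if any


def learning_mode_decision(state: LearningState, policies: List[ControlPolicy],
                           access: AccessBehavior) -> Decision:
    """Claim 1's control operation for a terminal in policy learning mode."""
    if state is LearningState.FULL_DISK:
        # Full-disk learning: release directly and generate an audit.
        return Decision(True, True, None)
    # Access-control learning: match the privilege policy first, then the
    # tamper-proof policy; a hit releases the access and generates an audit.
    for wanted in (PRIVILEGE, TAMPER_PROOF):
        for policy in policies:
            if policy.policy_type == wanted and policy_matches(policy, access):
                return Decision(True, True, wanted)
    # Neither policy matched: release the access but generate no audit.
    return Decision(True, False, None)


def run_learning(state: LearningState, policies: List[ControlPolicy],
                 accesses: List[AccessBehavior]) -> List[str]:
    """Apply the decision to each access and return the audit records the
    terminal would report to the trusted management server (assumed format:
    'subject|target|operation|matched_policy_type')."""
    audit = []
    for access in accesses:
        d = learning_mode_decision(state, policies, access)
        if d.audited:
            audit.append(f"{access.subject}|{access.target}|{access.operation}|"
                         f"{d.matched or 'none'}")
    return audit


# Constructed target control policy and sample access behaviours.
TARGET_POLICY = [
    ControlPolicy(PRIVILEGE, "/srv/app/config.yaml", subject="backup_agent"),
    ControlPolicy(TAMPER_PROOF, "/srv/app/config.yaml",
                  operations=frozenset({"write", "delete", "rename"})),
]
SAMPLE_ACCESSES = [
    AccessBehavior("backup_agent", "/srv/app/config.yaml", "read"),
    AccessBehavior("backup_agent", "/srv/app/config.yaml", "write"),  # privilege matched first
    AccessBehavior("updater", "/srv/app/config.yaml", "write"),       # tamper-proof match
    AccessBehavior("editor", "/srv/app/config.yaml", "read"),         # no match, no audit
    AccessBehavior("shell", "/tmp/scratch.txt", "write"),             # other object, no match
]

if __name__ == "__main__":
    for line in run_learning(LearningState.ACCESS_CONTROL, TARGET_POLICY, SAMPLE_ACCESSES):
        print(line)
```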
CN202010600255.7A 2020-06-28 2020-06-28 Configuration method and device of object access policy Active CN111897768B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600255.7A CN111897768B (en) 2020-06-28 2020-06-28 Configuration method and device of object access policy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010600255.7A CN111897768B (en) 2020-06-28 2020-06-28 Configuration method and device of object access policy

Publications (2)

Publication Number Publication Date
CN111897768A CN111897768A (en) 2020-11-06
CN111897768B CN111897768B (en) 2024-02-02

Family

ID=73207217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010600255.7A Active CN111897768B (en) 2020-06-28 2020-06-28 Configuration method and device of object access policy

Country Status (1)

Country Link
CN (1) CN111897768B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904939B (en) * 2021-10-27 2023-07-28 China United Network Communications Group Co., Ltd. Method, device and storage medium for managing target terminal
CN116132198B (en) * 2023-04-07 2023-07-25 Hangzhou Hikvision Digital Technology Co., Ltd. Internet of things privacy behavior sensing method and device based on lightweight context semantics

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011076377A (en) * 2009-09-30 2011-04-14 Hitachi Solutions Ltd Terminal device and access control policy obtaining method in the terminal device
CN102904889A (en) * 2012-10-12 2013-01-30 Beijing Kexin Huatai Information Technology Co., Ltd. Cross-platform unified-management-supported mandatory access control system and method
CN105653725A (en) * 2016-01-22 2016-06-08 Hunan University MySQL database mandatory access control self-adaptive optimization method based on conditional random fields
CN106330984A (en) * 2016-11-29 2017-01-11 Beijing Yuanxin Technology Co., Ltd. Dynamic updating method and device for access control policy
CN108702360A (en) * 2016-02-15 2018-10-23 Cisco Technology, Inc. Digital asset protection policy using dynamic network attributes
CN109510842A (en) * 2018-12-29 2019-03-22 Beijing Winicssec Technology Co., Ltd. Method and device for configuring mandatory access control of industrial control network files
KR101992963B1 (en) * 2018-11-20 2019-06-26 Netand Co., Ltd. An automatic generation system for the whitelist command policy using machine learning
CN110298178A (en) * 2019-07-05 2019-10-01 Beijing Kexin Huatai Information Technology Co., Ltd. Trusted policy learning method and device, and trusted security management platform
CN110363007A (en) * 2019-07-05 2019-10-22 Beijing Kexin Huatai Information Technology Co., Ltd. Trusted policy update method and device
CN111159713A (en) * 2019-12-23 2020-05-15 Beijing University of Technology SELinux-based self-learning trusted policy construction method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716354B (en) * 2012-10-09 2017-02-08 Huidun Information Security Technology (Suzhou) Co., Ltd. Security protection system and method for information system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A trust-value-based dynamic access control method for fog computing; Du Yifeng et al.; Netinfo Security; full text *
Research on an improved trusted network connection based on behavior analysis; Zhang Jiale; Information Science and Technology series; full text *

Also Published As

Publication number Publication date
CN111897768A (en) 2020-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant