CN113055393B

CN113055393B - Security service method, device and equipment

Info

Publication number: CN113055393B
Application number: CN202110325307.9A
Authority: CN
Inventors: 张亚东
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Priority date: 2021-03-26
Filing date: 2021-03-26
Publication date: 2022-08-26
Anticipated expiration: 2041-03-26
Also published as: CN113055393A

Abstract

The embodiment of the specification discloses a security service method, a security service device and security service equipment. The scheme comprises the following steps: acquiring integrated result metadata corresponding to safety services at the downstream of a business, and performing persistence processing in a service warehouse, wherein the integrated result metadata is obtained by performing semantic conversion on original service description data; loading integrated result metadata and waiting for a request through service warehousing; if request data aiming at the safety service of the business downstream is received, determining the corresponding relation between the incoming parameters in the request data and the loaded at least partial integrated result metadata; determining generalization parameters according to the corresponding relation; and according to the generalization parameters, carrying out generalization call on the safety service at the downstream of the business through the generalization service.

Description

Security service method, device and equipment

Technical Field

The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for secure servization.

Background

With the rise of mobile internet, a great number of applications are emerging to bring convenience to the working life of users. Meanwhile, security risks are brought, and defense needs to be carried out through corresponding security services.

For some large-volume applications, along with the international business development of the applications, the demand for security services is stronger, at present, the security services are scattered and distributed at the downstream of the business, the demand party for the security services is often located at the upstream of the business, and when the applications need to be used, the applications are adaptively butted with the security service platform according to the requirements of the specific security service platform at the downstream of the business, so that the security services provided by the security service platform are obtained.

Based on this, a more efficient scheme for using security services is needed.

Disclosure of Invention

One or more embodiments of the present disclosure provide a security service method, apparatus, device, and storage medium, so as to solve the following technical problems: there is a need for a more efficient scheme for using security services.

To solve the above technical problem, one or more embodiments of the present specification are implemented as follows:

one or more embodiments of the present specification provide a security service method, including:

acquiring integrated result metadata corresponding to business downstream security services, and performing persistence processing in a service warehouse, wherein the integrated result metadata is obtained by performing semantic conversion on original service description data;

loading the integrated result metadata and waiting for a request through the servitization warehouse;

if request data aiming at safety service of business downstream is received, determining the corresponding relation between the incoming parameters in the request data and at least part of the loaded integration result metadata;

determining generalization parameters according to the corresponding relation;

and according to the generalization parameters, carrying out generalization call on the safety service at the downstream of the business through the generalization service.

One or more embodiments of the present specification provide a security service apparatus, including:

the system comprises a security service integration module, a data processing module and a data processing module, wherein the security service integration module is used for acquiring integration result metadata corresponding to security services at the downstream of a business and performing persistence processing in a service warehouse, and the integration result metadata is obtained by performing semantic conversion on original service description data;

the metadata loading module loads the integrated result metadata through the service storage and waits for a request;

the request data processing module is used for determining the corresponding relation between the incoming parameters in the request data and at least part of the loaded integration result metadata if receiving the request data aiming at the safety service of the downstream of the business;

the generalization parameter determining module is used for determining a generalization parameter according to the corresponding relation;

and the generalization service processing module is used for carrying out generalization call on the safety service of the business downstream through the generalization service according to the generalization parameters.

at least one processor; and the number of the first and second groups,

a memory communicatively coupled to the at least one processor; wherein, the first and the second end of the pipe are connected with each other,

the memory stores instructions executable by the at least one processor to enable the at least one processor to:

determining generalization parameters according to the corresponding relation;

and according to the generalization parameters, carrying out generalization call on the safety service of the downstream of the business through the generalization service.

One or more embodiments of the present specification provide a non-transitory computer storage medium storing computer-executable instructions configured to:

determining generalization parameters according to the corresponding relation;

At least one technical scheme adopted by one or more embodiments of the specification can achieve the following beneficial effects: the method is beneficial to relieving the integration dependence of the security service, opens a multi-protocol and semantic security service portal, and can meet the requirements of security service products, quick access and the like of the downstream of the unified binding-off service in a light weight manner, thereby helping users to use the security service more efficiently and conveniently.

Drawings

In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments described in the present specification, and for those skilled in the art, other drawings may be obtained according to these drawings without creative efforts.

FIG. 1 is a schematic flow diagram of a security service method provided in one or more embodiments of the present disclosure;

fig. 2 is a schematic diagram of a system architecture corresponding to fig. 1 in an application scenario according to one or more embodiments of the present disclosure;

FIG. 3 is a schematic diagram of an embodiment of the method of FIG. 1 in an application scenario provided by one or more embodiments of the present disclosure;

fig. 4 is a schematic structural diagram of a security service apparatus according to one or more embodiments of the present disclosure;

fig. 5 is a schematic structural diagram of a security service apparatus according to one or more embodiments of the present disclosure.

Detailed Description

The embodiment of the specification provides a security service method, a security service device, a security service equipment and a storage medium.

In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any inventive step based on the embodiments of the present disclosure, shall fall within the scope of protection of the present application.

In one or more embodiments of the present specification, a security service one-stop platform scheme is provided to standardize a downstream security service capability, complete the closing of the wind control system to the downstream service, reduce the access cost of the upstream service, and improve the access efficiency. Specifically, by providing a uniform service processor standard, a downstream injects a specific service into a processor in an injection extension point (provided by a corresponding technology stack, for example, a SOFA technology stack, etc.) manner, so as to form an abstract capability of a security service, which is used as an external output of a standardized security component, a standardized product defines a data field object in advance, and the downstream converts a field object required by the downstream according to its own needs. It should be noted that there are still some problems in this solution. For example, intruding into downstream services: downstream abstraction is required to be a standardized component, secondary development adaptation is required in the technical level, and access is not friendly; business side component dependencies: a new security service needs to be accessed, and besides secondary development of a downstream business party, a security service product also needs to be upgraded; service information is not perceived: the standard service facade does not sense service information, including service entrance participation, service exit participation and service parameter validity verification, and directly returns an original response when the participation appears, wherein the original response contains a large number of Map structure texts with escape characters, and the intelligibility is poor; and so on. Aiming at the problems, a security service scheme more suitable for international business development is further provided, the security service scheme can be mainly realized as a lightweight non-invasive security service gateway based on a generalization calling technology, users needing to use security services uniformly obtain corresponding services through the gateway, and the gateway also provides a corresponding security service portal for facilitating access.

The general idea of the further provided scheme can be summarized as semantic, non-intrusive and lightweight.

Semantization: a set of unified standards is defined through a standard service facade, services are accessed according to the standards, services are output according to the standards, and the service data with the attributes provide a clear access specification for clients in a semantic mode.

Non-invasive: the method can continuously access new downstream services, access is achieved in a service information warehousing configuration mode, secondary development of the downstream services is not needed, and issuing or restarting of a service system in operation is not needed.

Light weight: the method has the advantages that the fast enabling and flexible output are realized through the open source technology stack (such as the SOFA technology stack), the jar packet access and the secondary development are avoided through the generalization calling technology in the aspect of service integrated access, and the lightweight is kept through the technology selection.

The following is a detailed description based on such a concept.

Fig. 1 is a schematic flowchart of a security service method according to one or more embodiments of the present disclosure. The process may be executed by a server, for example, a wind control server of the payment platform, and the gateway is implemented on the wind control server. It should be noted that the gateway herein is actually a set of service system, and may include a plurality of processing subsystems following some specific actions, and for convenience of visually representing that the service system is logically as an intermediate party, and is located between a business party and a service party, it is called as "gateway", and in actual application, the service system has various component division ways as long as it can execute the steps in the scheme.

The process in fig. 1 may include the following steps:

s102: acquiring integrated result metadata corresponding to the safety service of business downstream, and performing persistence processing in the service warehouse, wherein the integrated result metadata is obtained by performing semantic conversion on original service description data.

In one or more embodiments of the present description, security services downstream from a business are semantically integrated in the form of metadata. The semantization processing mode makes the integrated security service more standard and easier to understand, and the usability and the interpretability of the corresponding obtained metadata are enhanced. The metadata is described in a standardized way according to the essential contents of the corresponding security service and the using mode thereof, so as to match the request data which is possibly not standard enough for the security service by the business policy.

The semantization process, for example, includes adding more tags to reconstruct the original service description data (usually provided by the service provider of the security service), so that the semantics (e.g., including business meaning, extended interpretation, escape character translation content, etc.) of the content such as numbers, codes, logic, etc. are more definite.

S104: and loading the integrated result metadata and waiting for a request through the service warehouse.

In one or more embodiments of the present description, the integrated result metadata is stored in a warehoused form for ease of management and maintenance. The method comprises the steps of constructing a servitization warehouse in advance, semantically integrating safety services to be uniformly closed to the upstream to generate corresponding integrated result metadata, and making the corresponding integrated result metadata persistent in the servitization warehouse to support generalized calling of the safety services. And if a new security service to be accessed is subsequently provided, adopting a similar processing scheme to generate integrated result metadata for the new security service to be accessed, and persisting the integrated result metadata in the service storage. After the gateway is started, the integration result metadata pre-persisted therein may be retrieved from the servitization repository and loaded to await use in response to the secure service request.

Compared with the common database, the data warehouse is used for the servitization storage, the data warehouse realizes more intelligent processing on the integrated result metadata, can realize intelligent re-integration, such as service cross integration of different service providers, and automatically assembles new service after splitting the integrated result metadata, wherein the new service provides a part of service logic by a plurality of corresponding service providers respectively, and the service providers are unaware of each other, so that the method more fully utilizes the capability of each service provider; the intelligent matching of various services to a requester can be realized, for example, homogeneous services used by competitors are automatically avoided; the data leakage accident scene on the external network can be monitored, if the accident happens, the safety service is dynamically adjusted in time, particularly the matching relation between the safety service and the requester can be adjusted, so that the requester is helped to strengthen the defense effect; and so on.

S106: if request data for a security service downstream of a business is received, determining a corresponding relationship between incoming parameters in the request data and at least part of the loaded integration result metadata.

In one or more embodiments of the present description, the requested data is from a user (referred to as a business party for convenience of description) at the business upstream or current link of the business, as compared to the business downstream of the business for the requested security services. Security services include, for example: device fingerprinting, human-machine identification, trusted execution environment, data obfuscation, etc., the same security service may be embodied differently by different facilitators, not necessarily following a uniform standard.

The request data of the business side is not directly sent to the business downstream, but sent to the gateway for processing, and the gateway can shield some specific processing details for the business side, so that the business side can not even sense the business downstream server side, and finally, the business side can conveniently and standardize obtain the safety service. For the business side, the gateway is trusted, and the specific trusted relationship establishment mode is not limited herein, for example, the gateway is established by means of certificate, government endorsement, and the like. After the service party trusts the gateway, the service party is also trusting for the default of the security service obtained by the generalized calling of the gateway.

The above-described concept is also applicable to services other than security services, but there is a demand for security services in particular. The reason is that: many security services are located at positions opposite to the downstream end and in a centralized and distributed state, and in order to provide security of the whole service chain, upstream is required to close up unified management; the security service directly relates to the privacy data of the user, and the user himself or herself is difficult to ensure the validity of the security service (for example, face recognition may be performed in governments, shops, cells, etc., and according to the face recognition result, an entrance guard is opened or other services are triggered to continue to be handled, but the user does not know which face recognition is necessary for compliance, which are unnecessary or even malicious for collecting the user privacy, and the adopted security standard is uncertain, and the user is in a state where it is difficult to listen to the day and the life of the user), and for the illegal security service, the user privacy is revealed, and the user benefits are seriously damaged.

In one or more embodiments of the present specification, the request data indicates the type of security service to be requested, but of course, if the business side needs it, other information such as a specific service side may be indicated. The service party can initiate a request according to a proper calling protocol, and the gateway performs adaptation processing so as to reduce the burden of the service party and provide the experience of the service party. The calling protocol includes, for example, REST, Bolt, TR, and the like.

In one or more embodiments of the present specification, the gateway loads the integration result metadata, and then obtains a corresponding security service for the business party through the loaded integration result metadata. In this case, the metadata of the integration result corresponding to each security service can be stored and maintained in a unified manner, if a new security service exists, the metadata is added to the storage, and if the existing security service fails, the source data is removed from the storage, thereby facilitating efficient maintenance of the available security service.

In one or more embodiments of the present specification, for a business party, it often knows its specific requirements for security services downstream of the business, for example, selection of a specific service application object, selection of a service provider, selection of a security service policy, upper and lower limit requirements on a security service index, and the like, and therefore, some specific incoming parameters may be given and carried in request data. The incoming parameters may be suitable for direct interfacing with a specific service provider, and may even allow the service provider to be more non-standardized and personalized, and for the gateway, by adaptively supporting such incoming parameters, the experience of the service provider can be improved, which helps the service provider to more flexibly and accurately obtain the security service really suitable for the service provider.

In one or more embodiments of the present specification, the integration result metadata includes service metadata for describing the security service itself, and call metadata for describing a call operation to the security service, and the like. Service metadata specifies, for example, the version, basic functions, capabilities, service provider, etc. of the security service, and call metadata specifies, for example, the interfaces, input parameters, format of returned results, etc. involved in the security service. The integration result metadata can also comprise adaptation metadata for describing information of other security services adapted to the integration result metadata, and in this case, the integration result metadata of different security services have more associations, which is beneficial for collocation cooperation to meet more business scenarios.

In one or more embodiments of the present specification, as a platform for providing security services, not only convenience of itself and its user (i.e., a requester corresponding to request data) is considered, but also potential risks that a user of its user (in this case, the user itself is also a service provider, such as a payment platform or a game platform) may encounter are considered, because the requester itself may do harm or the requester itself may be attacked to bring risks to the user.

Based on this, the platform does not want what the requester wants to give to it (this is the idea of standing at the requester), but determines the original correspondence between the incoming parameters in the request data and the loaded metadata of at least part of the integrated results (this represents the direct desire of the requester), analyzes the business characteristics of the requester itself, and based on the analysis results, may redirect the original correspondence to obtain a redirected correspondence (which is already deviated from the direct desire of the requester) for determining the generalized parameters, which is the idea of standing at the requester's user, which are greatly different because there may be a conflict of interest between the requester and its users, in which case the platform needs to decide whether it should be biased towards the requester's user rather than towards the requester without mind.

For example, the requesting party is a face refreshing service for requesting to acquire a full face image, and according to the service characteristics of the requesting party, if the cell security service is used for cell entry and exit, it is conceivable that the security requirement is low, and the security company itself may misuse the face image of the user. Based on the above, the face refreshing service for collecting partial regions of the human face (for example, only collecting half face or eye regions) can be redirected through the redirection correspondence, and the collected data can be prohibited from being locally persisted, so that the privacy safety of users in the cell is guaranteed although the identification accuracy rate is possibly reduced.

For another example, the requesting party requests a one-key synchronization service for the third-party account, and according to the service characteristics of the requesting party, if the service of the requesting party is mainly a micro application integrated in a parent application, although the requesting party has an independent application, the flow mainly depends on the micro application, in this case, the micro application has a risk of being involved by the parent application, for example, if a parent application password library is leaked, the micro application is basically and comprehensively leaked. For the problem, the third-party account synchronization service based on the forced password modification can be redirected through the redirection corresponding relation, that is, although the user can log in by using the third-party account, the precondition is that an independent password is required to be modified and only used for the micro application, so that the safety risk of the user on the micro application is reduced.

S108: and determining generalization parameters according to the corresponding relation.

In order to implement the above-described adaptation support, the gateway may pre-construct a correspondence between various incoming parameters and a part of the integration result metadata in the existing integration result metadata, and the integration result metadata is used according to the correspondence after being loaded. For a portion of incoming parameters that are out of consideration, integrated result metadata that matches semantic approximations more ambiguously is allowed, making the coverage of such correspondences more comprehensive. According to the corresponding relation, the gateway can convert the safety service requirement of the business side into a more standard form, and the safety service requirement is expressed through corresponding generalization parameters to prepare for generalized invoking of the safety service. The generalized Call is a way of calling a Remote service, for example, it is implemented based on a Remote Procedure Call Protocol (RPC) part in the SOFA technology stack, and when the RPC is called, the application does not need to rely on a jar packet of two or three parties, and can Call the RPC service only by knowing an interface name and a method name of the service, which is the generalized Call.

S110: and according to the generalization parameters, carrying out generalization call on the safety service of the downstream of the business through the generalization service.

In one or more embodiments of the present specification, a generalization call middle layer is constructed between a generalization service and a security service downstream of a business, interactive data between the two parties is exchanged through the generalization call middle layer, the generalization service is converted into a more generalized result, and the security service downstream of the business is converted into a more specific result.

The method of FIG. 1 is helpful for removing the integrated dependence of security services, opens a multi-protocol and semantic security service portal, and can meet the requirements of security service products, quick access and the like in the downstream of the unified binding-in service in a light weight manner, thereby helping users to use the security services more efficiently and conveniently. For the safety service provider at the downstream of the service, the secondary development for accessing the service upstream is avoided, the burden is reduced, and the access efficiency is improved.

Based on the process of fig. 1, some specific embodiments and embodiments of the process are also provided in the present specification, and the description is continued below.

In one or more embodiments of the present specification, the re-integration of security services based on data mining has been mentioned, specifically, for example, by performing semantic integration on other security services downstream of the business to generate incremental integration result metadata, mining a relationship between existing integration result metadata of the servitization warehouse and the incremental integration result metadata through a data mining service provided by the servitization warehouse, extracting business features according to the relationship obtained by mining (for example, a relationship between a competitor, a relationship between a parent company and a subsidiary company, and a relationship between a national enterprise and an external enterprise), and re-integrating the existing integration result metadata and the incremental integration result metadata according to the business features. Taking the competitor relationship as an example, a service provider may make some exclusive (mainly excluding other service providers) business logic in the security service (for example, selectively shielding some competitor websites in the firewall service, etc.), which may cause inconvenience for the requester, and through the above re-integration, the unreasonable business logic may be cleaned, thereby giving more fair and convenient security service to the user.

For the warehousing integrated result metadata, new safety service requirements and implementation elements meeting the requirements can be mined through technologies such as data mining and the like, and further, business downstream can be reversely guided to provide new safety services. The scattered security services can be automatically adapted to the overall requirements of the business side, and a more comprehensive security service overall solution is automatically generated, wherein the overall solution comprises services provided by a plurality of different security service providers at the downstream of the business. Therefore, the burden of selecting and matching the security service by the business party is reduced, and the business party can be more concentrated on the own main business.

In one or more embodiments of the present description, to facilitate business-side requests, a pre-built security-services portal receives request data for security services downstream from the business through the security-services portal. The security service portal can sense the service information, and not only transmit the request data to the back, specifically, the security service portal can check the incoming parameters of the request data (for example, format, non-empty, overflow, lack of parameters, etc.), and when a response is returned to the service party, the security service portal can also perform personalized processing on the original response transmitted to the back according to the request data, so that the response to the service party is more in line with the habit of the service party, and does not necessarily need to perform standardized response.

In one or more embodiments of the present disclosure, after receiving request data of a service party, a serviced request body is generated by performing a normalization process on the request data (e.g., filling up missing parameters with default parameters, truncating overflow data from an upper limit, converting integer data into floating-point data, etc.), so as to facilitate a subsequent process, and then a corresponding serviced context is generated according to the serviced request body. If the request data itself is standardized, the servitization context can be generated directly from it.

Further, a processor factory is constructed in advance, and the processor factory generates corresponding instances of the service processors (for example, different instances are applicable to different calling protocols, etc.) according to the service contexts, and is used for processing the service contexts. Therefore, the service party is flexible and free in the calling and selecting of the protocol, and the applicability to different service parties is improved.

In one or more embodiments of the present specification, to improve transmission efficiency and facilitate a generalized call of intermediate layer conversion processing, call related data is serialized through a generalized service according to a generalized parameter, a service call request is initiated to a provider of a security service downstream of a service according to a result of the serialization processing, and a generalized call result obtained by performing anti-serialization processing on a service call result returned by the provider is received. Taking the Java development environment as an example, the serialization process includes converting Java objects into byte sequences, and the deserialization process includes restoring byte sequences into Java objects.

Similar to the processor factory, a converter factory can be pre-built, through which the converter is generated, and used in the middle layer of the generalized calls to parse and convert the interaction results.

According to the above description, one or more embodiments of the present disclosure provide a system architecture diagram corresponding to fig. 1 in an application scenario, as shown in fig. 2.

In the application scenario, the above scheme is implemented by combining a corresponding application with a corresponding configuration file, in the application, a service party can access a security gateway portal of an appearance layer, the security gateway portal is used as the above security servitization portal, and the service party implements a servitization request for security services and obtains a servitization response through the security gateway portal. The pre-built warehousing service realizes the integration of the security service based on the persistent metadata in the warehousing. The method is characterized in that the calling of the security service is realized at a core layer behind an appearance layer, the gateway mainly comprises a security gateway engine of the core layer, a warehousing service and the support of a processor factory, the request of a business party is processed through a service processor, and further the real security service is called to a corresponding server through a generalization service calling device according to a standardized intermediate processing result.

The working principle of the system architecture is described with reference to fig. 3, and fig. 3 is a schematic diagram of a specific implementation of the method in fig. 1 in an application scenario provided by one or more embodiments of the present disclosure.

The scheme in fig. 3 comprises the following steps:

a service integration step performed in advance:

and managing service integration metadata, evaluating the requirements of the safety service products, and generating corresponding service metadata and calling metadata.

And the generated service metadata and the calling metadata are persisted to a service warehouse constructed in advance through a REST interface accessed by the service, and the metadata are automatically loaded by a system during service operation.

Service semantic parsing and routing:

for the accessed security service, the business party can access the security service portal according to the calling protocol required by the business party.

After intercepting the request data of the business party, the security service portal carries out non-null check on the request data.

And carrying out standardized processing on the checked admitted request data to generate a service request body.

And assembling to obtain a service context according to the service request body, and delivering the service context to a service processor for processing.

Corresponding processor instances, such as Bolt protocol processors, TR protocol processors, etc., are produced by the processor factory in accordance with the servicing context.

The servitization processor begins processing the requested resource: loading a corresponding relation from a service warehouse, specifically a corresponding relation between actual incoming parameters of a business party and metadata; starting to assemble the generalization parameters of the service call according to the corresponding relation; and initializing the generalization service according to the calling configuration information carried by the service context to obtain a generalization service instance.

A converter for parsing the conversion interaction result (e.g., the generalized service invocation result, etc.) is produced from the converter factory and initialized.

A service generalization calling step:

the calling method is started to be executed by the generalization service.

According to the calling method, after calling related data are serialized in a generalization calling middle layer by a generalization calling filter, a request is sent to a downstream real service party through a corresponding protocol, and a result is deserialized and then returned to a generalization service instance by the generalization calling middle layer; and returning a result obtained by processing the real service call to the generalization call intermediate layer.

By the scheme, the downstream service can not be invaded, secondary development on the downstream service is not needed, and when the downstream security service needs to be accessed, the downstream security service only needs to be persisted to the servitization storage through the corresponding integration result metadata. The service operation system can automatically load the metadata and output the safety service according to the standard, and the business data of the attribute provides a clear access specification for the client in a semantic mode.

Standardization is better achieved in several aspects, including:

and a standard service portal defines a set of unified standards, services are accessed according to the standards, services are output according to the standards, and the service data with the attributes provide a clear access specification for clients in a semantic mode.

And standard service configuration, namely, the serving gateway can continuously access new downstream services and access the new downstream services in a service information configuration mode without secondary development.

And standard service routing, namely, configuring the service according to the access requirement of the service during calling, routing the service to a corresponding service processor, pulling a downstream service interface in the warehouse according to routing information synthesized in the standard request, and executing service calling after the safety service gateway is assembled with generalization parameters.

And standard service monitoring, wherein the service gateway can control a service link, a perception scene, a calling magnitude, a calling link and the like.

Based on the same idea, one or more embodiments of the present specification further provide apparatuses and devices corresponding to the above-described method, as shown in fig. 4 and 5.

Fig. 4 is a schematic structural diagram of a security service apparatus provided in one or more embodiments of the present disclosure, where a dashed box represents an optional module, and the apparatus includes:

a security service integration module 402, configured to obtain integration result metadata corresponding to a security service of a business downstream, and perform persistence processing in a servitization repository, where the integration result metadata is obtained by performing semantic conversion on original service description data;

a metadata loading module 404, configured to load the metadata of the integration result through the servitization repository and wait for a request;

a request data processing module 406, configured to, if request data for a security service downstream of a service is received, determine a correspondence between an incoming parameter in the request data and at least part of the loaded integration result metadata;

a generalization parameter determining module 408 for determining a generalization parameter according to the corresponding relationship;

and the generalization service processing module 410 performs generalization call on the security service of the business downstream through the generalization service according to the generalization parameter.

Optionally, the apparatus further comprises:

the service reintegration module 412 generates incremental integration result metadata by semantically integrating other safety services at the downstream of the service;

mining the relationship between the existing integrated result metadata of the servitization warehouse and the integrated result metadata of the increment through a data mining service provided by the servitization warehouse;

and extracting service features according to the relation obtained by mining, and accordingly re-integrating the existing integration result metadata and the incremental integration result metadata.

Optionally, the integration result metadata includes service metadata describing the security service itself, and call metadata describing a call operation to the security service.

Optionally, the request data processing module 406 determines a pre-constructed security servization portal;

receiving, by the security services portal, request data for a security service downstream of a transaction and verifying incoming parameters of the request data.

Optionally, the request data processing module 406 generates a corresponding service context according to the request data;

generating a corresponding service processor according to the service context and the processor factory;

determining, by the servization processor, a correspondence between incoming parameters in the request data and at least a portion of the integration result metadata that has been loaded.

Optionally, the request data processing module 406 generates a service request body by performing standardized processing on the request data;

and generating a corresponding service context according to the service request body.

Optionally, the request data processing module 406 determines an original correspondence between the incoming parameters in the request data and the loaded at least part of the integration result metadata;

and redirecting the original corresponding relation according to the service characteristics of the request party corresponding to the request data to obtain a redirected corresponding relation for determining the generalization parameters.

Optionally, the generalization service processing module 408 performs serialization processing on the call related data through the generalization service according to the generalization parameter;

according to the result of the serialization processing, a service calling request is sent to a provider of the safety service of the downstream of the business;

and receiving a generalized calling result obtained by performing anti-sequence processing on the service calling result returned by the provider.

Fig. 5 is a schematic structural diagram of a security service apparatus according to one or more embodiments of the present specification, where the apparatus includes:

at least one processor; and the number of the first and second groups,

determining generalization parameters according to the corresponding relation;

The processor and the memory may communicate via a bus, and the device may further include an input/output interface for communicating with other devices.

Based on the same idea, one or more embodiments of the present specification provide a non-volatile computer storage medium storing computer-executable instructions configured to:

determining generalization parameters according to the corresponding relation;

In the 90's of the 20 th century, improvements to a technology could clearly distinguish between improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements to process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually making an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as abel (advanced Boolean Expression Language), ahdl (alternate Hardware Description Language), traffic, pl (core universal Programming Language), HDCal (jhdware Description Language), lang, Lola, HDL, laspam, hardward Description Language (vhr Description Language), vhal (Hardware Description Language), and vhigh-Language, which are currently used in most common. It will also be apparent to those skilled in the art that hardware circuitry for implementing the logical method flows can be readily obtained by a mere need to program the method flows with some of the hardware description languages described above and into an integrated circuit.

The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.

The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the various elements may be implemented in the same one or more software and/or hardware implementations of the present description.

As will be appreciated by one skilled in the art, the present specification embodiments may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.

The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the device, and the nonvolatile computer storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.

The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.

Claims

1. A method of secure servitization, comprising:

determining a generalization parameter according to the corresponding relation, specifically comprising: determining an original corresponding relation between an incoming parameter in the request data and at least part of the loaded integrated result metadata, and redirecting the original corresponding relation according to the service characteristics of a requester corresponding to the request data to obtain a redirected corresponding relation for determining the generalization parameter; or, directly determining the generalization parameters according to the corresponding relation;

2. The method of claim 1, further comprising:

semantically integrating other safety services at the downstream of the business to generate incremental integration result metadata;

3. The method of claim 1 or 2, the integration result metadata comprising service metadata describing the security service itself, and call metadata describing call operations to the security service.

4. The method according to claim 1, wherein the receiving request data for security services downstream of the service specifically comprises:

determining a pre-constructed security servization portal;

receiving, by the security services portal, request data for a security service downstream of a transaction and checking incoming parameters of the request data.

5. The method of claim 1, wherein determining a correspondence between incoming parameters in the request data and at least a portion of the integration result metadata that has been loaded, comprises:

generating a corresponding service context according to the request data;

6. The method according to claim 5, wherein generating the corresponding service context according to the request data specifically includes:

generating a service request body by standardizing the request data;

7. The method of claim 1, wherein determining a correspondence between incoming parameters in the request data and at least a portion of the integration result metadata that has been loaded, comprises:

determining an original correspondence between incoming parameters in the request data and at least part of the integration result metadata that has been loaded;

8. The method according to claim 1, wherein the generalized invoking of the security service downstream of the service by the generalized service according to the generalized parameter specifically comprises:

according to the generalization parameters, sequencing the call related data through the generalization service;

9. A security servization apparatus comprising:

the request data processing module is used for determining the corresponding relation between the incoming parameters in the request data and at least part of the loaded integration result metadata if the request data aiming at the safety service of the business downstream is received;

a generalization parameter determination module, which determines a generalization parameter according to the corresponding relationship, specifically comprising: determining an original corresponding relation between an incoming parameter in the request data and at least part of the loaded integrated result metadata, and redirecting the original corresponding relation according to the service characteristics of a requester corresponding to the request data to obtain a redirected corresponding relation for determining the generalization parameter; or, directly determining the generalization parameters according to the corresponding relation;

10. The apparatus of claim 9, further comprising:

the service re-integration module generates incremental integration result metadata by semantically integrating other safety services at the downstream of the service;

and extracting service features according to the relation obtained by mining, and re-integrating the existing integration result metadata and the incremental integration result metadata according to the service features.

11. The apparatus of claim 9 or 10, the integration result metadata comprising service metadata describing the security service itself, and call metadata describing a call operation to the security service.

12. The apparatus of claim 9, the request data processing module to determine a pre-built security-services portal;

13. The apparatus of claim 9, the request data processing module to generate a corresponding service context according to the request data;

14. The apparatus of claim 13, wherein the request data processing module generates a servitization request body by standardizing the request data;

15. The apparatus of claim 9, the request data processing module to determine an original correspondence between incoming parameters in the request data and at least a portion of the integration result metadata that has been loaded;

16. The apparatus according to claim 9, wherein the generalization service processing module serializes the call related data through the generalization service according to the generalization parameters;

17. A security servization device, comprising:

at least one processor; and the number of the first and second groups,

a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,

the memory stores instructions executable by the at least one processor to cause the at least one processor to: