CN113918985B - Security management policy generation method and device - Google Patents

Info

Publication number: CN113918985B (application CN202111059906.7A)
Authority: CN (China)
Prior art keywords: service, log, item, interaction item, service interaction
Legal status: Active
Application number: CN202111059906.7A
Other languages: Chinese (zh)
Other versions: CN113918985A (en)
Inventors: 李继庚, 洪蒙纳, 蔡杰焕, 严斌, 占小平, 胡鹏洋, 翟俊杰
Current assignee: Guangzhou Poi Intelligent Information Technology Co ltd
Original assignee: Guangzhou Poi Intelligent Information Technology Co ltd
Events: application filed by Guangzhou Poi Intelligent Information Technology Co ltd; priority to CN202111059906.7A; publication of CN113918985A; application granted; publication of CN113918985B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Physics & Mathematics
  • General Physics & Mathematics
  • General Engineering & Computer Science
  • Bioethics
  • Computer Security & Cryptography
  • Software Systems
  • Computer Hardware Design
  • General Health & Medical Sciences
  • Health & Medical Sciences
  • Databases & Information Systems
  • Automation & Control Theory
  • Data Mining & Analysis
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

According to the security management policy generation method and device, a target service operation log corresponding to the service operation log to be subjected to security management is generated from a reference service operation log and the service operation log to be subjected to security management; the security risk index of each first service interaction item in the target service operation log is a score indicating whether the second service interaction item in the corresponding state in the service operation log to be subjected to security management poses a threat; the security management policy for the service operation log to be subjected to security management is then determined from the target service operation log, so that the precision and pertinence of the generated security management policy can be ensured.

Description

Security management policy generation method and device
Technical Field
The invention relates to the technical field of data security processing, in particular to a security management policy generation method and device.
Background
With the rapid development of internet technology, the functions of business service platforms are continuously refined and optimized, and can meet a range of service interaction requirements of modern users. In the internet age, the security of data information is a focus of attention for all parties, especially for large service platforms: the volume of user information carried by such platforms is huge, and once a data risk or threat materializes it may cause irreparable loss. Security processing of data information is therefore very necessary for such platforms.
Disclosure of Invention
In view of the above, the invention provides a security management policy generation method and device.
In a first aspect, an embodiment of the present invention provides a method for generating a security management policy, including: obtaining a reference service running log and a service running log to be subjected to security management; determining a target service running log corresponding to the service running log to be subjected to security management according to the reference service running log and the service running log to be subjected to security management, where the security risk index of each first service interaction item in the target service operation log represents a threat score for the second service interaction item, and the second service interaction item is the service interaction item whose state in the service operation log to be subjected to security management corresponds to that of the first service interaction item; and generating a security management policy for the service operation log to be subjected to security management according to the target service operation log.
In this way, the target service running log corresponding to the service running log to be subjected to security management is generated from the reference service running log and the service running log to be subjected to security management; the security risk index of each first service interaction item in the target service running log is a score indicating whether the second service interaction item in the corresponding state in the service running log to be subjected to security management poses a threat; the security management policy for the service running log to be subjected to security management is then determined from the target service running log, so that the precision and pertinence of the generated security management policy can be ensured.
For some technical solutions that may be implemented independently, the determining, according to the reference service running log and the service running log to be securely managed, a target service running log corresponding to the service running log to be securely managed includes: determining a first service running log based on the service running log to be subjected to security management, and determining a second service running log based on the reference service running log; for each third service interaction item in the first service operation log, determining a plurality of target service interaction items corresponding to the third service interaction item from the second service operation log; the quantitative difference between the target service interaction items and a target fourth service interaction item in the second service running log is smaller than a first quantitative difference judgment value, wherein the target fourth service interaction item is a fourth service interaction item with a corresponding relation between a state in the second service running log and the third service interaction item; for each third service interaction item, determining a score of the third service interaction item according to the degree of commonality between the target service interaction items and the third service interaction item respectively; and determining the score of the second service interaction item corresponding to the third service interaction item in the service operation log to be subjected to the security management based on the score of the third service interaction item.
In this way, the target service interaction items corresponding to each third service interaction item in the first service operation log are determined from the second service operation log, the score of the third service interaction item is determined from the degree of commonality between each of those target service interaction items and the third service interaction item, and the score of the corresponding second service interaction item is then obtained from it. The score of a second service interaction item is thus influenced by a plurality of service interaction items in the reference service operation log, which reduces the interference that various error effects would otherwise cause to the security management policy of the second service interaction items in the service operation log to be subjected to security management, and improves the accuracy of threat analysis of the service operation log to be processed.
For some solutions that may be implemented independently, the determining a first service log based on the service log to be securely managed and determining a second service log based on the reference service log includes: taking the service running log to be subjected to security management as the first service running log and taking the reference service running log as the second service running log; or, the determining the first service running log based on the service running log to be subjected to security management and the determining the second service running log based on the reference service running log include: obtaining a first visual saliency description of the service running log to be subjected to security management, and taking the first visual saliency description as the first service running log; a second visual saliency description of the reference service log is obtained and is taken as the second service log.
In this way, the service running log to be subjected to security management is used as a first service running log, the reference service running log is used as a second service running log, namely, the target service running log of the service running log to be subjected to security management is obtained directly based on the service running log to be subjected to security management and the reference service running log, and the score of threat of each second service interaction item in the service running log to be subjected to security management, which is represented by the target service running log, is more accurate; the first visual saliency description of the service running log to be subjected to security management is used as the first service running log, the second visual saliency description of the reference service running log is used as the second service running log, namely, the target service running log of the service running log to be subjected to security management is obtained based on the first visual saliency description and the second visual saliency description, so that resource expenditure required by generating the target service running log is reduced, and the timeliness of the security management strategy is improved.
For some solutions that may be implemented independently, for each of the third service interactions, determining a score of the third service interaction according to a degree of commonality between the plurality of target service interactions and the third service interaction, respectively, includes: determining a maximum degree of commonality among the degrees of commonality between the plurality of target service interactions respectively and the third service interaction; and determining the score of the third service interaction item according to the maximum commonality degree.
In this way, the score of the third service interaction item is determined based on the maximum degree of commonality among the degrees of commonality between the plurality of target service interaction items and the third service interaction item, respectively, so that the reliability of whether the second service interaction items represented by the target service operation log have threats can be improved.
For some solutions that may be implemented independently, for each third service interaction item in the first service running log, determining, from the second service running log, a plurality of target service interaction items corresponding to the third service interaction item includes: for each third service interaction item in the first service running log, determining a target fourth service interaction item with a corresponding relation with the third service interaction item state from a plurality of fourth service interaction items in the second service running log; and determining a plurality of fourth service interactions which have a quantitative difference smaller than a first quantitative difference judgment value from the target fourth service interactions from the plurality of fourth service interactions of the second service operation log, and taking the determined fourth service interactions as the target service interactions.
In this way, the target service interaction items are determined through the setting of the first quantitative difference determination value, so that the target service operation log is determined from the difference between each target service interaction item and the corresponding third service interaction item, further weakening the interference that various kinds of noise cause to threat analysis of the service operation log to be processed.
For some solutions that can be implemented independently, for each of the third service interactions, the following steps are used to determine the degree of commonality between each target service interaction and the third service interaction: based on the state of the third service interaction item in the first service operation log and a second quantitative difference judgment value set in advance, obtaining a first local item characteristic corresponding to the third service interaction item; and obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service operation log and the second quantitative difference judgment value; and determining the degree of commonality between each target service interaction item and the third service interaction item according to the first local item characteristic and the second local item characteristic.
In this way, the degree of commonality between the third service interaction item and the target service interaction item is determined by the associated item of the third service interaction item and the associated item of the target service interaction item, so that interference generated by threat analysis of the service log to be processed due to various noises and the like can be reduced.
For some solutions that may be implemented independently, the obtaining the first local item feature corresponding to the third service interaction item based on the state of the third service interaction item in the first service operation log and a second quantitative difference determination value set in advance includes: determining a first interaction item set taking the third service interaction item as a reference and taking the second quantitative difference judging value as a limiting condition in the first service operation log, and obtaining the first local item characteristic according to the third service interaction item in the first service operation log, wherein the third service interaction item is positioned in the first interaction item set; the obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service running log and the second quantitative difference determination value includes: and determining a second interaction item set taking each target service interaction item as a reference and taking the second quantitative difference judging value as a limiting condition in the second service operation log, and obtaining the second local item characteristics according to a fourth service interaction item in the second service operation log, wherein the fourth service interaction item is positioned in the second interaction item set.
For some solutions that may be implemented independently, the obtaining the first local item feature corresponding to the third service interaction item based on the state of the third service interaction item in the first service operation log and a second quantitative difference determination value set in advance includes: determining a target constraint according to the second quantized difference determination value; determining a first associated item set taking the third service interaction item as a standard and taking the determined target constraint as a constraint in the first service operation log, and obtaining the first local item characteristic according to the third service interaction item in the first service operation log, wherein the third service interaction item is positioned in the first associated item set; the obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service running log and the second quantitative difference determination value includes: determining a second association item set taking each target service interaction item as a standard and taking the determined target constraint as a constraint in the second service operation log; and obtaining the second local item characteristic according to a fourth service interaction item in the second service operation log, wherein the fourth service interaction item is positioned in the second association item set.
For some technical solutions that may be implemented independently, for the case in which the first service running log is the service running log to be subjected to security management and the second service running log is the reference service running log, determining the score of the second service interaction item corresponding to the third service interaction item in the service running log to be subjected to security management based on the score of the third service interaction item includes: taking the score of each third service interaction item in the first service running log as the score of the second service interaction item whose state in the service running log to be subjected to security management corresponds to that of the third service interaction item.
For some solutions that may be implemented independently, for a case where the first service running log is the first visual saliency description and the second service running log is the second visual saliency description, determining the score of the second service interaction item corresponding to the third service interaction item in the service running log to be securely managed based on the score of the third service interaction item includes: and determining the score corresponding to each second service interaction item based on the migration transformation instruction between each third service interaction item in the first local item feature and each second service interaction item in the service operation log to be subjected to security management and the score of each third service interaction item in the first local item feature.
In a second aspect, there is provided a security management policy generation apparatus including:
a log acquisition module, used for acquiring a reference service running log and a service running log to be subjected to security management;
the log determining module is used for determining a target service running log corresponding to the service running log to be subjected to the security management according to the reference service running log and the service running log to be subjected to the security management; the security risk index of each first service interaction item in the target service operation log represents the score of threat of the second service interaction item; the second service interaction item is a service interaction item with a corresponding relation between the state in the service operation log to be subjected to security management and the first service interaction item;
and the strategy generation module is used for generating a security management strategy of the service operation log to be subjected to security management according to the target service operation log.
According to the security management policy generation method and device provided by the embodiment of the invention, the target service operation log corresponding to the service operation log to be subjected to security management is generated from the reference service operation log and the service operation log to be subjected to security management; the security risk index of each first service interaction item in the target service operation log is a score indicating whether the second service interaction item in the corresponding state in the service operation log to be subjected to security management poses a threat; the security management policy for the service operation log to be subjected to security management is then determined from the target service operation log, so that the precision and pertinence of the generated security management policy can be ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a security management policy generation method according to an embodiment of the present invention.
Fig. 2 is a block diagram of a security management policy generating device according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a security management policy generation system according to an embodiment of the present invention.
Detailed Description
In order to better understand the above technical solutions, the following detailed description of the technical solutions of the present invention is made by using the accompanying drawings and specific embodiments, and it should be understood that the specific features of the embodiments and the embodiments of the present invention are detailed descriptions of the technical solutions of the present invention, and not limiting the technical solutions of the present invention, and the technical features of the embodiments and the embodiments of the present invention may be combined with each other without conflict.
Referring to fig. 1, a method for generating a security management policy is shown, which may include the following steps 101 to 103.
Step 101: obtaining a reference service running log and a service running log to be subjected to security management.
Step 102: and determining a target service running log corresponding to the service running log to be subjected to the security management according to the reference service running log and the service running log to be subjected to the security management.
In the embodiment of the invention, the security risk index of each first service interaction item in the target service operation log represents the score of threat of the second service interaction item; and the second service interaction item is a service interaction item with a corresponding relation between the state in the service operation log to be subjected to security management and the first service interaction item.
Step 103: and generating a security management policy of the service operation log to be subjected to security management according to the target service operation log.
Further, the above steps 101 to 103 are exemplarily described below.
In the above step 101, the reference service running log is a service running log captured from an online business service item known to be free of risk, and it serves as the baseline for threat analysis of online business service items. The service running log to be subjected to security management is the service running log obtained from the online business service item that is to be subjected to security management. An online business service item may be, for example, a payment service, an office service or a game service.
When threat analysis is performed on an online business service item to be subjected to security management, the type or label of that item may, for example, be obtained first, and the reference service running log corresponding to the item is then fetched, by that type or label, from a reference service running log library deployed in advance. Alternatively, when the library holds no reference service running log for the online business service items to be subjected to security management, a reference online business service item that is not under threat may first be selected from among the plurality of online business service items to be subjected to security management, and the service running log of that reference item may then be obtained as the reference service running log.
The service running log to be subjected to security management may be obtained through a service running log acquisition thread deployed on the threat analysis node, or it may be received from other ports that transmit it.
In step 102, in order to reduce the interference that various error effects and the like cause to the threat analysis process, when determining the target service operation log corresponding to the service operation log to be subjected to security management, the embodiment of the invention lets the security risk index of any first service interaction item in the target service operation log be influenced by the security risk indexes of a plurality of service interaction items in the reference service operation log. Each first service interaction item in the target service operation log thereby represents more accurately the threat score of the second service interaction item with the corresponding relation in the service operation log to be subjected to security management, and a higher-quality security management policy for the service operation log to be subjected to security management is obtained.
The following provides a further implementation manner of determining a target service running log corresponding to a service running log to be subjected to security management based on a reference service running log and the service running log to be subjected to security management.
Step 201: and determining a first service running log based on the service running log to be subjected to security management, and determining a second service running log based on the reference service running log.
In the embodiment of the present invention, for some technical solutions that can be implemented independently, the service running log to be managed safely may be used as a first service running log, and the reference service running log may be used as a second service running log.
On the basis of the above, the process of determining the target service log corresponding to the service log to be securely managed based on the first service log and the second service log may be understood as the process of implementing steps 202 to 203 directly based on the service log to be securely managed and the reference service log to obtain the target service log of the service log to be securely managed.
For some technical solutions that can be implemented independently, a first visual saliency description of a service running log to be subjected to security management can be obtained, and the first visual saliency description is used as the first service running log; a second visual saliency description of the reference service log is obtained and is taken as a second service log.
It may be understood that the process of determining the target service log corresponding to the service log to be securely managed based on the first service log and the second service log refers to performing the process as in steps 202-204 described below for obtaining the target service log of the service log to be securely managed based on the first visual saliency description of the service log to be securely managed and the second visual saliency description of the reference service log.
In some possible embodiments, description mining may be performed on the service log to be securely managed and on the reference service log respectively, for example using an AI model, to obtain the first visual saliency description of the service log to be securely managed and the second visual saliency description of the reference service log.
In still other examples, when threat analysis is performed on a plurality of service running logs to be subjected to security management that belong to a plurality of online business service items of the same type, the reference service running log used for all of them is the same. Only one second visual saliency description therefore needs to be extracted for the reference service running log, and that description can be retained. When threat analysis is then performed on each group of service running logs to be subjected to security management, the existing second visual saliency description of the reference service running log is fetched from the database in which it is retained, and description mining is performed with the description mining network only on the service running logs to be processed, yielding the first visual saliency description of each group.
Step 202: for each third service interaction item in the first service running log, determining a plurality of target service interaction items corresponding to the third service interaction item from the second service running log; the quantitative difference between each target service interaction item and a target fourth service interaction item in the second service running log is smaller than a first quantitative difference judgment value, and the target fourth service interaction item is the fourth service interaction item whose state in the second service running log corresponds to that of the third service interaction item.
In the embodiment of the invention, the first service running log is composed of a plurality of third service interaction items. If the first service running log is the service running log to be securely managed, each third service interaction item in the first service running log has a one-to-one relationship with a second service interaction item in the service running log to be securely managed; if the first service running log is the first visual saliency description of the service running log to be securely managed, each third service interaction item has a one-to-one relationship with a description content in the first visual saliency description.
By the same reasoning, the second service running log is composed of a plurality of fourth service interaction items. If the second service running log is the reference service running log, each fourth service interaction item has a one-to-one relationship with a service interaction item in the reference service running log; if the second service running log is the second visual saliency description of the reference service running log, each fourth service interaction item has a one-to-one relationship with a description content in the second visual saliency description.
Further, an embodiment of the present invention provides an exemplary implementation of determining, for each third service interaction item, the plurality of target service interaction items corresponding to it from the second service running log, including: for each third service interaction item in the first service running log, determining, from the plurality of fourth service interaction items in the second service running log, the target fourth service interaction item whose state corresponds to that of the third service interaction item; and determining, from the plurality of fourth service interaction items of the second service running log, a plurality of fourth service interaction items whose quantitative difference from the target fourth service interaction item is smaller than the first quantitative difference judgment value, and taking the determined fourth service interaction items as the target service interaction items. Illustratively, the quantitative difference between a fourth service interaction item and the target fourth service interaction item may be, for example, a cosine distance or a Euclidean distance.
When the plurality of target service interaction items is determined for each third service interaction item, all fourth service interaction items whose quantitative difference from the target fourth service interaction item is smaller than the first quantitative difference judgment value may be regarded as target service interaction items; alternatively, all such fourth service interaction items may be regarded as pending service interaction items, and the plurality of target service interaction items is then selected from the pending service interaction items according to different sampling policies.
Step 203: for each third service interaction item, determining the score of the third service interaction item according to the degree of commonality between each of the target service interaction items and the third service interaction item.
In actual practice, an exemplary implementation of determining the degree of commonality between each target service interaction item and the third service interaction item may include the following.
Step 301: obtaining a first local item feature corresponding to the third service interaction item based on the state of the third service interaction item in the first service running log and a preset second quantitative difference judgment value; and obtaining a second local item feature corresponding to each target service interaction item based on the state of that target service interaction item in the second service running log and the second quantitative difference judgment value.
In the embodiment of the present invention, the first local item feature corresponding to the third service interaction item may be obtained, for example, as follows: determining, in the first service running log, a first interaction item set that takes the third service interaction item as reference and the second quantitative difference judgment value as limiting condition, and obtaining the first local item feature from the third service interaction items of the first service running log that lie within the first interaction item set. The second local item feature corresponding to each target service interaction item is obtained as follows: determining, in the second service running log, a second interaction item set that takes the target service interaction item as reference and the second quantitative difference judgment value as limiting condition, and obtaining the second local item feature from the fourth service interaction items of the second service running log that lie within the second interaction item set.
Illustratively, the first local item feature and the second local item feature have the same dimension; the first local item feature may be constructed from all third service interaction items within the first interaction item set, and the second local item feature from all fourth service interaction items within the second interaction item set.
Further, the first local item feature may also be formed from only a portion of the third service interaction items within the first interaction item set, and the second local item feature from only a portion of the fourth service interaction items within the second interaction item set. In this case, the state in the first service running log of each third service interaction item in the first local item feature has a one-to-one pairing relationship with the state in the second service running log of each fourth service interaction item in the second local item feature.
In some possible embodiments, in other technical solutions that may be implemented independently, the first local item feature corresponding to the third service interaction item may also be obtained as follows: determining a target constraint according to the second quantitative difference judgment value; determining, in the first service running log, a first associated item set that takes the third service interaction item as standard and the determined target constraint as constraint; and obtaining the first local item feature from the third service interaction items of the first service running log that lie within the first associated item set. The second local item feature corresponding to each target service interaction item is obtained as follows: determining, in the second service running log, a second associated item set that takes the target service interaction item as standard and the determined target constraint as constraint; and obtaining the second local item feature from the fourth service interaction items of the second service running log that lie within the second associated item set.
By the same reasoning, the first local item feature may be composed from all third service interaction items within the first associated item set, and the second local item feature from all fourth service interaction items within the second associated item set.
Further, the first local item feature may be composed from only a portion of the third service interaction items within the first associated item set, and the second local item feature from only a portion of the fourth service interaction items within the second associated item set. In this case, the state in the first service running log of each third service interaction item in the first local item feature has a one-to-one pairing relationship with the state in the second service running log of each fourth service interaction item in the second local item feature.
Step 302: determining the degree of commonality between each target service interaction item and the third service interaction item according to the first local item feature and the second local item feature.
After the degree of commonality (for example, a similarity) between each of the plurality of target service interaction items of a third service interaction item and that third service interaction item has been determined, the maximum degree of commonality among them may, for example, be determined, and the score of the third service interaction item is then determined according to that maximum degree of commonality.
As another example, an average degree of commonality may be determined from the degrees of commonality between the plurality of target service interaction items and the third service interaction item, and the score of the third service interaction item is then determined based on that average.
On the basis of the step 203, the method for determining the target service running log corresponding to the service running log to be securely managed according to the embodiment of the present invention further includes the following.
Step 204: determining, based on the score of the third service interaction item, the score of the second service interaction item corresponding to the third service interaction item in the service running log to be securely managed.
In practical implementation, for the case in which the service running log to be securely managed is used as the first service running log and the reference service running log as the second service running log, a one-to-one relationship exists between the third service interaction items in the first service running log and the second service interaction items in the service running log to be processed; the score of each third service interaction item in the first service running log can therefore be used directly as the score of the second service interaction item whose state in the service running log to be securely managed corresponds to that third service interaction item.
For the case in which the first visual saliency description of the service running log to be securely managed is used as the first service running log and the second visual saliency description of the reference service running log as the second service running log, there is a one-to-one relationship between the third service interaction items of the first service running log and the description contents in the first visual saliency description, and the description contents in the first visual saliency description have a certain migration transformation (mapping) relationship with the second service interaction items in the service running log to be processed; consequently each third service interaction item in the first local item feature and each second service interaction item in the service running log to be securely managed have the same migration transformation relationship. The score corresponding to each second service interaction item can therefore be determined from this migration transformation relationship between the third service interaction items in the first local item feature and the second service interaction items in the service running log to be securely managed, together with the score of each third service interaction item in the first local item feature.
In step 103, generating the security management policy of the service running log to be securely managed according to the target service running log may proceed, for example, as follows. First, the reference service running log and the service running log to be securely managed are used to determine a transitional security management policy of the service running log to be securely managed; the transitional security management policy includes a first likelihood that each second service interaction item in the service running log to be securely managed is threatened. A feature list is then formed from the transitional security management policy, with the same dimension as the service running log to be securely managed; the quantized feature value of any member of the feature list is the likelihood that the second service interaction item corresponding to that member is threatened, and the larger the quantized feature value, the greater that likelihood. In the target service running log, the security risk index of each first service interaction item represents the threat score of the second service interaction item whose state in the service running log to be securely managed corresponds to that first service interaction item; the greater the score, the greater the likelihood that the second service interaction item is threatened. The feature list and the target service running log are then weighted together to obtain the security management policy of the service running log to be securely managed, which includes a second likelihood that each second service interaction item in the service running log to be securely managed is threatened.
In the case where deviation exists in the transitional security management policy, for example where the transitional security management policy indicates that a certain second service interaction item is very likely threatened but the target service running log indicates that it is not threatened at all, the resulting second likelihood of that second service interaction item changes, and the magnitude of the change indicates a reduced likelihood of threat. As another example, if the transitional security management policy indicates that a second service interaction item is very likely threatened and the target service running log also indicates a high likelihood of threat, the change in the second likelihood indicates an increased likelihood of threat. As a further example, if the transitional security management policy indicates that a second service interaction item is threatened and the target service running log indicates an even greater likelihood of threat, the change in the second likelihood indicates a further increase in the likelihood of threat.
As another example, if the transitional security management policy indicates that a second service interaction item is more likely not threatened, but the target service running log indicates that it is more likely threatened, the change in the second likelihood indicates an increased likelihood that the second service interaction item is threatened. Because the security management policy of the service running log to be securely managed is obtained through the target service running log, the precision and pertinence of policy generation can be ensured.
According to the embodiment of the invention, the target service running log corresponding to the service running log to be securely managed is generated from the reference service running log and the service running log to be securely managed; the security risk index of each first service interaction item in the target service running log indicates the threat score of the second service interaction item in the corresponding state in the service running log to be securely managed; the security management policy of the service running log to be securely managed is then determined according to the target service running log, so that the precision and pertinence of policy generation can be ensured.
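As an added worked example (not code from the patent), the following Python implements steps 202-204 with steps 301-302 for the first alternative of claim 2 (the log to be securely managed as the first service running log, the reference log as the second) and the step 103 weighting. The sample logs and their attributes, the Euclidean candidate filter with threshold d1, an index window of radius 1 as the second judgment value, the mapping of commonality to a threat score as 1 minus cosine similarity against a benign reference baseline, and the convex weight alpha are all assumptions, since the patent leaves these choices open.

```python
"""Steps 202-204 / 301-302 and the step 103 weighting, as an added example.
Assumption: the reference log is a benign baseline, so low commonality with
every nearby reference neighbourhood means a high threat score."""
import math
from typing import List

Item = List[float]  # one service interaction item = vector of numeric attributes

# Constructed sample data (assumed, not from the patent). Each item holds
# (error ratio, failed-login ratio) for one time slot; the index is the item's state.
REFERENCE_LOG: List[Item] = [
    [0.02, 0.01], [0.03, 0.02], [0.02, 0.02],
    [0.04, 0.01], [0.03, 0.02], [0.50, 0.02],  # slot 5: known noisy maintenance window
]
MANAGED_LOG: List[Item] = [
    [0.02, 0.01], [0.03, 0.02], [0.02, 0.02],
    [0.04, 0.60], [0.03, 0.02], [0.50, 0.02],  # slot 3: failed-login burst to be scored
]


def euclidean(a: Item, b: Item) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cosine_similarity(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def local_feature(log: List[Item], idx: int, radius: int) -> List[float]:
    """Step 301: concatenate every item whose index lies within `radius` of idx
    (the second judgment value as limiting condition). Positions outside the log
    are zero-padded so that all local features share one dimension."""
    dim = len(log[0])
    feat: List[float] = []
    for k in range(idx - radius, idx + radius + 1):
        feat.extend(log[k] if 0 <= k < len(log) else [0.0] * dim)
    return feat


def target_items(second_log: List[Item], idx: int, d1: float) -> List[int]:
    """Step 202: the target fourth item is the one at the corresponding position;
    the target service interaction items are all fourth items whose Euclidean
    distance from it is below the first judgment value d1."""
    anchor = second_log[idx]
    return [j for j, item in enumerate(second_log) if euclidean(item, anchor) < d1]


def item_score(first_log, second_log, idx, d1, radius, aggregate="max") -> float:
    """Steps 302/203: commonality = cosine similarity of local features; the score
    uses the maximum (claim 3) or the average of the commonality degrees.
    Assumed mapping: threat score = 1 - commonality, clamped to [0, 1]."""
    first_feat = local_feature(first_log, idx, radius)
    sims = [cosine_similarity(first_feat, local_feature(second_log, j, radius))
            for j in target_items(second_log, idx, d1)]
    common = max(sims) if aggregate == "max" else sum(sims) / len(sims)
    return min(1.0, max(0.0, 1.0 - common))


def target_log(managed, reference, d1=0.1, radius=1, aggregate="max") -> List[float]:
    """Step 204: with the managed log as first log, third and second items
    coincide, so each third item's score is the security risk index of the
    second item at the same state."""
    if len(managed) != len(reference):
        raise ValueError("logs must have the same number of interaction items")
    return [item_score(managed, reference, i, d1, radius, aggregate)
            for i in range(len(managed))]


def security_policy(transitional, risk_index, alpha=0.5) -> List[float]:
    """Step 103: weight the transitional policy (first likelihood per item) with
    the target log (risk index per item). Assumption: a convex combination with
    weight alpha; the patent only states that the two are weighted together."""
    if len(transitional) != len(risk_index):
        raise ValueError("feature list dimension must match the managed log")
    return [alpha * p + (1.0 - alpha) * s for p, s in zip(transitional, risk_index)]


if __name__ == "__main__":
    risk = target_log(MANAGED_LOG, REFERENCE_LOG)
    prior = [0.1, 0.1, 0.2, 0.2, 0.1, 0.6]  # constructed transitional policy
    for i, (r, p, f) in enumerate(zip(risk, prior, security_policy(prior, risk))):
        print(f"slot {i}: risk={r:.3f} transitional={p:.2f} final={f:.3f}")
```

Slot 3 receives the highest risk index even though slot 5 has the largest raw values, because slot 5 matches its own reference neighbourhood while slot 3 matches none of the candidate reference neighbourhoods well.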
On the basis of the above, please refer to fig. 2 in combination, there is provided a security management policy generating device 200, which is applied to a security management policy generating system, the device includes:
the log obtaining module 210 is configured to obtain a reference service running log and a service running log to be securely managed;
the log determining module 220 is configured to determine a target service running log corresponding to the service running log to be securely managed according to the reference service running log and the service running log to be securely managed; the security risk index of each first service interaction item in the target service operation log represents the score of threat of the second service interaction item; the second service interaction item is a service interaction item with a corresponding relation between the state in the service operation log to be subjected to security management and the first service interaction item;
The policy generation module 230 is configured to generate, according to the target service running log, a security management policy of the service running log to be securely managed.
On the basis of the above, referring to fig. 3 in combination, a security management policy generation system 300 is provided, comprising a processor 310 and a memory 320 in communication with each other, the processor 310 being configured to read a computer program from the memory 320 and execute it so as to implement the method described above.
On the basis of the above, a computer readable storage medium is also provided, on which a computer program is stored that, when run, implements the above method.
In summary, based on the above scheme, a target service running log corresponding to the service running log to be securely managed is generated from the reference service running log and the service running log to be securely managed; the security risk index of each first service interaction item in the target service running log indicates the threat score of the second service interaction item in the corresponding state in the service running log to be securely managed; the security management policy of the service running log to be securely managed is then determined according to the target service running log, so that the precision and pertinence of policy generation can be ensured.
It should be appreciated that the systems and modules thereof shown above may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may then be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or special purpose design hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such as provided on a carrier medium such as a magnetic disk, CD or DVD-ROM, a programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system of the present invention and its modules may be implemented not only with hardware circuitry such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also with software executed by various types of processors, for example, and with a combination of the above hardware circuitry and software (e.g., firmware).
It should be noted that, the advantages that may be generated by different embodiments may be different, and in different embodiments, the advantages that may be generated may be any one or a combination of several of the above, or any other possible advantages that may be obtained.
While the basic concepts have been described above, it will be apparent to those skilled in the art that the foregoing detailed disclosure is by way of example only and is not intended to be limiting. Although not explicitly described herein, various modifications, improvements and adaptations of the invention may occur to one skilled in the art. Such modifications, improvements, and modifications are intended to be suggested within the present disclosure, and therefore, such modifications, improvements, and adaptations are intended to be within the spirit and scope of the exemplary embodiments of the present disclosure.
Meanwhile, the present invention uses specific words to describe embodiments of the present invention. Reference to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic is associated with at least one embodiment of the invention. Thus, it should be emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various positions in this specification are not necessarily referring to the same embodiment. Furthermore, certain features, structures, or characteristics of one or more embodiments of the invention may be combined as suitable.
Furthermore, those skilled in the art will appreciate that the various aspects of the invention are illustrated and described in the context of a number of patentable categories or circumstances, including any novel and useful procedures, machines, products, or materials, or any novel and useful modifications thereof. Accordingly, aspects of the invention may be performed entirely by hardware, entirely by software (including firmware, resident software, micro-code, etc.) or by a combination of hardware and software. The above hardware or software may be referred to as a "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the invention may take the form of a computer product, comprising computer-readable program code, embodied in one or more computer-readable media.
The computer storage medium may contain a propagated data signal with the computer program code embodied therein, for example, on a baseband or as part of a carrier wave. The propagated signal may take on a variety of forms, including electro-magnetic, optical, etc., or any suitable combination thereof. A computer storage medium may be any computer readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated through any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or a combination of any of the foregoing.
The computer program code necessary for operation of portions of the present invention may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, etc., a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, dynamic programming languages such as Python, Ruby and Groovy, or other programming languages. The program code may execute entirely on the user's computer or as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any form of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or the use of services such as software as a service (SaaS) in a cloud computing environment.
Furthermore, the order in which the elements and sequences are presented, the use of numerical letters, or other designations are used in the invention is not intended to limit the sequence of the processes and methods unless specifically recited in the claims. While certain presently useful inventive embodiments have been discussed in the foregoing disclosure, by way of example, it is to be understood that such details are merely illustrative and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements included within the spirit and scope of the embodiments of the invention. For example, while the system components described above may be implemented by hardware devices, they may also be implemented solely by software solutions, such as installing the described system on an existing server or mobile device.
Similarly, it should be noted that in order to simplify the description of the present disclosure and thereby aid in understanding one or more inventive embodiments, various features are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not intended to imply that the claimed invention requires more features than are recited in the claims. Indeed, the claimed invention may have fewer than all of the features of a single embodiment disclosed above.
In some embodiments, numbers describing the components or the number of attributes are used, it being understood that such numbers used in the description of embodiments are modified in some examples by the modifier "about," "approximately," or "substantially." Unless otherwise indicated, "about," "approximately," or "substantially" indicates that the number allows for adaptive variation. Accordingly, in some embodiments, numerical parameters set forth in the specification and claims are approximations that may vary depending upon the desired properties sought to be obtained by the individual embodiments. In some embodiments, the numerical parameters should take into account the specified significant digits and employ a method for preserving the general number of digits. Although the numerical ranges and parameters set forth herein are approximations in some embodiments for use in determining the breadth of the range, in particular embodiments the numerical values set forth herein are as precise as possible.
Each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited herein is hereby incorporated by reference in its entirety. Except for the application history file that is inconsistent or conflicting with this disclosure, the file (currently or later attached to this disclosure) that limits the broadest scope of the claims of this disclosure is also excluded. It is noted that the description, definition, and/or use of the term in the appended claims controls the description, definition, and/or use of the term in this invention if there is a discrepancy or conflict between the description, definition, and/or use of the term in the appended claims.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present invention. Other variations are also possible within the scope of the invention. Thus, by way of example, and not limitation, alternative configurations of embodiments of the invention may be considered in keeping with the teachings of the invention. Accordingly, the embodiments of the present invention are not limited to the embodiments explicitly described and depicted herein.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the invention are to be included in the scope of the claims of the present invention.

Claims (9)

1. A security management policy generation method, comprising:
obtaining a reference service running log and a service running log to be subjected to security management;
determining a target service running log corresponding to the service running log to be subjected to security management according to the reference service running log and the service running log to be subjected to security management; the security risk index of each first service interaction item in the target service operation log represents the score of threat of the second service interaction item; the second service interaction item is a service interaction item with a corresponding relation between the state in the service operation log to be subjected to security management and the first service interaction item;
generating a security management policy of the service operation log to be subjected to security management according to the target service operation log;
the determining, according to the reference service running log and the service running log to be securely managed, a target service running log corresponding to the service running log to be securely managed includes:
determining a first service running log based on the service running log to be subjected to security management, and determining a second service running log based on the reference service running log;
For each third service interaction item in the first service operation log, determining a plurality of target service interaction items corresponding to the third service interaction item from the second service operation log; the quantitative difference between the target service interaction items and a target fourth service interaction item in the second service running log is smaller than a first quantitative difference judgment value, wherein the target fourth service interaction item is a fourth service interaction item with a corresponding relation between a state in the second service running log and the third service interaction item;
for each third service interaction item, determining a score of the third service interaction item according to the degree of commonality between the target service interaction items and the third service interaction item respectively;
and determining the score of the second service interaction item corresponding to the third service interaction item in the service operation log to be subjected to the security management based on the score of the third service interaction item.
2. The method of claim 1, wherein,
the determining a first service running log based on the service running log to be subjected to security management and determining a second service running log based on the reference service running log comprises: taking the service running log to be subjected to security management as the first service running log and taking the reference service running log as the second service running log;
or alternatively,
the determining a first service running log based on the service running log to be subjected to security management and determining a second service running log based on the reference service running log comprises: obtaining a first visual saliency description of the service running log to be subjected to security management, and taking the first visual saliency description as the first service running log; and obtaining a second visual saliency description of the reference service running log, and taking the second visual saliency description as the second service running log.
3. The method of claim 2, wherein, for each third service interaction item, determining the score of the third service interaction item according to the degree of commonality between the target service interaction items and the third service interaction item respectively comprises:
determining a maximum degree of commonality among the degrees of commonality between the target service interaction items and the third service interaction item respectively; and determining the score of the third service interaction item according to the maximum degree of commonality.
4. The method of claim 3, wherein, for each third service interaction item in the first service running log, determining a plurality of target service interaction items corresponding to the third service interaction item from the second service running log comprises:
for each third service interaction item in the first service running log, determining, from a plurality of fourth service interaction items in the second service running log, a target fourth service interaction item whose state has a corresponding relation with the state of the third service interaction item;
and determining, from the plurality of fourth service interaction items of the second service operation log, a plurality of fourth service interaction items whose quantitative difference from the target fourth service interaction item is smaller than the first quantitative difference judgment value, and taking the determined fourth service interaction items as the target service interaction items.
5. The method of claim 4, wherein, for each third service interaction item, the degree of commonality between each target service interaction item and the third service interaction item is determined by:
based on the state of the third service interaction item in the first service operation log and a second quantitative difference judgment value set in advance, obtaining a first local item characteristic corresponding to the third service interaction item;
obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service operation log and the second quantitative difference judgment value;
and determining the degree of commonality between each target service interaction item and the third service interaction item according to the first local item feature and the second local item feature.
6. The method of claim 5, wherein the obtaining the first local item feature corresponding to the third service interaction item based on the state of the third service interaction item in the first service operation log and a second quantitative difference judgment value set in advance includes: determining, in the first service operation log, a first interaction item set that takes the third service interaction item as a reference and the second quantitative difference judgment value as a limiting condition, and obtaining the first local item feature according to the third service interaction items in the first service operation log that are located in the first interaction item set;
the obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service running log and the second quantitative difference determination value includes: and determining a second interaction item set taking each target service interaction item as a reference and taking the second quantitative difference judging value as a limiting condition in the second service operation log, and obtaining the second local item characteristics according to a fourth service interaction item in the second service operation log, wherein the fourth service interaction item is positioned in the second interaction item set.
7. The method of claim 5, wherein the obtaining the first local item feature corresponding to the third service interaction item based on the state of the third service interaction item in the first service operation log and a second quantitative difference judgment value set in advance includes: determining a target constraint according to the second quantitative difference judgment value; determining, in the first service operation log, a first associated item set that takes the third service interaction item as a standard and the determined target constraint as a constraint, and obtaining the first local item feature according to the third service interaction items in the first service operation log that are located in the first associated item set;
the obtaining a second local item feature corresponding to each target service interaction item according to the state of each target service interaction item in the second service running log and the second quantitative difference determination value includes: determining a second association item set taking each target service interaction item as a standard and taking the determined target constraint as a constraint in the second service operation log; and obtaining the second local item characteristic according to a fourth service interaction item in the second service operation log, wherein the fourth service interaction item is positioned in the second association item set.
8. The method of claim 2, wherein for the case that the first service log is the service log to be securely managed and the second service log is the reference service log, the determining the score of the second service interaction item corresponding to the third service interaction item in the service log to be securely managed based on the score of the third service interaction item comprises:
the scoring of each third service interaction item in the first service running log is used as the scoring of the second service interaction item with the corresponding relation between the state in the service running log to be subjected to the security management and the third service interaction item;
wherein, for the case that the first service running log is the first visual saliency description and the second service running log is the second visual saliency description, the determining the score of the second service interaction item corresponding to the third service interaction item in the service running log to be safely managed based on the score of the third service interaction item includes:
and determining the score corresponding to each second service interaction item based on migration transformation instructions between each third service interaction item in the first local item feature and each second service interaction item in the service operation log to be subjected to security management and the score of each third service interaction item in the first local item feature.
9. A security management policy generation apparatus, comprising:
a log acquisition module, used for acquiring a reference service running log and a service running log to be subjected to security management;
the log determining module is used for determining a target service running log corresponding to the service running log to be subjected to the security management according to the reference service running log and the service running log to be subjected to the security management; the security risk index of each first service interaction item in the target service operation log represents the score of threat of the second service interaction item; the second service interaction item is a service interaction item with a corresponding relation between the state in the service operation log to be subjected to security management and the first service interaction item;
the policy generation module is used for generating a security management policy of the service operation log to be subjected to security management according to the target service operation log;
the determining, according to the reference service running log and the service running log to be securely managed, a target service running log corresponding to the service running log to be securely managed includes:
determining a first service running log based on the service running log to be subjected to security management, and determining a second service running log based on the reference service running log;
for each third service interaction item in the first service operation log, determining a plurality of target service interaction items corresponding to the third service interaction item from the second service operation log; the quantitative difference between the target service interaction items and a target fourth service interaction item in the second service running log is smaller than a first quantitative difference judgment value, wherein the target fourth service interaction item is a fourth service interaction item with a corresponding relation between a state in the second service running log and the third service interaction item;
for each third service interaction item, determining a score of the third service interaction item according to the degree of commonality between the target service interaction items and the third service interaction item respectively;
and determining the score of the second service interaction item corresponding to the third service interaction item in the service operation log to be subjected to the security management based on the score of the third service interaction item.
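As an added illustration, not code from the patent or its applicant: one concrete reading of the scoring procedure in claims 1, 3, 4 and 6. It assumes that each interaction item has a "state" (an operation name) and one numeric attribute over which the quantitative difference is measured, that a local item feature is the set of states within the second judgment value of an item, and that the degree of commonality is Jaccard similarity; the patent fixes none of these, and the sample logs are constructed.

```python
from dataclasses import dataclass

# Assumed item model (not the patent's definition): a state plus one numeric
# attribute over which the "quantitative difference" is measured.
@dataclass(frozen=True)
class Item:
    state: str
    position: int

def local_feature(log, center, second_threshold):
    """Claim 6 reading: states of the items whose quantitative difference from
    `center` is within the second judgment value (assumed window semantics)."""
    return {it.state for it in log
            if abs(it.position - center.position) <= second_threshold}

def commonality(feature_a, feature_b):
    """Degree of commonality, assumed here to be Jaccard similarity."""
    union = feature_a | feature_b
    return len(feature_a & feature_b) / len(union) if union else 1.0

def target_items(reference, item, first_threshold):
    """Claim 4 reading: the target fourth item is the first reference item with
    an equal state; the target items are all reference items whose quantitative
    difference from it is below the first judgment value."""
    anchors = [r for r in reference if r.state == item.state]
    if not anchors:          # state never occurs in the reference log
        return []
    anchor = anchors[0]
    return [r for r in reference
            if abs(r.position - anchor.position) < first_threshold]

def score_log(to_manage, reference, first_threshold, second_threshold):
    """Claims 1 and 3: each item's score is the maximum commonality between its
    local feature and those of its target items; no targets gives 0.0."""
    scores = {}
    for item in to_manage:
        own = local_feature(to_manage, item, second_threshold)
        best = 0.0
        for target in target_items(reference, item, first_threshold):
            other = local_feature(reference, target, second_threshold)
            best = max(best, commonality(own, other))
        scores[item] = best
    return scores

# Constructed sample logs: the managed log repeats the reference sequence
# except for one operation that never appears in the reference.
REFERENCE_LOG = [Item("login", 0), Item("query", 1),
                 Item("write", 2), Item("logout", 3)]
MANAGED_LOG = [Item("login", 0), Item("query", 1),
               Item("drop_table", 2), Item("logout", 3)]

if __name__ == "__main__":
    for item, score in score_log(MANAGED_LOG, REFERENCE_LOG, 2, 1).items():
        print(f"{item.state:<10} score={score:.3f}")
```

The claims leave the mapping from these scores to a security management policy unspecified, so the block stops at the per-item score; the item with no counterpart in the reference log is the one that receives the minimum score.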
CN202111059906.7A 2021-09-10 2021-09-10 Security management policy generation method and device Active CN113918985B (en)
Publications (2)

Publication Number Publication Date
CN113918985A CN113918985A (en) 2022-01-11
CN113918985B true CN113918985B (en) 2023-07-18

Family

ID=79234449
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant