CN116506157A - Security protection method and system for micro-application architecture - Google Patents


Info

Publication number: CN116506157A
Authority: CN (China)
Prior art keywords: access request, trust, access, user, message
Legal status: Pending
Application number: CN202310286839.5A
Other languages: Chinese (zh)
Inventors: 王利斌, 宋洁, 尹琴, 赵新建, 张颂, 陈石, 徐晨维, 袁国泉, 刘晓蕾, 李宁, 冯磊, 林寅伟
Current assignee: State Grid Siji Network Security Beijing Co ltd; State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd; State Grid Jiangsu Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original assignee: same as current assignee
Application filed by State Grid Siji Network Security Beijing Co ltd, State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, State Grid Jiangsu Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The application provides a security protection method and system for a micro-application architecture. Message data and trust evaluation index values are obtained from the information of a client's access request and from the access attribute data obtained by parsing the token of the access request. The message data are then analyzed to obtain a message security state. Next, the user trust is obtained from the trust evaluation index value and the message security state, and whether to grant the client access authority is determined according to the user trust. Finally, whether the access request meets a risk early warning condition is determined according to the message security state and the user trust degree, so as to complete security protection during the client's access and reduce security risk.

Description

Security protection method and system for micro-application architecture
Technical Field
The application relates to the technical field of network security, in particular to a security protection method and system for a micro-application architecture.
Background
With the increasing demand of power businesses for flexible and fast operation and maintenance, the micro-application architecture has become an important carrier for the company's mobile business. Service design under the micro-application architecture is more fine-grained and produces more independent micro-service processes, so every micro-application call needs authentication. Different micro-service applications have different access authority levels, and a user must be authenticated before accessing a service to ensure system security; the user is authorized to access the service only after authentication passes.
The micro-application access process may involve multiple service nodes, which makes access management harder than for traditional power mobile applications. The power mobile micro-application therefore faces a series of security problems such as unauthorized access (privilege overreach), injection and hijacking, which also readily lead to leakage of sensitive data and users' personal privacy. Existing interaction-layer intrusion detection systems (IDS) and intrusion prevention systems (IPS) can monitor network behavior and raise alarms and early warnings when suspicious transmissions are found. However, since these are externally developed third-party platforms, they bring compatibility problems with the original system as well as security risks.
Disclosure of Invention
In view of the foregoing, the present application is directed to a security protection method and system for a micro-application architecture.
Based on the above objects, the first aspect of the present application provides a security protection method for a micro-application architecture, which includes:
receiving an access request sent by a client, and analyzing a token of the access request to obtain access attribute data;
obtaining message data and trust evaluation index value according to the information of the access request and the access attribute data;
obtaining a message security state according to the message data;
obtaining user trust according to the trust evaluation index value and the message security state, and determining whether to grant the access right to the client according to the user trust;
determining whether the access request meets a risk early warning condition according to the message security state and the user trust level;
and responding to the access permission granted to the client and the access request not meeting the risk early warning condition, and returning a response request corresponding to the access request to the client.
In a second aspect of the present application, a security protection system facing to a micro-application architecture is provided, including a server, a gateway module, a message parsing module, an authorization authentication module and a risk early warning module;
the gateway module is configured to receive an access request sent by a client and analyze a token of the access request to obtain access attribute data;
the gateway module is configured to obtain message data and trust evaluation index value according to the information of the access request and the access attribute data;
the gateway module is configured to send the message data to the message analysis module so that the message analysis module obtains a message security state according to the message data;
The gateway module is configured to send the trust evaluation index value and the message security state to the authorization authentication module, so that the authorization authentication module obtains user trust according to the trust evaluation index value and the message security state, and determines whether to grant the access right to the client according to the user trust;
the gateway module is configured to send the message security state and the user trust level to the risk early-warning module, so that the risk early-warning module determines whether the access request meets a risk early-warning condition according to the message security state and the user trust level;
the gateway module is configured to send the access request to the server in response to the grant of the access right to the client and the access request not meeting a risk early warning condition, so that the server returns a response request corresponding to the access request to the client.
From the above it can be seen that the security protection method and system for a micro-application architecture provided by the present application obtain the message data and the trust evaluation index value from the information of the client's access request and the access attribute data obtained by parsing the token of the access request. The message data are then analyzed to obtain the message security state. Next, the user trust is obtained from the trust evaluation index value and the message security state, and whether to grant the client access authority is determined according to the user trust. Finally, whether the access request meets the risk early warning condition is determined according to the message security state and the user trust degree, so as to complete security protection during the client's access and reduce security risk.
Drawings
In order to more clearly illustrate the technical solutions of the present application or related art, the drawings that are required to be used in the description of the embodiments or related art will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 shows a schematic diagram of an architecture of an exemplary micro-application architecture oriented security protection system 100 in accordance with an embodiment of the present application.
Fig. 2 illustrates a flow chart of an authentication process of an exemplary micro-application architecture oriented security protection method according to an embodiment of the present application.
Fig. 3 illustrates a flow chart of an exemplary micro-application architecture oriented security protection method 300 in accordance with an embodiment of the present application.
Fig. 4 shows a more specific hardware structure of the electronic device according to the present embodiment.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in embodiments of the present application, do not denote any order, quantity, or importance, but are used to distinguish one element from another. The words "comprising" or "comprises", and the like, mean that the elements or items preceding the word include the elements or items listed after the word and their equivalents, but do not exclude other elements or items. The term "connected," and the like, is not limited to physical or mechanical connections but may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may change when the absolute position of the object described changes.
As described in the background, existing IDS and IPS systems can monitor network behavior and issue alarms and early warnings when suspicious transmissions are discovered, but because they belong to an externally developed third party platform, there are problems with compatibility with the original system and security risks. In addition, the complexity, the operation difficulty and the transmission delay of the system are increased, and the flexible characteristic and the rapid development and operation characteristic of the micro-application are weakened.
In view of this, the embodiments of the present application provide a security protection method and system for a micro-application architecture. In the method, message data and trust evaluation index values are obtained from the information of the client's access request and from the access attribute data obtained by parsing the access request token. The message data are then analyzed to obtain the message security state. Next, the user trust is obtained from the trust evaluation index value and the message security state, and whether to grant the client access authority is determined according to the user trust. Finally, whether the access request meets the risk early warning condition is determined according to the message security state and the user trust degree, so as to complete security protection during the client's access and reduce security risk.
Fig. 1 shows a schematic diagram of an architecture of an exemplary micro-application architecture oriented security protection system 100 in accordance with an embodiment of the present application.
The micro-application architecture oriented security protection system 100 may include a server for providing corresponding services. The server may further include a micro-service cluster (e.g., server), an API (Application Programming Interface, application program interface) gateway module, a message parsing module, an authorization authentication module, and an early warning module.
API gateway module: the unified access point exposed by the backend application. All API calls enter through the API gateway layer, and the gateway provides unified access to and output from the APIs. In some embodiments, the API gateway is developed on top of the open source project Spring Cloud Gateway, and functions such as authentication, authorization and logging are implemented by extending the corresponding services. Flow control and forwarding refer to the API gateway's traffic-control and request-forwarding functions, which are basic functions of an API gateway. Request forwarding means that requests and responses can be passed between the various modules; flow control means limiting incoming requests when too many users overload the system.
Message analysis module: comprises a feature extraction function, a model training function and a behavior judgment function. In the power mobile micro-application scenario, a large number of service API interfaces are exposed on the network and accessed by a large number of terminal devices over public or private protocols, and an effective security-sensing means for monitoring access to these interfaces is lacking. In some embodiments, during the exchange of API-level data, the protocol data are analyzed, a neural network model for the analysis is built, features are extracted from message segments, anomaly judgment is performed on the accessed message, and the corresponding result is output for use in the subsequent analysis of the authorization authentication and early warning modules.
And an authorization and authentication module: including an attribute extraction function, a trust calculation function, and a role authority function. Under the power mobile micro application scene in the micro service architecture, when the environment where a user is located continuously changes, the safety of power system resources is difficult to ensure. In some embodiments, continuous monitoring of environment resources and mobile micro-application host-client behaviors by the terminal side and the service side is required, and dynamic continuous evaluation of the user and adjustment of the corresponding authority of the user are required. A trust-based mobile micro-application dynamic multi-level access control model is provided, and the trust degree is used as a dynamic attribute to realize dynamic trust perception and dynamic authority adjustment based on a role and attribute access control model.
Risk early warning module: the risk early warning system comprises a risk decision function and a risk early warning function. In some embodiments, aiming at the safety risk early warning requirement of the power mobile interconnection service interface, by setting a risk threshold value in combination with a risk analysis result, the multi-layer warning of the interface access risk is realized. In combination with the power mobile micro-application background, mobile micro-application risks facing interface level access are evaluated in a semi-quantitative way. In the risk evaluation, the severity (S) of the risk event result is relatively and qualitatively divided into a plurality of stages, the probability (L) of the occurrence of the risk event is also relatively and qualitatively divided into a plurality of stages, the event severity is taken as a column or a row, the probability is taken as a row or a column, and the risk is judged in a matrix mode. The risk level R=L×S, and different early warning modes are set according to the risk level, so that corresponding control measures are adopted for different actual risk conditions.
In the micro-application architecture oriented security protection system 100, an API gateway module may be used to implement the following steps:
the gateway module is configured to receive an access request sent by a client and analyze a token of the access request to obtain access attribute data;
the gateway module is configured to obtain message data and trust evaluation index value according to the information of the access request and the access attribute data;
the gateway module is configured to send the message data to the message analysis module so that the message analysis module obtains a message security state according to the message data;
the gateway module is configured to send the trust evaluation index value and the message security state to the authorization authentication module, so that the authorization authentication module obtains user trust according to the trust evaluation index value and the message security state, and determines whether to grant the access right to the client according to the user trust;
the gateway module is configured to send the message security state and the user trust level to the risk early-warning module, so that the risk early-warning module determines whether the access request meets a risk early-warning condition according to the message security state and the user trust level;
the gateway module is configured to send the access request to the server in response to the grant of the access right to the client and the access request not meeting a risk early warning condition, so that the server returns a response request corresponding to the access request to the client.
As shown in fig. 1, each module in the security protection system 100 facing the micro-application architecture is used to implement the security protection method facing the micro-application architecture according to the embodiment of the present application, and the steps are as follows:
S1, the user (i.e. the client) of the power mobile micro-application enters a user name and password into the system for identity authentication; a successfully authenticated user receives the service access Token returned by the API gateway and can then access the system.
The specific flow is shown in fig. 2, (1) the client sends an application authentication request to the API gateway; (2) The API gateway sends an application authentication request to the self-defined authorization service so that the self-defined authorization service uses a private key to generate Token after verifying the request; if the authentication is successful, (3) the custom authorization service returns an authentication success message (token) to the API gateway; (4) The API gateway returns an authentication success message (token) to the client. When the client carries a token to request to access a service, (5) the client sends a service request (carrying the token) to the API gateway so that the API gateway can verify the token by using the public key, and if the verification fails, the API gateway returns a message of the token verification failure to the client; (6) If the verification is successful, the API gateway sends a service request (carrying parameters parsed from the token) to the protected API; (7) The protected API returns a service reply to the API gateway to cause the API gateway to return the service reply to the client (see step (8) in fig. 2).
The service access Token is a dynamically ageing token designed on the JSON Web Token (JWT) specification. The authorization mechanism is based on the OAuth2 (Open Authorization 2.0) protocol and performs authentication analysis, forwarding and verification of the end user's access request by combining an authorization service with the micro-application service gateway. JWT is an open standard that defines how JSON objects are securely passed between parties. The service access Token is composed like a JWT Token: a header, a message body and a signature. The header specifies the token type and the signature algorithm used (RSA). The message body carries authorization information such as the visitor's credentials. Both the header and the message body are Base64Url-encoded. The specific format of the Token message body is shown in Table 1.
Table 1: token message body structure design
S2, after receiving the access request carrying the Token sent by the client, the API gateway parses the Token carried in the access request to verify whether the Token is valid and to extract the corresponding access attributes. The verification process may include the following steps.
In some embodiments, the API gateway may first determine whether the access request carries a Token, and verify whether the access request is valid, and if the access request satisfies a condition, continue to determine whether a service resource requested by the access request exists; if the condition is not satisfied, the access request is denied.
In some embodiments, the API gateway determines whether the requested service resource exists, if so, continues to parse Token, and forwards attribute data obtained by parsing Token to the authorization module; if not, rejecting the corresponding access request.
The API gateway occupies an important position in the system: it is not only the entrance to the system but also a barrier layer between client and server, and plays a central role in the whole micro-service architecture. The API gateway is the unified access point exposed by the backend application; all API calls are routed to the API gateway layer, which provides unified access and output. The API gateway in the improved model is developed on top of the open source project Spring Cloud Gateway, and functions such as authentication and authorization, request forwarding and logging are implemented by extending the corresponding services.
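The Fig. 2 token flow and the S2 checks above, carried through as an added example (written for this edit, not code from the patent or from State Grid's gateway): the authorization service signs a JWT-style token with its RSA private key, and the gateway verifies it with the public key, rejects requests that carry no token or an invalid or expired one, and checks that the requested resource exists before releasing the parsed attributes. The claim fields, the resource catalogue and the sample user are assumptions, since Table 1 is not reproduced on the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed token body (Table 1 is not on the page): user, role (U3), device (U2), expiry.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Dev  string `json:"dev"`
	Exp  int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken is the authorization service's side of Fig. 2 (steps 2-3): header.body signed with the private key.
func IssueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is the gateway's check in step 5: verify the signature with the public key
// before trusting anything in the body, then check that the token has not aged out.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token verification failed: malformed token")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	raw, errBody := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errBody != nil {
		return nil, errors.New("token verification failed: bad encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("token verification failed: bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, errors.New("token verification failed: bad body")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token verification failed: token expired")
	}
	return &c, nil
}

// Gateway holds the verification key and a constructed catalogue of the protected API resources.
type Gateway struct {
	Pub       *rsa.PublicKey
	Resources map[string]bool
}

// Admit applies step S2 in order: a token must be carried, it must verify, and the requested
// service resource must exist; only then are the parsed attributes returned for the authorization module.
func (g *Gateway) Admit(authHeader, resource string, now time.Time) (*Claims, error) {
	const bearer = "Bearer "
	if !strings.HasPrefix(authHeader, bearer) {
		return nil, errors.New("access request carries no token")
	}
	c, err := VerifyToken(g.Pub, strings.TrimPrefix(authHeader, bearer), now)
	if err != nil {
		return nil, err
	}
	if !g.Resources[resource] {
		return nil, errors.New("requested service resource does not exist")
	}
	return c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	gw := &Gateway{Pub: &priv.PublicKey, Resources: map[string]bool{"/api/meter/read": true}}
	now := time.Now()
	tok, _ := IssueToken(priv, Claims{Sub: "u1001", Role: "operator", Dev: "dev-A", Exp: now.Add(10 * time.Minute).Unix()})
	c, err := gw.Admit("Bearer "+tok, "/api/meter/read", now)
	fmt.Printf("admitted=%+v err=%v\n", c, err)
	_, err = gw.Admit("Bearer "+tok, "/api/unknown", now)
	fmt.Println("unknown resource:", err)
}
```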
S3, combining the corresponding log function in the API gateway module and analyzing the accessed Token attribute, and extracting the message data and the trust evaluation index value.
In some embodiments, the trust evaluation index value obtained by preprocessing comprises a user attribute value, a request attribute value and an object attribute value. First, the user information and the service requested are obtained from the information and access attribute data of the access request. The user attribute value is then determined from the user information, the object attribute value from the service requested by the access request, and the request attribute value from the access request itself.
On this basis, multi-level fine-grained access control based on dynamic trust evaluation is performed. The specific explanation is as follows:
user attribute value: also referred to as a principal attribute, is a relevant attribute of the user that initiated the access request, such as behavior in the power system, where it is located, security permissions, etc.
Request attribute value: attributes associated with the current request, including the source IP (Internet Protocol) address of the request, the communication protocol, the client, whether the message is anomalous, and the type of anomaly.
Object attribute value: also referred to as guest properties, are used to define properties of the power mobile micro-application service, e.g., type, state, location, resource, etc., protected by the access control policy.
In some embodiments, the specific content of the trust evaluation index value is shown in table 2.
Table 2: trust evaluation index value
S4, sending the message data processed in the step S3 to a message analysis module, and carrying out anomaly analysis on the request through a neural network model to obtain the current message security state.
First, data preparation is performed. In some embodiments, an ISCX 2012 dataset and a CIC-IDS 2017 dataset may be used.
Then, data preprocessing is performed. In some embodiments, network traffic elements are extracted from the prepared dataset; this is divided into feature analysis of packets and feature analysis of network flows. The CIC-IDS 2017 dataset contains feature-statistics files that can be used directly as a deep-learning training set, including the source data (PCAP) and network traffic analysis results keyed by timestamp, source and destination IP, source and destination port, protocol and attack label for each flow.
Next, the ISCX 2012 and CIC-IDS 2017 datasets are each divided into sample sets. Using the hold-out method, each dataset is split directly into two mutually exclusive sets, a training set S and a test set T. The model is trained on S, and the test error on T is then used as an estimate of the generalization error.
The neural network model is trained on the partitioned training set. In some embodiments, a Long Short-Term Memory (LSTM) network is used to build the model. The training set S is vectorized using the Embedding layer built into the Keras library, an open source neural network library.
In some embodiments, dropout (a common regularization technique for reducing overfitting in neural networks) is applied both before and after the hidden layer to mitigate overfitting. Finally, a fully connected layer outputs a two-class result, with the sigmoid function as the activation function.
In some embodiments, the loss function uses a cross entropy loss function, and the optimizer uses an Adam gradient optimization algorithm to calculate an update step size, and update the weight parameters to achieve the best training effect.
And carrying out exception analysis on the access request by using the trained neural network model to obtain a message security state.
S5, the API gateway forwards the trust evaluation index value and the message security state to an authorization and authentication module, the authorization and authentication module carries out trust calculation on the obtained different attribute values to obtain the user trust degree of current access, when the trust degree is greater than a set threshold value, the access authority is granted to the user, and otherwise, the request is refused.
First, the trust evaluation index value is numerically normalized. In some embodiments, the user attribute value U (e.g., user device U2 and user role U3 in Table 2), the request attribute value R and the service attribute value S in the trust evaluation index value are numerically normalized to obtain a new user attribute value U′, request attribute value R′ and service attribute value S′, which are the input feature values of the trust calculation. In some embodiments, the normalization is performed as follows:
for percentages and values that are themselves represented in the [0,1] range, they can be converted to forward increasing values by the following formula:
where $a_{ij}$ is the initial data and $e_{ij}$ the normalized data. For example, R3, R4 and S1-S3 in Table 2 can be converted to values in the [0,1] interval by the normalization formula above.
For a particular value within a range, if not within the [0,1] interval, it can be converted into the [0,1] interval according to the following formula:
where $(a_{ij})_{\min}$ and $(a_{ij})_{\max}$ represent the minimum and maximum values in the data, respectively. For example, R5 and R6 in Table 2 can be converted to values in the [0,1] interval by the normalization formula above.
In addition, for the calculation of the user equipment attribute U2, inquiring all the history access equipment of the user through a log and performing word frequency statistics to obtain a Set < (equipment, number of access Count) >. If the current equipment can be found in the Set, taking the ratio of the equipment times to the total access times of the user as an attribute value; if the current device is not in the Set, it is noted as 0.
Finally, because the values of the user role attribute U3, the request access attribute R1, and the communication protocol attribute R2 in table 2 are relatively fixed, static mapping is generally adopted, and the values are mapped into the [0,1] interval.
After the trust evaluation index value is normalized, the weight of the trust evaluation index value (i.e., the weight of each index in it) is calculated. In some embodiments, the weights of the normalized user attribute value U′, request attribute value R′ and service attribute value S′ are determined with the entropy method. The entropy method is mainly used for weighting an index system and is suitable for calculating weights when there are many indexes. Taking the calculation of the weight $\omega_j$ of the j-th index in the user attribute value as an example:
(1) And constructing an index data matrix. Assuming that there are n samples currently, representing n pieces of request information, and there are m indexes in the user attribute, and the weights need to be determined, the following n×m order feature matrix can be used to represent:
wherein X represents an index data matrix, X nm Representing m columns located in the nth row in the matrixIndex data of the position of (a).
(2) And calculating an index specific gravity matrix P. Calculating the proportion p of the j index of normalized indexes to the sum of the indexes ij
And further obtaining a specific gravity matrix P of the data:
(3) Calculating index entropy value e j
Wherein the constant k>0,Ensure 0.ltoreq.e j ≤1。
(4) Calculating index weight omega j
Wherein d j =1-e j The larger the value of the difference coefficient representing the index, the larger the weight.
Finally, the user trust is calculated from the weights. The user's trust may change with every trust calculation; in some embodiments the system considers both the current direct trust and the historical indirect trust, and dynamically adjusts permissions according to the authority range into which the user's comprehensive trust falls, thereby implementing dynamic permission allocation:
(1) Calculate the direct trust. Let T_now denote the user's direct trust. The user attribute value U', request attribute value R' and service attribute value S' obtained by normalization are denoted Sr_i, Sr_j and Sr_k respectively and assigned the corresponding weights ω_i, ω_j and ω_k, each of which is obtained by the weight calculation described above.
The three terms are the trust of the user attributes, the trust of the request attributes and the trust of the object (service) attributes; α, β and γ are their weights, with α + β + γ = 1 and 0 ≤ α, β, γ ≤ 1. The user attribute value contains n evaluation indexes, the request attribute value m and the object attribute value p. (Note that the symbol α is reused below with a different meaning, as the history factor.)
(2) Calculate the indirect trust. Let T_history denote the user's indirect trust, i.e. the weighted average of the previously stored trust values of the user's historical access requests:
where T'_history denotes the trust of one historical access request of the user.
(3) The comprehensive trust is the weighted combination of the direct and indirect trust:
T = αT_history + (1 - α)T_now
where α ∈ [0,1] is the history factor, representing the contribution of the trust of the user's historical access requests to the current trust, and is calculated as follows:
where ρ ∈ [0,1] is the decay rate and μ ∈ [0,1] can be adjusted according to time: the longer the time period (i.e. the longer the session), the smaller μ, which represents a slower overall decay.
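The following Python implementation is an added example, not code from the patent: it carries the normalization, entropy-weight and direct / indirect / composite trust steps above through on constructed data. The function names, the sample matrix, the permission tiers and the exponential form of the history factor (the page names ρ and μ but does not reproduce the formula) are this example's own assumptions; k = 1/ln n is the standard entropy-method constant.

```python
# Added example (not the patent's code): normalization, entropy weights and
# direct / indirect / composite trust.  Function names, the sample matrix,
# the history-factor decay form and the permission tiers are assumptions.
import math


def min_max(column):
    """Min-max normalization into [0,1] (R5, R6 style); a constant column maps to 0."""
    lo, hi = min(column), max(column)
    if hi == lo:
        return [0.0] * len(column)
    return [(a - lo) / (hi - lo) for a in column]


def device_attribute(history, device):
    """U2: share of the user's logged accesses made from this device, 0 if unseen."""
    total = sum(history.values())
    return history.get(device, 0) / total if total else 0.0


def entropy_weights(matrix):
    """Entropy method over an n x m index matrix (rows = requests, cols = indexes).

    p_ij = x_ij / sum_i x_ij;  e_j = -k * sum_i p_ij ln p_ij with k = 1 / ln n;
    d_j = 1 - e_j;  w_j = d_j / sum_j d_j.  An index that is identical across
    all samples has e_j = 1 and therefore weight 0: it cannot discriminate.
    """
    n, m = len(matrix), len(matrix[0])
    if n < 2:
        raise ValueError("entropy weights need at least two samples")
    k = 1.0 / math.log(n)
    d = []
    for j in range(m):
        col = [row[j] for row in matrix]
        total = sum(col)
        p = [x / total for x in col] if total else [1.0 / n] * n  # all-zero column -> uniform
        e = -k * sum(pi * math.log(pi) for pi in p if pi > 0)        # 0 ln 0 := 0
        d.append(max(0.0, 1.0 - e))                                   # clamp rounding noise
    s = sum(d)
    return [dj / s for dj in d] if s else [1.0 / m] * m


def direct_trust(user, req, svc, w_user, w_req, w_svc, alpha, beta, gamma):
    """T_now: weighted sums of the three attribute groups, combined with alpha+beta+gamma = 1."""
    if not math.isclose(alpha + beta + gamma, 1.0):
        raise ValueError("group weights must sum to 1")
    dot = lambda v, w: sum(vi * wi for vi, wi in zip(v, w))
    return alpha * dot(user, w_user) + beta * dot(req, w_req) + gamma * dot(svc, w_svc)


def indirect_trust(history, weights=None):
    """T_history: weighted mean of stored trust values of past requests (uniform if no weights)."""
    if not history:
        return 0.0
    weights = weights or [1.0] * len(history)
    return sum(t * w for t, w in zip(history, weights)) / sum(weights)


def history_factor(rho, mu, elapsed):
    """History factor alpha.  The page gives rho (decay rate) and mu (time adjustment)
    but not the formula; exponential decay of mu by rate rho per elapsed unit is assumed."""
    return mu * (1.0 - rho) ** elapsed


def composite_trust(t_now, t_history, alpha):
    """T = alpha * T_history + (1 - alpha) * T_now."""
    return alpha * t_history + (1.0 - alpha) * t_now


def permission_scope(trust, tiers=((0.8, "full"), (0.5, "limited"))):
    """Dynamic authority: the scope whose (assumed) floor the composite trust reaches."""
    for floor, scope in tiers:
        if trust >= floor:
            return scope
    return "deny"


if __name__ == "__main__":
    # Constructed sample: four past requests, three user indexes (U1, U2, U3).
    samples = [[0.2, 1.0, 0.5], [0.8, 1.0, 0.5], [0.2, 1.0, 0.5], [0.8, 1.0, 0.5]]
    w_user = entropy_weights(samples)          # U2 and U3 never vary -> weight 0
    u2 = device_attribute({"dev-a": 3, "dev-b": 1}, "dev-a")
    t_now = direct_trust([0.8, u2, 0.5], [0.9], [0.7], w_user, [1.0], [1.0], 1/3, 1/3, 1/3)
    t_hist = indirect_trust([0.6, 0.7, 0.9])
    alpha = history_factor(rho=0.2, mu=1.0, elapsed=2)
    t = composite_trust(t_now, t_hist, alpha)
    print(f"weights={w_user} T_now={t_now:.3f} T_history={t_hist:.3f} "
          f"alpha={alpha:.2f} T={t:.3f} scope={permission_scope(t)}")
```

Two practical points the code makes explicit: an index that never varies across the sample set receives zero weight under the entropy method, so a gateway that only ever sees one role or one protocol will silently ignore U3 or R2; and a user with no stored history gets T_history = 0, so the history factor should be kept small for first-time users rather than letting it pull the composite trust down.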
Step S6: the API gateway sends the message security state and the user trust to the risk early-warning module, which performs early-warning judgment on the access request; when the early-warning condition is not met the service responds normally, otherwise the request is subjected to early-warning processing.
(1) Determine the likelihood (L) of risk occurrence.
In some embodiments, the risks that may occur while the micro-application runs are graded from 1 to 5, with five probability intervals for the likelihood of occurrence: extremely low, low, medium, high and higher, as shown in Table 3.
Table 3: Risk likelihood classification table
Risk likelihood L   Probability interval   Quantized score
Extremely low       [0, 10%]               1
Low                 (10%, 30%]             2
Medium              (30%, 55%]             3
High                (55%, 85%]             4
Higher              (85%, 100%]            5
Determine the likelihood that the request gives rise to a risk. From the comprehensive trust T, the higher the comprehensive trust of the user's request, the lower the probability of a risk occurring, so the current risk probability is:
L = 1 - T, 0 ≤ L ≤ 1
Compare against the classification in Table 3, check which interval the current L falls in, and record the corresponding quantized score L_t.
(2) Determine the severity (S) of the risk.
In some embodiments, the severity after a risk occurs is graded from 1 to 5, with five intervals: negligible, minor, moderate, severe and very severe, as shown in Table 4.
Table 4: Risk severity classification table
Risk severity S   Interval        Quantized score
Negligible        [0, 10%]        1
Minor             (10%, 40%]      2
Moderate          (40%, 60%]      3
Severe            (60%, 85%]      4
Very severe       (85%, 100%]     5
Determine the severity of the risk. From the message security state R4, a larger R4 means a safer request and hence a lower severity, so the severity is:
S = 1 - R4, 0 ≤ S ≤ 1
Compare against the classification in Table 4, check which severity interval the current S falls in, and record the corresponding quantized score S_t.
(3) Determine the risk level (R).
The risk is classified in matrix form, with the determined likelihood (L) as the row and the determined severity (S) as the column, giving the interface security risk level R = L × S, as shown in Table 5.
Table 5: Risk level table (R = L × S)
L \ S   1    2    3    4    5
1       1    2    3    4    5
2       2    4    6    8    10
3       3    6    9    12   15
4       4    8    12   16   20
5       5    10   15   20   25
According to Table 5, the interface risk level thresholds are set as follows: the interval [1,4] represents low risk, [5,12] medium risk and [15,25] high risk (no product of two scores from 1 to 5 falls in 13-14, so the three bands cover every cell).
Determine the risk level. Multiply the quantized likelihood score L_t by the quantized severity score S_t to obtain the risk level of this request:
R_t = L_t × S_t, 1 ≤ R_t ≤ 25
Compare R_t with the low, medium and high thresholds set in Table 5 to obtain the risk category.
(4) Risk early warning and handling.
Combining the determined risk level thresholds with the actual operating conditions of the micro-application, the three risk levels (low, medium and high) are mapped to a three-tier handling scheme of notification, early warning and alarm, so that risk events are reported from low risk up to high risk.
Notification informs application operations staff of potential risks for routine attention; early warning indicates a monitored event that operations staff must handle; alarm indicates an event that must be handled immediately.
(5) Perform early-warning judgment on the access request: if the early-warning condition is not met, the service responds normally; otherwise the request is subjected to early-warning processing.
In actual micro-application service operation, an early-warning escalation mechanism is set: when an early warning is not handled, or remains unresolved, beyond a set time limit, it is escalated to the next level, so that the early-warning mode is adjusted dynamically. The transaction set of daily interface access log records is updated in real time, and the risk network model and association rules used for early warning are updated periodically, achieving dynamic optimization of the early-warning model.
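As an added example, not code from the patent, the following Python block runs the whole step S6 chain for a request: the Table 3 and Table 4 grading of L = 1 - T and S = 1 - R4, the Table 5 product R_t = L_t × S_t with its low / medium / high thresholds, the mapping to notification, early warning and alarm, and the escalation of an unhandled warning. The band edges and thresholds are taken from the tables above; the rule that only low-risk requests pass without early-warning processing, the action names and the escalation time limit are assumptions.

```python
# Added example (not the patent's code): Table 3 / Table 4 / Table 5 grading
# and the notify / early-warning / alarm handling with escalation.  Band edges
# and R = L x S thresholds follow the tables; the pass rule, action names and
# escalation time limit are assumptions.

# (upper edge, quantized score); the first band whose edge covers the value applies
LIKELIHOOD_BANDS = [(0.10, 1), (0.30, 2), (0.55, 3), (0.85, 4), (1.00, 5)]  # Table 3
SEVERITY_BANDS = [(0.10, 1), (0.40, 2), (0.60, 3), (0.85, 4), (1.00, 5)]    # Table 4
ACTION = {"low": "notify", "medium": "early_warning", "high": "alarm"}
NEXT_LEVEL = {"notify": "early_warning", "early_warning": "alarm", "alarm": "alarm"}


def _grade(value, bands):
    """Quantized score 1..5 for a value in [0,1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"value {value} outside [0,1]")
    value = round(value, 9)  # 1 - 0.9 = 0.0999...98 must still land in the first band
    for upper, score in bands:
        if value <= upper:
            return score
    return bands[-1][1]


def likelihood_score(trust):
    """L_t from the comprehensive trust T: L = 1 - T."""
    return _grade(1.0 - trust, LIKELIHOOD_BANDS)


def severity_score(msg_security):
    """S_t from the message security state R4: S = 1 - R4."""
    return _grade(1.0 - msg_security, SEVERITY_BANDS)


def risk_category(r):
    """Table 5 thresholds: [1,4] low, [5,12] medium, [15,25] high."""
    if r <= 4:
        return "low"
    if r <= 12:
        return "medium"
    return "high"


def evaluate(trust, msg_security):
    """Full S6 chain for one request: scores, R_t = L_t x S_t, category, action."""
    lt, st = likelihood_score(trust), severity_score(msg_security)
    rt = lt * st
    cat = risk_category(rt)
    return {"L": lt, "S": st, "R": rt, "category": cat, "action": ACTION[cat]}


def meets_early_warning(trust, msg_security):
    """Assumed early-warning condition: anything above low risk.  Low-risk
    requests only raise a notification and the service responds normally."""
    return evaluate(trust, msg_security)["category"] != "low"


def escalate(action, unresolved_for, limit):
    """Escalation mechanism: a warning unhandled or unresolved for longer than
    `limit` (seconds, assumed) moves up one level; alarm is the top level."""
    return NEXT_LEVEL[action] if unresolved_for > limit else action


if __name__ == "__main__":
    # Constructed (T, R4) pairs standing in for three evaluated requests.
    for t, r4 in [(0.9, 0.95), (0.6, 0.5), (0.2, 0.1)]:
        res = evaluate(t, r4)
        print(f"T={t} R4={r4} -> {res}, early warning: {meets_early_warning(t, r4)}")
    print("notify left 1h with 30min limit ->", escalate("notify", 3600, 1800))
```

The rounding in `_grade` matters in practice: 1 - 0.9 is not exactly 0.1 in floating point, and without it a request with trust 0.9 would be graded one band worse than Table 3 intends. The thresholds on the product are the ones the text states; because 7, 11, 13 and 14 cannot occur as products of two scores from 1 to 5, the three bands are exhaustive.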
Step S7: when the client's access request has been granted access rights and no corresponding early warning has been raised, the API gateway forwards the request to the micro-service cluster and returns the successful response data to the corresponding micro-application client.
Fig. 3 illustrates a flow chart of an exemplary micro-application architecture oriented security protection method 300 in accordance with an embodiment of the present application. Method 300 is implemented by security guard system 100 oriented to a micro-application architecture. The method 300 may include the following steps.
In step S302, an access request sent by a client is received, and a token of the access request is parsed to obtain access attribute data.
In some embodiments, it is determined from the access request whether its token is valid and whether the service resource it requests exists;
and in response to the token being valid and the service resource existing, the token of the access request is parsed to obtain the access attribute data.
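The step S302 pre-check, written out as an added example rather than the patent's own code: the token must verify before any claim inside it is read, the requested service resource must exist in a registry, and only then are the access attributes (user, role, device, method, resource) produced. The token format (base64url JSON payload with an HMAC-SHA256 tag), the claim names and the registry contents are assumptions; the page does not specify them.

```python
# Added example (not the patent's code): step S302 as a gateway pre-check.
# Token format (base64url JSON payload + HMAC-SHA256 tag), claim names and
# the service registry are assumptions; the page does not specify them.
import base64
import hashlib
import hmac
import json
import time

SERVICE_REGISTRY = {"/api/meter/read", "/api/meter/write"}  # constructed
REQUIRED_CLAIMS = {"sub", "role", "dev", "exp"}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Gateway-side issuance: payload.tag, tag = HMAC-SHA256(key, payload)."""
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def validate_token(token, key, now=None):
    """Return the claims if the tag verifies and the time window holds, else None.

    The tag is checked before the payload is decoded, so an attacker-controlled
    payload is never parsed, and the comparison is constant-time.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, tag = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(_b64d(payload))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(claims, dict) or not REQUIRED_CLAIMS <= set(claims):
        return None
    if claims["exp"] <= now or claims.get("nbf", 0) > now:
        return None
    return claims


def access_attributes(request, key, now=None):
    """S302: attribute data is produced only for a valid token and an existing
    service resource; otherwise the reason for refusal is returned."""
    claims = validate_token(request.get("token", ""), key, now)
    if claims is None:
        return None, "invalid token"
    path = request.get("path")
    if path not in SERVICE_REGISTRY:
        return None, "unknown service resource"
    attrs = {"user": claims["sub"], "role": claims["role"], "device": claims["dev"],
             "method": request.get("method"), "resource": path}
    return attrs, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real gateway loads this from a secret store
    tok = issue_token({"sub": "u1", "role": "operator", "dev": "dev-a",
                       "exp": time.time() + 300}, key)
    print(access_attributes({"token": tok, "path": "/api/meter/read", "method": "GET"}, key))
    print(access_attributes({"token": tok + "x", "path": "/api/meter/read"}, key))
```

The ordering is the security point: the role and device claims feed U2 and U3 in the trust calculation, so they must come from a token whose integrity has been checked, not from a payload that was decoded first and verified afterwards. The same refusal reason is returned for a bad tag, an expired token and a malformed payload, so the client learns nothing about which check failed.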
In step S304, according to the information of the access request and the access attribute data, message data and trust evaluation index values are obtained.
In some embodiments, obtaining the trust evaluation index value may further comprise:
obtaining user information and service requested by the access request according to the information of the access request and the access attribute data;
determining a user attribute value according to the user information;
determining an object attribute value according to the service requested by the access request;
determining a request attribute value according to the access request;
and taking the user attribute value, the object attribute value and the request attribute value as the trust evaluation index value.
In step S306, a message security state is obtained according to the message data.
In some embodiments, the features of the message data are extracted, and an anomaly analysis is performed on the features to obtain the message security state.
In step S308, a user trust level is obtained according to the trust evaluation index value and the message security state, and whether to grant the access right to the client is determined according to the user trust level.
In some embodiments, the trust evaluation index value is subjected to numerical normalization to obtain a new trust evaluation index value;
calculating the weight of the new trust evaluation index value according to the new trust evaluation index value;
And obtaining the user trust degree according to the weight.
In some embodiments, a direct confidence level is calculated from the weights;
acquiring the trust degree of the historical access request of the client, and acquiring indirect trust degree according to the trust degree of the historical access request;
and weighting and calculating the user trust according to the direct trust and the indirect trust.
In some embodiments, the user trust is calculated by the following formula:
T = αT_history + (1 - α)T_now
where T is the user trust, T_history the indirect trust, T_now the direct trust, and α ∈ [0,1] the history factor.
In some embodiments, an index data matrix is obtained according to the new trust evaluation index value;
obtaining an index proportion matrix according to the index data matrix;
obtaining an index entropy value according to the index proportion matrix;
and obtaining the weight according to the index entropy value.
In step S310, it is determined whether the access request meets a risk early warning condition according to the message security state and the user trust level.
In some embodiments, determining a likelihood of risk occurrence based on the user confidence level;
Determining the severity of the risk according to the message security state;
determining a risk level according to the possibility of occurrence of the risk and the severity of the risk;
and determining whether the access request meets a risk early warning condition according to the risk level.
In step S312, in response to the client being granted access rights and the access request not meeting the risk early warning condition, a response request corresponding to the access request is returned to the client.
It should be noted that, the method of the embodiments of the present application may be performed by a single device, for example, a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present application, and the devices may interact with each other to complete the methods.
It should be noted that some embodiments of the present application are described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same technical concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the security protection method facing the micro-application architecture according to any embodiment when executing the program.
Fig. 4 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, etc., for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs; when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown in the figure) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding security protection method for a micro-application architecture in any of the foregoing embodiments, and has the beneficial effects of the corresponding security protection method embodiment for a micro-application architecture, which are not described herein.
Based on the same technical concept, corresponding to the micro-application architecture-oriented security protection method of any of the above embodiments, the present application further provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the micro-application architecture-oriented security protection method of any of the above embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be any method or technology for information storage. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiments are used to make the computer execute the security protection method for a micro-application architecture according to any one of the foregoing embodiments, and have the beneficial effects of the corresponding security protection method embodiment for a micro-application architecture, which are not described herein.
Based on the same inventive concept, corresponding to the security protection method for micro-application architecture according to any of the above embodiments, the present application further provides a computer program product, which includes computer program instructions. In some embodiments, the computer program instructions may be executable by one or more processors of a computer to cause the computer and/or the processor to perform the micro-application architecture oriented security protection method. Corresponding to the execution subject corresponding to each step in each embodiment of the security protection method facing the micro-application architecture, the processor executing the corresponding step may belong to the corresponding execution subject.
The computer program product of the foregoing embodiments is configured to enable the computer and/or the processor to execute the security protection method for a micro-application architecture according to any one of the foregoing embodiments, and has the beneficial effects of the corresponding security protection method embodiment for a micro-application architecture, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the present application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform on which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Accordingly, any omissions, modifications, equivalents, improvements and/or the like which are within the spirit and principles of the embodiments are intended to be included within the scope of the present application.

Claims (11)

1. A security protection method for a micro-application architecture, comprising:
receiving an access request sent by a client, and analyzing a token of the access request to obtain access attribute data;
obtaining message data and trust evaluation index value according to the information of the access request and the access attribute data;
obtaining a message security state according to the message data;
obtaining user trust according to the trust evaluation index value and the message security state, and determining whether to grant the access right to the client according to the user trust;
Determining whether the access request meets a risk early warning condition according to the message security state and the user trust level;
and responding to the client being granted with the access right and the access request not meeting the risk early warning condition, and returning a response request corresponding to the access request to the client.
2. The method of claim 1, wherein the receiving the access request sent by the client and parsing the token of the access request to obtain access attribute data comprises:
determining whether a token of the access request is valid or not according to the access request, and determining whether a service resource requested by the access request exists or not;
and responding to the fact that the token of the access request is valid and the service resource requested by the access request exists, and analyzing the token of the access request to obtain the access attribute data.
3. The method according to claim 1, wherein the obtaining the message data and the trust evaluation index value according to the information of the access request and the access attribute data includes:
obtaining user information and service requested by the access request according to the information of the access request and the access attribute data;
Determining a user attribute value according to the user information;
determining an object attribute value according to the service requested by the access request;
determining a request attribute value according to the access request;
and taking the user attribute value, the object attribute value and the request attribute value as the trust evaluation index value.
4. The method according to claim 1, wherein the obtaining the message security status according to the message data includes:
extracting the characteristics of the message data, and carrying out exception analysis on the characteristics so as to obtain the message security state according to the exception analysis result.
5. The method of claim 1, wherein the obtaining the user confidence level according to the trust evaluation index value and the message security state comprises:
performing numerical normalization processing on the trust evaluation index value to obtain a new trust evaluation index value;
calculating the weight of the new trust evaluation index value according to the new trust evaluation index value;
and obtaining the user trust degree according to the weight.
6. The method of claim 5, wherein the obtaining the user confidence level according to the weight comprises:
Calculating the direct trust according to the weight;
acquiring the trust degree of the historical access request of the client, and acquiring indirect trust degree according to the trust degree of the historical access request;
and weighting and calculating the user trust according to the direct trust and the indirect trust.
7. The method of claim 6, wherein said weighting said user confidence level based on said direct confidence level and said indirect confidence level comprises:
the user confidence level is calculated by the following formula:
T = αT_history + (1 - α)T_now
wherein T is the user trust, T_history is the indirect trust, T_now is the direct trust, and α ∈ [0,1] is a history factor.
8. The method of claim 5, wherein calculating the weight of the new trust evaluation index value from the new trust evaluation index value comprises:
obtaining an index data matrix according to the new trust evaluation index value;
obtaining an index proportion matrix according to the index data matrix;
obtaining an index entropy value according to the index proportion matrix;
and obtaining the weight according to the index entropy value.
9. The method of claim 1, wherein determining whether the access request satisfies a risk pre-warning condition based on the message security status and the user confidence level comprises:
Determining the possibility of risk occurrence according to the user trust level;
determining the severity of the risk according to the message security state;
determining a risk level according to the possibility of occurrence of the risk and the severity of the risk;
and determining whether the access request meets a risk early warning condition according to the risk level.
10. The security protection system facing the micro-application architecture is characterized by comprising a server, a gateway module, a message analysis module, an authorization authentication module and a risk early warning module;
the gateway module is configured to receive an access request sent by a client and analyze a token of the access request to obtain access attribute data;
the gateway module is configured to obtain message data and trust evaluation index value according to the information of the access request and the access attribute data;
the gateway module is configured to send the message data to the message analysis module so that the message analysis module obtains a message security state according to the message data;
the gateway module is configured to send the trust evaluation index value and the message security state to the authorization authentication module, so that the authorization authentication module obtains user trust according to the trust evaluation index value and the message security state, and determines whether to grant the access right to the client according to the user trust;
The gateway module is configured to send the message security state and the user trust level to the risk early-warning module, so that the risk early-warning module determines whether the access request meets a risk early-warning condition according to the message security state and the user trust level;
the gateway module is configured to send the access request to the server in response to the grant of the access right to the client and the access request not meeting a risk early warning condition, so that the server returns a response request corresponding to the access request to the client.
11. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 9.
CN202310286839.5A 2023-03-22 2023-03-22 Security protection method and system for micro-application architecture Pending CN116506157A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310286839.5A CN116506157A (en) 2023-03-22 2023-03-22 Security protection method and system for micro-application architecture

Publications (1)

Publication Number Publication Date
CN116506157A true CN116506157A (en) 2023-07-28

Family

ID=87327450

Country Status (1)

Country Link
CN (1) CN116506157A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination