CN116561743A - Business process management method and device, storage medium and electronic equipment - Google Patents
Business process management method and device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN116561743A CN116561743A CN202310520577.4A CN202310520577A CN116561743A CN 116561743 A CN116561743 A CN 116561743A CN 202310520577 A CN202310520577 A CN 202310520577A CN 116561743 A CN116561743 A CN 116561743A
- Authority
- CN
- China
- Prior art keywords
- target
- service
- business process
- business
- target service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 326
- 230000008569 process Effects 0.000 title claims abstract description 300
- 238000007726 management method Methods 0.000 title abstract description 66
- 238000001514 detection method Methods 0.000 claims abstract description 117
- 238000010586 diagram Methods 0.000 claims description 55
- 230000006870 function Effects 0.000 claims description 8
- 239000000725 suspension Substances 0.000 claims description 7
- 238000004590 computer program Methods 0.000 claims description 6
- 230000003993 interaction Effects 0.000 description 8
- 238000012795 verification Methods 0.000 description 7
- 230000000694 effects Effects 0.000 description 6
- 238000012545 processing Methods 0.000 description 6
- 230000002159 abnormal effect Effects 0.000 description 5
- 230000000007 visual effect Effects 0.000 description 5
- 230000008901 benefit Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000012512 characterization method Methods 0.000 description 2
- 238000012797 qualification Methods 0.000 description 2
- 238000012800 visualization Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000005094 computer simulation Methods 0.000 description 1
- 239000000470 constituent Substances 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013479 data entry Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/30—Computing systems specially adapted for manufacturing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a business process management method, a business process management device, a storage medium and electronic equipment, and relates to the field of information security. The method comprises the following steps: acquiring a target service flow chart and operating a target service according to the target service flow chart, wherein the target service flow chart is used for describing a flow for realizing the target service; when the target service starts to run, performing state detection on the running process of the target service through a state machine to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the running process of the target service; and determining a target management strategy of the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing the safety control of the business process. The invention solves the technical problem that the security of the business process is lower because the tamper attack cannot be effectively prevented when the business process is safely managed and controlled in the prior art.
Description
Technical Field
The present invention relates to the field of information security, and in particular, to a method and apparatus for managing a business process, a storage medium, and an electronic device.
Background
There are a large number of various business processes in existing IT applications, some of which are implemented by hard coding and some of which are implemented by Business Process Management (BPM) tool configuration. From the perspective of service bearing end to end, one service flow spans the front end and the back end, and the front end and the back end are required to interact for many times.
At present, in the prior art, service flow coding is mainly performed manually by a developer, a back-end service flow logic code is developed firstly, or a service flow is configured by a BPM flow tool, and a call entry for each interaction is provided for the front end, then a front-end service interaction logic code is developed, coding is required for each interaction process, and finally the front-end and back-end codes are subjected to end-to-end joint debugging, testing and the like of the service flow, so that service security risks are hidden in massive personalized custom code logic, and attack risks such as front-end tamper data attack, front-end verification/front-end operation bypassing and the like are avoided.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a business process management method, a device, a storage medium and electronic equipment, which at least solve the technical problem that the security of the business process is low because tamper attack cannot be effectively prevented when the business process is safely managed and controlled in the prior art.
According to an aspect of an embodiment of the present invention, there is provided a method for managing a business process, including: acquiring a target service flow chart and operating a target service according to the target service flow chart, wherein the target service flow chart is used for describing a flow for realizing the target service; when the target service starts to run, performing state detection on the running process of the target service through a state machine to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the running process of the target service; and determining a target management strategy of the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing the safety control of the business process.
Further, obtaining the target business flow diagram includes: responding to a target operation and a target instruction sent by a target object through a target interface to obtain a service flow chart to be issued, wherein the target operation is a dragging operation on a plurality of service components in a service component library, and the target instruction is a connection instruction on the plurality of service components; and publishing the service flow chart to be published to obtain a target service flow chart.
Further, when the target service starts to run, performing state detection on the running process of the target service through a state machine to obtain a detection result, including: when the target service starts to run, acquiring a code file corresponding to the target service flow chart; determining a circulation path of each business process link of the business process according to the code file, wherein the circulation path is used for representing the circulation condition of each business process link; generating a path diagram corresponding to the business process according to the circulation path of each business process link, wherein the path diagram is used for describing circulation processes of a plurality of business process links; initializing a state machine according to the path diagram, and detecting the state of the running process of the target service through the initialized state machine to obtain a detection result.
Further, initializing the state machine according to the path diagram, including: and initializing a first data structure, a second data structure and a third data structure of the state machine respectively according to the path diagram, wherein the first data structure is used for recording historical business process links of business process execution, the second data structure is used for recording business process links to be executed next in the business process, and the third data structure is used for recording current business process links of business process execution.
Further, the state detection is performed on the running process of the target service through the initialized state machine, so as to obtain a detection result, which comprises the following steps: acquiring a business process link state table, wherein the business process link state table is used for recording the running state of each business process link in the running process of the target business; judging whether the current business process link executed by the business process meets the preset requirement or not according to the initialized state machine and the data in the business process link state table, and obtaining a judging result; and determining a detection result according to the judgment result.
Further, determining a target management policy for the service flow corresponding to the target service according to the detection result, including: if the detection result is that the detection is passed, continuing to execute the target management strategy; if the detection result is that the detection is not passed, taking the suspension flow as a target management strategy.
Further, before the target business flow diagram is acquired, the method further comprises: defining service components according to the specification information of the service components and the specification information of the service flows, and generating a plurality of service components, wherein the specification information of the service components is used for defining standard forms for describing functions of the service components, the specification information of the service flows is used for defining standard forms for describing service flow capacity, and the service flow capacity is the capacity of executable service flows; and generating a service component library according to the plurality of service components.
According to another aspect of the embodiment of the present invention, there is also provided a device for managing a business process, including: the first acquisition module is used for acquiring a target service flow chart and running a target service according to the target service flow chart, wherein the target service flow chart is used for describing a flow for realizing the target service; the first detection module is used for carrying out state detection on the operation process of the target service through a state machine when the target service starts to operate to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the operation process of the target service; the first determining module is used for determining a target management strategy of a business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing safety control of the business process.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is configured to execute the above-described business process management method when run.
According to another aspect of an embodiment of the present invention, there is also provided an electronic device including one or more processors; and a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method for running the program, wherein the program is configured to perform the method of managing a business process as described above when run.
In the embodiment of the invention, a mode of controlling the running state of the business process by a state machine is adopted in the running process of the target business, a target business flow chart is firstly obtained, the target business is run according to the target business flow chart, then when the target business starts to run, the state of the running process of the target business is detected by the state machine to obtain a detection result, and then the target management strategy of the business process corresponding to the target business is determined according to the detection result. The target business flow chart is used for describing a flow for realizing the target business, the detection result is used for representing whether network attack exists in the running process of the target business, and the target management strategy is used for realizing the safety control of the business flow.
In the process, a data base is provided for the operation of the target service by acquiring the target service flow chart; when the target service starts to operate, the state machine is used for detecting the state of the operation process of the target service, so that whether each process link of the operation of the service process of the target service operates according to each step of the target service flow chart can be accurately determined, and therefore, abnormal process links can be found timely, network attacks in the operation process of the target service can be found timely, the operation state of the service process can be managed and controlled, further, the target management strategy of the service process corresponding to the target service can be rapidly determined according to the detection result, the service process can be safely controlled timely, tampering attacks are effectively prevented, loss caused by the fact that certain key process links are not executed due to the tampering attacks is avoided, the safety management efficiency of the service process is improved, and the safety of the service process is improved, so that the stability and reliability of the service operation are improved.
Therefore, through the technical scheme of the invention, the purpose of timely discovering the network attack in the running process of the target service, timely carrying out safety control on the service flow and effectively preventing the falsification attack is achieved, thereby realizing the technical effect of improving the safety of the service flow, and further solving the technical problem that the safety of the service flow is lower because the falsification attack cannot be effectively prevented when the service flow is safely managed and controlled in the prior art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flow chart of an alternative business process management method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a typical business process logical vulnerability security attack;
FIG. 3 is a schematic diagram of a framework of an alternative business process management system according to an embodiment of the present invention;
FIG. 4 is an alternative business process assembly schematic according to an embodiment of the present invention;
FIG. 5 is a flow chart of an alternative business process runtime state machine security control, in accordance with an embodiment of the present invention;
FIG. 6 is a schematic diagram of an alternative loaded business flow diagram in accordance with an embodiment of the present invention;
FIG. 7 is a schematic diagram of path expansion of an alternative business flow diagram in accordance with an embodiment of the present invention;
FIG. 8 is a schematic diagram of an alternative business process state machine data structure, in accordance with an embodiment of the present invention;
FIG. 9 is a schematic diagram of an alternative business component configuration in accordance with an embodiment of the present invention;
FIG. 10 is a schematic diagram of an alternative business process management apparatus according to an embodiment of the present invention;
fig. 11 is a schematic diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present invention are information and data authorized by the user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
Example 1
According to an embodiment of the present invention, there is provided an embodiment of a method of managing a business process, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that herein.
FIG. 1 is a flow chart of an alternative business process management method according to an embodiment of the invention, as shown in FIG. 1, comprising the steps of:
Step S101, a target business flow chart is obtained, and a target business is operated according to the target business flow chart, wherein the target business flow chart is used for describing a flow for realizing the target business.
In the above steps, the target service flow chart may be obtained through an application system, a processor, an electronic device, or the like, optionally, the target service flow chart may be obtained through a service flow management system, and the target service may be operated according to the target service flow chart. Optionally, the target service flow chart includes a plurality of service components and connection relationships between the service components, and when the target service is executed, the target service flow chart is executed according to the service flow in the target service flow chart.
Step S102, when the target service starts to run, the state of the running process of the target service is detected through a state machine to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the running process of the target service.
Optionally, the state machine represents a mathematical computational model of a finite number of states and transitions and actions between these states, in this embodiment, states refer primarily to the operational states of each flow link in the business flow. Optionally, when the target service starts to run, the state machine detects the running process of the target service, so as to obtain a detection result.
Optionally, the detection result may be that the detection is passed or not passed, if the detection result is that the detection is passed, the process links of the service flow operation of the target service are considered to be operated according to the execution sequence of the target service flow chart, that is, the current service flow links executed by the service flow do not have network attack; if the detection result is that the detection is not passed, the flow links of the service flow operation of the target service are not operated according to the execution sequence of the target service flow chart, namely the current service flow links of the service flow execution have network attack.
FIG. 2 is a schematic diagram of a typical business process logical vulnerability security attack, where, as shown in FIG. 2, the security vulnerability is that the monetary benefit service does not check the qualification of the user to participate in the activity again, and an attacker can bypass the procedure link of the activity qualification check by simulating a fake message, and directly call the monetary benefit service to obtain benefits.
It should be noted that, in this embodiment, when the target service starts to operate, the state machine detects the operation process of the target service, so that it can be accurately determined whether each flow link of the operation of the service flow of the target service is operated according to each step of the target service flow chart, so that an abnormal flow link can be found in time, and a network attack in the operation process of the target service can be found in time, thereby realizing management and control of the operation state of the service flow, and improving the security of the service flow.
Step S103, determining a target management strategy of the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing the safety control of the business process.
Optionally, according to the detection result, a target management policy of the service flow corresponding to the target service may be determined, where the target management policy may be to continue execution or suspend the flow. Optionally, if the detection result is that the detection is passed, continuing to execute the target management strategy; if the detection result is that the detection is not passed, taking the suspension flow as a target management strategy.
Based on the above-mentioned schemes defined in steps S101 to S103, it can be known that, in the embodiment of the present invention, a mode of controlling the operation state of the service flow by a state machine is adopted in the operation process of the target service, firstly, a target service flow chart is obtained, the target service is operated according to the target service flow chart, then, when the target service starts to operate, the state of the operation process of the target service is detected by the state machine, a detection result is obtained, and then, a target management policy for the service flow corresponding to the target service is determined according to the detection result. The target business flow chart is used for describing a flow for realizing the target business, the detection result is used for representing whether network attack exists in the running process of the target business, and the target management strategy is used for realizing the safety control of the business flow.
It is easy to notice that in the above process, by acquiring the target service flow chart, a data base is provided for the operation of the target service; when the target service starts to operate, the state machine is used for detecting the state of the operation process of the target service, so that whether each process link of the operation of the service process of the target service operates according to each step of the target service flow chart can be accurately determined, and therefore, abnormal process links can be found timely, network attacks in the operation process of the target service can be found timely, the operation state of the service process can be managed and controlled, further, the target management strategy of the service process corresponding to the target service can be rapidly determined according to the detection result, the service process can be safely controlled timely, tampering attacks are effectively prevented, loss caused by the fact that certain key process links are not executed due to the tampering attacks is avoided, the safety management efficiency of the service process is improved, and the safety of the service process is improved, so that the stability and reliability of the service operation are improved.
Therefore, through the technical scheme of the invention, the purpose of timely discovering the network attack in the running process of the target service, timely carrying out safety control on the service flow and effectively preventing the falsification attack is achieved, thereby realizing the technical effect of improving the safety of the service flow, and further solving the technical problem that the safety of the service flow is lower because the falsification attack cannot be effectively prevented when the service flow is safely managed and controlled in the prior art.
FIG. 3 is a schematic diagram of a framework of an alternative business process management system according to an embodiment of the present invention, and as shown in FIG. 3, mainly includes 3 large modules: unified business process language specification, business process editor, and business process runtime state machine controller.
Optionally, for consistent description of various business processes, a unified business process language is defined, mainly comprising business component specifications and business process specifications.
Optionally, the business process editor mainly comprises business component management, business process assembly and data bus management functions, the business component management mainly achieves the functions of inquiring, searching, information browsing, component offline and the like of an atomic component and a combined component, the construction of a business component library can be achieved through business component management, and when a business process is developed, a developer can directly select a business component from the business component library to assemble according to requirements. Alternatively, business process assembly may be implemented based on H5 (HTML 5) visualization technology, with the constituent elements of the business process mainly including start, enter (data entry), component, solid line, dashed line, exit (result return), end, etc. The service components are connected through lines, wherein a solid line represents synchronous call, a dotted line represents asynchronous call, and the service flow is mainly triggered and executed through a front-end request.
Optionally, the execution logic of the state machine controller during the operation of the business process mainly comprises loading the business process diagram, expanding the business process diagram, initializing a state machine data structure, controlling the state machine safety, checking the safety control result, and outputting the safety risk or the process execution result.
It should be noted that, the state machine controller effectively avoids the risk of falsification attack of input parameters falsification and falsification attack of the business process links, for example, falsification attack of front end artificial initiation falsification request, rule verification of skipping key business process links, etc. by the business process runtime.
In an alternative embodiment, obtaining the target business flow diagram includes: responding to a target operation and a target instruction sent by a target object through a target interface to obtain a service flow chart to be issued, wherein the target operation is a dragging operation on a plurality of service components in a service component library, and the target instruction is a connection instruction on the plurality of service components; and publishing the service flow chart to be published to obtain a target service flow chart.
Optionally, in the process of acquiring the target service flow chart, firstly, responding to target operation and target instruction sent by the target object through the target interface to obtain the service flow chart to be issued. The target object may be a developer, the target interface may be a front-end visual interface of a management system of a service flow, and the service component library is formed by a plurality of service components obtained by performing componentization processing on services of different service types, where each service component corresponds to one service flow link.
Optionally, the developer performs a drag operation on a plurality of service components in the service component library at the front-end visual interface, drags the service components to the arrangement area, and connects each service component according to the execution sequence of each service flow link to arrange the service flow. The back end of the business process management system responds to the dragging operation and the connection instruction, renders the business process to be released on the front end visual interface, and further releases the business process to be released to obtain the target business process.
FIG. 4 is an optional business process assembly schematic diagram according to an embodiment of the invention, as shown in FIG. 4, after the assembly is started, the message is sent after the assembly is started, the message is sent for verification, after the message is sent, the message is successfully sent, the message is verified and the verification result is judged, if the verification is not passed, the message is sent again, if the verification is passed, the user basic information is obtained, and after the assembly is output, the process is ended; and asynchronously calling a client list query service after the component enters the server, carrying out client query judgment, outputting a query failure result and ending by the component when the query fails, querying a user list when the query is successful, carrying out user list query judgment, outputting a query failure result and ending by the component when the query fails, and ending after the query is successful, carrying out user basic information query and outputting a query result by the component.
It should be noted that, by acquiring the target service flow chart, a data base is provided for the operation of the target service.
In an alternative embodiment, when the target service starts to run, the state machine detects the running process of the target service to obtain a detection result, including: when the target service starts to run, acquiring a code file corresponding to the target service flow chart; determining a circulation path of each business process link of the business process according to the code file, wherein the circulation path is used for representing the circulation condition of each business process link; generating a path diagram corresponding to the business process according to the circulation path of each business process link, wherein the path diagram is used for describing circulation processes of a plurality of business process links; initializing a state machine according to the path diagram, and detecting the state of the running process of the target service through the initialized state machine to obtain a detection result.
FIG. 5 is a flow chart of an alternative business process runtime state machine security control, as shown in FIG. 5, wherein the execution logic of the execution engine of the business process runtime state machine controller mainly comprises loading the business process chart, expanding the business process chart, initializing the state machine data structure, state machine security control, checking the security control results, outputting security risks or business process execution results, according to an embodiment of the present invention.
Optionally, when the target service starts to run, the code file corresponding to the target service flow chart is acquired, so that the calling logic of the service flow can be defined. For example, when running after an application is started or a process is published, JSON descriptions (i.e., code files) of business processes are loaded.
Fig. 6 is a schematic diagram of an optional loaded service flow chart according to an embodiment of the present invention, where, as shown in fig. 6, the loaded service flow chart includes a start, an end, and 9 node objects (node 1-node 9), where node1 represents an input parameter binding (i.e. input parameters), node2 represents a call to a short message authentication code sending service (i.e. service is sendMsg), node3 represents a call to an authentication code checking service (i.e. service is checkCode), node4 represents a call to an authentication result judging service (i.e. service is a check result), node5 represents an authentication result is a pass, a call to acquire user list service (i.e. service is sigetuserlist), node6 represents a call to a client information query service (i.e. service is sqallcut), node7 represents a call to acquire detailed information service (i.e. service is sPersonShow), node8 represents an output parameter splicing (i.e. output parameters are output parameters) and node9 represents that the authentication result is a pass.
Further, according to the code file, the circulation path of each business process link of the business process can be determined, so that a path diagram corresponding to the business process can be generated according to the circulation path of each business process link. Specifically, the target business flow chart is expanded, that is, all possible link circulation paths in the target business flow chart are expanded for the node object of each business flow link, so as to obtain a full path chart (that is, a path chart corresponding to the generated business flow) as shown in fig. 7. Specifically, the method for expanding the service flow chart is as follows:
step 1: traversing from the starting node, searching the nearest node of the connecting line, then connecting the starting node with the node next to the starting node to form a path, and firstly establishing a path from Start to node 1.
Step 2: and continuing to search the nearest node of the connection line according to the node1, then connecting the nearest node, and establishing a path from the node1 to the node 2.
Step 3: continuing to search the nearest node3 according to the node2, and establishing a path from the node2 to the node 3.
Step 4: continuing to search the nearest node4 according to the node3, and establishing a path from the node3 to the node 4.
Step 5: continuing to search the nearest nodes of the node4 with the nodes 2, 5 and 9 according to the node4, and establishing paths from the node4 to the nodes 2, 5 and 9.
Step N: and the like, completing the full path expansion of the business flow diagram structure.
Further, the state machine is initialized according to the path diagram, so that the state machine can determine what the correct execution logic of the service flow is, and the state of the running process of the target service can be detected through the initialized state machine, and a detection result can be obtained.
It should be noted that, by acquiring the code file corresponding to the target service flow chart, the calling logic of the service flow can be clarified, and an accurate data basis is provided for generating the path chart corresponding to the service flow subsequently, so that the state machine can be initialized according to the path chart, and the state machine can clarify what the correct execution logic of the service flow is, thereby timely finding out abnormal flow links, timely finding out network attack in the running process of the target service, and realizing management and control of the running state of the service flow.
In an alternative embodiment, initializing the state machine according to the path diagram includes: and initializing a first data structure, a second data structure and a third data structure of the state machine respectively according to the path diagram, wherein the first data structure is used for recording historical business process links of business process execution, the second data structure is used for recording business process links to be executed next in the business process, and the third data structure is used for recording current business process links of business process execution.
Optionally, according to the path diagram, three data structures of the state machine are initialized, respectively: the business process execution link tracking data (namely a first data structure) is used for recording which links the business process has executed; the next executable link state data (namely a second data structure) of the business process is used for recording the next effective executable link of the business process; and the currently executed link state data (namely a third data structure) is used for recording the links which need to be executed currently. Optionally, each data structure adopts a 64-bit integer type, wherein the states of links are represented by bits, the specific data structure is shown in fig. 8, optionally, a circle represents a link which can be executed next, a triangle represents a link which can not be called by a front end to be executed, and a round rectangle represents a common link.
It should be noted that, the first data structure, the second data structure and the third data structure designed in this embodiment greatly reduce the memory requirement, so that the bit operation mode is adopted in the subsequent security verification, and the operation efficiency is improved.
In an alternative embodiment, the state detection is performed on the operation process of the target service through the initialized state machine, so as to obtain a detection result, which includes: acquiring a business process link state table, wherein the business process link state table is used for recording the running state of each business process link in the running process of the target business; judging whether the current business process link executed by the business process meets the preset requirement or not according to the initialized state machine and the data in the business process link state table, and obtaining a judging result; and determining a detection result according to the judgment result.
Optionally, in the process of detecting the running process of the target service through the initialized state machine and obtaining the detection result, firstly, acquiring a service flow link state table, wherein the service flow link state table is dynamically updated in real time according to the execution condition of a flow link, and the service flow link state table is stored in a bit mode and is stored in a 64-bit integer type.
Further, through the initialized state machine and the data in the business process link state table, whether the current business process link executed by the business process meets the preset requirement or not can be judged, and a judgment result is obtained. Specifically, the correct execution logic execution according to the business process meets the preset requirement. When the currently executed business process link is required to be checked to be effective, the state machine can judge whether the currently called process link is legal or not according to the data in the business process link state table. Optionally, the currently executed link state data and the next executable link state data of the business process are subjected to bit-wise and (& gt) operation, so that a judgment result can be obtained, if the operation result is 1, the process link execution is legal (i.e. meets the preset requirement), and if the operation result is 0, the process link execution is illegal. Alternatively, if the number of flow links exceeds 64, multiple int stores are employed, which requires multiple bitwise and (≡) operations.
Further, according to the judgment result, the detection result can be determined. If the judgment result shows that the current business process link executed by the business process meets the preset requirement, determining that the detection result is passing, wherein the detection result shows that the current business process link executed by the characterization business process does not have network attack; if the judgment result is that the current business process link executed by the business process does not meet the preset requirement, determining that the detection result is that the detection is failed, wherein the detection is that the network attack exists in the current business process link which does not pass through the characterization business process.
It should be noted that, the state machine can determine whether the currently invoked process link is legal according to the data in the service process link state table, so that an abnormal process link can be found in time, and a network attack in the operation process of the target service can be found in time, thereby realizing the management and control of the operation state of the service process, effectively preventing the tampering attack, avoiding the loss caused by that some key process links are not executed in the tampering attack, and improving the security of the service process.
In an alternative embodiment, determining a target management policy for a service flow corresponding to a target service according to a detection result includes: if the detection result is that the detection is passed, continuing to execute the target management strategy; if the detection result is that the detection is not passed, taking the suspension flow as a target management strategy.
Optionally, if the detection result is that the detection is passed, continuing to execute the detection result as a target management strategy until all flow links are operated, and outputting an execution result of the service flow to the front-end visual interface; if the detection result is that the detection is not passed, taking the suspension flow as a target management strategy, and outputting a security risk prompt to a front-end visual interface.
In the process, the security control of the service flow is realized in time, the tampering attack is effectively prevented, the loss caused by that certain key flow links of the tampering attack are not executed is avoided, the security management efficiency of the service flow is improved, and the security of the service flow is improved, so that the stability and the reliability of the service operation are improved.
In an alternative embodiment, before the target business flow diagram is obtained, the method further comprises: defining service components according to the specification information of the service components and the specification information of the service flows, and generating a plurality of service components, wherein the specification information of the service components is used for defining standard forms for describing functions of the service components, the specification information of the service flows is used for defining standard forms for describing service flow capacity, and the service flow capacity is the capacity of executable service flows; and generating a service component library according to the plurality of service components.
Optionally, a library of business components needs to be built before the target business flow diagram is obtained. The service component definition is performed according to the specification information of the service component and the specification information of the service flow, so that a plurality of service components can be generated, and further, a service component library can be generated according to the plurality of service components.
Optionally, the business component is a business logic package for business activities that is indivisible. The business component consists of front-end showing and interacting capability and business flow capability, namely the business component not only comprises front-end showing and interacting, but also integrates back-end business service and partial business rules. Optionally, the business component supports various forms of front-end capabilities, which are typically run on a browser, android/iOS App, etc., and business process capabilities are run on the back-end.
Fig. 9 is a schematic diagram of an alternative service component according to an embodiment of the present invention, where, as shown in fig. 9, the service component exposes input and output interfaces to the outside, and the inside of the component adopts a process layout technology, so that visualization and transparency of internal logic can be achieved. Optionally, the service components are further divided into atomic components and combined components according to the multiplexing and coupling characteristics. The atomic assembly is formed by arranging the service, and the combined assembly is formed by arranging the atomic assembly and the combined assembly.
Optionally, the front end is mainly implemented through HTML5, CSS3, javaScript or Android/iOS native App, the front end display and interaction capability is released in the form of a front end control, and the HTML5 front end display and interaction capability, the Android/iOS App front end display and interaction capability, the large screen front end display and interaction capability, and the like as shown in fig. 9, and the front end display and interaction capability and business process capability are bound to form a business component.
Optionally, the service flow capacity is composed of a series of links, the links are assembled into a service flow through flow control instructions such as sequence, branch, circulation and the like, each link is bound with a service component, and data exchange is performed among the service components by adopting a data bus technology.
It should be noted that, in this embodiment, by designing a set of standardized business process security control language and constructing a realizing system, the additional coding of the developer against the tamper attack risk is not needed, and the management system of the business process automatically controls according to the state machine mechanism, so that the efficiency and quality of the security development of the business process are greatly improved, the workload of the developer is reduced, the security management efficiency of the business process is improved, the business risk management level is improved, and the security of the business process is improved, thereby improving the stability and reliability of the business operation.
Therefore, through the technical scheme of the invention, the purpose of timely discovering the network attack in the running process of the target service, timely carrying out safety control on the service flow and effectively preventing the falsification attack is achieved, thereby realizing the technical effect of improving the safety of the service flow, and further solving the technical problem that the safety of the service flow is lower because the falsification attack cannot be effectively prevented when the service flow is safely managed and controlled in the prior art.
Example 2
According to an embodiment of the present invention, there is provided an embodiment of a business process management apparatus, where fig. 10 is a schematic diagram of an alternative business process management apparatus according to an embodiment of the present invention, as shown in fig. 10, and the apparatus includes: a first obtaining module 1001, configured to obtain a target service flow chart, and run a target service according to the target service flow chart, where the target service flow chart is used to describe a flow of implementing the target service; the first detection module 1002 is configured to perform state detection on an operation process of the target service by using a state machine when the target service starts to operate, to obtain a detection result, where the detection result is used to characterize whether a network attack exists in the operation process of the target service; the first determining module 1003 is configured to determine, according to the detection result, a target management policy for a service flow corresponding to the target service, where the target management policy is used to implement security control for the service flow.
It should be noted that the first obtaining module 1001, the first detecting module 1002, and the first determining module 1003 correspond to steps S101 to S103 in the above embodiment, and the three modules are the same as examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in the above embodiment 1.
Optionally, the first acquisition module includes: the response module is used for responding to target operation and target instructions sent by a target object through a target interface to obtain a service flow chart to be issued, wherein the target operation is a dragging operation on a plurality of service components in a service component library, and the target instructions are connection instructions on the plurality of service components; the release module is used for releasing the business flow chart to be released to obtain a target business flow chart.
Optionally, the first detection module includes: the second acquisition module is used for acquiring a code file corresponding to the target service flow chart when the target service starts to run; the second determining module is used for determining a circulation path of each business process link of the business process according to the code file, wherein the circulation path is used for representing the circulation condition of each business process link; the first generation module is used for generating a path diagram corresponding to the business process according to the circulation path of each business process link, wherein the path diagram is used for describing the circulation process of a plurality of business process links; the first processing module is used for initializing the state machine according to the path diagram, and detecting the state of the running process of the target service through the initialized state machine to obtain a detection result.
Optionally, the first processing module includes: the second processing module is used for respectively initializing a first data structure, a second data structure and a third data structure of the state machine according to the path diagram, wherein the first data structure is used for recording historical business process links of business process execution, the second data structure is used for recording business process links to be executed next in the business process, and the third data structure is used for recording current business process links of business process execution.
Optionally, the first processing module further comprises: the third acquisition module is used for acquiring a business process link state table, wherein the business process link state table is used for recording the running state of each business process link in the running process of the target business; the first judging module is used for judging whether the current business process link executed by the business process accords with the preset requirement or not through the initialized state machine and the data in the business process link state table, and obtaining a judging result; and the third determining module is used for determining a detection result according to the judging result.
Optionally, the first determining module includes: a fourth determining module, configured to continuously execute the target management policy if the detection result is that the detection result passes; and the fifth determining module is used for taking the suspension flow as a target management strategy if the detection result is that the detection is not passed.
Optionally, the device for managing a business process further includes: the second generating module is used for defining service components according to the specification information of the service components and the specification information of the service flow before acquiring the target service flow chart to generate a plurality of service components, wherein the specification information of the service components is used for defining standard forms for describing functions of the service components, the specification information of the service flow is used for defining standard forms for describing service flow capacity, and the service flow capacity is the capacity of executable service flow; and the third generating module is used for generating a service component library according to the plurality of service components.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to execute the above-described business process management method when running.
Example 4
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, wherein fig. 11 is a schematic diagram of an alternative electronic device according to an embodiment of the present invention, as shown in fig. 11, the electronic device including one or more processors; and a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method for running the program, wherein the program is configured to perform the method of managing a business process as described above when run. The processor when executing the program implements the following steps: acquiring a target service flow chart and operating a target service according to the target service flow chart, wherein the target service flow chart is used for describing a flow for realizing the target service; when the target service starts to run, performing state detection on the running process of the target service through a state machine to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the running process of the target service; and determining a target management strategy of the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing the safety control of the business process.
Optionally, the processor when executing the program further implements the following steps: obtaining a target business flow diagram, comprising: responding to a target operation and a target instruction sent by a target object through a target interface to obtain a service flow chart to be issued, wherein the target operation is a dragging operation on a plurality of service components in a service component library, and the target instruction is a connection instruction on the plurality of service components; and publishing the service flow chart to be published to obtain a target service flow chart.
Optionally, when the target service starts to operate, performing state detection on an operation process of the target service through a state machine to obtain a detection result, including: when the target service starts to run, acquiring a code file corresponding to the target service flow chart; determining a circulation path of each business process link of the business process according to the code file, wherein the circulation path is used for representing the circulation condition of each business process link; generating a path diagram corresponding to the business process according to the circulation path of each business process link, wherein the path diagram is used for describing circulation processes of a plurality of business process links; initializing a state machine according to the path diagram, and detecting the state of the running process of the target service through the initialized state machine to obtain a detection result.
Optionally, initializing the state machine according to the path diagram includes: and initializing a first data structure, a second data structure and a third data structure of the state machine respectively according to the path diagram, wherein the first data structure is used for recording historical business process links of business process execution, the second data structure is used for recording business process links to be executed next in the business process, and the third data structure is used for recording current business process links of business process execution.
Optionally, performing state detection on the running process of the target service through the initialized state machine to obtain a detection result, including: acquiring a business process link state table, wherein the business process link state table is used for recording the running state of each business process link in the running process of the target business; judging whether the current business process link executed by the business process meets the preset requirement or not according to the initialized state machine and the data in the business process link state table, and obtaining a judging result; and determining a detection result according to the judgment result.
Optionally, determining, according to the detection result, a target management policy for a service flow corresponding to the target service includes: if the detection result is that the detection is passed, continuing to execute the target management strategy; if the detection result is that the detection is not passed, taking the suspension flow as a target management strategy.
Optionally, before the target service flow chart is acquired, defining service components according to the specification information of the service components and the specification information of the service flow, and generating a plurality of service components, wherein the specification information of the service components is used for defining a standard form for describing functions of the service components, the specification information of the service flow is used for defining a standard form for describing service flow capacity, and the service flow capacity is the capacity of executable service flow; and generating a service component library according to the plurality of service components.
The device herein may be a server, PC, PAD, cell phone, etc.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.
Claims (10)
1. A method for managing a business process, comprising:
acquiring a target service flow chart and operating a target service according to the target service flow chart, wherein the target service flow chart is used for describing a flow for realizing the target service;
when the target service starts to run, performing state detection on the running process of the target service through a state machine to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the running process of the target service;
and determining a target management strategy for the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing the safety control of the business process.
2. The method of claim 1, wherein obtaining the target business flow diagram comprises:
responding to a target operation and a target instruction sent by a target object through a target interface, and obtaining a service flow chart to be issued, wherein the target operation is a dragging operation on a plurality of service components in a service component library, and the target instruction is a connection instruction on the plurality of service components;
And publishing the service flow chart to be published to obtain the target service flow chart.
3. The method according to claim 1, wherein when the target service starts to operate, performing state detection on the operation process of the target service by using a state machine to obtain a detection result, including:
when the target service starts to run, acquiring a code file corresponding to the target service flow chart;
determining a circulation path of each business process link of the business process according to the code file, wherein the circulation path is used for representing the circulation condition of each business process link;
generating a path diagram corresponding to the business process according to the circulation path of each business process link, wherein the path diagram is used for describing circulation processes of a plurality of business process links;
and initializing the state machine according to the path diagram, and detecting the state of the running process of the target service through the initialized state machine to obtain the detection result.
4. A method according to claim 3, wherein initializing the state machine according to the path diagram comprises:
And initializing a first data structure, a second data structure and a third data structure of the state machine according to the path diagram, wherein the first data structure is used for recording historical business process links executed by the business process, the second data structure is used for recording business process links to be executed next by the business process, and the third data structure is used for recording current business process links executed by the business process.
5. The method of claim 3, wherein performing state detection on the running process of the target service by using an initialized state machine to obtain the detection result comprises:
acquiring a business process link state table, wherein the business process link state table is used for recording the running state of each business process link in the running process of the target business;
judging whether the current business process link executed by the business process accords with a preset requirement or not through the initialized state machine and data in the business process link state table, and obtaining a judging result;
and determining the detection result according to the judgment result.
6. The method of claim 1, wherein determining a target management policy for the business process corresponding to the target business according to the detection result comprises:
if the detection result is that the detection is passed, continuing to execute the target management strategy;
and if the detection result is that the detection is not passed, taking the suspension flow as the target management strategy.
7. The method of claim 1, wherein prior to obtaining the target business flow diagram, the method further comprises:
performing service component definition according to the specification information of the service components and the specification information of the service flow, and generating a plurality of service components, wherein the specification information of the service components is used for defining a standard form for describing functions of the service components, the specification information of the service flow is used for defining a standard form for describing service flow capacity, and the service flow capacity is the capacity capable of executing the service flow;
and generating a service component library according to the plurality of service components.
8. A business process management apparatus, comprising:
the first acquisition module is used for acquiring a target service flow chart and running a target service according to the target service flow chart, wherein the target service flow chart is used for describing the flow for realizing the target service;
The first detection module is used for carrying out state detection on the operation process of the target service through a state machine when the target service starts to operate to obtain a detection result, wherein the detection result is used for representing whether network attack exists in the operation process of the target service;
the first determining module is used for determining a target management strategy of the business process corresponding to the target business according to the detection result, wherein the target management strategy is used for realizing safety control of the business process.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the method of managing a business process according to any of the claims 1 to 7 at run-time.
10. An electronic device, the electronic device comprising one or more processors; a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running a program, wherein the program is configured to perform the method of managing business processes of any of claims 1 to 7 when run.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310520577.4A CN116561743A (en) | 2023-05-09 | 2023-05-09 | Business process management method and device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310520577.4A CN116561743A (en) | 2023-05-09 | 2023-05-09 | Business process management method and device, storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116561743A true CN116561743A (en) | 2023-08-08 |
Family
ID=87499573
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310520577.4A Pending CN116561743A (en) | 2023-05-09 | 2023-05-09 | Business process management method and device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116561743A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117312174A (en) * | 2023-11-29 | 2023-12-29 | 苏州元脑智能科技有限公司 | Program error path detection method, device, equipment and readable storage medium |
-
2023
- 2023-05-09 CN CN202310520577.4A patent/CN116561743A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117312174A (en) * | 2023-11-29 | 2023-12-29 | 苏州元脑智能科技有限公司 | Program error path detection method, device, equipment and readable storage medium |
| CN117312174B (en) * | 2023-11-29 | 2024-02-23 | 苏州元脑智能科技有限公司 | Program error path detection method, device, equipment and readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110941528B (en) | Log buried point setting method, device and system based on fault | |
| KR101691245B1 (en) | System and method for web service monitoring | |
| CN105528295B (en) | Mobile applications anomaly detection method and device | |
| CN111949531B (en) | Block chain network testing method, device, medium and electronic equipment | |
| CN111782551B (en) | Test method and device for block chain item and computer equipment | |
| CN116561743A (en) | Business process management method and device, storage medium and electronic equipment | |
| CN111597120A (en) | Interface test apparatus, method, electronic device, and computer-readable storage medium | |
| CN116155771A (en) | Network anomaly test method, device, equipment, storage medium and program | |
| CN115599347A (en) | Automatic code development implementation method and system | |
| CN115878207A (en) | Micro-service management method, device and system | |
| CN107679423A (en) | Partition integrity inspection method and device | |
| CN106681852B (en) | A kind of method of adjustment and device of browser compatibility | |
| CN109101408B (en) | Method and device for detecting service availability in joint debugging environment | |
| CN113515452B (en) | Automatic test method, system, electronic equipment and storage medium for application | |
| CN115167842A (en) | Visual development method, device, system, electronic equipment and medium of business | |
| CN114461465A (en) | Micro-service test method, system and related device for hybrid CPU (Central processing Unit) architecture equipment | |
| CN116501596A (en) | Application program testing method and device | |
| Bucchiarone et al. | Towards an architectural approach for the dynamic and automatic composition of software components | |
| Liu | A formal object-oriented test model for testing Web applications | |
| CN115022387B (en) | Cross-domain pre-inspection request processing method, device, equipment and medium | |
| CN112799710B (en) | Model release system and model release method | |
| CN116542768A (en) | Method for processing batch transaction, electronic device, storage medium and program product | |
| Fuchs et al. | Improving Integration Testing of Web Service by Propagating Symbolic Constraint Test Artifacts Spanning Multiple Software Projects (S). | |
| CN117332424A (en) | Method and device for integrating security scanning in research and development process | |
| CN114281396A (en) | Deployment method and device of application system resources and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |