CN118171283A - Security policy determination method and device, computing device and storage medium - Google Patents

Info

Publication number
CN118171283A
CN118171283A
Authority
CN
China
Prior art keywords
data
security
determining
data objects
relation
Prior art date
Legal status
Pending
Application number
CN202410330263.2A
Other languages
Chinese (zh)
Inventor
柳寒
张园超
Current Assignee
Zhejiang eCommerce Bank Co Ltd
Original Assignee
Zhejiang eCommerce Bank Co Ltd
Priority date
Filing date
Publication date
Events
    • Application filed by Zhejiang eCommerce Bank Co Ltd
    • Priority to CN202410330263.2A
    • Publication of CN118171283A
    • Legal status: Pending

Classifications

    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 16/00 Information retrieval; database structures therefor; file system structures therefor > G06F 16/20 Information retrieval of structured data, e.g. relational data > G06F 16/22 Indexing; data structures therefor; storage structures > G06F 16/2228 Indexing structures
    • G06F 16/00 > G06F 16/20 > G06F 16/28 Databases characterised by their database models, e.g. relational or object models > G06F 16/284 Relational databases
    • G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/24 Classification techniques
    • G06F 21/00 > G06F 21/50 > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/00 > G06F 21/50 > G06F 21/55 > G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of this specification provide a security policy determination method and apparatus, a computing device and a storage medium. The security policy determination method comprises: determining a plurality of data objects of a target project and relationship data between the data objects, and constructing an object relationship graph from the data objects and the relationship data; determining object security identification data of the target project, and identifying secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph; determining a secure data object group from the secure data objects, and determining, from the object relationship graph, an associated data object group that has a secure association relationship with the secure data object group; and determining a project security policy for the target project based on the secure data object group and the associated data object group. An accurate project security policy that identifies behavior compromising computer security is thereby determined.

Description

Security policy determination method and device, computing device and storage medium
Technical Field
Embodiments of this specification relate to the field of computer security, and in particular to a security policy determination method, a security policy determination apparatus, a computing device, a storage medium and a computer program product.
Background
With the continuous development of computer technology and computer security technology, various security policies have been designed to ensure computer security. However, the security policies designed in the prior art have a high false alarm rate and cannot accurately identify behavior that compromises computer security. How to determine a security policy that accurately identifies such behavior is therefore a problem to be solved.
Disclosure of Invention
In view of this, the embodiments of this specification provide a security policy determination method. One or more embodiments of this specification also relate to a security policy determination apparatus, a computing device, a computer-readable storage medium and a computer program product that address the technical shortcomings of the prior art.
According to a first aspect of the embodiments of this specification, a security policy determination method is provided, comprising:
determining a plurality of data objects of a target project and relationship data between the data objects, and constructing an object relationship graph from the data objects and the relationship data;
determining object security identification data of the target project, and identifying secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph, where a secure data object is a data object among the plurality of data objects that corresponds to the object security identification data;
determining a secure data object group from the secure data objects, and determining, from the object relationship graph, an associated data object group that has a secure association relationship with the secure data object group;
determining a project security policy for the target project based on the secure data object group and the associated data object group.
According to a second aspect of the embodiments of this specification, a security policy determination apparatus is provided, comprising:
a graph construction module configured to determine a plurality of data objects of a target project and relationship data between the data objects, and to construct an object relationship graph from the data objects and the relationship data;
an object identification module configured to determine object security identification data of the target project and to identify secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph, where a secure data object is a data object among the plurality of data objects that corresponds to the object security identification data;
an object group determination module configured to determine a secure data object group from the secure data objects, and to determine, from the object relationship graph, an associated data object group that has a secure association relationship with the secure data object group;
a policy determination module configured to determine a project security policy for the target project based on the secure data object group and the associated data object group.
According to a third aspect of embodiments of the present specification, there is provided a computing device comprising:
A memory and a processor;
The memory is configured to store a computer program/instruction, and the processor is configured to execute the computer program/instruction, where the computer program/instruction, when executed by the processor, implements the steps of the security policy determination method described above.
According to a fourth aspect of embodiments of the present specification, there is provided a computer readable storage medium storing a computer program/instruction which, when executed by a processor, implements the steps of the above-described security policy determination method.
According to a fifth aspect of embodiments of the present specification, there is provided a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the above-described security policy determination method.
The security policy determination method provided in one or more embodiments of this specification comprises: determining a plurality of data objects of a target project and relationship data between the data objects, and constructing an object relationship graph from the data objects and the relationship data; determining object security identification data of the target project, and identifying secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph, where a secure data object is a data object among the plurality of data objects that corresponds to the object security identification data; determining a secure data object group from the secure data objects, and determining, from the object relationship graph, an associated data object group that has a secure association relationship with the secure data object group; and determining a project security policy for the target project based on the secure data object group and the associated data object group.
Specifically, the method identifies, among the plurality of data objects, the secure data objects corresponding to the object security identification data, based on that data and the object relationship graph of the target project, and then determines from the object relationship graph an associated data object group that has a secure association relationship with the secure data objects; in this way a more secure set of data objects is identified accurately. From the secure data object group and the associated data object group it then determines a project security policy that accurately identifies behavior compromising computer security. When security protection is carried out under this project security policy, a request whose data objects do not satisfy the policy is accurately intercepted, which avoids the high false alarm rate of existing security policies.
Drawings
Fig. 1 is an application schematic diagram of a security policy determining method according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a security policy determination method provided by one embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a security data object set and an associated data object set in a security policy determination method according to an embodiment of the present disclosure;
FIG. 4 is a process flow diagram of a security policy determination method provided in one embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a security policy determining device according to an embodiment of the present disclosure;
FIG. 6 is a block diagram of a computing device provided in one embodiment of the present description.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many other forms than described herein and similarly generalized by those skilled in the art to whom this disclosure pertains without departing from the spirit of the disclosure and, therefore, this disclosure is not limited by the specific implementations disclosed below.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of this specification to describe various kinds of information, that information is not limited by these terms; the terms only distinguish one kind of information from another. For example, without departing from the scope of one or more embodiments of this specification, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Furthermore, it should be noted that, user information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for analysis, stored data, presented data, etc.) according to one or more embodiments of the present disclosure are information and data authorized by a user or sufficiently authorized by each party, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions, and is provided with corresponding operation entries for the user to select authorization or denial.
First, terms related to one or more embodiments of the present specification will be explained.
Trusted policy: a security policy built on the trust (whitelist) model.
With the continuous development of computer technology and computer security technology, various security policies have been designed to ensure computer security. For example, in enterprise information security construction the defender faces an asymmetric contest between attack and defense, and to counter unknown risks more effectively the conventional blacklist policy must be upgraded to a whitelist policy. However, the whitelist policies produced by existing design methods often have a high false alarm rate, which makes them hard to put into effect; the reason is that the definition of trusted behavior is not accurate enough.
Based on this, this specification provides a security policy determination method, and also relates to a security policy determination apparatus, a computing device, a computer-readable storage medium and a computer program product, which are described in detail one by one in the following embodiments.
Referring to Fig. 1, which shows an application schematic of the security policy determination method according to an embodiment of this specification: the method starts from the observation that a whitelist generation policy often has a high false alarm rate because the definition of trusted behavior is not accurate enough. In the security policy determination method applied to the server 104, the data objects and relationship data are first acquired from the terminal 102, and the entities and relationships of the trusted policy graph are defined from them; the entities include staff, applications, assets and so on, and the relationships include person-to-person relationships, application-to-application relationships and so on. Next, security metadata is acquired from the terminal 102 and imported into the trusted policy graph according to the graph structure. Finally, direct trusted relationships are determined from the trusted policy graph, indirect trusted relationships are inferred from the direct trusted relationships, and a whitelist policy is constructed from the direct and indirect trusted relationships. When the policy is applied, user behavior that is not present in the whitelist policy is intercepted. In this way the security policy determination method of this specification infers indirect trusted relationship data from direct trusted relationship data to complete the definition of trusted behavior, so that a whitelist policy that accurately identifies risky behavior is obtained without lowering the high detection rate, and the high false alarm rate of the whitelist policy is reduced.
Referring to fig. 2, fig. 2 shows a flowchart of a security policy determining method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 202: Determine a plurality of data objects of the target project and relationship data between the data objects, and construct an object relationship graph from the data objects and the relationship data.
The target project is a project in which the project security policy is executed to protect computer security; for example, a firewall, a security system in a computer or server, or a server or client that performs security detection. In one or more embodiments of this specification the target project is a login detection system that detects user login behavior; the login detection system may run on hardware such as a server or client, or be implemented as software such as a server program, a software system or a computer program.
A data object is a data object determined during operation of the target project and represents a device, person, piece of software or item of identification information involved in that operation; for example, a user, an application, an IP address, a browser header or a device. A device may be a smartphone, computer, server and so on. A person may be a user of the target project. Software may be software associated with the target project. Identification information may be an IP address, MAC address, network port, network information, account information and so on.
Relationship data is data characterizing the association between data objects. The association may be a trust relationship: where the data objects are two persons, the relationship data may represent a trust relationship between them, for example a relationship between users of the target project such as a relative or colleague relationship. Where the data objects are devices, software or identification information, the relationship data characterizes a trust relationship between those devices, software or identification information. For example, the association between two applications may be an upstream/downstream link call relationship, and the association between an application and an IP address may be that the IP address belongs to that application.
An object relationship graph is a graph data structure constructed from the data objects and the relationship data. For example, it may be a defined trusted policy graph, where the trusted policy graph is the graph used to generate the trusted policy, and the trusted policy is the project security policy.
In one or more embodiments of this specification, constructing an object relationship graph from the data objects and the relationship data comprises:
taking the data objects as nodes and the relationship data between the data objects as edges, and constructing the object relationship graph from those nodes and edges.
The security policy determination method of this specification is described in the scenario of generating a trusted policy by graph computation, where the project security policy may be a whitelist policy. The reason project security policies such as whitelist policies tend to have a high false alarm rate is that the definition of trusted behavior is not accurate enough. Therefore, when generating the whitelist policy, the method constructs a trusted policy graph by graph computation, determines direct trusted relationship data from the trusted policy graph, and infers indirect trusted relationship data from the direct trusted relationship data. This completes the definition of trusted behavior, so that a more accurate whitelist policy is generated without lowering the high detection rate, and the high false alarm rate of the multi-dimensional whitelist policy is reduced.
The trusted policy graph consists of nodes and the edges between them. That is, the data structure of the constructed trusted policy graph comprises a plurality of nodes and edges, where the edges represent trust relationships between the nodes and the nodes may be users, applications, IP addresses, browser headers, devices and so on. Trust relationships may be relationships between users (for example relatives or colleagues), between applications (for example upstream/downstream link calls), or between an application and an IP address (for example the IP address belonging to the application).
Based on the above, in the security policy determination method of this specification each data object is taken as a node and the relationship data as edges, and the object relationship graph is constructed from these nodes and edges, so that a project security policy with a lower false alarm rate can be generated from the object relationship graph.
Step 204: Determine object security identification data of the target project, and identify secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph, where a secure data object is a data object among the plurality of data objects that corresponds to the object security identification data.
Object security identification data is data containing multiple kinds of trusted behavior observed during operation of the target project; it is used to identify the more secure data objects among the plurality of data objects. For example, it may be security metadata of different types, where security metadata means log data or traffic data of the target project. The log data or traffic data contains trusted behaviors such as user login, user access, user data query, user data modification and user data deletion. Trusted behavior is user behavior that is relatively secure and is not computer attack behavior (for example, network attack behavior).
A secure data object is a more secure data object that is unrelated to computer attack behavior against the target project. For example, for a network attack disguised as a login request, the IP address, device information, personnel information and network port of that attack are not secure data objects; for a legitimate user login request, the IP address, device information, personnel information and network port of that request may be secure data objects.
In one or more embodiments of this specification, determining the object security identification data of the target project comprises:
determining to-be-processed object security identification data of the target project;
performing data preprocessing on the to-be-processed object security identification data to obtain the object security identification data.
The data preprocessing may be chosen according to the actual application scenario and is not specifically limited in this specification; for example, it may be data cleansing, deduplication, formatting or standardization.
The to-be-processed object security identification data is object security identification data that still requires data preprocessing.
Continuing the above example, when the object security identification data is security metadata of different types such as log data or traffic data, the different types of security metadata of the target project must be determined when generating the whitelist policy. Because such metadata has problems such as format errors and data redundancy, preprocessing operations such as data cleansing, deduplication, formatting and standardization are performed on it, so that security metadata meeting the requirements of whitelist policy generation is obtained.
Based on the above, in the security policy determination method of this specification the object security identification data is obtained by preprocessing the to-be-processed object security identification data, so that the project security policy can be generated quickly from better-quality object security identification data and the performance of the project security policy is improved.
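The preprocessing step described above, as an added example in Python that is not the patent's own code: it cleanses, formats, standardizes and deduplicates a few constructed login log lines into uniform records. The log format, the field names and the validity rules (a parsable timestamp, a well-formed IPv4 address, a numeric port) are assumptions made for the example. A line that cannot be parsed is dropped rather than repaired by guesswork, because whatever survives this stage is later treated as trusted behavior and feeds the whitelist.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (assumptions, not from the page). They mix
# timestamp formats and letter case, contain one malformed line, one exact
# duplicate and one line with an impossible IP address.
RAW_LOG_LINES = [
    "2024-03-21T08:15:02Z  USER=Alice  ACTION=login  IP=10.0.0.5  PORT=443  DEVICE=dev-01",
    "2024-03-21 08:15:02 user=alice action=LOGIN ip=10.0.0.5 port=443 device=DEV-01",
    "garbage line without fields",
    "2024-03-21T08:16:40Z user=bob action=delete_data ip=10.0.0.7 port=443 device=dev-02",
    "2024-03-21T08:16:40Z user=bob action=delete_data ip=10.0.0.7 port=443 device=dev-02",
    "2024-03-21T08:17:00Z user=carol action=query_data ip=999.1.1.1 port=443 device=dev-03",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
REQUIRED_FIELDS = ("user", "action", "ip", "port", "device")
TIMESTAMP_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S")


def parse_timestamp(text):
    """Standardization: accept the assumed timestamp formats, return UTC."""
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def split_timestamp(line):
    """The timestamp is the first token, or the first two tokens when the
    date and time are separated by a space. Returns (timestamp, remainder)."""
    tokens = line.split()
    if tokens:
        ts = parse_timestamp(tokens[0])
        if ts is not None:
            return ts, " ".join(tokens[1:])
        if len(tokens) >= 2:
            ts = parse_timestamp(tokens[0] + " " + tokens[1])
            if ts is not None:
                return ts, " ".join(tokens[2:])
    return None, ""


def valid_ipv4(ip):
    m = IPV4_RE.match(ip)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def clean_line(line):
    """Cleansing and formatting of one line. Returns a normalized record, or
    None when the line is malformed (bad timestamp, missing field, invalid IP
    or port) so that it never becomes a trusted behavior."""
    ts, rest = split_timestamp(line.strip())
    if ts is None:
        return None
    fields = {k.lower(): v.lower() for k, v in KV_RE.findall(rest)}
    if any(name not in fields for name in REQUIRED_FIELDS):
        return None
    if not valid_ipv4(fields["ip"]) or not fields["port"].isdigit():
        return None
    return {
        "ts": ts.isoformat(),
        "user": fields["user"],
        "action": fields["action"],
        "ip": fields["ip"],
        "port": int(fields["port"]),
        "device": fields["device"],
    }


def preprocess(lines):
    """Whole pipeline: cleanse and format every line, then deduplicate on the
    normalized record so that differently formatted copies collapse to one.
    Returns (records, number_of_dropped_lines)."""
    seen = set()
    records = []
    dropped = 0
    for line in lines:
        record = clean_line(line)
        if record is None:
            dropped += 1
            continue
        key = tuple(sorted(record.items()))
        if key in seen:
            continue
        seen.add(key)
        records.append(record)
    return records, dropped


if __name__ == "__main__":
    kept, bad = preprocess(RAW_LOG_LINES)
    print(f"{len(kept)} records kept, {bad} lines dropped")
    for record in kept:
        print(record)
```

Deduplication is done on the normalized record rather than on the raw line, which is what makes the two differently formatted copies of the first login collapse into one trusted behavior.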
In one or more embodiments of this specification, identifying secure data objects among the plurality of data objects based on the object security identification data and the object relationship graph comprises:
determining a plurality of items of object security information contained in the object security identification data, and the object identifier corresponding to each item of object security information;
determining, from the object relationship graph and based on the object identifiers, the secure data objects corresponding to the object security information.
Object security information is a trusted behavior observed during operation of the target project, for example a user login, user access, user data query, user data modification or user data deletion.
An object identifier is information that uniquely identifies a data object, for example a data object name or a data object number.
Continuing the above example, after the different kinds of security metadata such as log data or traffic data have been determined during whitelist policy generation, the more secure trusted behaviors are obtained from that log data or traffic data. A trusted behavior contains more secure data objects such as an IP address, device information, personnel information and a network port.
The data objects corresponding to these object identifiers are then determined from the trusted policy graph, based on the object identifiers of the data objects contained in the trusted behavior, and those data objects are taken as secure data objects. For example, a legitimate user login behavior contains relatively secure data objects such as IP address A, user B and network port C. Based on the object identifiers of IP address A, user B and network port C, the corresponding data objects are located in the trusted policy graph, and IP address A, user B and network port C are marked in the trusted policy graph as secure data objects.
Based on the above, in the security policy determination method of this specification the secure data objects among the plurality of data objects are identified from the object relationship graph based on the object security identification data, which makes it convenient to subsequently generate a project security policy with a low false alarm rate from the secure data objects and improves the performance of the project security policy.
In one or more embodiments provided in the present specification, the determining, based on the object identifier, a security data object corresponding to the object security information from the object relationship graph includes:
Determining a data object to be marked corresponding to the security information of each object from the object relation diagram based on the object identification;
and adding the label information corresponding to the security information of each object to the data object to be marked corresponding to the security information of each object to obtain the security data object corresponding to the security information of each object.
The data object to be marked can be understood as a data object to be marked in the object relation diagram.
Tag information may be understood as a tag that needs to be added to a data object for identifying that one or more data objects correspond to an object security information. It should be noted that, different object security information has different flag information, for example, in the case where the object security information is a trusted behavior, i.e. a login behavior of the user a, the corresponding tag information may be "user a login behavior"; or in the case that the object security information is a trusted action of deleting data action of the user B, the corresponding tag information may be "user B deletes data action".
Following the above example, the operation of adding the tag information corresponding to each item of object security information to the data object to be marked may be understood as importing the security metadata into the trusted policy map. The specific process is as follows: first, based on the object identifiers of the trusted data objects in the trusted behavior, the data objects corresponding to those identifiers, such as a user A, an application B, IP information C and a browser header D, are determined from the trusted policy map; second, a corresponding trusted behavior tag (namely the tag information) is added to each such data object in the trusted policy map, so that the security metadata is imported into the trusted policy map and data objects carrying trusted behavior tags are obtained. When direct trusted relationship pairs are then extracted from the trusted policy map, the plurality of data objects (user T and device T) corresponding to the "user login behavior T" tag can be determined to be one direct trusted relationship pair, which completes the extraction of the direct trusted relationship pair.
Based on the above, in the security policy determining method provided in the present disclosure, tag information corresponding to each object security information is added to a data object to be marked corresponding to each object security information, and then, based on the tag information, a data object can be quickly determined from an object relationship diagram, thereby improving the determining efficiency of a security data object group.
Step 206: and determining a safe data object group based on the safe data object, and determining an associated data object group which has a safe association relation with the safe data object group from the object relation diagram.
Wherein the set of associated data objects may be understood as a set of objects made up of a plurality of associated data objects. The association data object may be understood as a neighboring data object having a security association relationship with a security data object in the security data object group.
The security association relationship may be understood as secure and trusted relationship data between the secure data object and other data objects, such as a relative relationship or a same-account relationship.
It should be noted that the secure data object group may be direct trusted relationship data (i.e., direct trusted relationship pairs) extracted from the trusted policy map, and the associated data object group may be understood as indirect trusted relationship data (i.e., indirect trusted relationship pairs) inferred from the trusted policy map based on the direct trusted relationship data. For example, entity (i.e., node or secure data object) A and entity B form a direct trusted relationship pair, and entity A and entity (i.e., neighboring data object) A1 have a trusted relationship (i.e., a security association relationship); it is therefore inferred that entity A1 and entity B form an indirect trusted relationship pair. Reference is made to fig. 3, which is a schematic diagram of a secure data object group and an associated data object group in a security policy determination method according to an embodiment of the present disclosure. The plurality of circles in the direct trusted relationship pair represent a plurality of secure data objects, the plurality of circles in the indirect trusted relationship pair represent a plurality of associated data objects having a security association relationship with the secure data objects, and the lines between the circles represent different relationship data.
In one or more embodiments provided herein, the determining a set of secure data objects based on the secure data objects includes:
determining a plurality of security data objects corresponding to target object security information from the object relation graph, wherein the target object security information is any one of the plurality of object security information;
and constructing a safe data object group corresponding to the target object safety information based on the plurality of safe data objects and the relation data among the safe data objects.
Along the above example, after determining a plurality of secure data objects, an association relationship between a plurality of secure data objects corresponding to one trusted behavior is determined. Based on the plurality of security data objects and the association relation among the security data objects, a security data object group corresponding to the trusted behavior is formed.
Based on this, in the security policy determination method provided in the present specification, a secure data object group is constructed from the secure data objects and the relationship data between them. This facilitates the subsequent generation of a project security policy with a low false alarm rate from the secure data object group and improves the performance of the project security policy.
In one or more embodiments provided herein, the determining, from the object relationship graph, a plurality of security data objects corresponding to target object security information includes:
based on the tag information, a plurality of security data objects corresponding to the target object security information are determined from the object relationship graph.
Following the above example, after the corresponding trusted behavior tags (i.e., tag information) have been added to the data objects in the trusted policy graph, the plurality of data objects (user T and device T) corresponding to the "user login behavior T" tag can be determined to be one direct trusted relationship pair when direct trusted relationship pairs are extracted from the trusted policy map, which completes the extraction of the direct trusted relationship pair.
Based on the above, in the security policy determining method provided in the present specification, the data object is quickly determined from the object relationship diagram by the tag information, so that the determining efficiency of the security data object group is improved.
In one or more embodiments provided in the present specification, the determining, from the object relationship graph, an associated data object group having a security association with the secure data object group includes:
Determining a plurality of adjacent data objects connected with the safety data objects in the safety data object group from the object relation graph, wherein the safety data objects are connected with the adjacent data objects through relation data;
Determining each adjacent data object as an associated data object with a security association relationship with the security data object under the condition that the relationship data between the security data object and the adjacent data object is determined to be consistent with the preset security relationship data;
And constructing an associated data object group which has a safety association relation with the safety data object group based on the plurality of associated data objects and the relation data among the associated data objects.
Wherein the neighboring data object may be understood as a data object connected to the secure data object by relationship data. The preset security relationship data may be set according to an actual application scenario, which is not specifically limited in this specification, for example, the preset security relationship data may be a relative relationship, an upstream and downstream call relationship of an application program, and the like. Reference may be made in particular to the association data between the direct trusted relationship pair and the indirect trusted relationship pair in fig. 2.
Following the above example, after the direct trusted relationship pair has been determined, the neighboring nodes (i.e., neighboring data objects) connected to each trusted node (i.e., secure data object) in the direct trusted relationship pair are determined from the trusted policy graph. The relationship data (i.e., edges) between the trusted node and each neighboring node is then determined, and it is judged whether that relationship data is consistent with the preset security relationship data, for example whether it is a same-group relationship between employee nodes or an upstream and downstream call relationship between application nodes. If so, a trust relationship between the trusted node and the neighboring node is established, and the edges between the neighboring nodes and the other nodes of the pair can be constructed to form an indirect trusted relationship pair.
Based on this method, the direct trusted relationship data is determined by graph computation and the indirect trusted relationship data is inferred from it, which completes the definition of trusted behaviors and reduces the false alarms of the subsequently generated multidimensional whitelist policy without lowering its high detection rate.
Step 208: an item security policy for the target item is determined based on the set of security data objects and the set of associated data objects.
The project security policy may be understood as a policy capable of identifying a behavior that breaks the security of a computer. For example, in the field of network security, the act of breaking the security of the computer may be a network attack act. Based on this, the project security policy may be a policy that identifies network attack behavior. For example, the project security policy may be a whitelist policy or a trusted behavioral template.
In one or more embodiments provided herein, the determining the project security policy of the target project based on the set of security data objects and the set of associated data objects includes:
And constructing a white list strategy for the target item by utilizing a safety data object group containing a plurality of types of safety data objects and an association data object group containing a plurality of types of association data objects, wherein the white list strategy is used for intercepting other data object groups except the safety data object group and the association data object group.
Following the above example, after the indirect trusted relationships have been inferred from the direct trusted relationships, a multidimensional trusted policy is constructed from the direct and indirect trusted relationships. This policy may be understood as a whitelist policy or a trusted behavior template: if a user behavior is not present in the whitelist policy or the trusted behavior template, the user behavior is determined to be an unexpected external behavior and is intercepted.
Based on the project security policy generated in the mode, the attack behavior can be efficiently detected, and the security operation requirement of low false alarm can be met.
In one or more embodiments provided in the present specification, after determining the project security policy of the target project based on the security data object group and the associated data object group, the method further includes:
running the project security policy in the target project;
under the condition that a data processing request to be detected is received, determining a data object group to be detected contained in the data processing request to be detected;
and under the condition that the data object group to be detected meets the project security policy, determining the data processing request to be detected as a data processing request passing detection, and responding to the data processing request passing detection to perform data processing.
The data processing request to be detected may be understood as a user behavior that needs to be detected by using the project security policy, for example, the data processing request to be detected may be a login behavior of a user, a behavior of adding or deleting data, or the like. The set of data objects to be detected may be understood as data objects carried in the data processing request to be detected, for example, IP information, application information, network port information, etc. carried in the user login behavior.
Following the above example, in a network security scenario the target item may be a network attack defense system, and after the whitelist policy has been generated it may be run in that system. If a newly added user behavior does not satisfy the trusted policy, it is an unexpected external behavior and is intercepted. For example, the newly added user behavior may be a login request operation (i.e., a data processing request to be detected) initiated by a user. After receiving the login request operation, the system determines the data object group (i.e., the data object group to be detected) of device, person, IP, network environment and so on carried in the login request, matches this data object group against the plurality of direct trusted relationship pairs and indirect trusted relationship pairs contained in the whitelist policy, and confirms that the login request operation is a secure login behavior if the data object group matches any one of the direct or indirect trusted relationship pairs.
If the data object group does not match any of the direct or indirect trusted relationship pairs, the login request operation is determined to be an abnormal login request operation initiated by an abnormal user, and it may be intercepted because the condition of the trusted policy is not satisfied.
Based on the method, the attack behavior can be detected efficiently based on the project security policy, and meanwhile, the security operation requirement of low false alarm is met.
According to the security policy determining method in the embodiment of the present disclosure, based on the object security identification data and the object relationship diagram of the target item, a security data object corresponding to the object security identification data can be identified from a plurality of data objects, and then an association data object group having a security association relationship with the security data object is determined from the object relationship diagram; thereby accurately identifying a safer set of data objects. And then, based on the safe data object group and the associated data object group, determining an item safety strategy capable of accurately identifying the behavior of destroying the computer safety, and in the process of carrying out safety protection based on the item safety strategy, if the data object in the request does not meet the item safety strategy, accurately intercepting the data object, thereby avoiding the problem of higher false alarm rate of the safety strategy.
The following describes, with reference to fig. 4, an example of application of the security policy determining method provided in the present specification in a network security scenario, where the security policy determining method is further described. Fig. 4 is a flowchart of a processing procedure of a security policy determining method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 402: defining the data structure of the trusted policy map.
Specifically, a trusted policy map is constructed from a plurality of nodes and edges. The nodes may be users, applications, IPs, browser headers, devices and so on. Edges represent trust relationships between nodes; a trust relationship may be a relationship between users (e.g., relatives, colleagues), between applications (e.g., upstream and downstream link calls), or between an application and an IP (e.g., the IP is attributed to the application).
Step 404: different kinds of security metadata are collected.
The security metadata refers to different types of data such as log data and flow data of a target item.
The log data or the flow data comprise trusted actions such as user login, user access, user query data, user modification data, user deletion data and the like. Trusted behavior refers to user behavior that is relatively secure and not computer attack behavior (e.g., network attack behavior).
Step 406: the security metadata is preprocessed.
Specifically, the data preprocessing operations such as data cleaning, data deduplication, data formatting, standardization and the like are performed on the different types of security metadata, so that the security metadata meeting the requirements of the operation of generating the white list policy are obtained.
Step 408: and importing the security metadata according to the entities and the relations defined by the atlas.
Specifically, the log data or the flow data includes trusted behaviors such as user login, user access, user query data, user modification data and user deletion data, and these trusted behaviors contain trusted data objects such as users, applications, IPs, browser headers and devices.
Based on this, the operation steps of importing the security metadata according to the entities and relationships defined by the map may be:
1. Trusted data objects in the log data or traffic data are identified.
Specifically, from the trusted actions contained in the log data or the traffic data, trusted data objects such as the user a, the application B, IP information C, the browser header D, and the like are identified.
2. Based on the trusted data object, the security metadata is imported into a trusted policy map.
Specifically, first, based on the object identifiers of the trusted data objects in the trusted behavior, the data objects corresponding to those identifiers, such as a user A, an application B, IP information C and a browser header D, are determined from the trusted policy map;
Second, a corresponding trusted behavior tag (namely the tag information) is added to each such data object in the trusted policy map, so that the security metadata is imported into the trusted policy map.
For example, a user login behavior T (trusted behavior in the security metadata) contains trusted data objects of a trusted user T, a device T, etc. After the user T and the device T which are the same as the trusted data object are determined from the trusted policy map, a user login behavior T tag is added for the user T and the device T in the trusted policy map. And in the process of extracting the direct trusted relation pair, determining a plurality of data objects (the user T and the equipment T) corresponding to the user login behavior T label as the direct trusted relation pair.
Step 410: and extracting the direct trusted relation data.
Specifically, based on the tag added to the data object in step 408, identifying a data object corresponding to each trusted behavior (e.g., user login behavior T) from the trusted policy map;
The data object corresponding to each trusted action is used as a direct trusted relation pair (namely direct trusted relation data).
Step 412: and deducing indirect trusted relationship data according to the direct trusted relationship data.
Specifically, first, after determining the direct trusted relationship pair, it is necessary to determine, from the trusted policy map, neighboring nodes connected to each trusted node (i.e., the secure data object) in the direct trusted relationship pair.
Second, relationship data (i.e., edges) between the trusted node and the neighboring nodes is determined.
Finally, it is judged whether the relationship data is consistent with the preset security relationship data, for example whether it is a same-group relationship between employee nodes or an upstream and downstream call relationship between application nodes.
If so, a trust relationship between the trusted node and the neighboring node is established, and the edges between the neighboring nodes and the other nodes of the pair can be constructed to form an indirect trusted relationship pair.
For example, entity A and entity B form a direct trusted relationship pair in the trusted policy map (for instance, a user A node, the device node of user A and the machine room node where user A is located may form one trusted relationship pair), and entity A and entity A1 have a trusted relationship (user A1 is a child or partner of user A); it is therefore inferred that entity A1 and entity B form an indirect trusted relationship pair.
Step 414: based on the direct and indirect trusted relationship data, a multidimensional trusted policy is constructed.
Specifically, a multidimensional trusted policy is constructed from the direct and indirect trusted relationships. The multidimensional trusted policy may be understood as a whitelist policy or a trusted behavior template; if, during subsequent application, a user behavior does not exist in the whitelist policy or the trusted behavior template, the user behavior is determined to be an unexpected external behavior and is intercepted.
It should be noted that, in the multidimensional trusted policy, the multidimensional means that the trusted policy can intercept abnormal requests of other multiple types or multiple dimensions except direct and indirect trusted relation pairs, so that the network security is protected by the multidimensional.
Step 416: and applying the multidimensional trusted policy.
Specifically, in a network security scenario the target item may be a network attack defense system, and after the whitelist policy has been generated it may be run in that system. If a newly added user behavior does not satisfy the trusted policy, it is an unexpected external behavior and is intercepted.
For example, the user newly added action may be a login request operation initiated by the user. After receiving the login request operation, the system determines a data object group of equipment, personnel, IP, network environment and the like carried in the login request, and matches the data object group with a plurality of direct trusted relation pairs and a plurality of indirect trusted relation pairs contained in a white list policy.
If the set of data objects matches any one of the direct trusted relationship pair or the indirect trusted relationship pair, confirming that the login request operates as a secure login behavior.
If, however, the data object group does not match any of the direct or indirect trusted relationship pairs, the login request operation is determined to be an abnormal login request operation initiated by an abnormal user, and it may be intercepted because the condition of the trusted policy is not satisfied.
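The pipeline of Steps 206 to 208 and of Steps 402 to 416 above, as an added example that is not the patent's or the applicant's code: the node and edge types, the preset security relationship types, the sample "login-A" behavior and the match rule (a request passes when it carries every object of some direct or indirect trusted pair, with one object per type) are all constructed assumptions.

```python
"""Graph-based trusted policy: tag nodes from security metadata, extract
direct trusted pairs, infer indirect pairs over preset safe relation types,
and apply the result as a whitelist. Added example; all data is constructed."""
from collections import defaultdict

# Preset security relationship data (constructed): only edges of these
# types let a neighbour inherit trust from a trusted node (Step 412).
SAFE_RELATIONS = {"relative", "same_group", "calls"}


class TrustedPolicyGraph:
    """Object relationship graph: nodes are (type, id) tuples, edges carry a
    relation type, tags map a trusted-behaviour label to its nodes."""

    def __init__(self):
        self.edges = defaultdict(dict)   # node -> {neighbour: relation}
        self.tags = defaultdict(set)     # behaviour label -> tagged nodes

    def add_edge(self, a, b, relation):
        """Step 402: undirected edge between two data objects."""
        self.edges[a][b] = relation
        self.edges[b][a] = relation

    def import_behavior(self, label, objects):
        """Step 408: tag the graph nodes found in one trusted behaviour.
        Objects the graph does not know are skipped, never silently added."""
        for obj in objects:
            if obj in self.edges:
                self.tags[label].add(obj)

    def direct_pairs(self):
        """Step 410: nodes sharing one behaviour tag form a direct trusted
        relationship pair; a lone tagged node is not a pair."""
        return {frozenset(nodes) for nodes in self.tags.values() if len(nodes) > 1}

    def infer_indirect_pairs(self, direct):
        """Step 412: a neighbour joined to a trusted node by an edge whose type
        is in SAFE_RELATIONS takes that node's place in the pair."""
        indirect = set()
        for pair in direct:
            for node in pair:
                for nbr, rel in self.edges[node].items():
                    if rel in SAFE_RELATIONS and nbr not in pair:
                        indirect.add(frozenset((pair - {node}) | {nbr}))
        return indirect - direct


class WhitelistPolicy:
    """Steps 414/416: intercept any request whose object group matches no
    direct or indirect trusted pair."""

    def __init__(self, direct, indirect):
        self.pairs = set(direct) | set(indirect)

    def check(self, request_objects):
        group = set(request_objects)
        # A request carrying two objects of one type (e.g. two user ids) is
        # ambiguous and is intercepted rather than matched leniently.
        if len({t for t, _ in group}) != len(group):
            return "intercept"
        for pair in self.pairs:
            if pair <= group:      # every object of the pair is present
                return "pass"
        return "intercept"


def build_demo_policy():
    """Constructed sample: user A owns dev-A, A1 is a relative of A,
    X is merely an acquaintance of A; the logs show A logging in on dev-A."""
    g = TrustedPolicyGraph()
    user_a, dev_a, user_a1 = ("user", "A"), ("device", "dev-A"), ("user", "A1")
    user_x, dev_x = ("user", "X"), ("device", "dev-X")
    g.add_edge(user_a, dev_a, "owns")
    g.add_edge(user_a, user_a1, "relative")      # preset safe relation
    g.add_edge(user_a, user_x, "acquaintance")   # not a safe relation
    g.add_edge(user_x, dev_x, "owns")
    # Security metadata: one trusted login behaviour; the IP object is not a
    # graph node and is therefore ignored by import_behavior.
    g.import_behavior("login-A", [user_a, dev_a, ("ip", "not-in-graph")])
    direct = g.direct_pairs()
    indirect = g.infer_indirect_pairs(direct)
    return g, direct, indirect, WhitelistPolicy(direct, indirect)


if __name__ == "__main__":
    _, direct, indirect, policy = build_demo_policy()
    print("direct:", direct)      # {A, dev-A}
    print("indirect:", indirect)  # {A1, dev-A}: A1 inherits via "relative"
    print(policy.check([("user", "A1"), ("device", "dev-A")]))   # pass
    print(policy.check([("user", "X"), ("device", "dev-X")]))    # intercept
```

Note that X, connected to A only by a non-safe relation, gains no trust, so a login from X on dev-X is intercepted even though X is adjacent to a trusted node.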
Based on the above steps, the security policy determining method provided in one or more embodiments of the present disclosure is a trusted policy generation technology based on graph computation. It aims to generate a multidimensional trusted defense policy from a graph data structure and graph computation, with the advantages of a high detection rate and a low false alarm rate, so as to intercept attack behaviors initiated by an attacker and break the attacker's action chain. The method comprises the following steps: first, the entities and relationships of the trusted policy map are defined, where the entities include staff, applications, assets and so on, and the relationships include person-to-person relationships, application-to-application relationships and so on. Second, security metadata and logs are collected and imported into the trusted policy map according to the map structure. Finally, indirect trusted relationships are inferred from the direct trusted relationships, a trusted behavior template is constructed from the direct and indirect trusted relationships, and if a user behavior does not exist in the trusted behavior template it is determined to be an unexpected external behavior and is intercepted.
Based on this method, the graph-computation-based trusted policy generation technology generates a trusted defense policy from the graph data structure and graph computation, thereby defending against attack behaviors and meeting the security operation requirement of low false alarms while detecting attack behaviors efficiently. The false alarms of the multidimensional whitelist policy are reduced without lowering its high detection rate.
Corresponding to the above method embodiments, the present disclosure further provides an embodiment of a security policy determining device, and fig. 5 shows a schematic structural diagram of a security policy determining device provided in one embodiment of the present disclosure. As shown in fig. 5, the apparatus includes:
A graph construction module 502 configured to determine a plurality of data objects of a target item and relationship data between the data objects, and construct an object relationship graph based on the data objects and the relationship data;
An object recognition module 504 configured to determine object security recognition data of the target item and recognize a security data object of the plurality of data objects based on the object security recognition data and the object relationship graph, wherein the security data object is a data object of the plurality of data objects corresponding to the object security recognition data;
An object group validation module 506 configured to determine a secure data object group based on the secure data object and determine an associated data object group having a secure association with the secure data object group from the object relationship graph;
a policy determination module 508 is configured to determine an item security policy for the target item based on the set of security data objects and the set of associated data objects.
Optionally, the object recognition module 504 is further configured to:
determining a plurality of object safety information contained in the object safety identification data and object identifiers corresponding to the object safety information;
based on the object identification, a security data object corresponding to the object security information is determined from the object relationship graph.
Optionally, the object group validation module 506 is further configured to:
Determining a plurality of security data objects corresponding to target object security information, wherein the target object security information is any one of the plurality of object security information;
and constructing a safe data object group corresponding to the target object safety information based on the plurality of safe data objects and the relation data among the safe data objects.
Optionally, the object group validation module 506 is further configured to:
Determining a plurality of adjacent data objects connected with the safety data objects in the safety data object group from the object relation graph, wherein the safety data objects are connected with the adjacent data objects through relation data;
Determining each adjacent data object as an associated data object with a security association relationship with the security data object under the condition that the relationship data between the security data object and the adjacent data object is determined to be consistent with the preset security relationship data;
And constructing an associated data object group which has a safety association relation with the safety data object group based on the plurality of associated data objects and the relation data among the associated data objects.
Optionally, the policy determination module 508 is further configured to:
And constructing a white list strategy for the target item by utilizing a safety data object group containing a plurality of types of safety data objects and an association data object group containing a plurality of types of association data objects, wherein the white list strategy is used for intercepting other data object groups except the safety data object group and the association data object group.
Optionally, the graph construction module 502 is further configured to:
And taking the data objects as nodes, taking the relation data among the data objects as edges, and constructing an object relation graph based on the nodes and the edges.
Optionally, the object recognition module 504 is further configured to:
determining security identification data of an object to be processed of the target item;
And carrying out data preprocessing on the object safety identification data to be processed to obtain the object safety identification data.
Optionally, the security policy determining apparatus further includes a request processing module configured to:
running the project security policy in the target project;
under the condition that a data processing request to be detected is received, determining a data object group to be detected contained in the data processing request to be detected;
and under the condition that the data object group to be detected meets the project security policy, determining the data processing request to be detected as a data processing request passing detection, and responding to the data processing request passing detection to perform data processing.
The security policy determining device in the embodiment of the present disclosure may identify, based on the object security identification data and the object relationship diagram of the target item, a security data object corresponding to the object security identification data from among a plurality of data objects, and determine, from the object relationship diagram, an association data object group having a security association relationship with the security data object; thereby accurately identifying a safer set of data objects. And then, based on the safe data object group and the associated data object group, determining an item safety strategy capable of accurately identifying the behavior of destroying the computer safety, and in the process of carrying out safety protection based on the item safety strategy, if the data object in the request does not meet the item safety strategy, accurately intercepting the data object, thereby avoiding the problem of higher false alarm rate of the safety strategy.
The above is a schematic scheme of a security policy determination device of the present embodiment. It should be noted that, the technical solution of the security policy determining device and the technical solution of the above-mentioned security policy determining method belong to the same concept, and details of the technical solution of the security policy determining device, which are not described in detail, can be referred to the description of the technical solution of the above-mentioned security policy determining method.
Fig. 6 illustrates a block diagram of a computing device 600 provided in accordance with one embodiment of the present description. The components of computing device 600 include, but are not limited to, memory 610 and processor 620. The processor 620 is coupled to the memory 610 via a bus 630 and a database 650 is used to hold data.
Computing device 600 also includes access device 640, access device 640 enabling computing device 600 to communicate via one or more networks 660. Examples of such networks include public switched telephone networks (PSTN, Public Switched Telephone Network), local area networks (LAN, Local Area Network), wide area networks (WAN, Wide Area Network), personal area networks (PAN, Personal Area Network), or combinations of communication networks such as the internet. The access device 640 may include one or more of any type of network interface, wired or wireless, such as a network interface card (NIC, Network Interface Controller), an IEEE 802.11 wireless local area network (WLAN, Wireless Local Area Network) wireless interface, a worldwide interoperability for microwave access (Wi-MAX, Worldwide Interoperability for Microwave Access) interface, an ethernet interface, a universal serial bus (USB, Universal Serial Bus) interface, a cellular network interface, a bluetooth interface, or a near field communication (NFC) interface.
In one embodiment of the present description, the above-described components of computing device 600, as well as other components not shown in FIG. 6, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device shown in FIG. 6 is for exemplary purposes only and is not intended to limit the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 600 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smart phone), wearable computing device (e.g., smart watch, smart glasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or personal computer (PC, personal Computer). Computing device 600 may also be a mobile or stationary server.
Wherein the processor 620 is configured to execute computer-executable instructions that, when executed by the processor, perform the steps of the security policy determination method described above.
In this specification, each embodiment is described in a progressive manner: identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the others. In particular, since the computing device embodiments are substantially similar to the security policy determination method embodiments, their description is relatively brief; for the relevant details, see the corresponding parts of the description of the security policy determination method embodiments.
An embodiment of the present specification also provides a computer-readable storage medium storing a computer program/instruction which, when executed by a processor, implements the steps of the above-described security policy determination method.
In this specification, each embodiment is described in a progressive manner: identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the others. In particular, since the computer-readable storage medium embodiments are substantially similar to the security policy determination method embodiments, their description is relatively brief; for the relevant details, see the corresponding parts of the description of the security policy determination method embodiments.
An embodiment of the present specification also provides a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the above-described security policy determination method.
The foregoing is a schematic scheme of the computer program product of this embodiment. It should be noted that the technical solution of the computer program product and the technical solution of the above-mentioned security policy determining method belong to the same concept; for details of the computer program product solution that are not described here, refer to the description of the security policy determining method above.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, such as a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, or a software distribution medium. It should be noted that the content covered by the computer-readable medium may be extended or restricted as required by patent practice; for example, in some jurisdictions the computer-readable medium does not include electrical carrier signals and telecommunications signals.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the embodiments are not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the embodiments of the present disclosure. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. This specification is to be limited only by the claims and the full scope and equivalents thereof.

Claims (13)

1. A security policy determination method, comprising:
determining a plurality of data objects of a target item and relation data among the data objects, and constructing an object relationship graph based on the data objects and the relation data;
determining object security identification data of the target item, and identifying a security data object among the plurality of data objects based on the object security identification data and the object relationship graph, wherein the security data object is the data object, among the plurality of data objects, that corresponds to the object security identification data;
determining a security data object group based on the security data object, and determining, from the object relationship graph, an associated data object group having a security association relation with the security data object group;
and determining an item security policy for the target item based on the security data object group and the associated data object group.
2. The security policy determination method according to claim 1, wherein the identifying a security data object among the plurality of data objects based on the object security identification data and the object relationship graph comprises:
determining a plurality of pieces of object security information contained in the object security identification data and the object identifier corresponding to each piece of object security information;
and determining, from the object relationship graph, the security data object corresponding to the object security information based on the object identifier.
3. The security policy determination method according to claim 2, wherein the determining a security data object group based on the security data object comprises:
determining, from the object relationship graph, a plurality of security data objects corresponding to target object security information, wherein the target object security information is any one of the plurality of pieces of object security information;
and constructing the security data object group corresponding to the target object security information based on the plurality of security data objects and the relation data among them.
4. The security policy determination method according to claim 3, wherein the determining, from the object relationship graph, the security data object corresponding to the object security information based on the object identifier comprises:
determining, from the object relationship graph, a data object to be marked corresponding to each piece of object security information based on the object identifier;
and adding the tag information corresponding to each piece of object security information to the data object to be marked corresponding to that piece of object security information, to obtain the security data object corresponding to that piece of object security information;
and the determining, from the object relationship graph, a plurality of security data objects corresponding to the target object security information comprises:
determining, from the object relationship graph, the plurality of security data objects corresponding to the target object security information based on the tag information.
5. The security policy determination method according to claim 1, wherein the determining, from the object relationship graph, an associated data object group having a security association relation with the security data object group comprises:
determining, from the object relationship graph, a plurality of adjacent data objects connected to the security data objects in the security data object group, wherein a security data object is connected to an adjacent data object through relation data;
determining each adjacent data object to be an associated data object having a security association relation with the security data object, on the condition that the relation data between the security data object and that adjacent data object is determined to be consistent with preset security relation data;
and constructing the associated data object group having a security association relation with the security data object group based on the plurality of associated data objects and the relation data among them.
6. The security policy determination method according to claim 1, wherein the determining the item security policy of the target item based on the security data object group and the associated data object group comprises:
constructing a whitelist policy for the target item using a security data object group containing a plurality of types of security data objects and an associated data object group containing a plurality of types of associated data objects, wherein the whitelist policy is used to intercept data object groups other than the security data object group and the associated data object group.
7. The security policy determination method according to claim 1, wherein the constructing an object relationship graph based on the data objects and the relation data comprises:
taking the data objects as nodes and the relation data among the data objects as edges, and constructing the object relationship graph based on the nodes and the edges.
8. The security policy determination method according to claim 1, wherein the determining object security identification data of the target item comprises:
determining object security identification data to be processed of the target item;
and performing data preprocessing on the object security identification data to be processed to obtain the object security identification data.
9. The security policy determination method according to claim 1, further comprising, after determining the item security policy of the target item based on the security data object group and the associated data object group:
running the item security policy in the target item;
on the condition that a data processing request to be detected is received, determining a data object group to be detected contained in the data processing request to be detected;
and on the condition that the data object group to be detected satisfies the item security policy, determining the data processing request to be detected to be a data processing request that passes detection, and performing data processing in response to the data processing request that passes detection.
10. A security policy determination apparatus, comprising:
a graph construction module configured to determine a plurality of data objects of a target item and relation data among the data objects, and to construct an object relationship graph based on the data objects and the relation data;
an object identification module configured to determine object security identification data of the target item and to identify a security data object among the plurality of data objects based on the object security identification data and the object relationship graph, wherein the security data object is the data object, among the plurality of data objects, that corresponds to the object security identification data;
an object group confirmation module configured to determine a security data object group based on the security data object, and to determine, from the object relationship graph, an associated data object group having a security association relation with the security data object group;
and a policy determination module configured to determine an item security policy for the target item based on the security data object group and the associated data object group.
11. A computing device, comprising:
a memory and a processor;
wherein the memory is adapted to store a computer program/instruction and the processor is adapted to execute the computer program/instruction, which, when executed by the processor, implements the steps of the security policy determination method of any one of claims 1 to 9.
12. A computer readable storage medium storing a computer program/instruction which when executed by a processor performs the steps of the security policy determination method of any of claims 1 to 9.
13. A computer program product comprising computer programs/instructions which when executed by a processor implement the steps of the security policy determination method of any of claims 1 to 9.
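The procedure of claims 1 to 9, worked through end to end as an added illustration; this is not the patent's own code or the applicant's implementation. The object names, relation labels, the "preset security relation data" set and the one-hop reading of "adjacent data objects" are all constructed assumptions. The example builds the object relationship graph (claim 7), tags the objects named by the security identification data (claims 2 and 4), forms the security data object group (claim 3), expands it to the associated data object group over secure relations only (claim 5), derives the whitelist (claim 6), and checks an incoming request's data object group against it (claim 9). It also covers two edge cases the claims imply: an identifier in the security identification data that does not exist in the graph is ignored, and a neighbour connected only through a non-secure relation is not whitelisted.

```python
"""Graph-based whitelist policy derivation modelled on the claims above.
Added example; every name and value here is constructed, not from the patent."""
from dataclasses import dataclass, field

# Constructed relation data for a target item: (source object, relation, target object).
RELATIONS = [
    ("order_svc", "calls", "payment_svc"),
    ("order_svc", "reads", "orders_db"),
    ("payment_svc", "writes", "ledger_db"),
    ("report_job", "reads", "orders_db"),      # two hops from the secure group: not whitelisted
    ("debug_proxy", "forwards", "payment_svc"),  # adjacent, but via a non-secure relation
    ("backup_job", "copies", "ledger_db"),       # adjacent, but via a non-secure relation
]

# Constructed object security identification data: object identifier -> security information.
SECURITY_ID_DATA = {
    "order_svc": "reviewed-core",
    "payment_svc": "reviewed-core",
    "ledger_db": "pci-scope",
    "ghost_svc": "reviewed-core",  # identifier with no node in the graph: must be ignored
}

# Constructed "preset security relation data" (claim 5): only these relations create a
# security association between a security data object and its neighbour.
SECURE_RELATIONS = {"calls", "reads", "writes"}


@dataclass
class ObjectGraph:
    nodes: set = field(default_factory=set)
    edges: dict = field(default_factory=dict)   # node -> {(neighbour, relation)}
    relations: list = field(default_factory=list)
    tags: dict = field(default_factory=dict)    # node -> tag information (claim 4)

    @classmethod
    def build(cls, relations):
        """Claim 7: data objects are nodes, relation data are edges (stored undirected)."""
        g = cls(relations=list(relations))
        for src, rel, dst in relations:
            g.nodes.update((src, dst))
            g.edges.setdefault(src, set()).add((dst, rel))
            g.edges.setdefault(dst, set()).add((src, rel))
        return g

    def mark_security_objects(self, sec_id_data):
        """Claims 2 and 4: attach tag information to the objects named by the identifiers.
        Identifiers that do not resolve to a node are skipped rather than invented."""
        for obj_id, info in sec_id_data.items():
            if obj_id in self.nodes:
                self.tags[obj_id] = info
        return set(self.tags)

    def security_group(self):
        """Claim 3: the tagged objects together with the relation data among them."""
        members = set(self.tags)
        inner = [(a, rel, b) for a, rel, b in self.relations if a in members and b in members]
        return members, inner

    def associated_group(self, members, secure_relations):
        """Claim 5: direct neighbours of group members, kept only when the connecting
        relation data matches the preset security relation data."""
        assoc = set()
        for a in members:
            for b, rel in self.edges.get(a, ()):
                if b not in members and rel in secure_relations:
                    assoc.add(b)
        return assoc


def derive_whitelist(relations, sec_id_data, secure_relations):
    """Claim 6: whitelist = security data object group + associated data object group."""
    g = ObjectGraph.build(relations)
    g.mark_security_objects(sec_id_data)
    members, _ = g.security_group()
    assoc = g.associated_group(members, secure_relations)
    return members, assoc


def check_request(whitelist, requested_objects):
    """Claim 9: a request passes only if every data object it touches is whitelisted;
    otherwise the offending objects are reported so the request can be intercepted."""
    offending = set(requested_objects) - whitelist
    return len(offending) == 0, offending


if __name__ == "__main__":
    members, assoc = derive_whitelist(RELATIONS, SECURITY_ID_DATA, SECURE_RELATIONS)
    print("security data object group:", sorted(members))
    print("associated data object group:", sorted(assoc))
    for req in (["order_svc", "orders_db"], ["order_svc", "debug_proxy"]):
        print(req, "->", check_request(members | assoc, req))
```

The one-hop expansion is deliberate: `report_job` reaches `orders_db`, but `orders_db` is only an associated object, not a security data object, so the claims as written give no basis for whitelisting it. A deployment that wanted transitive expansion would have to state that explicitly in its preset security relation data, and the false-positive rate the description discusses would rise with every extra hop.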

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410330263.2A CN118171283A (en) 2024-03-21 2024-03-21 Security policy determination method and device, computing device and storage medium

Publications (1)

Publication Number Publication Date
CN118171283A true CN118171283A (en) 2024-06-11

Family

ID=91348319

Country Status (1)

Country Link
CN (1) CN118171283A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination