
CN107992758B - Dynamic management method and device for security mechanism - Google Patents

Dynamic management method and device for security mechanism

Info

Publication number: CN107992758B
Authority: CN (China)
Prior art keywords: attribute, decision tree, security, safety, subject
Legal status: Active
Application number: CN201711227961.6A
Other languages: Chinese (zh)
Other versions: CN107992758A
Inventors: 陈性元, 杜学绘, 任志宇, 周超, 曹利峰, 孙奕, 杨智, 韩冰, 赵建成
Current assignee: PLA Information Engineering University
Original assignee: PLA Information Engineering University

Events:
Application filed by PLA Information Engineering University
Priority to CN201711227961.6A
Publication of CN107992758A
Application granted
Publication of CN107992758B
Legal status: Active

Classifications

    • G06F21/604 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; Protecting data; Tools and structures for managing or administering access control systems
    • G06F21/31 Authentication, i.e. establishing the identity or authorisation of security principals; User authentication
    • G06F21/45 Authentication, i.e. establishing the identity or authorisation of security principals; Structures or tools for the administration of authentication
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database


Abstract

The invention discloses a method and device for the dynamic management of a security mechanism. The method includes: extracting the subject attributes and object attributes of an access data stream; determining, according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the security mechanism components required by the access data stream, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes; and reorganising the determined security mechanism components to generate a security protection system. In this way, dynamic protection of Internet services is achieved, so that the protection mechanism of Internet services and Internet-based information systems becomes more targeted and the protection capability of such services and systems is improved.

Description

Dynamic management method and device for a security mechanism

Technical field

The present invention relates to the field of information security, and in particular to a method and device for the dynamic management of a security mechanism.

Background

The Internet is a global critical information infrastructure, and the important information systems built on it bear on the national economy and people's livelihood. Here, an important information system means one that does not involve state secrets but plays an important role in national security and the economy, for example taxation, public security or fire services. Such systems hold important information or provide important government services; if one is damaged, both the property of the organisation and the functions of government suffer a large negative impact. Protection mechanisms are therefore needed to secure important Internet-based information systems.

In the prior art, a static, single protection mechanism is usually used: for example, a protection mechanism is configured in advance for a given information system, and that preset security mechanism is applied regardless of when or by whom the system is accessed.

When such a static, single means of protection faces different accessing subjects or different accessed objects, it is not targeted at them, and its protection performance is poor.

Summary of the invention

In view of this, embodiments of the present invention provide a method and device for the dynamic management of a security mechanism, which solve the problem in the prior art that a static, single means of protection lacks targeted protection capability and performs poorly.

A method for the dynamic management of a security mechanism provided by an embodiment of the present invention includes:

extracting the subject attributes and object attributes of an access data stream;

determining, according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the security mechanism components required by the access data stream, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes;

combining the determined security mechanism components to generate a security protection system.

Optionally, the method of constructing the ternary relationship includes:

using a decision tree method to build a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree from the subject attribute set, the object attribute set and the security mechanism attribute set of a preset sample set, respectively;

constructing the ternary relationship from a preset security protection log, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes.

Optionally, using the decision tree method to build the subject attribute decision tree, the object attribute decision tree and the security mechanism attribute decision tree from the subject attribute set, the object attribute set and the security mechanism attribute set of the preset sample set includes:

for each parameter in a preset attribute set, extracting the attribute value of each attribute the parameter includes, to obtain the assignment relationship between each attribute and its attribute value, the preset attribute set being any one of the subject attribute set, the object attribute set and the security mechanism attribute set;

clustering the parameters of the preset attribute set according to the assignment relationship of each attribute and attribute value included in each parameter and a preset security management knowledge base, to obtain the category of each parameter;

calculating the information gain ratio of each attribute included in each parameter;

constructing the attribute decision tree of the preset attribute set according to the category of each parameter and the information gain ratio of each attribute each parameter includes, where each branch node of the attribute decision tree is an attribute and each leaf node is a category of the clustering result.

Optionally, constructing the ternary relationship from the preset security protection log, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree includes:

selecting, according to the preset security protection log, the security mechanism corresponding to each subject attribute in the subject attribute decision tree and to each object attribute in the object attribute decision tree;

determining each attribute of each selected security mechanism according to the security mechanism attribute decision tree;

calculating the information gain ratio of each attribute of the selected security mechanisms;

constructing the ternary relationship from the subject attribute decision tree, the object attribute decision tree, their corresponding security mechanisms, and the information gain ratio of each attribute of each security mechanism.

Optionally, determining, according to the preset ternary relationship, the security mechanism components corresponding to the subject attributes and to the object attributes respectively includes:

determining, according to the preset ternary relationship, the security requirement protection template corresponding to the subject attributes and to the object attributes of the access data stream, the security requirement protection template being a set of at least one security attribute;

matching a plurality of security mechanism components to the security requirement protection template using a slack matching algorithm.

Optionally, combining the determined security mechanisms to generate the security protection system includes:

abstracting each security mechanism component into an index state machine;

establishing a security mechanism flow using the index state machine;

configuring the corresponding security devices and/or security systems according to the security mechanism flow, to generate the security protection system.

An embodiment of the present invention further provides a device for the dynamic management of a security mechanism, including:

an extraction unit for extracting the subject attributes and object attributes of an access data stream;

a matching unit for determining, according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the security mechanism components required by the access data stream, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes;

a combination unit for combining the determined security mechanism components to generate a security protection system.

Optionally, the device further includes:

an attribute decision tree establishment unit for using a decision tree method to build a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree from the subject attribute set, the object attribute set and the security mechanism attribute set of a preset sample set, respectively;

a ternary relationship construction unit for constructing the ternary relationship from a preset security protection log, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes.

Optionally, the matching unit includes:

a determination subunit for determining, according to the preset ternary relationship, the security requirement protection template corresponding to the subject attributes and to the object attributes of the access data stream, the security requirement protection template being a set of at least one security attribute;

a matching subunit for matching a plurality of security mechanism components to the security requirement protection template using a slack matching algorithm.

Optionally, the combination unit includes:

an abstraction subunit for abstracting each security mechanism component into an index state machine;

an establishment subunit for establishing a security mechanism flow using the index state machine;

a generation subunit for configuring the corresponding security devices and/or security systems according to the security mechanism flow, to generate the security protection system.

A method for the dynamic management of a security mechanism provided by an embodiment of the present invention includes: extracting the subject attributes and object attributes of an access data stream; determining, according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the security mechanism components required by the access data stream, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes; and reorganising the determined security mechanisms to generate a security protection system. In this way, dynamic protection of Internet services is achieved, so that the protection mechanism of Internet services and Internet-based information systems becomes more targeted and the protection capability of such services and systems is improved.

In addition, the embodiments of the present invention adopt a decision tree method, which improves assignment relationship optimisation, noise reduction, semantic processing, and conflict detection and resolution. After the security requirement protection template is obtained, a slack matching algorithm matches the corresponding security mechanisms to the template, which lowers the complexity of matching while guaranteeing its accuracy. When the security mechanisms are reorganised, the index state machine method is used, which overcomes the shortcomings of existing reorganisation techniques in formal modelling, solves the function mapping and path mapping problems of the transition from the logical level to the instance level, provides theoretical and technical support for the reorganisation of security mechanisms, and also improves algorithm efficiency.

Brief description of the drawings

To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are briefly introduced below. Obviously, the drawings described below show only embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.

Fig. 1 is a schematic flowchart of a method for the dynamic management of a security mechanism according to an embodiment of the present invention;

Fig. 2 is a schematic diagram of the subjects, objects and security mechanisms of an Internet service;

Fig. 3 is a schematic flowchart of a method for constructing a ternary relationship according to an embodiment of the present invention;

Fig. 4 is a schematic diagram of a ternary relationship;

Fig. 5 is a schematic structural diagram of a device for the dynamic management of a security mechanism according to an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the present invention.

Referring to Fig. 1, a schematic flowchart of a method for the dynamic management of a security mechanism according to an embodiment of the present invention is shown. In this embodiment, the method includes:

S101: extracting the subject attributes and object attributes from the access data stream;

In this embodiment, as shown in Fig. 2, an access data stream in an Internet service arises between a subject and an object: the subject is the party that initiates the Internet service, and the object is what the subject needs to access in the course of the service. For example, subjects include users, devices and the like; objects include documents, pictures and the like.

An attribute is an identifier that expresses a characteristic of an entity. When the subject is a user, age and position can be regarded as subject attributes; when the object is a document, document type and document size can be regarded as object attributes.

S102: determining, according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the security mechanism components required by the access data stream, the ternary relationship being the relationship among subject attributes, object attributes and security mechanism attributes;

It should be noted that the security protection applied to an access data stream comprises a variety of security mechanisms, such as firewalls and passwords, and that an attribute is an identifier that expresses a characteristic of an entity. In this embodiment, security mechanism attributes may include the authentication method, the access control policy and the like, and environment attributes include time, space and the like.

In this embodiment, the ternary relationship may be constructed before S101; the specific construction method is described in detail below and is not repeated here.

After S102 is executed, the security mechanism components required by the access data stream are obtained. Specifically, S102 includes:

determining, according to the preset ternary relationship, the security requirement protection template corresponding to the subject attributes and to the object attributes of the access data stream, the security requirement protection template being a set of at least one security attribute;

matching a plurality of security mechanism components to the security requirement protection template using a slack matching algorithm.

In this embodiment, since the ternary relationship is the relationship among subject attributes, object attributes and security mechanism attributes, at least one security mechanism attribute corresponding to the subject attributes and object attributes can be obtained from them; the set of at least one security mechanism attribute is here called the security requirement protection template. Knowing the template alone is not enough, however: the security mechanism corresponding to the template must also be known. In this embodiment, to reduce the complexity of matching while guaranteeing its accuracy, a slack matching algorithm can be used to match the corresponding security mechanism components to the obtained security requirement protection template. Specifically, the slack matching algorithm is given by formula 1):

1) $S = \omega_1 H_1 + \omega_2 H_2$;

where $\omega_1$ and $\omega_2$ are weights with $0 < \omega_1 < 1$ and $0 < \omega_2 < 1$; $H_1$ describes how similar the hierarchical relationships of each descriptive attribute subtree of the security mechanism attribute tree are to those of the security protection requirement tree, and $H_2$ describes how similar the node counts of each descriptive attribute subtree of the security mechanism attribute tree are to those of the security protection requirement tree.

For example, the security requirement protection template determined from the subject attributes and object attributes of an access data stream can be understood as a description of the protection the access data stream requires; it may include, for instance, authentication, data encapsulation and access control. Security mechanism components can be understood as functional units: authentication, for example, may include password authentication, certificate-based authentication, biometric authentication and so on, and the password type in turn covers the length and character type of the password. The matched security mechanism components may then be: 1) password length greater than 8; 2) password type letters plus digits.
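As an added illustration (not code from the patent), the following Python computes formula 1) for a constructed requirement template and three constructed component attribute trees. The patent defines H1 and H2 only in words, so their concrete forms here are assumptions: H1 is the Jaccard overlap of parent-child edges and H2 the ratio of node counts, both taken over the whole tree rather than per attribute subtree; the weights and the slack threshold are assumed as well.

```python
# Added example: slack matching score S = w1*H1 + w2*H2 (formula 1) between a
# security requirement protection template and candidate mechanism components.
# Attribute trees are nested dicts: name -> subtree (an empty dict is a leaf).

# Constructed requirement template: authentication (password length and type)
# plus access control (policy), as in the worked example of the text.
REQ_TEMPLATE = {
    "authentication": {"password": {"length": {}, "type": {}}},
    "access_control": {"policy": {}},
}

# Constructed attribute trees of candidate security mechanism components.
CANDIDATES = {
    "password_auth": {"authentication": {"password": {"length": {}, "type": {}}}},
    "cert_auth": {"authentication": {"certificate": {"issuer": {}, "validity": {}, "revocation": {}}}},
    "mac_policy": {"access_control": {"policy": {}, "label": {}}},
}


def edges(tree, parent="root"):
    """Set of (parent, child) pairs describing the tree's hierarchy."""
    out = set()
    for name, sub in tree.items():
        out.add((parent, name))
        out |= edges(sub, name)
    return out


def node_count(tree):
    """Number of nodes in the tree (the root placeholder is not counted)."""
    return sum(1 + node_count(sub) for sub in tree.values())


def hierarchy_similarity(req, mech):
    """H1 (assumed form): Jaccard overlap of the two trees' parent-child edges."""
    a, b = edges(req), edges(mech)
    return len(a & b) / len(a | b) if a | b else 1.0


def size_similarity(req, mech):
    """H2 (assumed form): ratio of the smaller to the larger node count."""
    a, b = node_count(req), node_count(mech)
    return min(a, b) / max(a, b) if max(a, b) else 1.0


def slack_score(req, mech, w1=0.7, w2=0.3):
    """Formula 1): S = w1*H1 + w2*H2 with 0 < w1 < 1 and 0 < w2 < 1 (weights assumed)."""
    return w1 * hierarchy_similarity(req, mech) + w2 * size_similarity(req, mech)


def match_components(req, candidates, threshold, w1=0.7, w2=0.3):
    """Return {name: S} for every candidate whose score reaches the threshold.

    The threshold is the slack: lowering it admits components whose attribute
    tree only partly covers the template, raising it keeps only close matches.
    """
    scores = {n: round(slack_score(req, t, w1, w2), 4) for n, t in candidates.items()}
    return {n: s for n, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    for thr in (0.5, 0.34):
        print(thr, match_components(REQ_TEMPLATE, CANDIDATES, thr))
```

With the strict threshold only the password component is selected; with the looser one the mandatory-access-control component is admitted as well, while the certificate component, whose subtree shares only the top-level node with the template, still falls below it.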

S103: combining the determined security mechanisms to generate a security protection system;

In this embodiment, the subject attributes and object attributes of the access data stream each correspond to multiple security mechanism components; to generate the security protection system, these components must be combined. Specifically, S103 includes:

abstracting each security mechanism component into an index state machine;

establishing a security mechanism flow using the index state machine;

configuring the corresponding security devices and/or security systems according to the security mechanism flow, to generate the security protection system.

In this embodiment, the index state machine comprises a state structure, a control structure and a data structure, the three being interrelated. The state structure represents the operations a security mechanism component performs and its changes of state; the control structure represents the control operations and state changes in the component's execution flow; and the data structure is the complete record of the changes in each part during the component's operation, which guarantees the consistency and integrity of the data exchanged between the parts of the system.

Specifically, the process of establishing the security mechanism flow with the index state machine includes:

obtaining, from the connection relationships and control relationships between the security mechanism components, the security mechanism types needed for this access and their specific usage, and saving each security mechanism type together with its usage as one state of the state structure;

setting the rule for the transition from one state to another, and saving that rule in the state machine;

saving the configuration information required by each security mechanism method in the data structure.

For example, the security mechanism types saved in the state structure include secure access authentication, password authentication, mandatory access control and the like. A transition from one state to another corresponds to passing one type of security mechanism and moving on to the next; for example, password authentication can only be performed after secure access authentication has passed.
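The flow just described, as an added Python example that is not part of the patent: the state structure maps each mechanism type to its usage method, the control structure holds the (state, outcome) transition rules, and the data structure holds the configuration and the record of transitions. The mechanism names, outcomes and configuration values are constructed.

```python
# Added example: an index state machine that chains matched security mechanism
# components into a flow and refuses to run them out of order.
from dataclasses import dataclass, field

GRANT, DENY = "GRANT", "DENY"  # terminal states of the flow


@dataclass
class IndexStateMachine:
    states: dict        # state structure: mechanism type -> its usage method
    transitions: dict   # control structure: (state, outcome) -> next state
    config: dict        # data structure: mechanism -> configuration record
    current: str
    trace: list = field(default_factory=list)  # data structure: record of changes

    def step(self, mechanism, outcome):
        """Apply the outcome of running `mechanism`; enforce the flow order."""
        if self.current in (GRANT, DENY):
            raise RuntimeError(f"flow already finished with {self.current}")
        if mechanism != self.current:
            # e.g. password authentication before secure access authentication
            raise RuntimeError(f"{mechanism} may not run before {self.current}")
        nxt = self.transitions.get((mechanism, outcome))
        if nxt is None:
            raise RuntimeError(f"no transition rule for ({mechanism}, {outcome})")
        self.trace.append((mechanism, outcome, nxt))
        self.current = nxt
        return nxt


def build_flow(components, config):
    """Chain components in order: pass -> next component, fail -> DENY,
    last pass -> GRANT. `components` is a list of (mechanism type, usage)."""
    names = [name for name, _ in components]
    transitions = {}
    for i, name in enumerate(names):
        transitions[(name, "pass")] = names[i + 1] if i + 1 < len(names) else GRANT
        transitions[(name, "fail")] = DENY
    return IndexStateMachine(dict(components), transitions, config, current=names[0])


# Constructed components matched for one access, in the order they must run.
COMPONENTS = [
    ("secure_access_auth", "device certificate check"),
    ("password_auth", "password longer than 8, letters plus digits"),
    ("mandatory_access_control", "label comparison on the requested document"),
]
# Constructed configuration records kept in the data structure.
CONFIG = {
    "secure_access_auth": {"trust_anchor": "<constructed-ca-id>"},
    "password_auth": {"min_length": 9, "charset": "letters+digits"},
    "mandatory_access_control": {"policy": "no-read-up"},
}


def run_flow(outcomes):
    """Drive one access through the flow; `outcomes` is [(mechanism, result)].
    Returns the final state and the transition record."""
    fsm = build_flow(COMPONENTS, CONFIG)
    for mechanism, result in outcomes:
        fsm.step(mechanism, result)
    return fsm.current, list(fsm.trace)


def out_of_order_rejected():
    """True if the machine refuses password auth before secure access auth."""
    fsm = build_flow(COMPONENTS, CONFIG)
    try:
        fsm.step("password_auth", "pass")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow([("secure_access_auth", "pass"), ("password_auth", "pass"),
                    ("mandatory_access_control", "pass")]))
    print(run_flow([("secure_access_auth", "pass"), ("password_auth", "fail")]))
    print(out_of_order_rejected())
```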

本实施例中,若需要对互联网业务进行安全防护,在提取出访问数据流的主体属性和客体属性后,根据预设的类型关系库,可以快速的提取出访问数据流所需的安全机制构件,并基于索引状态机,将安全机制重组,得到安全机制防护体系。这样,实现了对互联网业务的动态防护,从而使得互联网业务及基于互联网的信息系统的安全防护机制更加的具有针对性、也提高互联网业务或者基于互联网的信息系统的安全防护能力。In this embodiment, if security protection for Internet services is required, after extracting the subject attribute and object attribute of the access data stream, the security mechanism components required for accessing the data stream can be quickly extracted according to the preset type relation library , and based on the index state machine, the security mechanism is reorganized to obtain a security mechanism protection system. In this way, the dynamic protection of Internet services is realized, thereby making the security protection mechanism of Internet services and Internet-based information systems more targeted, and also improving the security protection capabilities of Internet services or Internet-based information systems.

Referring to FIG. 3, which is a schematic flowchart of a method for generating a ternary relationship provided by an embodiment of the present invention, in this embodiment the method includes:

S301: using a decision tree method, build a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree from the subject attribute set, the object attribute set and the security mechanism attribute set of a preset sample set, respectively;

In this embodiment the sample set consists of a subject attribute set, an object attribute set and a security mechanism attribute set collected from massive data. The subject attribute set contains the subjects and the attributes of each subject; for example, when the subject is a user, the user's attributes include age and position. The object attribute set contains the objects and the attributes of each object; for example, when the object is a document, the document's attributes include document type and document size. The decision tree method is used to build decision trees over the attributes of subjects, objects and security mechanisms, that is, each branch node of a built tree represents an attribute of a subject, an object or a security mechanism. Specifically, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree are each built by carrying out the following steps 1)-4):

Here, the preset attribute set referred to below is any one of the subject attribute set, the object attribute set and the security mechanism attribute set;

1) for each parameter in the preset attribute set, extract the attribute values the parameter contains, obtaining the assignment relation between each attribute and its attribute value;

2) cluster the parameters of the preset attribute set according to the assignment relations between the attributes and attribute values of each parameter and a preset security management knowledge base, obtaining the category of each parameter;

3) calculate the information gain rate of each attribute contained in each parameter;

4) construct the attribute decision tree of the preset attribute set according to the category of each parameter and the information gain rate of each attribute contained in each parameter;

Note that each branch node of the attribute decision tree is an attribute, and each leaf node is one of the categories produced by the clustering.

For example: if the preset attribute set is the subject attribute set, its parameters represent the individual subjects, such as users or devices. If a parameter is a user, the extracted attributes of the user include age, position and so on. Note that in this embodiment the subject attribute set contains different users together with the attributes of each user; if the attribute values are 20 and bank employee, the assignment relation between subject attributes and attribute values is: age corresponds to 20, position corresponds to bank employee.

If the preset attribute set is the object attribute set, its parameters represent the individual objects, such as documents or pictures. If a parameter is a document, the extracted attributes of the document include document type and document size.

If the preset attribute set is the security mechanism attribute set, its parameters represent security mechanisms, such as password authentication or security mechanism authentication. If a parameter is password authentication, the attributes it contains are, for example, access control policy and data encapsulation method.

In this embodiment the preset security management knowledge base contains the history of previous parameter classifications, so the parameters of the preset attribute set can be clustered according to each parameter's attributes, the values of those attributes and the knowledge base, grouping parameters of the same kind into one class.

In this embodiment the information gain rate, also called the information gain ratio, is an extension of information gain: it is the ratio of the uncertainty that an attribute removes from the classification to the uncertainty of the attribute itself. It is used as the measure in order to overcome the bias of plain information gain towards attributes with many distinct values.

Many subject, object and security mechanism attributes may have been collected, but not all of them are useful for classifying entities. The information gain rate of each attribute is therefore calculated: the larger an attribute's information gain rate, the greater its influence on the classification, and such an attribute can serve as a splitting attribute for classifying entities.

In this embodiment each attribute decision tree is built with the decision tree method, which outperforms other algorithms in assignment relation optimisation, noise reduction, semantic processing, and conflict detection and resolution.
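Steps 1)-4) above carried out on a constructed subject attribute set, as an added example that is not part of the patent: the gain ratio is computed C4.5-style (information gain divided by the attribute's own split entropy), the attribute with the largest ratio becomes the splitting attribute, and leaves are categories. The sample subjects, the attribute names and the category labels (which stand in for the result of clustering against the security management knowledge base) are assumptions.

```python
"""Added example, not the patent's code: attribute decision tree built with
the information gain ratio. Category labels are assumed to be the output of
step 2) (clustering against the security management knowledge base)."""
from collections import Counter
from math import log2

# Constructed sample: each parameter (a subject) is an attribute -> value
# assignment relation plus the category the knowledge base assigned to it.
SUBJECTS = [
    ({"age": "young", "position": "bank_clerk", "device": "desktop"}, "low_risk"),
    ({"age": "young", "position": "bank_clerk", "device": "mobile"}, "medium_risk"),
    ({"age": "senior", "position": "bank_clerk", "device": "desktop"}, "low_risk"),
    ({"age": "young", "position": "contractor", "device": "mobile"}, "high_risk"),
    ({"age": "senior", "position": "contractor", "device": "mobile"}, "high_risk"),
    ({"age": "senior", "position": "contractor", "device": "desktop"}, "medium_risk"),
    ({"age": "young", "position": "admin", "device": "desktop"}, "medium_risk"),
    ({"age": "senior", "position": "admin", "device": "mobile"}, "high_risk"),
]


def entropy(labels):
    """Shannon entropy (bits) of the label distribution."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def gain_ratio(samples, attr):
    """Step 3): information gain of splitting on `attr`, divided by the
    split information (entropy of the attribute's own value distribution)."""
    n = len(samples)
    by_value = {}
    for attrs, category in samples:
        by_value.setdefault(attrs[attr], []).append(category)
    conditional = sum(len(part) / n * entropy(part) for part in by_value.values())
    gain = entropy([category for _, category in samples]) - conditional
    split_info = entropy([attrs[attr] for attrs, _ in samples])
    return gain / split_info if split_info > 0 else 0.0


def build_tree(samples, attrs):
    """Step 4): branch nodes are attributes, leaf nodes are categories.
    Returns a category string or a tuple (attribute, {value: subtree})."""
    labels = [category for _, category in samples]
    if len(set(labels)) == 1:
        return labels[0]
    if not attrs:
        return Counter(labels).most_common(1)[0][0]  # majority leaf
    best = max(attrs, key=lambda a: gain_ratio(samples, a))
    branches = {}
    for value in sorted({a[best] for a, _ in samples}):
        subset = [(a, c) for a, c in samples if a[best] == value]
        branches[value] = build_tree(subset, [a for a in attrs if a != best])
    return (best, branches)


def classify(tree, attrs):
    """Walk the tree with a new subject's assignment relation."""
    while isinstance(tree, tuple):
        attr, branches = tree
        tree = branches[attrs[attr]]
    return tree


if __name__ == "__main__":
    for name in ("age", "position", "device"):
        print(f"gain ratio of {name}: {gain_ratio(SUBJECTS, name):.3f}")
    tree = build_tree(SUBJECTS, ["age", "position", "device"])
    print(tree)
    print(classify(tree, {"age": "senior", "position": "contractor", "device": "mobile"}))
```

Note that `age` has the lowest gain ratio on this sample and is never used as a split, which is the pruning of useless attributes the paragraph above describes.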

S302: construct the ternary relationship from the preset security protection log, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree; the ternary relationship consists of the relation between the subject attribute decision tree and the security mechanism attribute decision tree and the relation between the object attribute decision tree and the security mechanism attribute decision tree.

In this embodiment the preset security protection log records which security mechanisms were applied to different subjects and objects, together with the attributes of those subjects and objects. The ternary relationship is constructed from these historical records and the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree. Specifically, S302 includes:

selecting, from the preset security protection log, the security mechanism corresponding to each subject attribute in the subject attribute decision tree and to each object attribute in the object attribute decision tree;

determining the attributes of each selected security mechanism according to the security mechanism attribute decision tree;

calculating the information gain rate of each attribute of the selected security mechanisms;

constructing the ternary relationship from the subject attribute decision tree, the object attribute decision tree, their corresponding security mechanisms, and the information gain rate of each security mechanism.

FIG. 4 is a schematic diagram of the ternary relationship. It shows the correspondence between the subject attribute decision tree and the security mechanism attribute decision tree and the correspondence between the object attribute decision tree and the security mechanism attribute decision tree, that is, the correspondence between subject attributes and security mechanism attributes and between object attributes and security mechanism attributes.

In this embodiment the subject attribute decision tree, the object attribute decision tree and the security mechanism attribute decision tree are built from massive data by the decision tree method, and the relation between the subject attribute decision tree and the security mechanism attribute decision tree and the relation between the object attribute decision tree and the security mechanism attribute decision tree are established. When a security mechanism needs to be set up, the required security mechanism attributes can be determined quickly through the type relation library, and the corresponding security mechanism is determined from them. This realises dynamic protection of Internet services, making the protection mechanisms of Internet services and Internet-based information systems more targeted and improving their protection capability.

Referring to FIG. 5, which is a schematic structural diagram of an apparatus for dynamic management of security mechanisms provided by an embodiment of the present invention, in this embodiment the apparatus includes:

an extraction unit 501, configured to extract the subject attributes and object attributes of an access data stream;

a matching unit 502, configured to determine the security mechanism components required by the access data stream according to a preset ternary relationship and the subject attributes and object attributes of the access data stream, the ternary relationship being the relation among subject attributes, object attributes and security mechanism attributes;

a combining unit 503, configured to combine the determined security mechanism components to generate a security protection system.

Optionally, the apparatus further includes:

an attribute decision tree establishing unit, configured to build, using a decision tree method, a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree from the subject attribute set, the object attribute set and the security mechanism attribute set of a preset sample set, respectively;

a ternary relationship construction unit, configured to construct a ternary relationship from a preset security protection log, the subject attribute decision tree, the object attribute decision tree and the security mechanism decision tree, the ternary relationship being the relation among subject attributes, object attributes and security mechanism attributes.

Optionally, the matching unit includes:

a determining subunit, configured to determine, according to the preset ternary relationship, the security requirement protection template corresponding to the subject attributes and the object attributes of the access data stream, the security requirement protection template being a set of at least one security attribute;

a matching subunit, configured to match a plurality of security mechanism components to the security mechanism requirement protection template using a slack matching algorithm.

Optionally, the combining unit includes:

an abstraction subunit, configured to abstract each security mechanism component into an index state machine;

an establishing subunit, configured to establish a security mechanism flow using the index state machine;

a generating subunit, configured to configure the corresponding security devices and/or security systems according to the security mechanism flow, so as to generate the security protection system.
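S302 and the matching unit above, as an added example that is not part of the patent: constructed security protection log lines record which mechanism was applied for given subject and object attribute values; from them the ternary relation is built, the security requirement protection template of an access data stream is derived, and several components are matched to it under a slack threshold. The log format, the mechanism attribute table, the component catalogue and the greedy slack rule are assumptions (the patent does not define its slack matching algorithm, and the gain-rate weighting of S302 is omitted here).

```python
"""Added example, not the patent's code: ternary relation from a protection
log, protection template for an access stream, slack matching of components.
Log format, attribute tables and the slack rule are assumptions."""
from collections import defaultdict

# Constructed protection log: one applied security mechanism per line.
PROTECTION_LOG = """\
position=contractor object_type=contract mechanism=password_auth
position=contractor object_type=contract mechanism=two_factor_auth
position=bank_clerk object_type=statement mechanism=password_auth
position=bank_clerk object_type=contract mechanism=encryption
position=admin object_type=config mechanism=two_factor_auth
position=admin object_type=config mechanism=audit_log
"""

# Assumed security attributes of each mechanism (what the security mechanism
# attribute decision tree would hold for it).
MECHANISM_ATTRS = {
    "password_auth": {"identity_auth", "rbac"},
    "two_factor_auth": {"identity_auth", "rbac", "otp"},
    "encryption": {"confidentiality", "aes"},
    "audit_log": {"accountability"},
}

# Assumed catalogue of deployable security mechanism components and the
# security attributes each one provides.
COMPONENTS = {
    "iam_gateway": {"identity_auth", "rbac", "otp"},
    "tls_proxy": {"confidentiality", "aes"},
    "siem_agent": {"accountability"},
    "legacy_login": {"identity_auth"},
}


def parse_log(text):
    """Turn the constructed 'key=value ...' lines into dicts."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


def build_ternary_relation(records):
    """S302: map every subject or object (attribute, value) pair to the set
    of mechanisms the log shows were applied for it."""
    relation = defaultdict(set)
    for rec in records:
        for key, value in rec.items():
            if key != "mechanism":
                relation[(key, value)].add(rec["mechanism"])
    return relation


def protection_template(relation, subject_attrs, object_attrs):
    """Security requirement protection template: the union of the security
    attributes of every mechanism linked to the stream's attributes."""
    template = set()
    for attrs in (subject_attrs, object_attrs):
        for pair in attrs.items():
            for mech in relation.get(pair, ()):
                template |= MECHANISM_ATTRS[mech]
    return template


def match_components(template, components, slack=0.0):
    """Assumed slack rule: pick components greedily until at least
    (1 - slack) of the template is covered. Returns the chosen component
    names in selection order and the attributes still uncovered."""
    remaining = set(template)
    chosen = []
    needed = (1.0 - slack) * len(template)
    while len(template) - len(remaining) < needed:
        best = min(components, key=lambda n: (-len(components[n] & remaining), n))
        gained = components[best] & remaining
        if not gained:
            break  # no component covers anything further
        chosen.append(best)
        remaining -= gained
    return chosen, remaining


def plan_for_stream(subject_attrs, object_attrs, slack=0.0):
    """Extraction unit output in, matched components out, for one stream."""
    relation = build_ternary_relation(parse_log(PROTECTION_LOG))
    template = protection_template(relation, subject_attrs, object_attrs)
    return match_components(template, COMPONENTS, slack)


if __name__ == "__main__":
    print(plan_for_stream({"position": "contractor"}, {"object_type": "contract"}))
    print(plan_for_stream({"position": "admin"}, {"object_type": "config"}, slack=0.25))
```

With slack 0 the contractor/contract stream needs both `iam_gateway` and `tls_proxy`; with slack 0.25 the admin/config stream stops after `iam_gateway` and reports `accountability` as uncovered, which is the gap a defender would want surfaced before the combining unit builds the flow.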

The apparatus of this embodiment realises dynamic protection of Internet services, making the protection mechanisms of Internet services and Internet-based information systems more targeted and improving their protection capability.

Note that the embodiments in this specification are described progressively; each embodiment concentrates on its differences from the others, and for the parts the embodiments have in common, reference may be made between them.

The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Accordingly, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A dynamic management method for a security mechanism is characterized by comprising the following steps:
extracting subject attributes and object attributes of the access data stream;
determining a security mechanism component required by the access data stream according to a preset ternary relationship, and the subject attribute and the object attribute of the access data stream; the three-element relation is the relation among the subject attribute, the object attribute and the safety mechanism attribute;
combining the determined safety mechanism components to generate a safety protection system;
the determining a security mechanism component required by the access data stream according to the preset ternary relationship, the subject attribute and the object attribute of the access data stream includes:
respectively determining a subject attribute of an access data stream and a safety demand protection template corresponding to the object attribute according to a preset ternary relationship; the security requirement protection template is a set of at least one security attribute;
matching a plurality of safety mechanism components for the safety mechanism demand protection template by adopting a slack matching algorithm;
the combining the determined safety mechanisms to generate a safety protection system includes:
abstracting each security mechanism component into an index state machine;
establishing a security mechanism flow by utilizing the index state machine;
and configuring corresponding safety equipment and/or safety systems according to the safety mechanism flow so as to generate a safety protection system.
2. The method of claim 1, wherein the method for constructing the ternary relationship comprises:
respectively establishing a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree according to a subject attribute set, an object attribute set and a security mechanism attribute set in a preset sample set by adopting a decision tree method;
constructing a ternary relationship according to a preset safety protection log, the subject attribute decision tree, the object attribute decision tree and a safety mechanism decision tree; the three-element relation is the relation among the subject attribute, the object attribute and the safety mechanism attribute.
3. The method according to claim 2, wherein the establishing the subject attribute decision tree, the object attribute decision tree and the security mechanism attribute decision tree according to the subject attribute set, the object attribute set and the security mechanism attribute set in the preset sample set by using the decision tree method comprises:
extracting attribute values of the attributes included in each parameter aiming at each parameter in a preset attribute set to obtain an assignment relation between each attribute and each attribute value; the preset attribute set is any one of a subject attribute set, an object attribute set and a security mechanism attribute set;
clustering the parameters in the preset attribute set according to the assignment relationship between each attribute and each attribute value included in each parameter in the preset attribute set and a preset safety management knowledge base to obtain the category of each parameter;
calculating the information gain rate of each attribute included in each parameter;
constructing an attribute decision tree of a preset attribute set according to the category of each parameter and the information gain rate of each attribute included in each parameter; each branch node in the attribute decision tree is an attribute, and a leaf node is each category of the clustering result.
4. The method of claim 2, wherein the constructing the ternary relationship according to the preset security protection log, the subject attribute decision tree, the object attribute decision tree, and the security mechanism decision tree comprises:
selecting each subject attribute in the subject attribute decision tree and a safety mechanism corresponding to each object attribute in the object attribute decision tree according to a preset safety protection log;
determining each attribute of each selected security mechanism according to the security mechanism attribute decision tree;
calculating the information gain rate of each attribute of the selected security mechanism;
and constructing a ternary relationship according to the subject attribute decision tree, the object attribute decision tree, the corresponding security mechanisms of the subject attribute decision tree and the object attribute decision tree, and the information gain rate of each attribute of each security mechanism.
5. An apparatus for dynamic management of security mechanisms, comprising:
the extraction unit is used for extracting the subject attribute and the object attribute of the access data stream;
the matching unit is used for determining a security mechanism component required by the access data stream according to a preset ternary relationship, and the subject attribute and the object attribute of the access data stream; the three-element relation is the relation among the subject attribute, the object attribute and the safety mechanism attribute;
the combination unit is used for combining the determined safety mechanism components to generate a safety protection system;
the matching unit is configured to:
respectively determining a subject attribute of an access data stream and a safety demand protection template corresponding to the object attribute according to a preset ternary relationship; the security requirement protection template is a set of at least one security attribute;
matching a plurality of safety mechanism components for the safety mechanism demand protection template by adopting a slack matching algorithm;
the combination unit matches a plurality of safety mechanism components for the safety mechanism requirement protection template;
the combining the determined safety mechanisms to generate a safety protection system includes:
abstracting each security mechanism component into an index state machine;
establishing a security mechanism flow by utilizing the index state machine;
and configuring corresponding safety equipment and/or safety systems according to the safety mechanism flow so as to generate a safety protection system.
6. The apparatus of claim 5, further comprising:
the attribute decision tree establishing unit is used for respectively establishing a subject attribute decision tree, an object attribute decision tree and a security mechanism attribute decision tree according to a subject attribute set, an object attribute set and a security mechanism attribute set in a preset sample set by adopting a decision tree method;
the ternary relationship construction unit is used for constructing a ternary relationship according to a preset safety protection log, the subject attribute decision tree, the object attribute decision tree and the safety mechanism decision tree; the three-element relation is the relation among the subject attribute, the object attribute and the safety mechanism attribute.
CN201711227961.6A 2017-11-29 2017-11-29 Dynamic management method and device for security mechanism Active CN107992758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711227961.6A CN107992758B (en) 2017-11-29 2017-11-29 Dynamic management method and device for security mechanism

Publications (2)

Publication Number Publication Date
CN107992758A CN107992758A (en) 2018-05-04
CN107992758B true CN107992758B (en) 2020-01-14

Family

ID=62034092

Country Status (1)

Country Link
CN (1) CN107992758B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111563529A (en) * 2020-03-31 2020-08-21 中国科学院信息工程研究所 Data category attribute representation method and access control method
CN113315792B (en) * 2021-07-30 2021-11-30 深圳市永达电子信息股份有限公司 Object extraction method and device of network data, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104092668A (en) * 2014-06-23 2014-10-08 北京航空航天大学 A Construction Method of Reconfigurable Network Security Service
CN104601530A (en) * 2013-10-31 2015-05-06 中兴通讯股份有限公司 Implementing method and system for could security service

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9158567B2 (en) * 2009-10-20 2015-10-13 Dell Products, Lp System and method for reconfigurable network services using modified network configuration with modified bandwith capacity in dynamic virtualization environments

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dynamic authenticated data structures with access control for outsourcing data stream;Yi Sun;《IET Information Security》;20170817;第11卷(第5期);第235-242页 *
智能安全防护软件自主决策系统研究;沈柳青;《中国优秀硕士学位论文全文数据库 信息科技辑》;20120215(第02期);第I139-336页 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant