CN118784299A - Security access policy matching method, device, computer equipment and storage medium - Google Patents

Abstract

The present invention relates to the field of network security technology, and discloses a security access policy matching method, device, computer equipment and storage medium. The method comprises: obtaining access information of a host, wherein the access information comprises first path information and second path information, the first path information is the path information of an access subject, and the second path information is the path information of an access object; based on a correspondence table of preset file names and file identifiers, converting the first path information into first target path information in digital form, and converting the second path information into second target path information in digital form; matching a target security access policy from a security access policy library based on the first target path information and the second target path information; and determining the access rights of the access subject to the access object based on the target security access policy. The present invention improves the matching efficiency of security access policies by converting the path information of the access subject and the access object into digital form.

Description

Security access policy matching method, device, computer equipment and storage medium

Technical Field

The present invention relates to the field of network security technology, and in particular to a security access policy matching method, device, computer equipment and storage medium.

Background Art

With the digital transformation and the development of the network, host security is becoming more and more important in network security. To ensure the security of the host and business, a secure access strategy is essential, and the key to its implementation lies in improving the matching efficiency between the subject and the object.

In the related art, in order to improve the matching efficiency of host security access policies, the resource path in the policy can be constructed into a tree structure. When processing security access policy matching requests, the tree matching algorithm is used for matching to improve efficiency.

However, the matching of related technologies is still the matching of resource paths. When there are many security access policies and long resource paths, there are problems such as low matching efficiency, slow system response speed, and inability to provide real-time protection.

Summary of the invention

In view of this, the present invention provides a security access policy matching method, apparatus, computer equipment and storage medium to solve the problems of low security access policy matching efficiency, slow system response speed and poor real-time protection effect in the related art.

In a first aspect, the present invention provides a security access policy matching method, the method comprising:

Acquire access information of the host, wherein the access information includes first path information and second path information, the first path information is path information of the access subject, and the second path information is path information of the access object;

Based on a preset table of correspondence between file names and file identifiers, converting the first path information into first target path information in digital form, and converting the second path information into second target path information in digital form;

Matching a target security access policy from a security access policy library based on the first target path information and the second target path information;

Based on the target security access policy, the access authority of the access subject to the access object is determined.

The security access policy matching method provided in this embodiment improves the matching efficiency by converting the first path information and the second path information into the first target path information and the second target path information in digital form, and matches the target security access policy from the security access policy library according to the first target path information and the second target path information, thereby improving the system response speed and achieving the effect of real-time protection.

In an optional implementation, the converting the first path information into first target path information in digital form and the converting the second path information into second target path information in digital form based on a preset file name and file identifier correspondence table includes:

Based on the file segmentation identifier, split the first path information and the second path information into multiple file names;

Determine whether the correspondence table between preset file names and file identifiers contains multiple file names;

In the case where the correspondence table between preset file names and file identifiers contains a plurality of the file names, obtaining the file identifiers corresponding to the plurality of the file names based on the correspondence table between the preset file names and file identifiers;

In a case where at least one of the multiple file names is not included in the correspondence table between preset file names and file identifiers, updating the correspondence table between preset file names and file identifiers based on the at least one file name that is not included, so as to obtain file identifiers corresponding to the multiple file names based on the updated correspondence table between preset file names and file identifiers;

Convert the file segmentation identifiers between the multiple file names in the first path information into digital connection identifiers, and replace the multiple file names in the first path information with the file identifiers corresponding to the file names, to obtain the first target path information;

The file segmentation identifiers between the multiple file names in the second path information are converted into digital connection identifiers, and the multiple file names in the second path information are replaced with file identifiers corresponding to the file names to obtain the second target path information.

The security access policy matching method provided in this embodiment improves the matching efficiency, thereby improving the system response speed and achieving the effect of real-time protection by converting the file name in the first path information and the second path information into a corresponding file identifier, and converting the file segmentation identifier in the first path information and the second path information into a digital connection identifier, thereby obtaining the first target path information and the second target path information.

In an optional implementation, matching a target security access policy from a security access policy library based on the first target path information and the second target path information includes:

Obtaining path matching feature values of the first target path information and the second target path information;

Based on the path matching feature value, a target path matching information set is screened out from a security access policy library;

Based on the target path matching information set, obtaining a target security access policy set from a security access policy library;

Based on the first target path information and the second target path information, a target security access policy is matched from the target security access policy set.

The security access policy matching method provided in this embodiment obtains the path matching feature value of the first target path information and the second target path information, and based on the path matching feature value, selects the target path matching information set from the security access policy library, obtains the target security access policy set from the security access policy library based on the target path matching information set, excludes a large number of unmatched items, improves the matching degree of the access subject and the access object, and then matches the target security access policy from the target security access policy set based on the first target path information and the second target path information. The number of accurate matchings of the access subject and the access object path is reduced, thereby greatly improving the matching efficiency.

In an optional implementation, the acquiring the path matching feature value of the first target path information and the second target path information includes:

Determining, based on the number of digital connection identifiers in the first target path information, a level of the first target path represented by the first path matching feature value;

Determine, based on the total number of file identifiers and digital connection identifiers in the first target path information, an intermediate value of the first target path represented by the second path matching feature value;

Based on the file identifier in the first target path information, determine the sum of the file identifiers of the first target path represented by the third path matching feature value;

Determining, based on the number of digital connection identifiers in the second target path information, a level of the second target path represented by the fourth path matching feature value;

Determine, based on the total number of file identifiers and digital connection identifiers in the second target path information, an intermediate value of the second target path represented by the fifth path matching feature value;

Based on the file identifier in the second target path information, a sum of the file identifiers of the second target path represented by the sixth path matching feature value is determined.

The security access policy matching method provided in this embodiment obtains the three path matching feature values of the access subject and the three path matching feature values of the access object, thereby realizing priority matching of the path matching feature values, eliminating a large number of mismatched items in the security access policy library, improving the matching degree between the access subject and the access object, and reducing the number of precise matches of the access subject and access object paths, thereby greatly improving the matching efficiency.

In an optional implementation, the step of filtering out a target path matching information set from a security access policy library based on the path matching feature value includes:

Based on the first path matching feature value and the fourth path matching feature value, a first path matching information set whose first feature value of the access subject is not greater than the first path matching feature value and whose first feature value of the access object is not greater than the fourth path matching feature value is screened out from the security access policy library;

Based on the second path matching feature value, filter out a second path matching information set from the first path matching information set, the second feature value of the access subject being the same as the second path matching feature value;

In the case where the second path matching information set is empty, performing a hierarchical update operation on the first target path information to obtain an updated second path matching feature value and an updated third path matching feature value, and based on the updated second path matching feature value, filtering out from the first path matching information set a second path matching information set whose second feature value of the access subject is the same as the updated second path matching feature value;

In the case where the second path matching information set is empty and the first target path information level is updated to the root directory, determining that the target path matching information set fails to match;

In the case where the second path matching information set is not empty and the first target path information has not been hierarchically updated, based on the third path matching feature value, a third path matching information set whose third feature value of the access subject is the same as the third path matching feature value is filtered out from the second path matching information set;

In the case where the second path matching information set is not empty and the first target path information is hierarchically updated, based on the updated third path matching feature value, a third path matching information set whose third feature value of the access subject is the same as the updated third path matching feature value is filtered out from the second path matching information set;

Based on the fifth path matching feature value, a fourth path matching information set whose second feature value of the access object is the same as the fifth path matching feature value is selected from the third path matching information set;

In the case where the fourth path matching information set is empty, performing a hierarchical update operation on the second target path information to obtain an updated fifth path matching feature value and an updated sixth path matching feature value, and based on the updated fifth path matching feature value, filtering out a fourth path matching information set whose second feature value of the access object is the same as the updated fifth path matching feature value from the third path matching information set;

In the case where the fourth path matching information set is empty and the second target path information level is updated to the root directory, determining that the target path matching information set fails to match;

In the case where the fourth path matching information set is not empty and the second target path information has not been hierarchically updated, based on the sixth path matching feature value, a target path matching information set having a third feature value of the access object that is the same as the sixth path matching feature value is screened out from the fourth path matching information set;

When the fourth path matching information set is not empty and the second target path information is hierarchically updated, based on the updated sixth path matching feature value, a target path matching information set whose third feature value of the access object is the same as the updated sixth path matching feature value is filtered out from the fourth path matching information set.

The security access policy matching method provided in this embodiment matches the three path matching feature values of the access subject with the three feature values of the access subject in the security access policy library, and matches the three path matching feature values of the access object with the three feature values of the access object in the security access policy library, thereby obtaining a target path matching information set. The priority matching of the path matching feature values is achieved, a large number of mismatched items in the security access policy library are eliminated, the matching degree of the access subject and the access object is improved, and the number of accurate matchings of the access subject and the access object path is reduced, thereby greatly improving the matching efficiency.

In an optional implementation, matching a target security access policy from the target security access policy set based on the first target path information and the second target path information includes:

Acquire first target path information and second target path information that trigger successful matching of the target path matching information set;

Based on the first target path information and the second target path information that trigger the successful matching of the target path matching information set, a target security access policy is matched from the target security access policy set.

The security access policy matching method provided in this embodiment can more accurately determine the target security access policy by triggering the first target path information and the second target path information that successfully match the target path matching information set, thereby ensuring the security of the system.

In an optional implementation, the acquiring a target security access policy set from a security access policy library based on the target path matching information set includes:

Obtaining an association identifier in the target path matching information set;

Based on the association identifier, a target security access policy set is obtained from a security access policy library.

The security access policy matching method provided in this embodiment obtains the target security access policy set from the security access policy library by matching the association identifier in the target path information set, thereby ensuring the accuracy of the obtained target security access policy set.

In a second aspect, the present invention provides a security access policy matching device, the device comprising:

An acquisition module, used to acquire access information of a host, wherein the access information includes first path information and second path information, the first path information is path information of an access subject, and the second path information is path information of an access object;

a conversion module, configured to convert the first path information into first target path information in digital form, and convert the second path information into second target path information in digital form, based on a preset table of correspondence between file names and file identifiers;

A matching module, configured to match a target security access policy from a security access policy library based on the first target path information and the second target path information;

The determination module is used to determine the access rights of the access subject to the access object based on the target security access policy.

In a third aspect, the present invention provides a computer device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, and the processor executing the security access policy matching method of the first aspect or any corresponding implementation method thereof by executing the computer instructions.

In a fourth aspect, the present invention provides a computer-readable storage medium having computer instructions stored thereon, the computer instructions being used to enable a computer to execute the security access policy matching method of the first aspect or any corresponding embodiment thereof.

In a fifth aspect, the present invention provides a computer program product, including computer instructions, which are used to enable a computer to execute the security access policy matching method of the first aspect or any corresponding implementation method thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to more clearly illustrate the specific embodiments of the present invention or the technical solutions in the related technologies, the drawings required for use in the specific embodiments or the related technical descriptions will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying creative work.

FIG1 is a schematic flow chart of a security access policy matching method according to an embodiment of the present invention;

FIG2 is a schematic diagram of a flow chart of another security access policy matching method according to an embodiment of the present invention;

3 is a schematic diagram of the structure of a security access policy matching system according to an embodiment of the present invention;

FIG4 is a schematic diagram of a process for storing a security access policy according to an embodiment of the present invention;

FIG5 is a schematic flow chart of another security access policy matching method according to an embodiment of the present invention;

6 is a structural block diagram of a security access policy matching device according to an embodiment of the present invention;

FIG. 7 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.

DETAILED DESCRIPTION

In order to make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative work are within the scope of protection of the present invention.

With the development of the Internet, network security is becoming more and more important. Hosts are key devices for storing and processing sensitive information. Therefore, host security plays a very important role in network security. In order to ensure the security of hosts and the services running on them, many security access policies are manually issued, which can also be called security access control policies.

It should be noted that the security access control policy is a manually configured security rule, which is sent to the agent installed on the host through the web management terminal or the command line interface of the host. After the security rule is parsed, it finally takes effect on the host, aiming to improve the security of local resource access on the host. For example, the security access control policy on Linux can be shown in Table 1.

Table 1

main body object Permissions /etc/bin /usr/local/check rw (read and write permissions) /usr/local/ZeC /usr/local/ZeC/bin x (execute permission)

An agent is a software component, application, middleware, or other type of program that resides on a host computer and is responsible for performing specific tasks, collecting data, interacting with users, or communicating with other system components.

The three fields in the security access control policy are explained as follows:

Subject: refers to an active entity, the initiator of access. Generally refers to a process, service, program or access user, which causes the flow of information and the change of system status.

It should be noted that the subject can configure a directory. When configuring a directory, the subject includes all processes, services or programs under this directory or in its subdirectories.

Object: refers to a passive entity that contains or receives information. Its position in the flow of information is passive and is under the influence of the subject. The object can be a called program or accessed data, or a directory. Access to the object means access to the information contained in the object.

Permission: refers to the subject's access or execution rights to the protected resources in the object.

As shown in Table 1, when the subject is /etc/bin and the object is /usr/local/check, the subject has read and write permissions on the object, that is, the subject can perform read or write operations on the object.

When the subject is /usr/local/ZeC and the object is /usr/local/ZeC/bin, the subject has execution permission on the object, that is, the subject can perform various operations on the object.

After the user configures the security access control policy, the security access control policy is sent to the agent of the host, and the agent of the host parses the security access control policy to obtain the security access control policy in the above format.

When the subject (user or process) in the host wants to access the object (host resources), it will trigger the security access policy match. If the match is successful, the subject can only execute the permissions matched in the corresponding security access policy on the object, and the execution of unconfigured permissions will be denied. If the subject or object fails to match the corresponding security access policy, no action will be taken, that is, no permission restriction will be made, and the subject's access to the object will not be restricted.

It should be noted that the matching of security access policies refers to the one-to-one matching of the subject actually executed on the host with the subject in the security access control policy, and the object accessed on the host with the object in the security access control policy. After the matching is successful, permission control is performed.

When users operate host resources or other processes access host resources, the matching of security access policies will be triggered. In order to improve user usability, not affect the stability of the business running on the host, and protect host resources in real time, improving the matching efficiency of host security access control policies becomes the key. The matching efficiency of host security access policies is ultimately the matching efficiency of the subject and object in the security access control policy, and the matching efficiency of the subject and object is essentially the matching efficiency of the resource path on the host.

In the related art, in order to improve the matching efficiency of host security access policy, the resource path in the policy can be constructed into a tree structure. When processing security access policy matching requests, that is, when processing the matching of subjects and objects, a tree matching algorithm is used for matching, that is, tree matching, to improve efficiency.

However, the matching of related technologies is still the matching of resource paths on the host. When there are many security access policies and the resource paths of the subject and the object are long, when the security access policy matching is triggered, even if the efficiency is improved by using the tree data structure matching algorithm, it is not obvious, resulting in slow system response speed and poor real-time protection effect.

Of course, when there are many security access policies and the resource paths between the subject and the object are long, the disk space occupied by storing the security access policies is also very large.

An embodiment of the present invention provides a security access policy matching method, which converts the first path information into first target path information in digital form and converts the second path information into second path information in digital form according to a correspondence table between preset file names and file identifiers. Based on the first target path information and the second target path information, the target security access policy is matched from a security access policy library to improve the security access policy matching efficiency and achieve real-time protection effects.

According to an embodiment of the present invention, an embodiment of a security access policy matching method is provided. It should be noted that the steps shown in the flowchart of the accompanying drawings can be executed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowchart, in some cases, the steps shown or described can be executed in an order different from that shown here.

In this embodiment, a security access policy matching method is provided, which can be used in a mobile terminal, such as a server, a central processing unit, etc. FIG. 1 is a flow chart of a security access policy matching method according to an embodiment of the present invention. As shown in FIG. 1 , the process includes the following steps:

Step S101, obtaining access information of the host.

The access information includes first path information and second path information, the first path information is the path information of the access subject, and the second path information is the path information of the access object. The access subject is the same as the subject described above, and the access object is the same as the object described above.

The access information is information about the access subject (user or process or service, etc.) on the host accessing the object (host resource).

It should be noted that when a user operates a host resource or other processes access a host resource, access information is generated and the server obtains the access information of the host.

Step S102: based on a preset correspondence table between file names and file identifiers, convert the first path information into first target path information in digital form, and convert the second path information into second target path information in digital form.

The correspondence table between the preset file names and file identifiers is placed in the server by the user and includes the correspondence between the file names and file identifiers. For example, the correspondence table between the preset file names and file identifiers may be as shown in Table 2.

Table 2

ID file name 1 usr 2 root … … 45 local 46 bin … … 500 xxx

The file identifier can be represented by an identity identifier (ID). As shown in Table 2, the file name is usr, and the corresponding file identifier is 1. The file name is root, and the corresponding file identifier is 2, and so on.

After the first path information and the second path information are acquired, the first path information is converted into first target path information in digital form, and the second path information is converted into second target path information in digital form according to a preset correspondence table between file names and file identifiers.

Step S103: Match a target security access policy from a security access policy library based on the first target path information and the second target path information.

The security access policy library is set at the host agent end and is used to store the security access policies issued by the user. It should be noted that the security access policies in the security access policy library can exist in the form shown in Table 3.

Table 3

Access Subject Access Object Access Rights 1-45-46 2-501 r

It can be seen that the path information of the subject and object in the security access policy in the security access policy library also exists in digital form.

After the first target path information and the second target path information are acquired, a target security access policy is matched from a security access policy library according to the first target path information and the second target path information.

Step S104: Determine the access rights of the access subject to the access object based on the target security access policy.

When a target security access policy is matched from the security access policy library, the access authority of the access subject to the access object is determined according to the target security access policy.

The security access policy matching method provided in this embodiment improves the matching efficiency and thus improves the system response speed by converting the first path information and the second path information into the first target path information and the second target path information in digital form, and matching the target security access policy from the security access policy library according to the first target path information and the second target path information, thereby achieving the effect of real-time protection. Moreover, the subject and object of the security access policy stored in the security access policy library are also in digital form, thus saving the disk space occupied by storing the security access policy.

In this embodiment, a security access policy matching method is provided, which can be used in a mobile terminal, such as a server, a central processing unit, etc. FIG. 2 is a flow chart of the security access policy matching method according to an embodiment of the present invention. As shown in FIG. 2 , the process includes the following steps:

Step S201, obtaining access information of the host. Please refer to step S101 of the embodiment shown in FIG1 for details, which will not be described in detail here.

Step S202: based on a preset correspondence table between file names and file identifiers, convert the first path information into first target path information in digital form, and convert the second path information into second target path information in digital form.

Specifically, the above step S202 includes:

Step S2021: split the first path information and the second path information into multiple file names based on the file segmentation identifier.

After the first path information and the second path information are acquired, the first path information and the second path information are split into a plurality of file names according to the file segmentation identifiers in the first path information and the second path information.

It should be noted that the file segmentation mark may be “/”. Exemplarily, the first path information is /usr/local/bin, and the first path information is split into usr, local, and bin according to the file segmentation mark.

Similarly, the second path information is split into multiple file names.

Step S2022, determining whether the correspondence table between preset file names and file identifiers contains multiple file names.

After splitting the first path information into multiple file names and splitting the second path information into multiple file names, it is determined whether the preset file name and file identifier correspondence table contains the multiple file names split from the first path information and the multiple file names split from the second path information.

Step S2023, when the preset file name and file identifier correspondence table contains multiple file names, based on the preset file name and file identifier correspondence table, obtain the file identifiers corresponding to the multiple file names.

Among them, the correspondence table between preset file names and file identifiers includes multiple file names split from the first path information and multiple file names split from the second path information, indicating that based on the correspondence table between preset file names and file identifiers, the file identifiers corresponding to the multiple file names split from the first path information and the multiple file names split from the second path information can be obtained.

Based on the preset correspondence table between file names and file identifiers, file identifiers corresponding to the multiple file names split from the first path information and the multiple file names split from the second path information are obtained.

Step S2024, when at least one of the multiple file names is not included in the correspondence table between preset file names and file identifiers, the correspondence table between preset file names and file identifiers is updated based on the at least one file name that is not included, so as to obtain file identifiers corresponding to the multiple file names based on the updated correspondence table between preset file names and file identifiers.

Among them, the correspondence table between preset file names and file identifiers does not include at least one of the multiple file names split from the first path information and the multiple file names split from the second path information, indicating that the file identifiers corresponding to the multiple file names split from the first path information and the multiple file names split from the second path information cannot be obtained based on the correspondence table between preset file names and file identifiers.

Then it is necessary to update the correspondence table of preset file names and file identifiers. Specifically, add at least one file name that is not included and the file identifier corresponding to the file name to the correspondence table of preset file names and file identifiers in the form shown in Table 2. It can be understood that the file identifier corresponding to the file name that is not included can be set by the user, or it can be generated by the server according to the current maximum value of the ID in the correspondence table of preset file names and file identifiers plus 1 in sequence. Exemplarily, the maximum value of the current ID is 500. If there are 2 file names that are not included, the file identifier corresponding to one of the file names that are not included is 501, and the file identifier corresponding to the other file name is 502.

Exemplarily, the updated correspondence table between preset file names and file identifiers may be as shown in Table 4.

Table 4

Exemplarily, when the first path information is /root/test, since the test file name is not included in the correspondence table of preset file names and file identifiers shown in Table 2, it is necessary to update the correspondence table of preset file names and file identifiers. After the update, as shown in Table 4, the test file name and the file identifier corresponding to test, namely 501, are added.

Based on the updated correspondence table between preset file names and file identifiers, file identifiers corresponding to the multiple file names split from the first path information and the multiple file names split from the second path information are obtained.

Step S2025: convert the file segmentation identifiers between the multiple file names in the first path information into digital connection identifiers, and replace the multiple file names in the first path information with the file identifiers corresponding to the file names to obtain the first target path information.

After obtaining the file identifiers corresponding to the multiple file names split from the first path information and the multiple file names split from the second path information, the file segmentation identifiers between the multiple file names in the first path information are converted into digital connection identifiers.

It should be noted that the digital connection identifier may be “-”. Exemplarily, if the first path information is /usr/local/bin, the file separation identifiers between multiple file names in the first path information are converted into digital connection identifiers, and the first path information becomes usr-local-bin.

The multiple file names in the first path information are replaced with the file identifiers corresponding to the file names. For example, as shown in Table 2, the file identifier corresponding to usr is 1, the file identifier corresponding to local is 45, and the file identifier corresponding to bin is 46. Then the first target path information is 1-45-46.

Step S2026: convert the file segmentation identifiers between the multiple file names in the second path information into digital connection identifiers, and replace the multiple file names in the second path information with the file identifiers corresponding to the file names to obtain the second target path information.

As in the aforementioned process of obtaining the first target path information, the second target path information can be obtained similarly.

Step S203: Match the target security access policy from the security access policy library based on the first target path information and the second target path information. For details, please refer to step S103 of the embodiment shown in FIG1 , which will not be described in detail here.

Step S204: Determine the access rights of the access subject to the access object based on the target security access policy. Please refer to step S104 of the embodiment shown in FIG1 for details, which will not be described in detail here.

The security access policy matching method provided in this embodiment improves the matching efficiency, thereby improving the system response speed and achieving the effect of real-time protection by converting the file name in the first path information and the second path information into a corresponding file identifier, and converting the file segmentation identifier in the first path information and the second path information into a digital connection identifier, thereby obtaining the first target path information and the second target path information.

In some optional implementations, the above step S203 includes:

Step a1: Obtain path matching feature values of first target path information and second target path information.

After the first target path information and the second target path information are obtained, the path matching feature value of the first target path information and the path matching feature value of the second target path information are obtained.

Step a2: based on the path matching feature value, filter out the target path matching information set from the security access policy library.

After obtaining the path matching feature value of the first target path information and the path matching feature value of the second target path information, the target path matching information set is filtered out from the security access policy library according to the path matching feature value of the first target path information and the path matching feature value of the second target path information.

Step a3: based on the target path matching information set, obtain the target security access policy set from the security access policy library.

After the target path matching information set is screened out, the target security access policy set is obtained from the security access policy library according to the target path matching information set.

Step a4: matching a target security access policy from a target security access policy set based on the first target path information and the second target path information.

After the target security access policy set is acquired, the target security access policy is matched from the target security access policy set according to the first target path information and the second target path information.

The security access policy matching method provided in this embodiment obtains the path matching feature value of the first target path information and the second target path information, and based on the path matching feature value, selects the target path matching information set from the security access policy library, obtains the target security access policy set from the security access policy library based on the target path matching information set, excludes a large number of unmatched items, improves the matching degree of the access subject and the access object, and then matches the target security access policy from the target security access policy set based on the first target path information and the second target path information. The number of accurate matchings of the access subject and the access object path is reduced, thereby greatly improving the matching efficiency.

In some optional implementations, the above step a1 includes:

Step a11: determining the level of the first target path represented by the first path matching feature value based on the number of digital connection identifiers in the first target path information.

The level of the first target path represented by the first path matching feature value is obtained by adding 1 to the number of digital connection identifiers in the first target path information.

Exemplarily, the first target path information is 1-45-46, where the number of digital connection identifiers is 2, and the first path matching feature value is 3.

Step a12: determining the middle value of the first target path represented by the second path matching feature value based on the total number of file identifiers and digital connection identifiers in the first target path information.

Among them, the middle value of the first target path represented by the second path matching feature value is obtained by obtaining the total number of file identifiers and digital connection identifiers in the first target path information, and then obtaining the median of the total number, and the middle value corresponding to the median in the first target path information is determined by the median, that is, the middle value of the first target path.

Exemplarily, the first target path information is 1-45-46, the total number of file identifiers and digital connection identifiers is 5, the median of the total is 3, and the median value corresponding to the median 3 is 45, that is, the median value of the first target path is 45, and the second path matching feature value is 45.

Step a13: determining the sum of the file identifiers of the first target path represented by the third path matching feature value based on the file identifiers in the first target path information.

The sum of the file identifiers of the first target path represented by the third path matching feature value is obtained by adding all the file identifiers in the first target path information.

Exemplarily, the first target path information is 1-45-46, the sum of all file identifiers is 1+45+46=92, and the third path matching feature value is 92.

Step a14: determining the level of the second target path represented by the fourth path matching feature value based on the number of digital connection identifiers in the second target path information.

The level of the second target path represented by the fourth path matching feature value is obtained by adding 1 to the number of digital connection identifiers in the second target path information.

Exemplarily, the second target path information is 2-501, wherein the number of digital connection identifiers is 1, and the fourth path matching feature value is 2.

Step a15: determining the middle value of the second target path represented by the fifth path matching feature value based on the total number of file identifiers and digital connection identifiers in the second target path information.

Among them, the middle value of the second target path represented by the fifth path matching feature value is obtained by obtaining the total number of file identifiers and digital connection identifiers in the second target path information, and then obtaining the median of the total number, and the middle value corresponding to the median in the second target path information is determined by the median, that is, the middle value of the second target path.

Exemplarily, the second target path information is 2-501, the total number of file identifiers and digital connection identifiers is 3, the median of the total is 2, and the median value corresponding to the median 3 is -, that is, the median value of the second target path is -, and the fifth path matching feature value is -.

Step a16: determining the sum of the file identifiers of the second target path represented by the sixth path matching feature value based on the file identifiers in the second target path information.

The sum of the file identifiers of the second target path represented by the sixth path matching feature value is obtained by adding all the file identifiers in the second target path information.

Exemplarily, the second target path information is 2-501, the sum of all file identifiers is 2+501=503, and the sixth path matching feature value is 503.

The security access policy matching method provided in this embodiment obtains the three path matching feature values of the access subject and the three path matching feature values of the access object, thereby realizing priority matching of the path matching feature values, eliminating a large number of mismatched items in the security access policy library, improving the matching degree between the access subject and the access object, and reducing the number of precise matches of the access subject and access object paths, thereby greatly improving the matching efficiency.

In some optional implementations, the above step a2 includes:

Step a21, based on the first path matching feature value and the fourth path matching feature value, filter out from the security access policy library the first path matching information set whose first feature value of the access subject is not greater than the first path matching feature value and whose first feature value of the access object is not greater than the fourth path matching feature value.

Among them, after obtaining the three path matching feature values of the first target path information and the three path matching feature values of the second target path information, according to the first path matching feature value and the fourth path matching feature value, the first path matching information set in which the first feature value of the access subject is not greater than the first path matching feature value and the first feature value of the access object is not greater than the fourth path matching feature value is screened out from the security access policy library.

It should be noted that, because the access subject and access object in the host security access policy can configure the directory, when the directory is configured, all sub-files under this directory are subject to the security access policy of this directory, that is, the access subject and access object that trigger the security access policy can only be affected by the security access policy when they are in the same directory as the access subject and access object of the security access policy or its subdirectory. Therefore, the directory level of the path of the access subject and access object that triggers the security access policy must be greater than or equal to the directory level of the access subject and access object in the security access policy.

It should be further explained that the security access policy library includes a feature value storage table and a security access policy storage table, and the feature value storage table stores the feature value of the access subject and the feature value of the access object in each security access policy issued. Among them, the feature value of the access subject and the feature value of the access object in each security access policy correspond to a feature value identifier, i.e., a feature value ID. Exemplarily, the feature value storage table can be shown in Table 5.

Table 5

The access subject in each security access policy issued is converted into the digital access subject, i.e., the digital subject path information, and the access object is converted into the digital access object, i.e., the digital object path information. The digital access subject, the digital access object, and the access subject's authority information to the access object in each security access policy are stored in the security access policy storage table. Among them, the digital access subject, the digital access object, and the access subject's authority information to the access object in each security access policy correspond to a security access policy ID. Exemplarily, the security access policy storage table can be shown in Table 6.

Table 6

Security Access Policy ID main body object Permissions 1 1-45-46 2-501 r

For example, when a user operates or a process accesses a host resource, a host security access control policy match is triggered. For example, when the /usr/local/bin/vim process wants to access data in the /root/test/bin directory, the access subject and access object that trigger the security access policy match behavior are shown in Table 7.

Table 7

main body object /usr/local/bin/vim /root/test/bin

The path information of the access subject and the path information of the access object are converted into digital path information, as shown in Table 8.

Table 8

main body object 1-45-46-47 2-501-46

At this time, the path matching feature values of the access subject and the path matching feature values of the access object are shown in Table 9.

Table 9

At this time, it is necessary to filter out the target path matching information set from the security access policy library according to the path matching feature value.

First, data whose first characteristic value of the access subject is less than or equal to 4 and whose first characteristic value of the access object is less than or equal to 3 is screened out from the characteristic value storage table in the security access policy library, that is, the first path matching information set. The screened data is shown in Table 10.

Table 10

Among them, the subject feature value 1 corresponds to the first feature value of the access subject, the subject feature value 2 corresponds to the second feature value of the access subject, and the subject feature value 3 corresponds to the third feature value of the access subject. The object feature value 1 corresponds to the first feature value of the access object, the object feature value 2 corresponds to the second feature value of the access object, and the object feature value 3 corresponds to the third feature value of the access object.

Step a22: based on the second path matching feature value, filter out from the first path matching information set a second path matching information set whose second feature value of the access subject is the same as the second path matching feature value.

After the first path matching information set is screened out, a second path matching information set having the same second characteristic value of the access subject as the second path matching characteristic value is screened out from the first path matching information set according to the second path matching characteristic value.

Exemplarily, the filtered first path matching information set is shown in Table 10, the second path matching feature value is -, and the second feature value of the access subject in the first path matching information set is 45, which does not match, and it is determined that the second path matching information set is empty.

Step a23, when the second path matching information set is empty, perform a hierarchical update operation on the first target path information to obtain an updated second path matching feature value and an updated third path matching feature value, and based on the updated second path matching feature value, filter out a second path matching information set from the first path matching information set whose second feature value of the access subject is the same as the updated second path matching feature value.

The second path matching information set is empty, indicating that the second path matching information set fails to match, and the matching continues after performing a hierarchical update operation on the first target path information.

It should be noted that the level update operation is a level minus 1 operation. For example, the first target path information is 1-45-46-47, and after the level minus 1 operation, the first target path information becomes 1-45-46, the updated second path matching feature value is 45, and the updated third path matching feature value is 92. If the second feature value of the access subject in the filtered first path matching information set is 45, then a match is determined, and the second path matching information set is shown in Table 10.

Step a24, when the second path matching information set is empty and the first target path information level is updated to the root directory, it is determined that the target path matching information set fails to match.

It should be noted that the second path matching information set is empty, indicating that the second path matching information set fails to match, and the first target path information level is updated to the root directory, indicating that the level update cannot continue. If the level update cannot continue, and the second path matching information set is still not screened out, it is determined that the target path matching information set fails to match.

Step a25, when the second path matching information set is not empty and the first target path information has not been hierarchically updated, based on the third path matching feature value, filter out the third path matching information set whose third feature value of the access subject is the same as the third path matching feature value from the second path matching information set.

Among them, the second path matching information set is not empty and the first target path information has not been hierarchically updated, which means that the second path matching information set screened for the first time is not empty, and the target path matching information set can be further screened according to the third path matching feature value.

Step a26, when the second path matching information set is not empty and the first target path information is hierarchically updated, based on the updated third path matching feature value, a third path matching information set whose third feature value of the access subject is the same as the updated third path matching feature value is filtered out from the second path matching information set.

Among them, the second path matching information set is not empty and the first target path information is hierarchically updated, indicating that the third path matching feature value is also updated. Then, based on the updated third path matching feature value, the third path matching information set whose third feature value of the access subject is the same as the updated third path matching feature value is filtered out from the second path matching information set.

Exemplarily, after the level reduction operation, the first target path information becomes 1-45-46, the updated second path matching feature value is 45, the updated third path matching feature value is 92, and the second path matching information set is shown in Table 10. The third feature value of the access subject in the second path matching information set is 92, which is the same as the updated third path matching feature value, and the third path matching information set is determined as shown in Table 10.

It can be understood that if the third path matching information set is empty, it is determined that the target path matching information set fails to match.

At this point, the path matching feature value of the access subject successfully matches the feature value of the access subject in the security access policy, and a large number of unmatched security access policies are screened out to reduce the number of subsequent matches. It is understandable that if the first target path information level is updated to the root directory and still fails to match successfully, it is determined that the match fails.

Step a27: based on the fifth path matching feature value, a fourth path matching information set whose second feature value of the access object is the same as the fifth path matching feature value is selected from the third path matching information set.

After the third path matching information set is screened out, a fourth path matching information set having the same second characteristic value of the access object as the fifth path matching characteristic value is screened out from the third path matching information set according to the fifth path matching characteristic value.

Exemplarily, the screened third path matching information set is shown in Table 10, the fifth path matching feature value is 501, and the second feature value of the access object in the third path matching information set is -, which means no match, and the fourth path matching information set is determined to be empty.

Step a28, when the fourth path matching information set is empty, perform a hierarchical update operation on the second target path information to obtain an updated fifth path matching feature value and an updated sixth path matching feature value, and based on the updated fifth path matching feature value, select a fourth path matching information set from the third path matching information set whose second feature value of the access object is the same as the updated fifth path matching feature value.

The fourth path matching information set is empty, indicating that the fourth path matching information set fails to match, and the matching continues after performing a hierarchical update operation on the second target path information.

It should be noted that the level update operation is a level minus 1 operation. Exemplarily, the second target path information is 2-501-46, and after the level minus 1 operation, the second target path information becomes 2-501, the updated fifth path matching feature value is -, and the updated third path matching feature value is 503. If the second feature value of the access object in the screened third path matching information set is -, then a match is determined, and the fourth path matching information set is shown in Table 10.

Step a29: when the fourth path matching information set is empty and the second target path information level is updated to the root directory, it is determined that the target path matching information set fails to match.

It should be noted that the fourth path matching information set is empty, indicating that the fourth path matching information set fails to match, and the second target path information level is updated to the root directory, indicating that the level update cannot continue. If the level update cannot continue, and the fourth path matching information set is still not screened out, it is determined that the target path matching information set fails to match.

Step a210, when the fourth path matching information set is not empty and the second target path information has not been hierarchically updated, based on the sixth path matching feature value, a target path matching information set having the same third feature value of the access object as the sixth path matching feature value is selected from the fourth path matching information set.

Among them, the fourth path matching information set is not empty and the second target path information is not hierarchically updated, which means that the fourth path matching information set screened for the first time is not empty, and the target path matching information set can be further screened according to the sixth path matching feature value.

Step a211, when the fourth path matching information set is not empty and the second target path information is hierarchically updated, based on the updated sixth path matching feature value, a target path matching information set whose third feature value of the access object is the same as the updated sixth path matching feature value is filtered out from the fourth path matching information set.

Among them, the fourth path matching information set is not empty and the second target path information is hierarchically updated, indicating that the sixth path matching feature value is also updated. Then, based on the updated sixth path matching feature value, a target path matching information set whose third feature value of the access object is the same as the updated sixth path matching feature value is filtered out from the fourth path matching information set.

Exemplarily, after the level reduction operation, the second target path information becomes 2-501, the updated fifth path matching feature value is -, the updated sixth path matching feature value is 503, and the fourth path matching information set is shown in Table 10. The third feature value of the access object in the fourth path matching information set is 503, which is the same as the updated sixth path matching feature value, and the target path matching information set is determined as shown in Table 10.

It can be understood that if the target path matching information set is empty, it is determined that the target path matching information set fails to match.

At this point, the matching degree between the access subject and the access object in the security access policy in the target security access policy set corresponding to the filtered target path matching information set and the access subject and the access object that triggers the security access policy this time is greatly improved.

The security access policy matching method provided in this embodiment matches the three path matching feature values of the access subject with the three feature values of the access subject in the security access policy library, and matches the three path matching feature values of the access object with the three feature values of the access object in the security access policy library, thereby obtaining a target path matching information set. The priority matching of the path matching feature values is achieved, a large number of mismatched items in the security access policy library are eliminated, the matching degree of the access subject and the access object is improved, and the number of accurate matchings of the access subject and the access object path is reduced, thereby greatly improving the matching efficiency.

In some optional implementations, the above step a4 includes:

Step a41, obtaining the first target path information and the second target path information that trigger the successful matching of the target path matching information set.

Among them, the successful matching of the target path matching information set indicates that the target path matching information set is not empty, and the first target path information and the second target path information that trigger the successful matching of the target path matching information set can be the original first target path information and the original second target path information, or the hierarchically updated first target path information and the hierarchically updated second target path information.

Exemplarily, the original first target path information and the original second target path information are shown in Table 9. In the process of matching the target path matching information set, if the target path matching set is matched according to the original first target path information and the original second target path information, the original first target path information and the original second target path information trigger the successful matching of the target path matching information set. In the process of matching the target path matching information set, if the target path matching set is matched according to the hierarchically updated first target path information and the hierarchically updated second target path information, the hierarchically updated first target path information and the hierarchically updated second target path information trigger the successful matching of the target path matching information set.

As in the above example, what triggers the successful matching of the target path information is the first target path information 1-45-46 after the hierarchical update and the second target path information 2-501 after the hierarchical update.

Step a42, matching a target security access policy from a target security access policy set based on the first target path information and the second target path information that successfully trigger the target path matching information set to match.

Among them, after obtaining the first target path information and the second target path information that successfully match the trigger target path matching information set, the target security access policy is matched from the target security access policy set according to the first target path information and the second target path information that successfully match the trigger target path matching information set.

From the target security access policy set, the first target path information and the second target path information that trigger the successful match of the target path matching information set are matched one by one with each security access policy in the target security access policy set to obtain the target security access policy, and then the permission can be controlled. If the match fails, no action will be taken.

Exemplarily, the hierarchically updated first target path information 1-45-46 and the hierarchically updated second target path information 2-501 are matched one-to-one with each security access policy in the target security access policy set. If the hierarchically updated first target path information 1-45-46 and the hierarchically updated second target path information 2-501 are successfully matched one-to-one with any security access policy in the target security access policy set, the security access policy is determined to be the target security access policy.

The security access policy matching method provided in this embodiment can more accurately determine the target security access policy by triggering the first target path information and the second target path information that successfully match the target path matching information set, thereby ensuring the security of the system.

In some optional implementations, the above step a3 includes:

Step a31, obtaining the association identifier in the target path matching information set.

Among them, there is an association identifier (association ID) in the feature value storage table, which is the security access policy ID corresponding to the feature value in the security access policy storage table. The corresponding security access policy in the security access policy storage table can be determined according to the association identifier in the feature value storage table.

It can be understood that the screened target path matching information set is in the feature value storage table, so the associated identifier in the target path matching information set can be obtained.

Step a32: based on the association identifier, obtain the target security access policy set from the security access policy library.

According to the association identifier, the corresponding target security access policy set can be obtained from the security access policy storage table.

The security access policy matching method provided in this embodiment obtains the target security access policy set from the security access policy library by matching the association identifier in the target path information set, thereby ensuring the accuracy of the obtained target security access policy set.

In some optional implementations, the security access policy matching method further includes:

In the event of a target path matching information set matching failure or a target security access policy matching failure, the information of the target path matching information set matching failure or the target security access policy matching failure is logged so that the user can view the log record and take corresponding measures.

Specifically, select a logging framework that matches the security access strategy, such as Log4j, Logback, etc. Set an appropriate log level to record detailed failure information when necessary.

By adding logging statements, you can log the information about the failure to match the target path information set or the failure to match the target security access policy.

It is understandable that the output format of the log may be customized as needed to better understand and analyze the information of the matching failure.

Users can check log records regularly and determine whether new security access policies need to be issued to ensure network security and repair access vulnerabilities by checking matching failure information.

The security access policy matching method provided in this embodiment can view the information of target path matching information set matching failure or target security access policy matching failure through log records, and then take corresponding measures to handle it, thereby improving the stability and reliability of the system.

In this embodiment, a security access policy matching system is also provided. As shown in FIG. 3 , the system includes a built-in path module, a security policy storage module and a security policy matching module.

Among them, the built-in path module is used to convert the host resource path into a digital representation, and is composed of a built-in path table, a built-in path conversion module, and a built-in path table maintenance module. Taking the Linux operating system host as an example, the built-in path table is a correspondence table between preset file names and file identifiers, as shown in Table 2.

FIG4 is a flow chart of storing a security access policy according to an embodiment of the present invention. As shown in FIG4 , when the issued security access policy needs to be stored, for example, the subject is: /usr/local/bin, the built-in path table is used to convert the subject and object in the security policy through the built-in path conversion module. It should be noted that the security policy is a security access policy. The converted subject is: 1-45-46. The conversion rule is: the file name is converted to the value of the ID in the table corresponding to the file name, and / is converted to -. It is determined whether there is a file name to be converted in the built-in path table. If it exists, the subject and object matching feature values after the security policy conversion are calculated; if it does not exist, the built-in path table is maintained, wherein the matching feature values are the feature values of the access subject and the feature values of the access object. If the subject is: /root/test directory, since test does not exist in the built-in path table, it is necessary to update the built-in path table. The built-in path table updated by the built-in path table maintenance module can be as shown in Table 4. After the built-in path table is updated, the path after the subject conversion is represented as: 2-501.

The security policy storage module is used to store the security access policy converted by the built-in path module. It consists of a security policy conversion storage module, a matching feature value storage module, and a matching feature value calculation module. The security access control policy issued is shown in Table 11.

Table 11

main body object Permissions /usr/local/bin /root/test r

It is first transformed by the built-in path transformation module in the built-in path module, and the converted security access policy is shown in Table 3.

As shown in FIG4 , the matching feature value calculation module is used to calculate the subject and object matching feature values after the security policy conversion. The matching feature value calculation method is as described in a11-a16 above and will not be repeated here.

After calculating the matching feature value, the matching feature value storage module can be used to store the above-mentioned security access policy. Specifically, the path matching feature value corresponding to the security access policy is stored in the feature value storage table, that is, the main and object matching feature values of the security policy are stored, as shown in Table 5. Storing the security access policy in the security access policy storage table is to store the main and object paths after the security policy conversion, as shown in Table 6.

FIG5 is a flow chart of a security access policy matching method according to an embodiment of the present invention. The security policy matching module is used to execute the security access policy matching method shown in FIG5, preferentially matching the path matching feature value, improving the matching degree and then accurately matching the security access policy. Specifically, as shown in FIG5, the method includes:

Step 1: When a user operation or process accesses a local resource on the host, a security policy match is triggered, and the subject and object of the triggering behavior are converted according to the built-in path conversion module. This corresponds to the description of the aforementioned step S102 and will not be repeated here.

Step 2: Calculate the subject and object matching feature values that trigger the behavior. Corresponding to the above-mentioned steps a11 to a16, the relevant descriptions are omitted here.

Step 3: Filter the items in the configuration strategy whose subject and object feature values 1 are less than or equal to the subject and object matching feature values 1. The description of the above step a21 will not be repeated here.

Step 4: If the screening in step 3 is successful, items whose subject matching feature value 2 and feature value 3 in the configuration policy are respectively equal to the subject matching feature value 2 and feature value 3 of the triggering behavior. If the screening in step 3 fails, it is determined that the first path matching information set fails to match.

Step 5: When the screening in step 4 is successful, items whose object matching feature value 2 and feature value 3 in the screening configuration strategy are respectively equal to the object matching feature value 2 and feature value 3 of the triggering behavior.

If the fourth step screening fails, the main path level of the triggering behavior is reduced by 1, and the second step is executed again.

It should be noted that the fourth step and the fifth step correspond to the relevant descriptions of the aforementioned steps a22 to a27, which will not be repeated here.

Step 6: If the screening in step 5 is successful, the paths after the subject and object of the triggering behavior are converted are precisely matched with the paths after the configuration security policy is converted.

In the event that the fifth step screening fails, the object path level of the triggering behavior is reduced by 1, and the process returns to the second step.

It should be noted that the sixth step corresponds to the related descriptions of the aforementioned steps a28-a211 and steps a41 and a42, which will not be repeated here.

Step 7: If the match in step 6 is successful, access control restrictions on resources are performed based on the permission values in the configured security policy.

In case the match fails in step 6, it is determined that the target security access policy fails to match.

The description of the aforementioned step S104 is not repeated here.

It should be noted that all scenarios involving path resource matching can be implemented by the security access policy matching method provided in this embodiment.

The security access policy matching method provided in this embodiment uses a built-in table of correspondence between the names and numbers of common files on a host. When storing security access policies, the subject and object no longer store the actual resource path (/usr/lttc/tcz), but store the converted subject and object (1-23-45). When the resource path is very long, only a short number is needed to replace it, which saves storage space and improves matching efficiency.

Three matching feature values will be stored separately during storage. Before matching the subject and the object one by one, these three matching feature values will be matched first to exclude a large number of mismatches, further improve the matching degree between the subject and the object, and reduce the number of precise matching of the subject and object paths, thereby greatly improving the matching efficiency. The subject and object whose matching feature values are matched will be precisely matched one by one with the host security access control policy configured by the user and stored after the resource path conversion. After all matches are successful, permission control can be performed.

In this embodiment, a security access policy matching device is also provided, which is used to implement the above embodiments and preferred implementation modes, and the descriptions that have been made will not be repeated. As used below, the term "module" can be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, the implementation of hardware, or a combination of software and hardware, is also possible and conceivable.

This embodiment provides a security access policy matching device, as shown in FIG6 , including:

The acquisition module 601 is used to acquire the access information of the host, wherein the access information includes first path information and second path information, the first path information is the path information of the access subject, and the second path information is the path information of the access object.

The conversion module 602 is used to convert the first path information into first target path information in digital form and convert the second path information into second target path information in digital form based on a preset correspondence table between file names and file identifiers.

The matching module 603 is used to match a target security access policy from a security access policy library based on the first target path information and the second target path information.

The determination module 604 is used to determine the access rights of the access subject to the access object based on the target security access policy.

In some optional implementations, the conversion module 602 includes:

The splitting unit is used to split the first path information and the second path information into multiple file names based on the file segmentation identifier.

The first judgment unit is used to judge whether the correspondence table of preset file names and file identifiers contains multiple file names.

The first acquisition unit is used to acquire the file identifiers corresponding to the multiple file names based on the preset file name and file identifier correspondence table when the preset file name and file identifier correspondence table contains multiple file names.

The second acquisition unit is used to update the correspondence table of preset file names and file identifiers based on the at least one file name that is not included when at least one of the multiple file names is not included in the correspondence table of preset file names and file identifiers, so as to obtain file identifiers corresponding to the multiple file names based on the updated correspondence table of preset file names and file identifiers.

The third acquisition unit is used to convert the file segmentation identifiers between the multiple file names in the first path information into digital connection identifiers, and replace the multiple file names in the first path information with the file identifiers corresponding to the file names to obtain the first target path information.

The fourth acquisition unit is used to convert the file segmentation identifiers between the multiple file names in the second path information into digital connection identifiers, and replace the multiple file names in the second path information with the file identifiers corresponding to the file names to obtain the second target path information.

In some optional implementations, the matching module 603 includes:

The fifth acquisition unit is used to acquire the path matching feature value of the first target path information and the second target path information.

The screening unit is used to screen out a target path matching information set from the security access policy library based on the path matching feature value.

The sixth acquisition unit is used to acquire a target security access policy set from the security access policy library based on the target path matching information set.

The first matching unit is used to match a target security access policy from a target security access policy set based on the first target path information and the second target path information.

In some optional implementations, the fifth acquiring unit includes:

The first determining unit is configured to determine, based on the number of digital connection identifiers in the first target path information, a level of the first target path represented by the first path matching feature value.

The second determining unit is used to determine the middle value of the first target path represented by the second path matching feature value based on the total number of the file identifier and the digital connection identifier in the first target path information.

The third determining unit is used to determine the sum of file identifiers of the first target path represented by the third path matching feature value based on the file identifiers in the first target path information.

The fourth determining unit is used to determine the level of the second target path represented by the fourth path matching feature value based on the number of digital connection identifiers in the second target path information.

The fifth determining unit is used to determine the middle value of the second target path represented by the fifth path matching feature value based on the total number of the file identifier and the digital connection identifier in the second target path information.

The sixth determining unit is used to determine the sum of the file identifiers of the second target path represented by the sixth path matching feature value based on the file identifiers in the second target path information.

In some optional embodiments, the screening unit comprises:

The first screening sub-unit is used to screen out a first path matching information set from the security access policy library based on the first path matching feature value and the fourth path matching feature value, in which the first feature value of the access subject is not greater than the first path matching feature value, and the first feature value of the access object is not greater than the fourth path matching feature value.

The second screening subunit is used to screen out the second path matching information set whose second characteristic value of the access subject is the same as the second path matching characteristic value from the first path matching information set based on the second path matching characteristic value.

The third screening sub-unit is used to perform a hierarchical update operation on the first target path information when the second path matching information set is empty, to obtain an updated second path matching feature value and an updated third path matching feature value, and based on the updated second path matching feature value, to screen out a second path matching information set whose second feature value of the access subject is the same as the updated second path matching feature value from the first path matching information set.

The seventh determining unit is configured to determine that the target path matching information set fails to match when the second path matching information set is empty and the first target path information level is updated to the root directory.

The fourth screening subunit is used to screen out a third path matching information set whose third characteristic value of the access subject is the same as the third path matching characteristic value from the second path matching information set based on the third path matching characteristic value when the second path matching information set is not empty and the first target path information has not been hierarchically updated.

The fifth screening sub-unit is used to screen out a third path matching information set whose third characteristic value of the access subject is the same as the updated third path matching characteristic value from the second path matching information set based on the updated third path matching characteristic value when the second path matching information set is not empty and the first target path information is hierarchically updated.

The sixth screening subunit is used to screen out a fourth path matching information set whose second characteristic value of the access object is the same as the fifth path matching characteristic value from the third path matching information set based on the fifth path matching characteristic value.

The seventh screening sub-unit is used to perform a hierarchical update operation on the second target path information when the fourth path matching information set is empty, to obtain an updated fifth path matching feature value and an updated sixth path matching feature value, and based on the updated fifth path matching feature value, to screen out a fourth path matching information set from the third path matching information set whose second feature value of the access object is the same as the updated fifth path matching feature value.

The eighth determining unit is configured to determine that the target path matching information set fails to match when the fourth path matching information set is empty and the second target path information level is updated to the root directory.

The eighth screening subunit is used to screen out a target path matching information set whose third characteristic value of the access object is the same as the sixth path matching characteristic value from the fourth path matching information set based on the sixth path matching characteristic value when the fourth path matching information set is not empty and the second target path information has not been hierarchically updated.

The ninth screening sub-unit is used to screen out a target path matching information set whose third characteristic value of the access object is the same as the updated sixth path matching characteristic value from the fourth path matching information set based on the updated sixth path matching characteristic value when the fourth path matching information set is not empty and the second target path information is hierarchically updated.

In some optional implementations, the first matching unit includes:

A seventh acquisition unit is configured to acquire the first target path information and the second target path information that trigger the successful matching of the target path matching information set.

The first matching subunit is configured to match a target security access policy from a target security access policy set based on the first target path information and the second target path information that trigger a successful match of the target path matching information set.

In some optional implementations, the sixth acquisition unit includes:

The eighth acquisition unit is used to acquire the association identifier in the target path matching information set.

The ninth acquisition unit is used to acquire a target security access policy set from the security access policy library based on the association identifier.

The further functional description of each of the above modules and units is the same as that of the above corresponding embodiments and will not be repeated here.

The security access policy matching device in this embodiment is presented in the form of a functional unit, where the unit refers to an ASIC (Application Specific Integrated Circuit) circuit, a processor and memory that executes one or more software or fixed programs, and/or other devices that can provide the above functions.

An embodiment of the present invention further provides a computer device having the security access policy matching device shown in FIG. 6 above.

Please refer to Figure 7, which is a schematic diagram of the structure of a computer device provided by an optional embodiment of the present invention. As shown in Figure 7, the computer device includes: one or more processors 701, a memory 702, and interfaces for connecting various components, including high-speed interfaces and low-speed interfaces. The various components are connected to each other using different buses for communication, and can be installed on a common motherboard or installed in other ways as needed. The processor can process instructions executed in the computer device, including instructions stored in or on the memory to display graphical information of the GUI on an external input/output device (such as a display device coupled to the interface). In some optional embodiments, if necessary, multiple processors and/or multiple buses can be used together with multiple memories and multiple memories. Similarly, multiple computer devices can be connected, and each device provides some necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). In Figure 7, a processor 701 is taken as an example.

The processor 701 may be a central processing unit, a network processor or a combination thereof. The processor 701 may further include a hardware chip. The hardware chip may be a dedicated integrated circuit, a programmable logic device or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable logic gate array, a general purpose array logic or any combination thereof.

The memory 702 stores instructions executable by at least one processor 701, so that the at least one processor 701 executes the method shown in the above embodiment.

The memory 702 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application required for at least one function; the data storage area may store data created according to the use of the computer device, etc. In addition, the memory 702 may include a high-speed random access memory, and may also include a non-transient memory, such as at least one disk storage device, a flash memory device, or other non-transient solid-state storage device. In some optional embodiments, the memory 702 may optionally include a memory remotely arranged relative to the processor 701, and these remote memories may be connected to the computer device via a network. Examples of the above-mentioned network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The memory 702 may include a volatile memory, such as a random access memory; the memory may also include a non-volatile memory, such as a flash memory, a hard disk or a solid state drive; the memory 702 may also include a combination of the above types of memory.

The computer device also includes a communication interface 703, which is used for the computer device to communicate with other devices or a communication network.

The embodiment of the present invention also provides a computer-readable storage medium. The method according to the embodiment of the present invention can be implemented in hardware, firmware, or can be implemented as a computer code that can be recorded in a storage medium, or can be implemented as a computer code that is originally stored in a remote storage medium or a non-temporary machine-readable storage medium and will be stored in a local storage medium through a network download, so that the method described herein can be stored in such software processing on a storage medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware. Among them, the storage medium can be a magnetic disk, an optical disk, a read-only storage memory, a random access memory, a flash memory, a hard disk or a solid-state hard disk, etc.; further, the storage medium can also include a combination of the above types of memories. It can be understood that a computer, a processor, a microprocessor controller, or programmable hardware includes a storage component that can store or receive software or computer code. When the software or computer code is accessed and executed by a computer, a processor, or hardware, the method shown in the above embodiment is implemented.

A part of the present invention may be applied as a computer program product, such as a computer program instruction, which, when executed by a computer, can call or provide the method and/or technical solution according to the present invention through the operation of the computer. Those skilled in the art should understand that the existence of the computer program instruction in a computer-readable medium includes, but is not limited to, a source file, an executable file, an installation package file, etc., and accordingly, the way in which the computer program instruction is executed by the computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Here, the computer-readable medium may be any available computer-readable storage medium or communication medium accessible to the computer.

Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the present invention, and such modifications and variations are all within the scope defined by the appended claims.

Claims (10)

1. A security access policy matching method, characterized in that the method comprises: Acquire access information of the host, wherein the access information includes first path information and second path information, the first path information is path information of the access subject, and the second path information is path information of the access object; Based on a preset table of correspondence between file names and file identifiers, converting the first path information into first target path information in digital form, and converting the second path information into second target path information in digital form; Matching a target security access policy from a security access policy library based on the first target path information and the second target path information; Based on the target security access policy, the access authority of the access subject to the access object is determined. 2. The method according to claim 1, characterized in that the converting the first path information into first target path information in digital form and the converting the second path information into second target path information in digital form based on a preset correspondence table between file names and file identifiers comprises: Based on the file segmentation identifier, split the first path information and the second path information into multiple file names; Determine whether the correspondence table between preset file names and file identifiers contains multiple file names; In the case where the correspondence table between preset file names and file identifiers contains a plurality of the file names, obtaining the file identifiers corresponding to the plurality of the file names based on the correspondence table between the preset file names and file identifiers; In a case where at least one of the multiple file names is not included in the correspondence table between preset file names and file identifiers, updating the correspondence table between preset file names and file identifiers based on the at least one file name that is not included, so as to obtain file identifiers corresponding to the multiple file names based on the updated correspondence table between preset file names and file identifiers; Convert the file segmentation identifiers between the multiple file names in the first path information into digital connection identifiers, and replace the multiple file names in the first path information with the file identifiers corresponding to the file names, to obtain the first target path information; The file segmentation identifiers between the multiple file names in the second path information are converted into digital connection identifiers, and the multiple file names in the second path information are replaced with file identifiers corresponding to the file names to obtain the second target path information. 3. The method according to claim 1, characterized in that the step of matching a target security access policy from a security access policy library based on the first target path information and the second target path information comprises: Obtaining path matching feature values of the first target path information and the second target path information; Based on the path matching feature value, a target path matching information set is screened out from a security access policy library; Based on the target path matching information set, obtaining a target security access policy set from a security access policy library; Based on the first target path information and the second target path information, a target security access policy is matched from the target security access policy set. 4. The method according to claim 3, characterized in that the step of obtaining the path matching feature value of the first target path information and the second target path information comprises: Determining, based on the number of digital connection identifiers in the first target path information, a level of the first target path represented by the first path matching feature value; Determine, based on the total number of file identifiers and digital connection identifiers in the first target path information, an intermediate value of the first target path represented by the second path matching feature value; Based on the file identifier in the first target path information, determine the sum of the file identifiers of the first target path represented by the third path matching feature value; Determining, based on the number of digital connection identifiers in the second target path information, a level of the second target path represented by the fourth path matching feature value; Determine, based on the total number of file identifiers and digital connection identifiers in the second target path information, an intermediate value of the second target path represented by the fifth path matching feature value; Based on the file identifier in the second target path information, a sum of the file identifiers of the second target path represented by the sixth path matching feature value is determined. 5. The method according to claim 4, characterized in that the step of filtering out a target path matching information set from a security access policy library based on the path matching feature value comprises: Based on the first path matching feature value and the fourth path matching feature value, a first path matching information set whose first feature value of the access subject is not greater than the first path matching feature value and whose first feature value of the access object is not greater than the fourth path matching feature value is screened out from the security access policy library; Based on the second path matching feature value, filter out a second path matching information set from the first path matching information set, the second feature value of the access subject being the same as the second path matching feature value; In the case where the second path matching information set is empty, performing a hierarchical update operation on the first target path information to obtain an updated second path matching feature value and an updated third path matching feature value, and based on the updated second path matching feature value, filtering out from the first path matching information set a second path matching information set whose second feature value of the access subject is the same as the updated second path matching feature value; In the case where the second path matching information set is empty and the first target path information level is updated to the root directory, determining that the target path matching information set fails to match; In the case where the second path matching information set is not empty and the first target path information has not been hierarchically updated, based on the third path matching feature value, a third path matching information set whose third feature value of the access subject is the same as the third path matching feature value is filtered out from the second path matching information set; In the case where the second path matching information set is not empty and the first target path information is hierarchically updated, based on the updated third path matching feature value, a third path matching information set whose third feature value of the access subject is the same as the updated third path matching feature value is filtered out from the second path matching information set; Based on the fifth path matching feature value, a fourth path matching information set whose second feature value of the access object is the same as the fifth path matching feature value is selected from the third path matching information set; In the case where the fourth path matching information set is empty, performing a hierarchical update operation on the second target path information to obtain an updated fifth path matching feature value and an updated sixth path matching feature value, and based on the updated fifth path matching feature value, filtering out a fourth path matching information set whose second feature value of the access object is the same as the updated fifth path matching feature value from the third path matching information set; In the case where the fourth path matching information set is empty and the second target path information level is updated to the root directory, determining that the target path matching information set fails to match; In the case where the fourth path matching information set is not empty and the second target path information has not been hierarchically updated, based on the sixth path matching feature value, a target path matching information set having a third feature value of the access object that is the same as the sixth path matching feature value is screened out from the fourth path matching information set; When the fourth path matching information set is not empty and the second target path information is hierarchically updated, based on the updated sixth path matching feature value, a target path matching information set whose third feature value of the access object is the same as the updated sixth path matching feature value is filtered out from the fourth path matching information set. 6. The method according to claim 5, characterized in that the step of matching a target security access policy from the target security access policy set based on the first target path information and the second target path information comprises: Acquire first target path information and second target path information that trigger successful matching of the target path matching information set; Based on the first target path information and the second target path information that trigger the successful matching of the target path matching information set, a target security access policy is matched from the target security access policy set. 7. The method according to claim 3, characterized in that the acquiring a target security access policy set from a security access policy library based on the target path matching information set comprises: Obtaining an association identifier in the target path matching information set; Based on the association identifier, a target security access policy set is obtained from a security access policy library. 8. A security access policy matching device, characterized in that the device comprises: An acquisition module, used to acquire access information of a host, wherein the access information includes first path information and second path information, the first path information is path information of an access subject, and the second path information is path information of an access object; a conversion module, configured to convert the first path information into first target path information in digital form, and convert the second path information into second target path information in digital form, based on a preset table of correspondence between file names and file identifiers; A matching module, configured to match a target security access policy from a security access policy library based on the first target path information and the second target path information; The determination module is used to determine the access rights of the access subject to the access object based on the target security access policy. 9. A computer device, comprising: A memory and a processor, wherein the memory and the processor are communicatively connected to each other, the memory stores computer instructions, and the processor executes the security access policy matching method according to any one of claims 1 to 7 by executing the computer instructions. 10. A computer-readable storage medium, characterized in that computer instructions are stored on the computer-readable storage medium, and the computer instructions are used to enable a computer to execute the security access policy matching method according to any one of claims 1 to 7.