
CN115080960B - A security policy detection method, related device and storage medium - Google Patents

A security policy detection method, related device and storage medium

Info

Publication number
CN115080960B
Authority
CN
China
Prior art keywords
policy
attribute
strategy
sequence
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110265770.9A
Other languages
Chinese (zh)
Other versions
CN115080960A (en
Inventor
王犇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110265770.9A
Publication of CN115080960A
Application granted
Publication of CN115080960B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
            • G06F21/60 Protecting data
              • G06F21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the application provides a security policy detection method, a related device and a storage medium. A first policy and a second policy to be detected are acquired, where the first policy and the second policy have the same execution action and different execution results. Because a policy does not always use every configurable attribute in the full attribute set, a first attribute sequence corresponding to the first policy and a second attribute sequence corresponding to the second policy can be determined from the full attribute set. A target attribute sequence is then determined from the first attribute sequence and the second attribute sequence; it represents the relationship between the attributes of the first policy and those of the second policy, so the detection result for the two policies can be determined from it. In this way both the configured and the unconfigured attributes of the policies under detection take part in the calculation, which improves the range and accuracy of security policy detection.

Description

Security policy detection method, related device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method for detecting a security policy, a related device, and a storage medium.
Background
Attribute-based access control (ABAC) is widely applied in system security as an important security measure. An ABAC model uses attributes to uniformly model the identities, resources and environments involved in access control, so that access control policies can be applied more accurately and flexibly.
For a security system with a large number of policies, the attributes defined in different policies readily overlap, so conflicts between policies occur frequently and threaten the security of the system. For example, suppose a security system has two policies. Policy A allows the user who initiates an access request to access when the user is male and over 18 years old, and policy B prohibits access when the user is male and an ordinary staff member. When the user initiating the access request has the personal attributes male, 20 years old and ordinary staff member, the user satisfies policy A, which allows access, and also satisfies policy B, which prohibits access. Between policy A and policy B there is therefore a risk of policy conflict.
In the prior art, the risk of policy conflict is generally detected by static attribute conflict detection: the attributes of all policies are compared, and policies that have the same attributes but opposite authorization results are screened out as the objects that cause policy conflicts. In practice, however, policies whose attributes are not identical still carry a risk of policy conflict, and this risk cannot be detected by the existing static attribute conflict detection method. The existing method therefore has a small detection range and low accuracy, and leaves a large hidden danger of policy conflict.
Disclosure of Invention
In view of this, embodiments of the present application provide a security policy detection method, a related device and a storage medium, which are used for improving the range and accuracy of security policy detection.
A first aspect of the present application provides a security policy detection method, including:
acquiring a first policy and a second policy, where the first policy includes M attributes, the second policy includes N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
generating a first attribute sequence from the M attributes included in the first policy and a full attribute set, where the full attribute set includes K attributes, the first attribute sequence includes M first elements and (K-M) second elements, and K is an integer greater than 1;
generating a second attribute sequence from the N attributes included in the second policy and the full attribute set, where the second attribute sequence includes N first elements and (K-N) second elements;
determining a target attribute sequence from the first attribute sequence and the second attribute sequence;
and determining a detection result for the first policy and the second policy from the target attribute sequence.
A second aspect of the present application provides a security policy detection device, including:
an acquisition unit, used for acquiring a first policy and a second policy, where the first policy includes M attributes, the second policy includes N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
a generating unit, used for generating a first attribute sequence from the M attributes included in the first policy and a full attribute set, where the full attribute set includes K attributes, the first attribute sequence includes M first elements and (K-M) second elements, and K is an integer greater than 1;
the generating unit being further used for generating a second attribute sequence from the N attributes included in the second policy and the full attribute set, where the second attribute sequence includes N first elements and (K-N) second elements;
a determining unit, used for determining a target attribute sequence from the first attribute sequence and the second attribute sequence;
the determining unit being further used for determining a detection result for the first policy and the second policy from the target attribute sequence.
In one possible design of the second aspect, the determining unit is specifically configured to perform an AND operation on the first attribute sequence and the second attribute sequence to obtain a third attribute sequence.
In one possible design of the second aspect, the determining unit is specifically configured to determine that the detection result for the first policy and the second policy is a low risk level in response to the third attribute sequence consisting of K second elements.
In one possible design of the second aspect, the security policy detection device further includes a calculation unit, used for performing an OR operation on the first attribute sequence and the second attribute sequence to obtain a fourth attribute sequence.
In one possible design of the second aspect, the determining unit is specifically configured to determine that the detection result for the first policy and the second policy is a high risk level in response to the third attribute sequence being equal to the fourth attribute sequence.
In one possible design of the second aspect, the determining unit is specifically configured to determine that the detection result for the first policy and the second policy is a risk level in response to the third attribute sequence not being equal to the fourth attribute sequence.
In one possible design of the second aspect, the security policy detection device further includes a feedback unit, used for feeding back an error prompt indicating that a high risk level exists between the first policy and the second policy.
In one possible design of the second aspect, the risk event processing unit is further used for determining a first attribute processing rule corresponding to the first policy, determining a second attribute processing rule corresponding to the second policy, and determining a risk event set corresponding to the risk level from the first attribute processing rule and the second attribute processing rule, where the risk event set includes at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
In one possible design of the second aspect, the determining unit is further used for determining a first attribute processing rule corresponding to the first policy, determining a second attribute processing rule corresponding to the second policy, and determining a risk event set corresponding to the low risk level from the first attribute processing rule and the second attribute processing rule, where the risk event set includes at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
In one possible design of the second aspect, the security policy detection device further includes a creation unit and a triggering unit. The creation unit is configured to create a first policy, where the first policy includes a first execution action and a first execution result; the acquisition unit is further used for acquiring a policy to be matched, where the policy to be matched includes a second execution action and a second execution result; the determining unit is further configured to determine that the policy to be matched is the second policy in response to the first execution action being the same as the second execution action and the first execution result being different from the second execution result; and the triggering unit is used for triggering the step of acquiring the first policy and the second policy.
In one possible design of the second aspect, the security policy detection device further includes a receiving unit and a configuration unit. The receiving unit is configured to receive timing configuration information, and the configuration unit is used for configuring a timer according to the timing configuration information, where the timer is used for triggering the step of acquiring the first policy and the second policy at fixed times.
In one possible design of the second aspect, the security policy detection device further includes a processing unit, used for deleting the first policy or the second policy, or for lowering the priority of the first policy or the second policy.
A third aspect of the application provides a computer device comprising a memory for storing program code, a processor for executing the method of security policy detection of any of the preceding aspects according to instructions in the program code, and a bus system.
A fourth aspect of the application provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of security policy detection of any of the above aspects.
A fifth aspect of the application provides a computer program product or computer program comprising computer instructions stored on a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method of security policy detection as described in any of the above aspects.
From the above technical solutions, the embodiment of the present application has the following advantages:
In an embodiment of the present application, a security policy detection method is provided: a first policy and a second policy that need security policy detection are acquired first, where the first policy and the second policy have the same execution action and different execution results. A first attribute sequence corresponding to the first policy and a second attribute sequence corresponding to the second policy are then determined from the full attribute set, which is the set of attributes each policy can be configured with. Because a policy does not always use every configurable attribute in the full attribute set, the first attribute sequence reflects the configured and unconfigured attributes of the first policy, and the second attribute sequence reflects the configured and unconfigured attributes of the second policy. A target attribute sequence is determined from the first attribute sequence and the second attribute sequence; it represents the relationship between the attributes of the first policy and those of the second policy, so the detection result for the two policies can be determined from it. In this way both the configured and the unconfigured attributes of the policies under detection take part in the calculation, which improves the range and accuracy of security policy detection.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1a is a schematic diagram of an ABAC access control framework;
FIG. 1b is a schematic diagram of a policy authorization application scenario for an authentication product in an enterprise database;
FIG. 2 is a schematic diagram of an embodiment of a security policy detection method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a detection result of a first policy and a second policy in an embodiment of the present application with a low risk level;
Fig. 4 is a schematic diagram of a detection result of a first policy and a second policy in an embodiment of the present application being a high risk level;
FIG. 5 is a schematic diagram of a detection result of a first policy and a second policy in an embodiment of the present application being a risk level;
FIG. 6 is a flow chart of security policy detection in the present embodiment;
FIG. 7 is a schematic diagram of another flow of security policy detection in the present embodiment;
Fig. 8 is a schematic structural diagram of a security policy detection device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a security policy detection method, a related device and a storage medium, which are used for improving the range and accuracy of security policy detection.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "includes" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
In recent years, with the development and growth of networks, system security issues have become a major issue to be solved by modern information security. Aiming at different network environments, the configuration of the security policies is more and more complex, and the conflict among the policies occurs, so that the execution efficiency of the security policies is seriously affected.
Attribute-based access control (ABAC) is an access control model that uses the attributes of the related entities (e.g., identity, resource and environment) as the basis for authorization and for deciding how access control is exercised over those entities. The overall ABAC access control framework involves the following concepts:
A. The attributes of an entity may be divided into identity attributes, resource attributes and environment attributes.
An identity (Subject) attribute is a specific attribute of a subject, such as a user or device, that needs to access a resource, for example the user's position, capability, location, administrative relationship, or certificate authority (CA) certificate. For users, certain attributes can be defined in a standardized way based on the attribute characteristics of users in the industry, including the department, function or business the user belongs to;
A resource (Resource) attribute is an attribute of the object accessed by an entity, e.g. a file, data, service or system device that the entity needs to access. The attributes of an object may include its identity, location (uniform resource locator, URL), size or value; they may be obtained from the object's "metadata", and they may be inherited by the subject that is going to operate on the object. That is, object attributes and subject attributes may be correlated to some extent;
An environment (Environment) attribute is environment information such as the time, date, system state or security level at the moment an entity accesses a resource.
B. The execution action (Action) is the specific operation the entity needs to perform on the resource, such as reading, writing, modifying or deleting.
C. The attribute processing rule is the method for judging, from the identity attributes, resource attributes and environment attributes combined with function expressions or logical operations, whether the entity's execution action is allowed.
D. The execution result (Flag) is the result of the decision on the entity's access to the resource, such as permission or rejection.
A policy is an expression or a set of expressions made up of the above elements, and the value of the expression is the execution result;
For example, referring to Table 1, an ABAC-based policy defines that a VIP user whose identity attribute is restricted to 20 years old or older is permitted to download a high-definition movie on October 1, and is otherwise not permitted.
TABLE 1
The policy takes "over 20 years old" and "VIP user" as the entity's identity attributes, "October 1" as the environment attribute, "high-definition movie" as the resource attribute and "download" as the execution action; combining the identity attributes, environment attribute and resource attribute into one complete judgment logic gives the attribute processing rule, and the execution result is "permit". When the entity's attributes satisfy the policy's judgment logic, the download of the high-definition movie is allowed; otherwise it is not.
FIG. 1a is a schematic diagram of an ABAC access control framework. As shown in FIG. 1a, after a user initiates a request to access a resource, the policy enforcement engine 101 forwards the request to the policy analysis engine 102, which analyzes the request; the policies related to the request are obtained from the policy repository 104 through the policy reading engine 103 for analysis by the policy analysis engine 103. The attribute information reading engine 105 also needs to read the user's attributes from the attribute library 106 for use by the policy analysis engine 102. Once the policy analysis engine 102 has the relevant policies and the user's relevant attributes, it performs the analysis and sends the result to the policy enforcement engine 101. The policy enforcement engine acts on the analysis result to decide whether relevant data needs to be obtained from the resource 107 and fed back to the user.
It should be understood that the security policy detection method provided by the present application may be applied to a system or program with a security policy detection function in a terminal device, for example database software that needs to perform authorization and authentication; in particular, the security policy detection system may operate within an ABAC access control framework as shown in fig. 1a. As can be seen from the figure, the security policy detection system can detect conflict risks among different policies, so as to reduce policy conflicts at run time. In fig. 1a, a user may initiate access to a system with the security policy detection function via a terminal device, or manage individual policies depending on the outcome of risk detection. The terminal device may be a computer device; in an actual scenario there may be more or fewer kinds of terminal devices participating in the security policy detection process, and the specific number and kinds depend on the actual scenario, which is not limited here. In addition, the functional modules shown in fig. 1a, namely the policy enforcement engine 101, the policy analysis engine 102, the policy reading engine 103, the policy repository 104, the attribute information reading engine 105, the attribute repository 106 and the resource 107, may be implemented by other compositions or connections. The block division in fig. 1a is illustrative and merely a logical division of functions; there may be other divisions in practice. For example, the modules in fig. 1a may be combined or integrated into one server, or multiple servers may be involved, especially in a multi-model training interaction scenario, where the specific number of servers depends on the actual scenario.
In this embodiment, the server may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminals and servers may be directly or indirectly connected by wired or wireless communication, and the terminals and servers may be connected to form a blockchain network, which is not limited herein.
In practical application, the policies in the policy library of a security system are not only increasingly complex but also increasingly numerous, so conflicts among the policies occur. For example, in fig. 1a the resource access request initiated by the user often involves multiple policies; if, when analyzing them, the policy analysis engine 102 finds multiple policies with different execution results (for example, the execution result of policy A is "permit" and the execution result of policy B is "reject"), a policy conflict arises and the execution efficiency of the policies is seriously affected. Therefore, how to avoid logical conflicts between different policies is the key to executing policies safely and efficiently.
The security policy detection method provided by the embodiment of the application can be applied to products involving security policy configuration, such as risk control products, authority management products, identity authentication products or the configuration of firewall security policies, without particular limitation. For ease of understanding, refer to fig. 1b, a schematic diagram of the policy authorization application scenario of an identity authentication product in an enterprise database. When a user requests access to a resource in the enterprise database, the identity authentication product in the enterprise database first authenticates the user. As shown in fig. 1b, the identity authentication product has policies A, B, C, D and E at the same time. The user initiating the access request simultaneously satisfies the judgment logic of policy A, policy D and policy E, so three execution results are obtained: the execution result of policy A is permit access, the execution result of policy D is refuse access, and the execution result of policy E is refuse access. The user's access request thus obtains three inconsistent execution results through the identity authentication product, i.e. the execution results conflict. The security policies configured in the identity authentication product therefore carry the hidden danger of policy conflict.
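As an added illustration (not code from the patent), the following Python sketch encodes the ABAC elements described above (attributes, attribute processing rule, execution action, execution result) for the Table 1 policy and the background's policy A / policy B pair, and shows how one request can receive inconsistent execution results, which is the run-time conflict the detection method is meant to find beforehand. The policy names, the `permit`/`deny`/`conflict` strings and the request attributes are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is a bag of identity, resource and environment attributes (constructed values).
Attributes = Dict[str, object]


@dataclass(frozen=True)
class AbacPolicy:
    name: str
    action: str                          # execution action (Action), e.g. "download"
    rule: Callable[[Attributes], bool]   # attribute processing rule: decision logic over attributes
    result: str                          # execution result (Flag): "permit" or "deny"


# Table 1 policy: a VIP user aged 20 or older may download a high-definition movie on October 1.
TABLE_1_POLICY = AbacPolicy(
    name="table-1",
    action="download",
    rule=lambda r: (r.get("age", 0) >= 20 and r.get("vip") is True
                    and r.get("date") == "10-01" and r.get("resource") == "hd movie"),
    result="permit",
)

# Background example: policy A permits males over 18; policy B denies male ordinary staff.
POLICY_A = AbacPolicy("A", "access",
                      lambda r: r.get("gender") == "male" and r.get("age", 0) > 18, "permit")
POLICY_B = AbacPolicy("B", "access",
                      lambda r: r.get("gender") == "male" and r.get("role") == "ordinary staff", "deny")


def evaluate(policies: List[AbacPolicy], request: Attributes, action: str) -> Dict[str, str]:
    """Policy analysis step of FIG. 1a: collect the execution result of every policy for this
    action whose attribute processing rule the request satisfies."""
    return {p.name: p.result for p in policies if p.action == action and p.rule(request)}


def decide(policies: List[AbacPolicy], request: Attributes, action: str) -> str:
    """Policy enforcement: 'deny' when no policy matches (Table 1's 'otherwise not permitted'),
    the single agreed result when all matching policies agree, and 'conflict' when the
    matching policies return different execution results."""
    results = evaluate(policies, request, action)
    if not results:
        return "deny"
    distinct = set(results.values())
    return distinct.pop() if len(distinct) == 1 else "conflict"


if __name__ == "__main__":
    vip = {"age": 25, "vip": True, "date": "10-01", "resource": "hd movie"}
    print(decide([TABLE_1_POLICY], vip, "download"))                       # permit
    print(decide([TABLE_1_POLICY], {**vip, "date": "10-02"}, "download"))   # deny
    staff = {"gender": "male", "age": 20, "role": "ordinary staff"}
    print(evaluate([POLICY_A, POLICY_B], staff, "access"))                  # {'A': 'permit', 'B': 'deny'}
    print(decide([POLICY_A, POLICY_B], staff, "access"))                    # conflict
```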
In combination with the above description, the method for detecting the security policy in the present application is described below. Referring to fig. 2, fig. 2 is a schematic diagram of an embodiment of a method for detecting a security policy according to an embodiment of the present application, as shown in the drawing, the embodiment of the method for detecting a security policy according to the embodiment of the present application includes:
201. Acquire a first policy and a second policy, where the first policy comprises M attributes, the second policy comprises N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
In this embodiment of the application, to improve the efficiency of security policy detection, the policies to be detected may first be screened so that two policies with the same execution action and different execution results are selected. For example, the execution action of the first policy is "delete" and its execution result after judgment is "permit", while the execution action of the second policy is also "delete" and its execution result after judgment is "reject". The first policy and the second policy may then be considered at risk of conflict: a request to execute the action "delete" may satisfy both the judgment logic of the first policy, whose execution result is "permit", and the judgment logic of the second policy, whose execution result is "reject". Subsequent detection therefore needs to be performed on the first policy and the second policy.
When the execution actions of the first policy and the second policy differ, or their execution results agree, the two policies can be considered free of policy conflict risk. For example, the execution action of the first policy is "delete" with execution result "permit", and the execution action of the second policy is "delete" with execution result "permit"; or the execution action of the first policy is "delete" with execution result "permit", and the execution action of the second policy is "download" with execution result "reject". In such cases the first policy and the second policy are generally not at risk of policy conflict, so the next policy can be examined directly and screening continues, without subsequent detection on this pair.
Further, each policy has corresponding attributes, which specifically constrain the identity attributes, resource attributes and environment attributes of the entity subject to access control. The screened first policy and second policy each have their own attributes, and the number and types of attributes of the two policies are not necessarily the same. In this embodiment, the number of attributes of the first policy is M, the number of attributes of the second policy is N, and M and N are integers greater than or equal to 1. For example, the first policy has 4 attributes constraining the entity requesting access: its identity attributes are "VIP user" and "male", its resource attribute is "chat log" and its environment attribute is "1 October"; the second policy has 3 attributes constraining the entity requesting access: its identity attributes are "VIP user" and "female" and its resource attribute is "chat log".
202. Generate a first attribute sequence according to the M attributes included in the first policy and a full attribute set, where the full attribute set comprises K attributes, the first attribute sequence comprises M first elements and (K-M) second elements, and K is an integer greater than 1;
In this embodiment of the application, a plurality of related attributes can be obtained for the entity requesting access, and these obtainable attributes, called the full attribute set in this application, serve as the configurable attributes of a policy. The full attribute set includes K attributes, K being an integer greater than 1.
However, a single policy does not necessarily apply every attribute in the full attribute set. For example, the attributes related to a user that the system can obtain for that user's access request include gender, age, position, access object and IP address, so the corresponding full attribute set is {gender, age, position, access object, IP address}, 5 attributes in total. If the first policy is configured with the attributes "male", "18 years old" and "chat log", it uses only the three attributes "gender", "age" and "access object" of the full attribute set. The first attribute sequence corresponding to the first policy therefore consists of 3 first elements and (4-3) second elements. The first element represents an attribute of the full attribute set that the policy has configured, the second element represents an attribute of the full attribute set that the policy has not configured, and the first attribute sequence thus represents which attributes of the full attribute set are configured in the first policy.
Further, to facilitate subsequent operations, in this embodiment the identity attributes, resource attributes and environment attributes of a policy may each be encoded. Table 2 shows the attribute sequence corresponding to a policy. In this and the following embodiments, the first element is encoded as 1 and the second element as 0 by way of example. In practical applications other encodings may be used, for example encoding the first element as A and the second element as B, which is not limited here.
TABLE 2

| Attribute 1 | Attribute 2 | Attribute 3 | Attribute 4 | ... | Attribute K |
|---|---|---|---|---|---|
| 0/1 | 0/1 | 0/1 | 0/1 | 0/1 | 0/1 |
The full attribute set comprises K attributes, and for each policy the attributes of the full attribute set are divided into configured and unconfigured. Taking Table 2 as an example, if the policy configures attribute 1 the corresponding code is 1, and if attribute 2 is not configured the corresponding code is 0. Assuming K equals 10, so that the full attribute set includes 10 attributes, a policy configured with attribute 1, attribute 3, attribute 4, attribute 8 and attribute 10 but not with attribute 2, attribute 5, attribute 6, attribute 7 and attribute 9 has the attribute sequence 1011000101.
Through this encoding all attributes of each policy (configured and unconfigured) take part in the operation, which avoids conflicts going undetected because the attributes of the first policy and the second policy are unrelated.
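Step 202 as runnable code. This is an added example written for this page, not code from the patent or its assignee; the two constructed full attribute sets (the placeholder names "attribute1".."attribute10" for the K = 10 case, and the gender/age/position/access object/IP address set of the text) are assumptions, and the 0/1 codes follow Table 2:

```python
from typing import Dict, List, Mapping, Sequence

# Constructed full attribute set for the K = 10 example in the text; the
# attribute names "attribute1" .. "attribute10" are placeholders (assumption).
FULL_ATTRIBUTE_SET_K10: List[str] = [f"attribute{i}" for i in range(1, 11)]

# Constructed full attribute set for the gender/age/position example of the text.
FULL_ATTRIBUTE_SET_USER: List[str] = [
    "gender", "age", "position", "access object", "IP address",
]


def encode_attribute_sequence(full_attribute_set: Sequence[str],
                              configured: Mapping[str, object]) -> str:
    """Build the attribute sequence of one policy over the full attribute set.

    Position i of the result is the first element ("1") when the policy
    configures attribute i of the full attribute set and the second element
    ("0") otherwise, so configured and unconfigured attributes both appear
    and two sequences built over the same full set are position-aligned.
    """
    if len(set(full_attribute_set)) != len(full_attribute_set):
        raise ValueError("full attribute set contains duplicate attribute names")
    unknown = set(configured) - set(full_attribute_set)
    if unknown:
        # An attribute outside the full set has no position in the sequence;
        # reject it instead of silently dropping it.
        raise ValueError(f"attributes outside the full attribute set: {sorted(unknown)}")
    return "".join("1" if name in configured else "0" for name in full_attribute_set)


def element_counts(sequence: str) -> Dict[str, int]:
    """Count first elements (M, configured) and second elements (K - M)."""
    if set(sequence) - {"0", "1"}:
        raise ValueError("sequence must contain only the codes 0 and 1")
    return {"first": sequence.count("1"), "second": sequence.count("0"), "K": len(sequence)}


if __name__ == "__main__":
    # The K = 10 policy of the text: attributes 1, 3, 4, 8 and 10 configured.
    k10_policy = {f"attribute{i}": "configured" for i in (1, 3, 4, 8, 10)}
    print(encode_attribute_sequence(FULL_ATTRIBUTE_SET_K10, k10_policy))  # 1011000101

    # The first policy of the text: "male", "18 years old", "chat log".
    first_policy = {"gender": "male", "age": 18, "access object": "chat log"}
    seq = encode_attribute_sequence(FULL_ATTRIBUTE_SET_USER, first_policy)
    print(seq, element_counts(seq))  # 11010 {'first': 3, 'second': 2, 'K': 5}
```

The rejection of attributes outside the full set matters for the later AND/OR operations: they compare sequences position by position, so a policy that silently used an attribute the full set lacks would produce a sequence of the wrong length or with shifted positions.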
203. Generate a second attribute sequence according to the N attributes included in the second policy and the full attribute set, where the second attribute sequence comprises N first elements and (K-N) second elements;
In this embodiment of the application, step 203 is similar to step 202: the second attribute sequence is generated from the full attribute set and the attribute configuration of the second policy itself, and it includes N first elements and (K-N) second elements. For the specific implementation, refer to the description of step 202, which is not repeated here.
It should be noted that this embodiment does not limit the order of step 202 and step 203. Step 202 may be performed before step 203, step 203 may be performed before step 202, or the two steps may be performed simultaneously.
204. Determine a target attribute sequence according to the first attribute sequence and the second attribute sequence;
After the first attribute sequence corresponding to the first policy and the second attribute sequence corresponding to the second policy are obtained, an operation on the two sequences yields the target attribute sequence. The target attribute sequence represents how the first attribute sequence and the second attribute sequence are associated, and thus reflects the relationship between the configured and unconfigured attributes of the two policies.
205. Determine a detection result for the first policy and the second policy according to the target attribute sequence.
Because the target attribute sequence reflects the relationship between the configured and unconfigured attributes of the policies, the degree of overlap between the attributes of the first policy and the second policy can be judged from the encoding of the target attribute sequence, and the detection result for the first policy and the second policy determined accordingly. For example, if the target attribute sequence shows that the first policy and the second policy share more identical attributes, the risk of conflict between them may be considered higher; if it shows that they share fewer identical attributes, the risk may be considered lower.
The security policy detection method provided by this embodiment can be applied to products involving policy configuration, such as risk-control products, permission management products or the configuration of firewall security policies, without particular limitation.
This embodiment of the application provides a method for detecting a security policy. A first policy and a second policy requiring security policy detection are first acquired, where the first policy and the second policy have the same execution action and different execution results. A first attribute sequence corresponding to the first policy and a second attribute sequence corresponding to the second policy are then determined according to the full attribute set, which is the set of attributes configurable by any policy. Because a policy does not always apply every configurable attribute in the full attribute set, the first attribute sequence reflects the configured and unconfigured attributes of the first policy, and the second attribute sequence reflects those of the second policy. A target attribute sequence is determined from the first attribute sequence and the second attribute sequence; it represents the relationship of the attributes between the first policy and the second policy, so the detection result for the first policy and the second policy can be determined from it. In this way both the configured and the unconfigured attributes of the policies under detection take part in the calculation, which improves the range and accuracy of security policy detection.
Optionally, on the basis of the embodiment corresponding to fig. 2, in an optional embodiment of the security policy detection method provided by this application, determining the target attribute sequence according to the first attribute sequence and the second attribute sequence specifically includes:
performing an AND operation on the first attribute sequence and the second attribute sequence to obtain a third attribute sequence.
In this embodiment, an AND operation may be performed on the first attribute sequence and the second attribute sequence to obtain the third attribute sequence.
For example, the full attribute set includes the attributes gender, age, position, access object and access date. The attributes configured by the first policy specify that an entity initiating an access request is authorized when it is a male user (gender) over 20 years old (age) initiating access on 10 October (access date); the first attribute sequence corresponding to the first policy is (1101). The attributes configured by the second policy specify that a male user (gender) is refused when downloading games (access object) in October (access date); the second attribute sequence corresponding to the second policy is (1011). Performing an AND operation on the first attribute sequence (1101) and the second attribute sequence (1011) gives the third attribute sequence (1001), from which it follows that the first policy and the second policy overlap in the gender and access date attributes.
In this embodiment, the third attribute sequence is obtained by performing an AND operation on the first attribute sequence and the second attribute sequence, so that the overlap of each attribute between the first policy and the second policy is determined and the accuracy of security policy detection is improved.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, determining the detection result for the first policy and the second policy specifically includes:
if the third attribute sequence includes K second elements, determining that the detection result for the first policy and the second policy is the low risk level.
For ease of understanding, refer to fig. 3, which is a schematic diagram of a detection result of the low risk level for the first policy and the second policy in an embodiment of this application. The first element represents an attribute of the full attribute set configured by the policy, and the second element represents an attribute of the full attribute set not configured by the policy. If the third attribute sequence obtained by the AND operation includes K second elements, no configured attribute of the first policy overlaps with a configured attribute of the second policy. The detection result for the first policy and the second policy may then be considered the low risk level, meaning a low possibility of policy conflict.
For example, the full attribute set includes the attributes gender, age, position and nationality. The first policy specifies that an entity initiating an access request is allowed when it is a male user (gender) over 20 years old (age); the first attribute sequence corresponding to the first policy is (1100). The second policy specifies that the entity initiating the access request is not allowed when it is a Chinese user (nationality) below general manager (position); the second attribute sequence corresponding to the second policy is (0011). An AND operation on the first attribute sequence (1100) and the second attribute sequence (0011) gives the third attribute sequence (0000), which indicates that the configured attributes of the first policy and the second policy have no overlap at all. The detection result for the first policy and the second policy may then be considered the low risk level, with a low possibility of policy conflict. In practical applications, however, the low risk level does not mean an absolute absence of policy conflict. Continuing the example, when a 30-year-old male Chinese user whose position is ordinary employee initiates an access request, the user satisfies the judgment logic of the first policy, whose execution result is permitted, and also satisfies the judgment logic of the second policy, whose execution result is not permitted. The execution results of the first policy and the second policy may then conflict.
In this embodiment, the detection result for the first policy and the second policy is determined to be the low risk level through the AND operation on the first attribute sequence and the second attribute sequence, so that the risk of policy conflict is graded in multiple levels and the execution efficiency and management efficiency of policies are improved.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, if the third attribute sequence does not include K second elements, the method may further include the following step:
performing an OR operation on the first attribute sequence and the second attribute sequence to obtain a fourth attribute sequence.
If the third attribute sequence does not include K second elements, one or more first elements are present in the third attribute sequence, that is, the attributes of the first policy and the second policy partially coincide. An OR operation then needs to be performed on the first attribute sequence and the second attribute sequence to obtain the fourth attribute sequence.
In this embodiment, after the AND operation on the first attribute sequence and the second attribute sequence, an OR operation is further performed on them, which widens the range of security policy detection and improves its accuracy.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, determining the detection result for the first policy and the second policy specifically includes:
if the third attribute sequence is equal to the fourth attribute sequence, determining that the detection result for the first policy and the second policy is the high risk level.
For ease of understanding, refer to fig. 4, which is a schematic diagram of a detection result of the high risk level for the first policy and the second policy in an embodiment of this application. In this embodiment, an AND operation on the first attribute sequence and the second attribute sequence gives the third attribute sequence, and an OR operation on the first attribute sequence and the second attribute sequence gives the fourth attribute sequence. If the third attribute sequence is equal to the fourth attribute sequence, that is, the AND result of the two sequences equals their OR result, the attributes of the first policy and the second policy coincide completely. Since the execution actions are the same, the attributes are the same and the execution results differ, the first policy and the second policy have a high possibility of policy conflict, and the detection result for the first policy and the second policy may be determined to be the high risk level.
For example, the full attribute set includes the attributes gender, age, position and nationality. The first policy specifies that an entity initiating an access request is allowed when it is a male Chinese user (gender and nationality) over 20 years old (age); the first attribute sequence corresponding to the first policy is (1101). The second policy specifies that the entity initiating the access request is not allowed when it is a male Chinese user (gender and nationality) under 30 years old (age); the second attribute sequence corresponding to the second policy is (1101). An AND operation on the first attribute sequence (1101) and the second attribute sequence (1101) gives the third attribute sequence (1101), which shows that the configured attributes of the first policy and the second policy coincide. An OR operation on the first attribute sequence and the second attribute sequence then gives the fourth attribute sequence (1101). Since the third attribute sequence (1101) is identical to the fourth attribute sequence (1101), the configured and unconfigured attributes of the first policy are determined to be identical to the configured and unconfigured attributes of the second policy. The possibility of policy conflict between the first policy and the second policy is therefore considered high, and the detection result for the first policy and the second policy is determined to be the high risk level. Continuing the example, when a male Chinese user aged between 20 and 30 initiates an access request, the user satisfies the judgment logic of the first policy, whose execution result is permitted, and also satisfies the judgment logic of the second policy, whose execution result is not permitted. The execution results of the first policy and the second policy may then conflict.
In this embodiment, the AND result of the first attribute sequence and the second attribute sequence is compared with their OR result to determine that the detection result for the first policy and the second policy is the high risk level, so that the risk of policy conflict is graded in multiple levels and the execution efficiency and management efficiency of policies are improved. High-risk conflicts between policies are thereby avoided, which improves the stability of policy execution.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, determining the detection result for the first policy and the second policy specifically includes:
if the third attribute sequence is not equal to the fourth attribute sequence, determining that the detection result for the first policy and the second policy is the risk level.
For ease of understanding, refer to fig. 5, which is a schematic diagram of a detection result of the risk level for the first policy and the second policy in an embodiment of this application. In this embodiment, an AND operation on the first attribute sequence and the second attribute sequence gives the third attribute sequence, and an OR operation on the first attribute sequence and the second attribute sequence gives the fourth attribute sequence. If the third attribute sequence is not equal to the fourth attribute sequence, that is, the AND result of the two sequences does not equal their OR result, the attributes of the first policy and the second policy partially coincide. The first policy and the second policy then carry a certain risk of policy conflict, and the detection result for the first policy and the second policy may be determined to be the risk level.
For example, the full attribute set includes the attributes gender, age, position and nationality. The first policy specifies that an entity initiating an access request is allowed when it is a male Chinese user (gender and nationality) over 20 years old (age); the first attribute sequence corresponding to the first policy is (1101). The second policy specifies that the entity initiating the access request is not allowed when it is a male Chinese user (gender and nationality) below general manager (position); the second attribute sequence corresponding to the second policy is (1011). An AND operation on the first attribute sequence (1101) and the second attribute sequence (1011) gives the third attribute sequence (1001), which shows that the configured attributes of the first policy and the second policy partially overlap. An OR operation on the first attribute sequence and the second attribute sequence then gives the fourth attribute sequence (1111). Since the third attribute sequence (1001) is not identical to the fourth attribute sequence (1111), the configured and unconfigured attributes of the first policy are determined to differ from the configured and unconfigured attributes of the second policy, while the attributes of the two policies partially coincide. The first policy and the second policy therefore carry a certain risk of policy conflict, and the detection result for the first policy and the second policy may be determined to be the risk level.
Continuing the example, when a male Chinese user over 20 years old whose position is ordinary employee initiates an access request, the user satisfies the judgment logic of the first policy, whose execution result is permitted, and also satisfies the judgment logic of the second policy, whose execution result is not permitted. The execution results of the first policy and the second policy may then conflict.
In this embodiment, the AND result of the first attribute sequence and the second attribute sequence is compared with their OR result to determine that the detection result for the first policy and the second policy is the risk level, so that the risk of policy conflict is graded in multiple levels and the execution efficiency and management efficiency of policies are improved.
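The grading of steps 204-205 and the optional embodiments above (AND for the third attribute sequence, OR for the fourth, then low risk level / risk level / high risk level), together with the step 201 pre-screen on execution action and execution result, as an added runnable example. This is not code from the patent or its assignee; the `Policy` and `DetectionResult` records and the action/result values are constructed, and the sequences are the three 4-attribute examples of the text over {gender, age, position, nationality}:

```python
from dataclasses import dataclass
from typing import Optional

# Sequences use the text's encoding: "1" is the first element (configured
# attribute), "0" the second element (unconfigured attribute).


@dataclass(frozen=True)
class Policy:
    """Constructed policy record (assumption): the fields step 201 and
    steps 202-205 need, with the attribute sequence already encoded."""
    name: str
    action: str    # execution action, e.g. "delete"
    result: str    # execution result, e.g. "permit" / "reject"
    sequence: str  # attribute sequence over the full attribute set


@dataclass(frozen=True)
class DetectionResult:
    level: str             # "low risk level", "risk level" or "high risk level"
    third: str             # AND of the two sequences (third attribute sequence)
    fourth: Optional[str]  # OR of the two sequences; None when the AND result already decided


def needs_detection(first: Policy, second: Policy) -> bool:
    """Step 201 pre-screen: only a pair with the same execution action and
    different execution results can conflict, so only such pairs are detected."""
    return first.action == second.action and first.result != second.result


def _check_aligned(a: str, b: str) -> None:
    # Both sequences must be built over the same full attribute set (same K);
    # otherwise position i does not refer to the same attribute in both.
    if len(a) != len(b) or (set(a) | set(b)) - {"0", "1"}:
        raise ValueError("sequences must be 0/1 strings of equal length K")


def and_sequence(a: str, b: str) -> str:
    """Third attribute sequence: element-wise AND."""
    _check_aligned(a, b)
    return "".join("1" if x == "1" and y == "1" else "0" for x, y in zip(a, b))


def or_sequence(a: str, b: str) -> str:
    """Fourth attribute sequence: element-wise OR."""
    _check_aligned(a, b)
    return "".join("1" if x == "1" or y == "1" else "0" for x, y in zip(a, b))


def detect(first: Policy, second: Policy) -> Optional[DetectionResult]:
    """Steps 204-205 with the AND/OR grading of the optional embodiments.
    Returns None for a pair the step 201 screen rules out."""
    if not needs_detection(first, second):
        return None
    third = and_sequence(first.sequence, second.sequence)
    if "1" not in third:
        # K second elements: no configured attribute is shared by both policies.
        return DetectionResult("low risk level", third, None)
    fourth = or_sequence(first.sequence, second.sequence)
    if third == fourth:
        # Configured and unconfigured attributes coincide exactly.
        return DetectionResult("high risk level", third, fourth)
    return DetectionResult("risk level", third, fourth)


if __name__ == "__main__":
    # The three worked examples of the text over {gender, age, position, nationality};
    # "access" / "permit" / "reject" are constructed action and result values.
    pairs = [
        (Policy("first", "access", "permit", "1100"), Policy("second", "access", "reject", "0011")),
        (Policy("first", "access", "permit", "1101"), Policy("second", "access", "reject", "1101")),
        (Policy("first", "access", "permit", "1101"), Policy("second", "access", "reject", "1011")),
    ]
    for first, second in pairs:
        print(first.sequence, second.sequence, detect(first, second))
```

Note that the low risk level is reached without computing the OR result, exactly as the embodiments describe, and that `detect` returns `None` rather than a level for a pair that fails the step 201 screen, so a caller cannot mistake "not compared" for "low risk".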
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, after the detection result for the first policy and the second policy is determined to be the high risk level, the method may further include the following step:
feeding back an error prompt, where the error prompt indicates that a high risk level exists between the first policy and the second policy.
In this embodiment, once a high risk level has been determined between the first policy and the second policy, there is a high possibility of policy conflict between them, so a related error prompt may be fed back. Errors can thus be reported in time, which improves the security of policy execution.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, after the detection result for the first policy and the second policy is determined to be the risk level, the method may further include the following steps:
determining a first attribute processing rule corresponding to the first policy;
determining a second attribute processing rule corresponding to the second policy;
determining a risk event set corresponding to the risk level according to the first attribute processing rule and the second attribute processing rule, where the risk event set comprises at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
In this embodiment, after the detection result for the first policy and the second policy is determined to be the risk level, the set of events that can cause policy conflict, the risk event set, may be determined by combining the attribute processing rules of the first policy and the second policy. An attribute processing rule is the judgment logic of a policy: a functional expression or logical operation over the identity attributes, resource attributes and environment attributes of the policy that decides whether the execution action of the entity is allowed. A risk event satisfies both the first attribute and judgment logic corresponding to the first policy and the second attribute and judgment logic corresponding to the second policy, and therefore yields two different execution results; it is an event that causes policy conflict.
For example, the first policy specifies that an entity initiating an access request is allowed when it is a male Chinese user over 20 years old, and the second policy specifies that the entity initiating the access request is not allowed when it is a male Chinese user below general manager. When a male Chinese user aged 20 whose position is below general manager initiates an access request, the user satisfies the judgment logic of the first policy, whose execution result is permitted, and also satisfies the judgment logic of the second policy, whose execution result is not permitted. The execution results of the first policy and the second policy may then conflict.
In this embodiment, after the detection result is determined to be the risk level, the attribute processing rules of the first policy and the second policy are further evaluated and the risk events that cause policy conflict are determined in advance, which improves the execution efficiency and management efficiency of policies.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, after the detection result for the first policy and the second policy is determined to be the low risk level, the method may further include the following steps:
determining a first attribute processing rule corresponding to the first policy;
determining a second attribute processing rule corresponding to the second policy;
determining a risk event set corresponding to the low risk level according to the first attribute processing rule and the second attribute processing rule, where the risk event set comprises at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
In this embodiment, after the detection result for the first policy and the second policy is determined to be the low risk level, the set of events that can cause policy conflict, the risk event set, may be determined by combining the attribute processing rules of the first policy and the second policy. An attribute processing rule is the judgment logic of a policy: a functional expression or logical operation over the identity attributes, resource attributes and environment attributes of the policy that decides whether the execution action of the entity is allowed. A risk event satisfies both the first attribute and judgment logic corresponding to the first policy and the second attribute and judgment logic corresponding to the second policy, and therefore yields two different execution results; it is an event that causes policy conflict.
For example, the first policy specifies that an entity initiating an access request is allowed when it is a male user over 20 years old, and the second policy specifies that the entity initiating the access request is not allowed when it is a Chinese user below general manager. The risk event corresponding to the first policy and the second policy is a male Chinese user over 20 years old whose position is below general manager initiating an access request: the user satisfies the judgment logic of the first policy, whose execution result is allowed, and also satisfies the judgment logic of the second policy, whose execution result is not allowed. The execution results of the first policy and the second policy may then conflict.
In this embodiment, after the detection result is determined to be the risk level, the attribute processing rules of the first policy and the second policy are further evaluated and the risk events that cause policy conflict are determined in advance, which improves the execution efficiency and management efficiency of policies.
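The risk event set of the two embodiments above (after the risk level and after the low risk level), as an added runnable example that is not code from the patent or its assignee. Each policy carries its attribute processing rule as a predicate over a request; candidate requests are enumerated from constructed finite attribute domains (an assumption, chosen so the search runs offline), and a risk event is any request that satisfies both judgment logics while the two policies prescribe different execution results. The two policy pairs are the text's low-risk example (gender/age versus nationality/position) and its risk-level example (male Chinese over 20 versus male Chinese below general manager); the position ranking is constructed:

```python
import itertools
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Iterator, List, Mapping

Request = Mapping[str, Any]

# Constructed attribute domains (assumption): a finite sample of values per
# attribute of the full attribute set {gender, age, position, nationality}.
ATTRIBUTE_DOMAINS: Dict[str, List[Any]] = {
    "gender": ["male", "female"],
    "age": [18, 25, 40],
    "position": ["employee", "manager", "general manager"],
    "nationality": ["Chinese", "other"],
}
# Constructed ranking used for "below general manager".
POSITION_RANK = {"employee": 0, "manager": 1, "general manager": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    attributes: FrozenSet[str]       # attributes the policy configures
    rule: Callable[[Request], bool]  # attribute processing rule (judgment logic)
    result: str                      # execution result when the rule holds


def below_general_manager(request: Request) -> bool:
    return POSITION_RANK[request["position"]] < POSITION_RANK["general manager"]


# The text's low-risk example: no configured attribute is shared.
FIRST_LOW = Policy("first", frozenset({"gender", "age"}),
                   lambda r: r["gender"] == "male" and r["age"] > 20, "permit")
SECOND_LOW = Policy("second", frozenset({"nationality", "position"}),
                    lambda r: r["nationality"] == "Chinese" and below_general_manager(r),
                    "not permitted")

# The text's risk-level example: gender and nationality are shared.
FIRST_RISK = Policy("first", frozenset({"gender", "age", "nationality"}),
                    lambda r: r["gender"] == "male" and r["nationality"] == "Chinese" and r["age"] > 20,
                    "permit")
SECOND_RISK = Policy("second", frozenset({"gender", "position", "nationality"}),
                     lambda r: r["gender"] == "male" and r["nationality"] == "Chinese"
                     and below_general_manager(r), "not permitted")


def candidate_requests(domains: Mapping[str, List[Any]]) -> Iterator[Dict[str, Any]]:
    """Every combination of attribute values drawn from the domains."""
    names = list(domains)
    for values in itertools.product(*(domains[n] for n in names)):
        yield dict(zip(names, values))


def risk_event_set(first: Policy, second: Policy,
                   domains: Mapping[str, List[Any]]) -> List[Dict[str, Any]]:
    """Requests that satisfy both judgment logics while the execution results differ.

    Each event records the first attributes (derived from the first policy)
    and the second attributes (derived from the second policy) it is related to.
    """
    if first.result == second.result:
        return []  # identical execution results cannot conflict
    events = []
    for request in candidate_requests(domains):
        if first.rule(request) and second.rule(request):
            events.append({
                "request": request,
                "first_attributes": {a: request[a] for a in sorted(first.attributes)},
                "second_attributes": {a: request[a] for a in sorted(second.attributes)},
                "results": (first.result, second.result),
            })
    return events


if __name__ == "__main__":
    for label, pair in (("low risk level", (FIRST_LOW, SECOND_LOW)),
                        ("risk level", (FIRST_RISK, SECOND_RISK))):
        events = risk_event_set(*pair, ATTRIBUTE_DOMAINS)
        print(label, len(events), "risk events")
        for event in events:
            print("  ", event["request"], event["results"])
```

With the sample domains both pairs yield the same four risk events (male, Chinese, age 25 or 40, position employee or manager), which is the point of the low-risk embodiment: a third attribute sequence of all second elements says the policies constrain disjoint attributes, not that no request can satisfy both.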
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the security policy detection method provided by this application, before the first policy and the second policy are acquired, the method may further include the following steps:
creating a first policy, where the first policy comprises a first execution action and a first execution result;
obtaining a policy to be matched, where the policy to be matched comprises a second execution action and a second execution result;
if the first execution action is the same as the second execution action and the first execution result is different from the second execution result, determining that the policy to be matched is the second policy;
triggering the step of acquiring the first policy and the second policy.
The security policy detection method provided by this application can be applied to the detection of newly created policies. When a first policy is newly created, risk detection of the new policy can be triggered automatically after each creation, in order to detect the compatibility of the policy with the other policies in the policy library and reduce the risk of conflict during policy operation. Further, because the number of policies may be large, the original policies to be detected (that is, the policies to be matched) may first be screened: a policy to be matched whose execution action is the same as that of the first policy and whose execution result is the opposite is selected as the second policy, and the subsequent security policy detection flow is executed on the first policy and the second policy. For ease of understanding, refer to fig. 6, which is a schematic flow chart of security policy detection in this embodiment. As shown in fig. 6, specifically:
Step 601, a user can design a strategy through management equipment;
Step 602, creating a corresponding policy in the security policy detection system;
Step 603, the security policy detection system acquires the original policy in the policy library;
step 604, carrying out security policy detection on the newly created policy and the original policy;
Step 605, after obtaining the detection result, feeding back to the management device;
Step 606, the management device performs corresponding processing on the strategy according to different detection results;
Step 607, after processing the policy with the risk of policy conflict, in order to further ensure compatibility of the policy, the policy may be subjected to risk detection again;
Step 608, judging whether the risk of policy conflict is still detected, if so, returning to the execution step 605, and if not, ending the detection flow.
In this embodiment, when a new policy is created, security policy detection is automatically performed on the new policy and the original policy, so that security of policy creation is improved, and potential collision hazards of the new policy to the original policy are reduced.
Optionally, on the basis of the embodiment corresponding to fig. 2, in another optional embodiment of the method for detecting a security policy provided by the embodiment of the present application, before acquiring the first policy and the second policy, the method may further include the following steps:
Receiving timing configuration information;
and configuring a timer according to the timing configuration information, wherein the timer is used for triggering the step of acquiring the first policy and the second policy at the configured times.
In this embodiment, security policy detection may also be performed on multiple policies at regular time. Specifically, a user with a certain authority such as an administrator can set timing information for a system with a security policy detection function according to service requirements, and then the system configures a timer according to the timing information. Therefore, the detection and maintenance of strategy conflict can be carried out on each strategy at regular time, and the safety and reliability in the strategy operation process are improved.
Optionally, in another optional embodiment of the method for detecting a security policy according to the embodiment of the present application based on the embodiment corresponding to fig. 2, after determining that the detection result of the first policy and the detection result of the second policy are high risk levels, the method may further include the following steps:
Deleting the first policy or the second policy, or,
The priority of the first policy or the second policy is reduced.
In this embodiment, after determining that a high risk level exists between the first policy and the second policy, it is explained that there is a greater possibility of causing policy conflict between the first policy and the second policy. Therefore, the first strategy or the second strategy can be actively deleted, or the priority of the first strategy or the second strategy can be reduced, so that the simultaneous operation of a plurality of strategies with higher conflict risks is avoided, and the safety and the reliability of strategy execution are improved.
In the embodiment of the application, a security policy detection method for two different policies is introduced. In practical application, since a plurality of strategies exist in the strategy library of the system, one strategy to be detected can be determined first, and then each strategy in the strategy library is detected one by one, so that whether the strategy has a collision risk with other strategies in the strategy library is judged. For ease of understanding, please refer to fig. 7, which is an exemplary illustration of another flow chart of security policy detection in the present embodiment. As shown in fig. 7, in particular:
In step 701, the security policy detection is triggered, which may be actively triggered by the management device or the server, or may be triggered in a timing manner in response to a timer, or may be triggered automatically every time a policy is newly built, which is not limited herein.
Step 702, obtaining a target policy to be detected, so that the target policy and the other policies can be matched and detected one by one;
Step 703, encoding the attributes of the target policy, for which reference is made to the description of step 202 shown in fig. 2, not repeated here;
Step 704, obtaining the first attribute sequence corresponding to the encoded target policy;
Step 705, cyclically traversing the policies to be matched in the policy library, selecting the policies that have the same execution action as the target policy and a different execution result, and carrying out the subsequent detection flow on these policies to be matched and the target policy one by one. When the cyclic traversal of the policy library is complete, the corresponding loop ends;
Step 706, encoding the attributes of the policy to be matched, for which reference is made to the description of step 202 shown in fig. 2, not repeated here;
Step 707, obtaining the second attribute sequence corresponding to the encoded policy to be matched;
Step 708, judging whether the AND operation result of the first attribute sequence and the second attribute sequence is 0; if yes, executing step 709, and if no, executing step 710;
Step 709, if the AND operation result of the first attribute sequence and the second attribute sequence is 0, determining that the detection result is the low risk level, and executing step 715;
Step 710, if the AND operation result of the first attribute sequence and the second attribute sequence is not 0, judging whether the AND operation result of the first attribute sequence and the second attribute sequence is equal to the OR operation result of the first attribute sequence and the second attribute sequence; if yes, executing step 711, and if no, executing step 714;
Step 711, if the AND operation result of the first attribute sequence and the second attribute sequence is equal to the OR operation result of the first attribute sequence and the second attribute sequence, determining that the detection result is the high risk level, and executing step 712 or step 713;
Step 712, after determining that the detection result between the policies is the high risk level, feeding back an error prompt;
Step 713, after determining that the detection result between the policies is the high risk level, deleting one of the policies or lowering its priority;
Step 714, if the AND operation result of the first attribute sequence and the second attribute sequence is not equal to the OR operation result of the first attribute sequence and the second attribute sequence, determining that the detection result is the risk level, and executing step 715;
Step 715, determining a risk event set corresponding to the risk level and the low risk level.
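An added Python model of the fig. 7 loop (steps 702 to 714), not code from the patent: each policy is encoded against a full attribute set as a K-bit sequence, the step 705 pre-screen keeps only policies with the same execution action and a different execution result, and each pair is classified with the AND/OR comparison of steps 708 to 714. The attribute names, policy names and sample library are constructed for the example, and the risk event set of step 715 is not modelled.

```python
"""Added illustration of the fig. 7 detection loop (steps 702 to 714).

Not code from the patent. The attribute universe, policy names and
sample library below are constructed for this example; the risk event
set of step 715 (attribute processing rules) is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence

# Constructed full-quantity attribute set (K = 8). The index of an
# attribute in this tuple is its bit position in every attribute sequence,
# so sequences of different policies are directly comparable.
FULL_ATTRIBUTE_SET: Sequence[str] = (
    "src_ip", "dst_ip", "src_port", "dst_port",
    "protocol", "user_group", "time_window", "application",
)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                  # execution action, e.g. "access"
    result: str                  # execution result, e.g. "allow" or "deny"
    attributes: FrozenSet[str]   # the M (or N) attributes the policy conditions on


def encode(policy: Policy, universe: Sequence[str] = FULL_ATTRIBUTE_SET) -> int:
    """Steps 703/704 and 706/707: build the attribute sequence as a K-bit mask.

    Bit i is a first element (1) when attribute i is present in the policy
    and a second element (0) otherwise. An attribute outside the full set
    has no bit position, so it is rejected rather than silently dropped.
    """
    unknown = policy.attributes - set(universe)
    if unknown:
        raise ValueError(f"{policy.name}: attributes outside the full set: {sorted(unknown)}")
    sequence = 0
    for bit, attr in enumerate(universe):
        if attr in policy.attributes:
            sequence |= 1 << bit
    return sequence


def classify(first_seq: int, second_seq: int) -> str:
    """Steps 708 to 714: compare two attribute sequences with AND and OR."""
    third = first_seq & second_seq      # third attribute sequence (AND)
    if third == 0:                      # only second elements: no attribute in common
        return "low"
    fourth = first_seq | second_seq     # fourth attribute sequence (OR)
    if third == fourth:                 # identical attribute sets: same condition space
        return "high"
    return "risk"                       # partial overlap


def candidates(target: Policy, library: Sequence[Policy]) -> List[Policy]:
    """Step 705 pre-screen: same execution action, different execution result."""
    return [p for p in library
            if p is not target and p.action == target.action and p.result != target.result]


def detect(target: Policy, library: Sequence[Policy]) -> Dict[str, str]:
    """Steps 702 to 714 for one target policy: risk level per matched policy."""
    first_seq = encode(target)
    return {other.name: classify(first_seq, encode(other))
            for other in candidates(target, library)}


def high_risk_conflicts(target: Policy, library: Sequence[Policy]) -> List[str]:
    """Step 712 input: the policies for which an error prompt must be fed back."""
    return sorted(name for name, level in detect(target, library).items() if level == "high")


# Constructed sample library; P1 plays the newly created target policy.
LIBRARY: List[Policy] = [
    Policy("P1", "access", "allow", frozenset({"src_ip", "dst_port", "protocol"})),
    Policy("P2", "access", "deny", frozenset({"src_ip", "dst_port", "protocol"})),  # same attributes: high
    Policy("P3", "access", "deny", frozenset({"user_group", "time_window"})),       # disjoint: low
    Policy("P4", "access", "deny", frozenset({"dst_port", "application"})),         # partial overlap: risk
    Policy("P5", "access", "allow", frozenset({"src_ip"})),                         # same result: screened out
    Policy("P6", "audit", "deny", frozenset({"src_ip", "dst_port", "protocol"})),   # other action: screened out
]

if __name__ == "__main__":
    target = LIBRARY[0]
    for name, level in detect(target, LIBRARY).items():
        print(f"{target.name} vs {name}: {level} risk level")
    print("error prompt for:", high_risk_conflicts(target, LIBRARY))
```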
In order to better implement the above-described aspects of the embodiments of the present application, the following provides related apparatuses for implementing the above-described aspects. Referring to fig. 8, fig. 8 is a schematic structural diagram of a security policy detection device according to an embodiment of the present application, and a security policy detection device 800 includes:
an obtaining unit 801, configured to obtain a first policy and a second policy, where the first policy includes M attributes, the second policy includes N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
A generating unit 802, configured to generate a first attribute sequence according to M attributes and a full-quantity attribute set included in the first policy, where the full-quantity attribute set includes K attributes, the first attribute sequence includes M first elements and (K-M) second elements, and K is an integer greater than 1;
the generating unit 802 is further configured to generate a second attribute sequence according to the N attributes and the full-scale attribute set included in the second policy, where the second attribute sequence includes N first elements and (K-N) second elements;
a determining unit 803, configured to determine a target attribute sequence according to the first attribute sequence and the second attribute sequence;
a determining unit 803, configured to determine a detection result for the first policy and the second policy according to the target attribute sequence.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is specifically configured to perform an AND operation on the first attribute sequence and the second attribute sequence, so as to obtain a third attribute sequence.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is specifically configured to determine, in response to the third attribute sequence including K second elements, that the detection result of the first policy and the second policy is a low risk level.
Optionally, on the basis of the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application, the security policy detection device further includes a calculating unit 804.
The calculating unit 804 is configured to perform an OR operation on the first attribute sequence and the second attribute sequence, so as to obtain a fourth attribute sequence.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is specifically configured to determine that the detection results of the first policy and the second policy are high risk levels in response to the third attribute sequence being equal to the fourth attribute sequence.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is specifically configured to determine that the detection result of the first policy and the second policy is a risk level in response to the third attribute sequence not being equal to the fourth attribute sequence.
Optionally, on the basis of the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application, the security policy detection device further includes a feedback unit 805.
A feedback unit 805, configured to feed back an error prompt, where the error prompt is used to indicate that a high risk level exists between the first policy and the second policy.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is further configured to determine a first attribute processing rule corresponding to the first policy, determine a second attribute processing rule corresponding to the second policy, and determine a risk event set corresponding to the risk level according to the first attribute processing rule and the second attribute processing rule, where the risk event set includes at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
Optionally, based on the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application,
The determining unit 803 is further configured to determine a first attribute processing rule corresponding to the first policy;
Determining a second attribute processing rule corresponding to a second strategy;
And determining a risk event set corresponding to the low risk level according to the first attribute processing rule and the second attribute processing rule, wherein the risk event set comprises at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first strategy, and the second attribute is derived from the second strategy.
Optionally, on the basis of the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application, the security policy detection device further includes a creating unit 806 and a triggering unit 807.
The creating unit 806 is configured to create a first policy, where the first policy includes a first execution action and a first execution result;
the obtaining unit 801 is further configured to obtain a policy to be matched, where the policy to be matched includes a second execution action and a second execution result;
The determining unit 803 is further configured to determine that the policy to be matched is the second policy in response to the first execution action being the same as the second execution action and the first execution result being different from the second execution result;
a triggering unit 807 configured to trigger the step of acquiring the first policy and the second policy.
Optionally, on the basis of the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application, the security policy detection device further includes a receiving unit 808 and a configuration unit 809.
A receiving unit 808 for receiving timing configuration information;
A configuration unit 809 for configuring a timer according to the timing configuration information, the timer being used for timing triggering the step of acquiring the first policy and the second policy.
Optionally, on the basis of the embodiment corresponding to fig. 8, in one embodiment of the security policy detection device 800 provided in the embodiment of the present application, the security policy detection device further includes a processing unit 810.
A processing unit 810 for deleting the first policy or the second policy, or,
The priority of the first policy or the second policy is reduced.
In this embodiment, the security policy detection device 800 may execute the security policy detection method provided in the foregoing embodiments corresponding to fig. 2, fig. 6 or fig. 7, so as to improve the scope and accuracy of security policy detection.
The embodiment of the application also provides a computer device for executing the security policy detection method provided by the embodiment corresponding to fig. 2, 6 or 7. Referring to fig. 9, fig. 9 is a schematic diagram of a computer device according to an embodiment of the application. As shown, the computer device 900 can vary considerably in configuration or performance and can include one or more central processing units (CPUs) 922 (e.g., one or more processors), memory 932, and one or more storage media 930 (e.g., one or more mass storage devices) that store applications 942 or data 944. The memory 932 and the storage medium 930 may be transitory or persistent. The program stored on the storage medium 930 may include one or more modules (not shown), each of which may include a series of instruction operations in a computer device. Still further, the central processor 922 may be arranged to communicate with the storage medium 930 to execute the series of instruction operations stored in the storage medium 930 on the computer device 900.
The computer device 900 can also include one or more power supplies 926, one or more wired or wireless network interfaces 950, one or more input/output interfaces 958, and/or one or more operating systems 941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
The security policy detection method in the above embodiment may be based on the structure of the computer device shown in fig. 9.
Embodiments of the present application also provide a computer-readable storage medium having a computer program stored therein, which when run on a computer, causes the computer to perform the method as described in the foregoing embodiments.
Embodiments of the present application also provide a computer program product comprising a program which, when run on a computer, causes the computer to perform the method described in the previous embodiments.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product that is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, an interactive video management device, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
While the application has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that the foregoing embodiments may be modified or equivalents may be substituted for some of the features thereof, and that the modifications or substitutions do not depart from the spirit and scope of the embodiments of the application.
It should be noted that, the information related to the user (including, but not limited to, user equipment information, user personal information, user chat records, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.

Claims (21)

1. A method of security policy detection, comprising:
acquiring a first policy and a second policy, wherein the first policy comprises M attributes, the second policy comprises N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
generating a first attribute sequence according to the M attributes included in the first policy and a full-quantity attribute set, wherein the full-quantity attribute set comprises K attributes, the first attribute sequence comprises M first elements and K-M second elements, and K is an integer greater than 1;
generating a second attribute sequence according to the N attributes included in the second policy and the full-quantity attribute set, wherein the second attribute sequence comprises N first elements and K-N second elements;
determining a target attribute sequence according to the first attribute sequence and the second attribute sequence, which comprises performing an AND operation on the first attribute sequence and the second attribute sequence to obtain a third attribute sequence;
according to the target attribute sequence, determining detection results for the first policy and the second policy, which specifically comprises the following steps:
if the third attribute sequence does not comprise K second elements, performing an OR operation on the first attribute sequence and the second attribute sequence to obtain a fourth attribute sequence;
and if the third attribute sequence is equal to the fourth attribute sequence, determining that the detection results of the first policy and the second policy are the high risk level.
2. The method of claim 1, wherein determining the detection results for the first policy and the second policy from the target attribute sequence comprises:
And if the third attribute sequence comprises K second elements, determining that the detection results of the first strategy and the second strategy are low risk levels.
3. The method of claim 1, wherein determining the detection results for the first policy and the second policy from the target attribute sequence comprises:
And if the third attribute sequence is not equal to the fourth attribute sequence, determining that the detection results of the first strategy and the second strategy are the risk level.
4. The method of claim 1, wherein after the determining that the detection result of the first policy and the second policy is a high risk level, the method further comprises:
And feeding back an error prompt, wherein the error prompt is used for indicating that a high risk level exists between the first strategy and the second strategy.
5. A method according to claim 3, wherein after said determining that the detection result of the first policy and the second policy is a risk level, the method further comprises:
determining a first attribute processing rule corresponding to the first strategy;
determining a second attribute processing rule corresponding to the second strategy;
And determining a risk event set corresponding to the risk level according to the first attribute processing rule and the second attribute processing rule, wherein the risk event set comprises at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first strategy, and the second attribute is derived from the second strategy.
6. The method of claim 2, wherein after the determining that the detection result of the first policy and the second policy is a low risk level, the method further comprises:
determining the first attribute processing rule corresponding to the first strategy;
determining the second attribute processing rule corresponding to the second strategy;
And determining a risk event set corresponding to the low risk level according to the first attribute processing rule and the second attribute processing rule, wherein the risk event set comprises at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
7. The method of any one of claims 1 to 6, wherein prior to the acquiring the first policy and the second policy, the method further comprises:
newly establishing the first strategy, wherein the first strategy comprises a first execution action and a first execution result;
Obtaining a strategy to be matched, wherein the strategy to be matched comprises a second execution action and a second execution result;
If the first execution action is the same as the second execution action and the first execution result is different from the second execution result, determining the policy to be matched as the second policy;
Triggering the step of acquiring the first strategy and the second strategy.
8. The method of any one of claims 1 to 6, wherein prior to the acquiring the first policy and the second policy, the method further comprises:
Receiving timing configuration information;
and configuring a timer according to the timing configuration information, wherein the timer is used for triggering the step of acquiring the first policy and the second policy at the configured times.
9. The method of claim 1 or 4, wherein after determining that the detection result of the first policy and the second policy is a high risk level, the method further comprises:
deleting the first policy or the second policy, or,
The priority of the first policy or the second policy is reduced.
10. A security policy detection device, characterized in that the security policy detection device comprises:
an acquisition unit, configured to acquire a first policy and a second policy, wherein the first policy comprises M attributes, the second policy comprises N attributes, the first policy and the second policy have the same execution action and different execution results, and M and N are integers greater than or equal to 1;
The generating unit is used for generating a first attribute sequence according to the M attributes and a full attribute set included in the first strategy, wherein the full attribute set comprises K attributes, the first attribute sequence comprises M first elements and K-M second elements, and K is an integer greater than 1;
the generating unit is further configured to generate a second attribute sequence according to the N attributes and the full attribute set included in the second policy, where the second attribute sequence includes N first elements and K-N second elements;
The determining unit is used for determining a target attribute sequence according to the first attribute sequence and the second attribute sequence;
the determining unit is specifically configured to perform an AND operation on the first attribute sequence and the second attribute sequence to obtain a third attribute sequence;
the determining unit is used for determining detection results aiming at the first strategy and the second strategy according to the target attribute sequence;
the computing unit is used for carrying out OR operation on the first attribute sequence and the second attribute sequence to obtain a fourth attribute sequence in response to the fact that the third attribute sequence does not comprise K second elements;
The determining unit is specifically configured to determine that the detection results of the first policy and the second policy are high risk levels in response to the third attribute sequence being equal to the fourth attribute sequence.
11. The apparatus according to claim 10, wherein the determining unit is specifically configured to determine that the detection result of the first policy and the second policy is a low risk level in response to the third attribute sequence including K second elements.
12. The apparatus according to claim 10, wherein the determining unit is specifically configured to determine that the detection result of the first policy and the second policy is a risk level in response to the third attribute sequence not being equal to the fourth attribute sequence.
13. The apparatus of claim 10, wherein the apparatus further comprises:
and the feedback unit is used for feeding back an error prompt after the detection results of the first strategy and the second strategy are determined to be high risk levels, wherein the error prompt is used for indicating that the high risk levels exist between the first strategy and the second strategy.
14. The apparatus of claim 12, characterized in that
The determining unit is further configured to determine a first attribute processing rule corresponding to the first policy after the determining that the detection result of the first policy and the second policy is a risk level, determine a second attribute processing rule corresponding to the second policy, and determine a risk event set corresponding to the risk level according to the first attribute processing rule and the second attribute processing rule, where the risk event set includes at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
15. The apparatus of claim 11, wherein the apparatus further comprises:
The determining unit is further configured to determine, after the detection results of the first policy and the second policy are determined to be low risk levels, the first attribute processing rule corresponding to the first policy, determine the second attribute processing rule corresponding to the second policy, and determine a risk event set corresponding to the low risk levels according to the first attribute processing rule and the second attribute processing rule, where the risk event set includes at least one risk event, each risk event is related to a first attribute and a second attribute, the first attribute is derived from the first policy, and the second attribute is derived from the second policy.
16. The apparatus according to any one of claims 10 to 15, further comprising:
a new building unit, configured to build the first policy, where the first policy includes a first execution action and a first execution result;
The obtaining unit is further configured to obtain a policy to be matched, where the policy to be matched includes a second execution action and a second execution result;
The determining unit is further configured to determine that the policy to be matched is the second policy in response to the first execution action being the same as the second execution action and the first execution result being different from the second execution result;
and a triggering unit, configured to trigger the step of acquiring the first policy and the second policy.
17. The apparatus according to any one of claims 10 to 15, further comprising:
a receiving unit configured to receive timing configuration information;
The configuration unit is used for configuring a timer according to the timing configuration information, and the timer is used for triggering the step of acquiring the first strategy and the second strategy at fixed time.
18. The apparatus according to claim 10 or 13, wherein the apparatus further comprises:
a processing unit configured to delete the first policy or the second policy, or to reduce the priority of the first policy or the second policy, after the detection results of the first policy and the second policy are determined to be high risk levels.
19. A computer device, the computer device comprising a processor and a memory:
the memory being for storing program code and the processor being for performing the method of security policy detection according to any of claims 1 to 9 according to instructions in the program code.
20. A computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of security policy detection as claimed in any one of the preceding claims 1 to 9.
21. A computer program product comprising computer instructions stored in a computer readable storage medium, a processor of a computer device reading the computer instructions from the computer readable storage medium, the processor executing the computer instructions to cause the computer device to perform the method of security policy detection of any of the preceding claims 1 to 9.
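The matching and risk-event logic of claims 14 to 17, as an added Python model that is not the patent's or Tencent's own code: the attribute-based policy shape, the attribute overlap rule, the "high"/"low"/"none" grading and the sample policies are all assumptions made for this illustration.

```python
# Added example, not the patent's or Tencent's own code: a small model of the
# policy-conflict check in claims 14 to 17. The policy shape, the overlap rule,
# the risk grading and the sample policies are assumptions for this illustration.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    action: str   # execution action, e.g. "read"
    result: str   # execution result, e.g. "allow" or "deny"
    attrs: dict   # attribute name -> set of values the policy matches

def attribute_rule(policy):
    """Assumed attribute processing rule: canonicalise values to lowercase."""
    return {k: {str(v).lower() for v in vals} for k, vals in policy.attrs.items()}

def find_second_policy(first, candidates):
    """Claim 16: same execution action as the first policy, different result."""
    for cand in candidates:
        if cand.action == first.action and cand.result != first.result:
            return cand
    return None

def risk_events(first, second):
    """Claims 14/15: one event per attribute both policies constrain with
    intersecting value sets, pairing first-policy and second-policy values."""
    a, b = attribute_rule(first), attribute_rule(second)
    events = []
    for attr in sorted(a.keys() & b.keys()):
        overlap = a[attr] & b[attr]
        if overlap:
            events.append((attr, sorted(a[attr]), sorted(b[attr]), sorted(overlap)))
    return events

def risk_level(first, second):
    """Assumed grading: "high" when every shared attribute overlaps (one request
    can satisfy both policies), "low" when only some do, "none" otherwise."""
    shared = attribute_rule(first).keys() & attribute_rule(second).keys()
    events = risk_events(first, second)
    if not events:
        return "none"
    return "high" if len(events) == len(shared) else "low"

# Constructed sample policies, not taken from the patent.
FIRST = Policy("allow-finance-read", "read", "allow", {"role": {"Admin", "auditor"}, "resource": {"finance"}})
CANDIDATES = [
    Policy("deny-write", "write", "deny", {"role": {"guest"}}),
    Policy("deny-guest-read", "read", "deny",
           {"role": {"auditor", "guest"}, "resource": {"finance", "hr"}}),
]
```

With the sample data, `find_second_policy(FIRST, CANDIDATES)` skips the write policy, selects the deny-read policy, and the pair grades "high" because an auditor reading finance data satisfies both policies.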
CN202110265770.9A 2021-03-11 2021-03-11 A security policy detection method, related device and storage medium Active CN115080960B (en)

Publications (2)

Publication Number Publication Date
CN115080960A CN115080960A (en) 2022-09-20
CN115080960B true CN115080960B (en) 2025-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant