
CN112583761A - Management method and device of security entity, computer equipment and storage medium - Google Patents


Info

Publication number
CN112583761A
Authority
CN
China
Prior art keywords
attribute
modified
managed
node
entity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910925864.7A
Other languages
Chinese (zh)
Other versions
CN112583761B (en)
Inventor
舒鹏
李振博
毛秋阳
刘晓辉
张雪娟
郭思文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Original Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Events
Application filed by Secworld Information Technology Beijing Co Ltd, Qax Technology Group Inc
Priority to CN201910925864.7A
Publication of CN112583761A
Application granted
Publication of CN112583761B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a management method for a security entity. The storage structure of the security entity is a tree structure comprising several nodes, and one attribute of the security entity is set at each node. The method includes: in response to a management instruction for the security entity, determining from the management instruction the attribute of the security entity to be managed; constructing a query path for querying the attribute to be managed, wherein the query path comprises several layers in a progressive relationship; querying the tree structure using the query path, and using the query path to locate in the tree structure the node at which the attribute to be managed is set; and managing the attribute to be managed according to the query result. The present disclosure also provides a security entity management apparatus, a computer device, and a computer-readable storage medium.

Description

Management method and device of security entity, computer equipment and storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a management method and device of a security entity, computer equipment and a computer readable storage medium.
Background
Network security means that the hardware, software and data of a network system are protected so that they are not damaged, altered or leaked by accidental or malicious causes, the system runs continuously, reliably and normally, and network services are not interrupted. Generally, an object that actually participates in network security is referred to as a network security entity.
In the course of developing the invention, the inventor found that the prior art has at least the following defect: because there are very many types of network security entities and the attribute information of each network security entity is also very complex, the two-dimensional-table management used in the prior art makes the security entities very complicated to manage and easy to confuse.
Disclosure of Invention
The present invention is directed to a method, an apparatus, a computer device, and a computer-readable storage medium for managing a security entity, which can solve the above-mentioned drawbacks in the prior art.
One aspect of the present invention provides a method for managing a security entity, where a storage structure of the security entity is a tree structure, the tree structure includes a plurality of nodes, and each node sets an attribute of the security entity, and the method includes: in response to a management instruction for the security entity, determining an attribute to be managed of the security entity from the management instruction; constructing a query path for querying the attribute to be managed, wherein the query path comprises a plurality of layers with progressive relation; inquiring the tree structure by using the inquiry path, and inquiring nodes for setting the attributes to be managed in the tree structure by using the inquiry path; and managing the attribute to be managed according to the query result.
Optionally, the secure entity has a unique identifier, and the secure entity associates the tree structure through the unique identifier, and constructing a query path for querying the attribute to be managed includes: obtaining the unique identifier; constructing the query path using the unique identifier.
Optionally, the obtaining the unique identifier comprises: judging whether the management instruction carries the unique identifier or not; if the management instruction carries the unique identifier, acquiring the unique identifier from the management instruction; and if the management instruction does not carry the unique identifier, acquiring the unique identifier from the index relationship of the secure entity, wherein the index relationship of the secure entity comprises the relationship between the secure entity and the unique identifier.
Optionally, when the management instruction is a new instruction, the attribute to be managed is an attribute to be newly added, and managing the attribute to be managed according to the query result includes: if the query result is that the node with the attribute to be newly added is queried, error reporting processing is carried out; and if the query result indicates that the node with the attribute to be newly added is not queried, newly adding a node in the tree structure, and storing the attribute to be newly added at the newly added node.
Optionally, when the management instruction is a delete instruction, the attribute to be managed is an attribute to be deleted, and managing the attribute to be managed according to the query result includes: and if the query result is that the node with the attribute to be deleted is queried, deleting the attribute to be deleted at the node with the attribute to be deleted.
Optionally, when the management instruction is a modification instruction, the attribute to be managed is an attribute to be modified, and the method further includes: determining an attribute used for modifying the attribute to be modified from the modification instruction, wherein the attribute is called a substitute attribute; managing the attributes to be managed according to the query result comprises: and if the query result is that the node with the attribute to be modified is queried, modifying the attribute to be modified by using the alternative attribute at the node with the attribute to be modified.
Optionally, modifying the attribute to be modified by using the substitute attribute includes: when the alternate attribute carries a preset identifier, modifying the attribute to be modified by using the alternate attribute; when the alternate attribute does not carry the preset identifier and the attribute to be modified carries the preset identifier, forbidding to modify the attribute to be modified by using the alternate attribute; and when the alternate attribute and the attribute to be modified do not carry the preset identifier, comparing the priorities of the alternate attribute and the attribute to be modified, wherein when the priority of the alternate attribute is greater than or equal to the priority of the attribute to be modified, the attribute to be modified is modified by using the alternate attribute, and when the priority of the alternate attribute is smaller than the priority of the attribute to be modified, the attribute to be modified is forbidden to be modified by using the alternate attribute.
Another aspect of the present invention provides an apparatus for managing a security entity, where a storage structure of the security entity is a tree structure, the tree structure includes a plurality of nodes, and each node sets an attribute of the security entity, and the apparatus includes: the determining module is used for responding to a management instruction aiming at the safety entity and determining the attribute to be managed of the safety entity from the management instruction; the building module is used for building a query path for querying the attribute to be managed, wherein the query path comprises a plurality of layers with progressive relation; the query module is used for querying the tree structure by using the query path and querying the node for setting the attribute to be managed in the tree structure by using the query path; and the management module is used for managing the attribute to be managed according to the query result.
Optionally, the secure entity has a unique identifier, and the secure entity associates the tree structure with the unique identifier, and the construction module is further configured to: obtaining the unique identifier; constructing the query path using the unique identifier.
Optionally, the construction module, when obtaining the unique identifier, is further configured to: judging whether the management instruction carries the unique identifier or not; if the management instruction carries the unique identifier, acquiring the unique identifier from the management instruction; and if the management instruction does not carry the unique identifier, acquiring the unique identifier from the index relationship of the secure entity, wherein the index relationship of the secure entity comprises the relationship between the secure entity and the unique identifier.
Optionally, when the management instruction is a new instruction, the attribute to be managed is an attribute to be added, and the management module is further configured to: if the query result is that the node with the attribute to be newly added is queried, error reporting processing is carried out; and if the query result indicates that the node with the attribute to be newly added is not queried, newly adding a node in the tree structure, and storing the attribute to be newly added at the newly added node.
Optionally, when the management instruction is a delete instruction, the attribute to be managed is an attribute to be deleted, and the management module is further configured to: and if the query result is that the node with the attribute to be deleted is queried, deleting the attribute to be deleted at the node with the attribute to be deleted.
Optionally, when the management instruction is a modification instruction, the attribute to be managed is an attribute to be modified, and the apparatus further includes: the processing module is used for determining an attribute used for modifying the attribute to be modified from the modification instruction, and the attribute is called a substitute attribute; the management module is further configured to: and if the query result is that the node with the attribute to be modified is queried, modifying the attribute to be modified by using the alternative attribute at the node with the attribute to be modified.
Optionally, when the attribute to be modified is modified by using the substitute attribute, the management module is further configured to: when the alternate attribute carries a preset identifier, modifying the attribute to be modified by using the alternate attribute; when the alternate attribute does not carry the preset identifier and the attribute to be modified carries the preset identifier, forbidding to modify the attribute to be modified by using the alternate attribute; and when the alternate attribute and the attribute to be modified do not carry the preset identifier, comparing the priorities of the alternate attribute and the attribute to be modified, wherein when the priority of the alternate attribute is greater than or equal to the priority of the attribute to be modified, the attribute to be modified is modified by using the alternate attribute, and when the priority of the alternate attribute is smaller than the priority of the attribute to be modified, the attribute to be modified is forbidden to be modified by using the alternate attribute.
Yet another aspect of the present invention provides a computer device configured to implement the method of managing a security entity as described in any of the embodiments above.
A further aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements a method of managing a security entity as described in any of the embodiments above.
The management method of the security entity stores each attribute of the security entity at one node, so that the storage structure of the security entity as a whole forms a layered tree structure; the structure is clear, management is convenient, and child nodes can share the attribute definition of the parent node, which reduces repeated definitions. When the attributes of the security entity are managed, a query path suited to the tree structure is constructed (for example, a query path comprising several layers in a progressive relationship), the nodes of the tree structure are then located layer by layer through the query path, and a query result is obtained accurately and quickly: either the node at which the attribute to be managed is set has been found, or no such node has been found. The attribute to be managed can then be managed according to the query result.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 schematically shows a schematic diagram of a tree structure according to an embodiment of the invention;
fig. 2 schematically shows a flow chart of a method of management of a security entity according to an embodiment of the invention;
fig. 3 schematically shows a block diagram of a management device of a security entity according to an embodiment of the invention;
fig. 4 schematically shows a block diagram of a computer device adapted to implement a method of management of a security entity according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The invention provides a management method of a safety entity, wherein the storage structure of the safety entity is a tree structure, the tree structure comprises a plurality of nodes, and each node is provided with an attribute of the safety entity. Specifically, the attributes of the security entity can be divided into basic attributes, static attributes, dynamic attributes and security attributes, each type of attribute includes a plurality of fine granularity attributes, each type of attribute and each fine granularity attribute occupy a node respectively, and the node occupied by each fine granularity attribute included in each type of attribute is a child node of the node occupied by the type of attribute, and through the distribution, the storage structure of the whole security entity forms a hierarchical tree structure.
Fig. 1 schematically shows a tree structure according to an embodiment of the invention. As shown in fig. 1, taking a sample file as the security entity, the storage structure of the sample file is the tree structure in fig. 1. Specifically, the node occupied by each of the basic attributes, the static attributes, the dynamic attributes and the security attributes of the sample file is a child node of the node occupied by the sample file attributes. The basic attributes may be information such as the file size and the file type. The static attributes may describe the static format of the file; for example, the static attributes may include several format attributes such as the executable file, and the node occupied by each attribute under the static attributes is a child node of the node occupied by the static attributes; the executable file in turn includes the following attributes: PE (Portable Executable) file, ELF (Executable and Linking Format) file and Mach-O (Mach object) file, where the node occupied by each of these attributes is a child node of the node occupied by the executable file. The dynamic attributes are the dynamic behaviors performed by the file; for example, the dynamic attributes may include file behavior, network behavior, registry behavior and the like, and the node occupied by each attribute under the dynamic attributes is a child node of the node occupied by the dynamic attributes. The security attributes may include the reputation information of the file, antivirus software detection information, the security level and the like, and the node occupied by each attribute under the security attributes is a child node of the node occupied by the security attributes.
Based on the tree structure described in the above embodiment, when managing the attributes to be managed of the security entity, the attributes to be managed can be searched by constructing a query path applicable to the tree structure, and then the attributes to be managed are managed according to the query result. In particular, fig. 2 schematically shows a flow chart of a management method of a security entity according to an embodiment of the present invention. As shown in fig. 2, the method for managing a security entity may include steps S201 to S204, where:
step S201, in response to a management instruction for the secure entity, determining an attribute to be managed of the secure entity from the management instruction.
The security entity is an object actually participating in network security, such as a sample File (File), an IP address, a domain name, a URL (uniform resource locator), a terminal device, a process, a mail, an enterprise, and the like.
In this embodiment, the management instruction may indicate which attribute of which security entity is managed this time, and the indicated attribute may be referred to as an attribute to be managed; the management instruction may also simply indicate which security entity is managed, and all attributes of the security entity are referred to as attributes to be managed.
Step S202, constructing a query path for querying the attribute to be managed, wherein the query path comprises a plurality of layers with progressive relation.
In this embodiment, the query path may be expressed as a Uniform Resource Identifier (URI) and is used to quickly locate the attribute to be managed. Because the storage structure of the security entity is a tree with a hierarchical relationship, the query path is constructed as several layers in a progressive relationship so that, during a search, the layers of the tree structure can be located progressively, where the progressive relationship means that each next layer is a sub-level of the previous layer.
Optionally, several of the layers may be determined by the security entity and the attribute to be managed. For example, the layer determined by the security entity may determine the tree structure corresponding to the security entity, i.e., all data tables storing the attributes of the security entity; the layer determined by the attribute to be managed can quickly locate the node for setting the attribute to be managed from the tree structure, namely, a data table for storing the attribute to be managed is determined from all the determined data tables, and the position of the attribute to be managed in the data table is determined. Wherein, the layer determined by the security entity may be a layer determined by a name of the security entity or information (such as a label) characterizing the security entity, and the layer determined by the attribute to be managed may be a layer determined by a name of the attribute to be managed or information (such as a label) characterizing the attribute to be managed. In addition, since the attribute to be managed is a sub-level of the security entity, the layer determined by the attribute to be managed in the query path is a sub-level of the layer determined by the security entity.
Optionally, the secure entity has a unique identifier, and the secure entity associates the tree structure with the unique identifier, in order to accurately find the tree structure corresponding to the secure entity, the unique identifier of the secure entity needs to be taken into account when constructing the query path, so as to locate the tree structure of the secure entity by the unique identifier. Specifically, step S202 may include step S2021 and step S2022, where:
step S2021, the unique identifier is acquired.
Taking a sample file as the security entity, the unique identifier may be the unique value obtained by applying Secure Hash Algorithm 1 (SHA-1) to the sample file, referred to below as its SHA1.
In this embodiment, two cases may arise when constructing the query path. In one case the management instruction carries the unique identifier, and the query path can be constructed directly from it; for example, the management instruction manages a PDF file whose SHA1 is 90903. In the other case the management instruction does not carry the unique identifier, and the identifier must be determined from a pre-established index relationship; for example, the management instruction is to manage the PDF file. Specifically, step S2021 may include steps A1 to A3, where:
Step A1, judging whether the management instruction carries the unique identifier.
If the management instruction carries the unique identifier, step A2 is executed; if the management instruction does not carry the unique identifier, step A3 is executed.
Step A2, obtaining the unique identifier from the management instruction.
Step A3, obtaining the unique identifier from the index relationship of the security entity, wherein the index relationship of the security entity includes the relationship between the security entity and the unique identifier.
In this embodiment, an index relationship is established in advance for a part of the secure entities. For example, if the management command is to manage the PDF files arranged in the top 10 by SHA1, the index relationship of the PDFs is found out from all the index relationships, the SHA1 of all the PDFs is found out from the index relationships of all the PDFs, and then the SHA1 is sorted to select the SHA1 arranged in the top 10.
Step S2022, construct the query path using the unique identifier.
Optionally, several of said layers are determined by said secure entity, said unique identifier and said attribute to be managed. When a plurality of tree structures corresponding to security entities of the same type exist (for example, a plurality of sample files exist, and the storage structure of each sample file is a tree structure), the layer determined by the security entities cannot accurately determine the corresponding tree structure, and at this time, the unique identifier can be taken into account when a query path is constructed.
For example, if the security entity is a file (files), the attribute to be managed is the static attribute and the unique identifier is SHA1, the query path may be files/{sha1}/static; if the attribute to be managed is the network behavior among the dynamic attributes, the query path may be files/{sha1}/behavior/network.
Step S203, querying the tree structure by using the query path, and querying a node in the tree structure for setting the attribute to be managed by using the query path.
In this embodiment, the tree structure of the security entity may be determined by the query path, and then the nodes with the attributes to be managed may be set by continuously querying the tree structure by using the query path.
For example, the management instruction is to manage the network behavior among the dynamic attributes of security entity 1 (such as files), and the query path is files/{sha1}/behavior/network. Suppose tree structure 1 corresponds to security entity 1, tree structure 2 to security entity 2, and tree structure 3 to security entity 3. First, tree structure 1 is determined through the query path, then the node at which the dynamic attribute is set is determined in tree structure 1, and finally the node at which the network behavior is set is queried among all child nodes of the node at which the dynamic attribute is set.
And step S204, managing the attribute to be managed according to the query result.
The management may include searching, adding, deleting and modifying, and the query result is either that a node at which the attribute to be managed is set was found, or that no such node was found.
Optionally, when the management instruction is a new adding instruction, the attribute to be managed is an attribute to be added, and step S204 may include: if the query result is that the node with the attribute to be newly added is queried, error reporting processing is carried out; and if the query result indicates that the node with the attribute to be newly added is not queried, newly adding a node in the tree structure, and storing the attribute to be newly added at the newly added node.
In this embodiment, when an attribute is added, if a node for setting the attribute to be added is found in the tree structure, it is inevitable that an error exists at a certain position, and the system can report the error. If the node for setting the attribute to be newly added is not queried in the tree structure, a node can be newly added in the tree structure, which specifically can be: deleting the last layer in the query path to obtain a deleted query path; locating the corresponding node in the tree structure by using the deleted query path; and creating a child node for the positioned node, and storing the attribute to be added at the created child node. The last layer of the query path is deleted to determine the attribute of the previous level of the attribute to be newly added, then the node of the attribute of the previous level of the attribute to be newly added is positioned and set in the tree structure by utilizing the deleted query path, child nodes are further created for the positioned nodes, then the attribute to be newly added is stored at the created child nodes, and the purpose of adding the attribute can be achieved.
Optionally, when the management instruction is a delete instruction, the attribute to be managed is an attribute to be deleted, and managing the attribute to be managed according to the query result includes: and if the query result is that the node with the attribute to be deleted is queried, deleting the attribute to be deleted at the node with the attribute to be deleted.
In this embodiment, after deleting the attribute to be deleted at the node where the attribute to be deleted is set, the node where the attribute to be deleted is set may be further deleted. And if the query result is that the node with the attribute to be deleted is not queried, an error is inevitably generated at a certain position, and the system can report the error.
Optionally, when the management instruction is a modification instruction, the attribute to be managed is an attribute to be modified, and the method further includes: determining an attribute used for modifying the attribute to be modified from the modification instruction, wherein the attribute is called a substitute attribute; managing the attributes to be managed according to the query result comprises: and if the query result is that the node with the attribute to be modified is queried, modifying the attribute to be modified by using the alternative attribute at the node with the attribute to be modified.
In this embodiment, when the management instruction is a modification instruction, the management instruction necessarily indicates the attribute to be modified and a substitute attribute for modifying the attribute to be modified. If the management instruction is to modify the network behavior 1 of the dynamic attribute in the PDF file into the network behavior 2, the attribute to be modified is the network behavior 1, and the alternate attribute is the network behavior 2. Furthermore, when the query result is that the node with the attribute to be modified is queried, the attribute to be modified can be modified by using the alternative attribute. In addition, if the query result is that the node with the attribute to be modified is not queried, an error is inevitably generated at a certain position, and the system can report the error.
Optionally, the modification policy is set as follows:
Modifying the attribute to be modified with the substitute attribute may include:
when the substitute attribute carries a preset identifier, replacing the attribute to be modified with the substitute attribute;
when the substitute attribute does not carry the preset identifier but the attribute to be modified does, forbidding the replacement of the attribute to be modified with the substitute attribute;
and when neither the substitute attribute nor the attribute to be modified carries the preset identifier, comparing the priorities of the two: when the priority of the substitute attribute is greater than or equal to that of the attribute to be modified, the attribute to be modified is replaced with the substitute attribute, and when the priority of the substitute attribute is lower than that of the attribute to be modified, the replacement is forbidden.
In this embodiment, the preset identifier has a mandatory meaning. When the substitute attribute carries the preset identifier, it holds a mandatory modification right, because it is the attribute being used to perform the modification; whether the attribute to be modified also carries the preset identifier need not be considered, and the substitute attribute directly replaces the attribute to be modified. When the substitute attribute does not carry the preset identifier but the attribute to be modified does, the attribute to be modified already exists in the tree structure, the substitute attribute lacks the mandatory right, and the attribute to be modified holds a mandatory right to keep its place, so the system forbids the user from replacing it with the substitute attribute. When neither attribute carries the preset identifier, the mandatory meaning need not be considered and only the two priorities are compared; to ensure that the system can be updated in time, the modification is carried out as long as the priority of the substitute attribute is not lower than that of the attribute to be modified. Because a preset identifier on the substitute attribute bypasses the priority comparison entirely, a substitute carrying it can displace even the highest-ranked attribute, so the right to mark a substitute attribute with the preset identifier should be confined to trusted sources of management instructions.
Alternatively, the modification policy described above may be applied when the attribute to be modified and the substitute attribute both belong to the broad class of security attributes. In this case the priorities of the attributes are ranked from high to low as: attributes collected by the white list (these are safe attributes); attributes confirmed to be safe by backtracking or other means; attributes not reported after scanning by antivirus software; unknown attributes; attributes whose false-alarm rate is greater than or equal to a preset threshold; attributes whose false-alarm rate is smaller than the preset threshold; and attributes reported by antivirus software as viruses or trojans.
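The following is an added example, not code from the patent or its assignee, that puts the pieces of the method described above into one runnable form: a tree whose nodes carry the attributes of a security entity, a query path walked layer by layer, the addition, deletion and modification instructions with their error cases, the unique identifier taken from the instruction or from an index relationship, and the three-branch modification policy with the priority ranking just listed. The class names, level names, identifier format and the PDF sample data are assumptions made for illustration.

```python
"""Added example (not the patent's own code): attributes of a security entity
stored on the nodes of a tree, managed through a layered query path, with the
modification policy (preset identifier first, then priority) described above.
All names, identifiers and sample data here are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Priority ranking from the description, highest first.
PRIORITY_ORDER = [
    "whitelisted",       # collected by the white list
    "confirmed_safe",    # confirmed safe by backtracking or other means
    "av_clean",          # not reported after antivirus scanning
    "unknown",           # unknown attributes
    "false_alarm_high",  # false-alarm rate >= preset threshold
    "false_alarm_low",   # false-alarm rate < preset threshold
    "av_malicious",      # reported as virus or trojan by antivirus
]

def priority(level: str) -> int:
    """Numeric priority; a larger value outranks a smaller one."""
    return len(PRIORITY_ORDER) - PRIORITY_ORDER.index(level)

@dataclass
class Attribute:
    value: str
    level: str = "unknown"
    mandatory: bool = False  # True when the attribute carries the preset identifier

def may_replace(current: Attribute, substitute: Attribute) -> bool:
    """Modification policy: a mandatory substitute always wins, a mandatory
    current attribute blocks a non-mandatory substitute, otherwise the
    substitute must rank at least as high as the current attribute."""
    if substitute.mandatory:
        return True
    if current.mandatory:
        return False
    return priority(substitute.level) >= priority(current.level)

@dataclass
class Node:
    attribute: Optional[Attribute] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

class EntityTree:
    """Tree of one security entity; the root stands for its unique identifier."""

    def __init__(self, uid: str):
        self.uid = uid
        self.root = Node()

    def locate(self, path: List[str]) -> Optional[Node]:
        """Walk the layers of the query path one by one; None if a layer is missing."""
        node = self.root
        for layer in path:
            node = node.children.get(layer)
            if node is None:
                return None
        return node

    def add(self, path: List[str], attr: Attribute) -> None:
        """Addition instruction: error if the attribute is already set at the path,
        otherwise create the missing layers and store the attribute at the new node."""
        found = self.locate(path)
        if found is not None and found.attribute is not None:
            raise KeyError(f"attribute already set at {'/'.join(path)}")
        node = self.root
        for layer in path:
            node = node.children.setdefault(layer, Node())
        node.attribute = attr

    def delete(self, path: List[str]) -> Attribute:
        """Delete instruction: remove the attribute, then prune the node if it is
        now empty (the optional further deletion of the node)."""
        node = self.locate(path)
        if node is None or node.attribute is None:
            raise KeyError(f"no attribute at {'/'.join(path)}")
        removed, node.attribute = node.attribute, None
        if not node.children:
            del self.locate(path[:-1]).children[path[-1]]
        return removed

    def modify(self, path: List[str], substitute: Attribute) -> bool:
        """Modification instruction: apply the policy; False means forbidden."""
        node = self.locate(path)
        if node is None or node.attribute is None:
            raise KeyError(f"no attribute at {'/'.join(path)}")
        if not may_replace(node.attribute, substitute):
            return False
        node.attribute = substitute
        return True

# Constructed index relationship: entity name -> unique identifier (assumed format).
INDEX_RELATION = {"sample.pdf": "entity-0001"}

def resolve_uid(instruction: dict) -> str:
    """Take the identifier carried in the instruction, else look it up in the index."""
    return instruction.get("uid") or INDEX_RELATION[instruction["entity"]]
```

With this layout, the query path for the PDF example is `["dynamic", "network_behavior"]` under the entity's root; `add` on an already-set path raises, as does `delete` or `modify` on a missing one, matching the error-reporting branches, while `modify` returning False is the policy's forbidden case rather than an error.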
With the management method for a security entity provided by the invention, each attribute of the security entity is stored on one node, so that the storage structure of the security entity as a whole forms a layered tree structure: the structure is clear and convenient to manage, and child nodes can share the attribute definitions of their parent node, which reduces duplicated definitions. When an attribute of the security entity is managed, a query path suited to the tree structure is constructed, for example one comprising a plurality of layers in a progressive relationship; the nodes of the tree structure are then located layer by layer along the query path, and a query result is obtained accurately and quickly, namely that a node carrying the attribute to be managed was found or that no such node was found, after which the attribute to be managed can be managed according to that query result.
The embodiment of the present invention further provides a management apparatus for a security entity, which corresponds to the management method for a security entity provided in the above embodiment; the corresponding technical features and effects are not described in detail here, and reference may be made to the above embodiment for the relevant points. Specifically, the storage structure of the security entity is a tree structure, the tree structure includes a plurality of nodes, and each node sets an attribute of the security entity. Fig. 3 schematically illustrates a block diagram of a management apparatus for a security entity according to an embodiment of the present invention. As shown in fig. 3, the management apparatus 300 for a security entity may include a determining module 301, a constructing module 302, a querying module 303 and a managing module 304, where:
the determining module 301 is configured to determine, in response to a management instruction for the security entity, the attribute to be managed of the security entity from the management instruction;
the constructing module 302 is configured to construct a query path for querying the attribute to be managed, where the query path includes a plurality of layers in a progressive relationship;
the querying module 303 is configured to query the tree structure using the query path, that is, to use the query path to find the node in the tree structure that sets the attribute to be managed;
and the managing module 304 is configured to manage the attribute to be managed according to the query result.
The management apparatus for a security entity stores each attribute of the security entity on one node, so that the storage structure of the security entity as a whole forms a layered tree structure: the structure is clear and convenient to manage, and child nodes can share the attribute definitions of their parent node, which reduces duplicated definitions. When an attribute of the security entity is managed, a query path suited to the tree structure is constructed, for example one comprising a plurality of layers in a progressive relationship; the nodes of the tree structure are then located layer by layer along the query path, and a query result is obtained accurately and quickly, namely that a node carrying the attribute to be managed was found or that no such node was found, after which the attribute to be managed can be managed according to that query result.
Optionally, the security entity has a unique identifier, the tree structure of the security entity is associated with that unique identifier, and the constructing module is further configured to: obtain the unique identifier; and construct the query path using the unique identifier.
Optionally, when obtaining the unique identifier, the constructing module is further configured to: judge whether the management instruction carries the unique identifier; if it does, obtain the unique identifier from the management instruction; and if it does not, obtain the unique identifier from the index relationship of the security entity, where the index relationship records the correspondence between the security entity and its unique identifier.
Optionally, when the management instruction is an addition instruction, the attribute to be managed is an attribute to be added, and the managing module is further configured to: if the query result is that a node carrying the attribute to be added has been found, perform error-reporting processing; and if the query result is that no such node was found, add a new node to the tree structure and store the attribute to be added at the new node.
Optionally, when the management instruction is a delete instruction, the attribute to be managed is an attribute to be deleted, and the managing module is further configured to: if the query result is that a node carrying the attribute to be deleted has been found, delete the attribute to be deleted at that node.
Optionally, when the management instruction is a modification instruction, the attribute to be managed is an attribute to be modified, and the apparatus further includes a processing module configured to determine, from the modification instruction, the attribute that is to replace the attribute to be modified, referred to as the substitute attribute; the managing module is further configured to: if the query result is that a node carrying the attribute to be modified has been found, replace the attribute to be modified with the substitute attribute at that node.
Optionally, when replacing the attribute to be modified with the substitute attribute, the managing module is further configured to: when the substitute attribute carries a preset identifier, replace the attribute to be modified with the substitute attribute; when the substitute attribute does not carry the preset identifier but the attribute to be modified does, forbid the replacement; and when neither attribute carries the preset identifier, compare the priorities of the two, replacing the attribute to be modified with the substitute attribute when the priority of the substitute attribute is greater than or equal to that of the attribute to be modified, and forbidding the replacement when the priority of the substitute attribute is lower.
Fig. 4 schematically shows a block diagram of a computer device adapted to implement the management method for a security entity according to an embodiment of the present invention. In this embodiment, the computer device 400 may be a smartphone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or the like that executes programs (an independent server or a server cluster composed of a plurality of servers). As shown in fig. 4, the computer device 400 of this embodiment includes at least, but is not limited to, a memory 401, a processor 402 and a network interface 403, communicatively coupled to one another via a system bus. It is noted that fig. 4 only shows the computer device 400 with components 401 to 403, but it is understood that not all of the shown components are required and that more or fewer components may be implemented instead.
In this embodiment, the memory 401 includes at least one type of computer-readable storage medium, such as flash memory, a hard disk, a multimedia card, a card-type memory (e.g. SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk or an optical disk. In some embodiments the memory 401 may be an internal storage unit of the computer device 400, such as its hard disk or main memory. In other embodiments the memory 401 may also be an external storage device of the computer device 400, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card attached to the computer device 400. Of course, the memory 401 may also include both internal and external storage devices of the computer device 400. In this embodiment, the memory 401 is generally used to store the operating system installed on the computer device 400 and various application software, such as the program code of the management method for a security entity. The memory 401 may further be used to temporarily store data that has been output or is to be output.
In some embodiments the processor 402 may be a central processing unit (CPU), controller, microcontroller, microprocessor or other data-processing chip. The processor 402 generally controls the overall operation of the computer device 400, for example the control and processing related to data interaction or communication with the computer device 400, and runs the program code of the management method for a security entity.
In this embodiment, the method for managing the security entity stored in the memory 401 may be further divided into one or more program modules and executed by one or more processors (in this embodiment, the processor 402) to complete the present invention.
The network interface 403 may comprise a wireless or a wired network interface and is typically used to establish communication links between the computer device 400 and other computer devices. For example, the network interface 403 connects the computer device 400 with an external terminal through a network and establishes a data transmission channel and a communication link between them. The network may be a wireless or wired network such as an intranet, the Internet, Global System for Mobile communications (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth or Wi-Fi.
The present embodiment also provides a computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application mall, etc., on which a computer program is stored, which when executed by a processor implements a management method of a secure entity.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for managing a security entity, wherein a storage structure of the security entity is a tree structure, the tree structure includes a plurality of nodes, each node sets an attribute of the security entity, and the method includes:
in response to a management instruction for the security entity, determining an attribute to be managed of the security entity from the management instruction;
constructing a query path for querying the attribute to be managed, wherein the query path comprises a plurality of layers with progressive relation;
querying the tree structure using the query path, so as to find the node in the tree structure that sets the attribute to be managed;
and managing the attribute to be managed according to the query result.
2. The method according to claim 1, wherein the secure entity has a unique identifier, and the secure entity associates the tree structure with the unique identifier, and constructing a query path for querying the attribute to be managed comprises:
obtaining the unique identifier;
constructing the query path using the unique identifier.
3. The method of claim 2, wherein obtaining the unique identifier comprises:
judging whether the management instruction carries the unique identifier or not;
if the management instruction carries the unique identifier, acquiring the unique identifier from the management instruction;
and if the management instruction does not carry the unique identifier, acquiring the unique identifier from the index relationship of the secure entity, wherein the index relationship of the secure entity comprises the relationship between the secure entity and the unique identifier.
4. The method according to claim 1, wherein when the management instruction is a new addition instruction, the attribute to be managed is an attribute to be added, and managing the attribute to be managed according to the query result comprises:
if the query result is that a node carrying the attribute to be added has been found, performing error-reporting processing;
and if the query result is that no node carrying the attribute to be added was found, adding a new node to the tree structure and storing the attribute to be added at the new node.
5. The method according to claim 1, wherein when the management instruction is a delete instruction, the attribute to be managed is an attribute to be deleted, and managing the attribute to be managed according to the query result comprises:
if the query result is that a node carrying the attribute to be deleted has been found, deleting the attribute to be deleted at that node.
6. The method according to claim 1, wherein when the management instruction is a modification instruction, the attribute to be managed is an attribute to be modified, the method further comprising:
determining, from the modification instruction, the attribute that is to replace the attribute to be modified, referred to as the substitute attribute;
and managing the attribute to be managed according to the query result comprises: if the query result is that a node carrying the attribute to be modified has been found, replacing the attribute to be modified with the substitute attribute at that node.
7. The method of claim 6, wherein replacing the attribute to be modified with the substitute attribute comprises:
when the substitute attribute carries a preset identifier, replacing the attribute to be modified with the substitute attribute;
when the substitute attribute does not carry the preset identifier but the attribute to be modified does, forbidding the replacement of the attribute to be modified with the substitute attribute;
and when neither the substitute attribute nor the attribute to be modified carries the preset identifier, comparing the priorities of the two, wherein when the priority of the substitute attribute is greater than or equal to that of the attribute to be modified, the attribute to be modified is replaced with the substitute attribute, and when the priority of the substitute attribute is lower than that of the attribute to be modified, the replacement is forbidden.
8. An apparatus for managing a security entity, wherein a storage structure of the security entity is a tree structure, the tree structure includes a plurality of nodes, each node sets an attribute of the security entity, the apparatus includes:
a determining module, configured to determine, in response to a management instruction for the security entity, the attribute to be managed of the security entity from the management instruction;
a constructing module, configured to construct a query path for querying the attribute to be managed, wherein the query path comprises a plurality of layers in a progressive relationship;
a querying module, configured to query the tree structure using the query path so as to find the node in the tree structure that sets the attribute to be managed;
and a managing module, configured to manage the attribute to be managed according to the query result.
9. A computer device, the computer device comprising: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
CN201910925864.7A 2019-09-27 2019-09-27 Management method and device of security entity, computer equipment and storage medium Active CN112583761B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910925864.7A CN112583761B (en) 2019-09-27 2019-09-27 Management method and device of security entity, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112583761A true CN112583761A (en) 2021-03-30
CN112583761B CN112583761B (en) 2023-03-28

Family

ID=75109947

Country Status (1)

Country Link
CN (1) CN112583761B (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101283542A (en) * 2005-10-01 2008-10-08 Lg电子株式会社 Device management system using log management object and method for generating and controlling logging data therein
CN101083608A (en) * 2006-05-30 2007-12-05 华为技术有限公司 Method for enquiring node information of equipment management tree and its terminal equipment
CN101854343A (en) * 2009-04-01 2010-10-06 华为终端有限公司 Method for providing node information, method and device for obtaining node information
CN102130779A (en) * 2010-01-13 2011-07-20 宏达国际电子股份有限公司 Method and device management system for addressing management objects in management tree
US10044522B1 (en) * 2012-08-21 2018-08-07 Amazon Technologies Inc. Tree-oriented configuration management service
CN106446256A (en) * 2016-10-17 2017-02-22 鞍钢集团矿业有限公司 Real-time industrial production information sensation system based on context calculation
CN110134681A (en) * 2019-04-15 2019-08-16 平安科技(深圳)有限公司 Data storage and querying method, device, computer equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113656438A (en) * 2021-08-06 2021-11-16 北京数码大方科技股份有限公司 Data query method and device of data tree
CN113656438B (en) * 2021-08-06 2023-12-12 北京数码大方科技股份有限公司 Data query method and device for data tree

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant after: QAX Technology Group Inc.
Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.
Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant before: QAX Technology Group Inc.
Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
GR01 Patent grant