CN106878239A - A security policy update method and device - Google Patents

A security policy update method and device

Info

Publication number: CN106878239A
Authority: CN (China)
Prior art keywords: security policy, interception, data, module, information
Legal status: Pending (current)
Application number: CN201510927454.8A
Other languages: Chinese (zh)
Inventor: 刘厚良
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Application filed by: China Mobile Communications Group Co Ltd
Priority to: CN201510927454.8A
Publication of: CN106878239A

Abstract

The invention discloses a security policy update method: interception information from the Linux Security Module (LSM) is obtained, where the interception information includes the access data between a subject and an object; the interception information is processed according to a preset policy to generate interception data; the interception data is sent to a server, so that the server generates a corresponding security policy based on the interception data and, once the security policy has passed review, sends it to the terminal, which then performs the security policy update. The invention also discloses a security policy update device. Using the technical solution of the invention, the efficiency of security policy updates can be improved and the correctness and reliability of the security policy raised.

Description

Translated from Chinese

A security policy update method and device

Technical field

The present invention relates to security information technology in the field of communications, and in particular to a security policy update method and device.

Background

SEAndroid is a system security mechanism, based on and centred on SELinux (Security-Enhanced Linux), that Google officially introduced in Android 4.4; it is now widely used in the Android operating system. Internationally well-known terminal manufacturers are all releasing terminal products with SEAndroid built in. At present there are three main ways of updating the SEAndroid security policy:

First, add a new security policy loading subsystem to the existing SEAndroid system, compile the required security policy on the host responsible for policy compilation, download it into the secure storage area of a secure Trans-flash Card (TF card), and then insert the secure TF card carrying the policy into the SEAndroid system for subsequent loading. However, this method updates the SEAndroid security policy far too inefficiently.

Second, use a built-in self-learning module to record the subject/object access records intercepted by the LSM (Linux Security Module), generate a basic security policy by automatic generation plus manual fine-tuning, and supply it to the system for later use. However, this method cannot guarantee the accuracy and completeness of the security policy, and cannot meet the need of a large user base to update security policies collectively.

Third, have technical staff write the relevant security policy themselves on the basis of the current policy, by analysing software functions, subject/object access relationships and file storage relationships, then write it into the handset kernel to update the operating system's security policy. However, this method places high demands on the technical staff, is labour-intensive and is error-prone.

Summary of the invention

In view of this, the present invention aims to provide a security policy update method and device that can improve the efficiency of security policy updates and improve the correctness and reliability of the security policy.

To achieve the above object, the technical solution of the present invention is implemented as follows:

The present invention provides a security policy update method, the method comprising:

obtaining interception information from the Linux Security Module (LSM), where the interception information includes access data between a subject and an object;

processing the interception information according to a preset policy and generating interception data;

sending the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to the terminal once it has passed review.

In the above solution, preferably, processing the interception information according to a preset policy includes:

sorting the interception information;

merging identical interception information into a single item of interception information.

In the above solution, preferably, generating the interception data includes:

determining a translation format for the interception information;

translating the interception information into interception data according to the translation format;

where the format of the interception information is <subject, object, access type, ..., content S> and the format of the interception data is <package name 1, package name 2, package name 3, ..., package name s>.

In the above solution, preferably, the method further includes:

receiving a first security policy returned by the server side, where the first security policy is a security policy that has been confirmed by review on the server side;

integrating the first security policy with the local security policy;

completing the security policy update based on the integrated security policy.

The present invention also provides a security policy update method applied on the server side, the method comprising:

receiving interception data sent by a terminal, where the interception data is generated by the terminal processing, according to a preset policy, the interception information obtained through the LSM;

generating a corresponding security policy based on the interception data;

sending the security policy to the terminal once it has passed review.

In the above solution, preferably, generating a corresponding security policy based on the interception data includes:

sorting the received interception data and counting the number of interceptions for each object;

if the number of interceptions of accesses to the same object is greater than or equal to a preset threshold, generating a corresponding security policy statement from the interception data relating to that object.

In the above solution, preferably, generating a corresponding security policy based on the interception data further includes:

merging like items among the security policy statements;

generating the corresponding security policy from the merged security policy statements.

In the above solution, preferably, the method further includes:

having reviewers review the security policy, and fine-tuning the security policy when a preset condition is met;

generating the first security policy from the security policy confirmed by review.

The present invention also provides a security policy update device, the device comprising:

an acquisition module, configured to obtain interception information from the LSM, where the interception information includes access data between a subject and an object;

a processing module, configured to process the interception information according to a preset policy and generate interception data;

a first sending module, configured to send the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to the terminal once it has passed review.

In the above solution, preferably, the processing module includes:

a sorting sub-module, configured to sort the interception information;

a first merging sub-module, configured to merge identical interception information into a single item of interception information.

In the above solution, preferably, the processing module further includes:

a determining sub-module, configured to determine a translation format for the interception information;

a translation sub-module, configured to translate the interception information into interception data according to the translation format;

where the format of the interception information is <subject, object, access type, ..., content S> and the format of the interception data is <package name 1, package name 2, package name 3, ..., package name s>.

In the above solution, preferably, the device further includes:

a first receiving module, configured to receive a first security policy returned by the server side, where the first security policy is a security policy confirmed by review on the server side;

an integration module, configured to integrate the first security policy with the local security policy;

an update module, configured to complete the security policy update based on the integrated security policy.

The present invention also provides a security policy update device applied on the server side, the device comprising:

a second receiving module, configured to receive interception data sent by a terminal, where the interception data is generated by the terminal processing, according to a preset policy, the interception information obtained through the LSM;

a generation module, configured to generate a corresponding security policy based on the interception data;

a second sending module, configured to send the security policy to the terminal once it has passed review.

In the above solution, preferably, the generation module includes:

a statistics sub-module, configured to sort the received interception data and count the number of interceptions for each object;

a first generation sub-module, configured to generate a corresponding security policy statement from the interception data relating to the same object if the number of interceptions of accesses to that object is greater than or equal to a preset threshold.

In the above solution, preferably, the generation module further includes:

a second merging sub-module, configured to merge like items among the security policy statements;

a second generation sub-module, configured to generate the corresponding security policy from the merged security policy statements.

In the above solution, preferably, the device further includes:

a review module, configured to have reviewers review the security policy and fine-tune it when a preset condition is met;

correspondingly, the generation module is further configured to generate the first security policy from the security policy confirmed by review.

The security policy update method and device provided by the present invention obtain interception information from the LSM, where the interception information includes access data between a subject and an object; process the interception information according to a preset policy and generate interception data; and send the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends it to the terminal once it has passed review, for the terminal to update its security policy. In this way the security policy can be updated for many users at once, which effectively improves the efficiency of security policy updates, while also improving the correctness and reliability of the security policy and the user experience.

Description of the drawings

Fig. 1 is a flowchart of the implementation of a security policy update method provided by the present invention;

Fig. 2 is a flowchart of the implementation of another security policy update method provided by the present invention;

Fig. 3 is a schematic diagram of the structure of a security policy update device provided by the present invention;

Fig. 4 is a schematic diagram of the structure of another security policy update device provided by the present invention;

Fig. 5 is a schematic diagram of a security policy update system provided by the present invention;

Fig. 6 is a flowchart of one specific implementation of a security policy update provided by the present invention.

Detailed description

In order to understand the features and technical content of the present invention in more detail, its implementation is described below with reference to the accompanying drawings; the drawings are provided for reference and illustration only and are not intended to limit the invention.

Embodiment one

Fig. 1 is a flowchart of the implementation of a security policy update method provided by the present invention. The method is applied on the terminal side. As shown in Fig. 1, the method mainly includes the following steps:

Step 101: obtain interception information from the Linux Security Module, where the interception information includes access data between a subject and an object.

Specifically, the format of the interception information may be <subject, object, access type, ..., content S>.

For example, the format of the interception information may be <subject, object>, or <subject, object, access type>.

For example, if application A accesses file B, then A is the subject and B is the object.

Step 102: process the interception information according to a preset policy and generate interception data.

Preferably, processing the interception information according to a preset policy may include:

sorting the interception information;

merging identical interception information into a single item of interception information.

For example, if within a certain period application A accessed file B five times and each access was denied, then the five items of interception information recording that file B denied access to application A need to be merged into a single item of interception information.

Preferably, generating the interception data may include:

determining a translation format for the interception information;

translating the interception information into interception data according to the translation format;

where, when the format of the interception information is <subject, object, access type, ..., content S>, the format of the interception data may be <package name 1, package name 2, package name 3, ..., package name s>.

For example, when the format of the interception information is <subject, object, access type>, the format of the interception data may be <package name 1, package name 2, package name 3>.

Step 103: send the interception data to the server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to the terminal once it has passed review.

Specifically, the terminal may send the interception data to the server when a trigger condition is met; the trigger condition may be periodic or event-driven.

The entity executing steps 101 to 103 may be the terminal, or a device installed in the terminal that is capable of performing the functions of these steps.

In the above solution, preferably, the method may further include:

the terminal receiving a first security policy returned by the server side, where the first security policy is a security policy confirmed by review on the server side;

integrating the first security policy with the local security policy;

completing the security policy update based on the integrated security policy.

Specifically, after the server has generated the first security policy, it delivers the first security policy file to each terminal client; each terminal client integrates the first security policy with the security policy file stored locally; once integration is complete, the terminal can complete the policy update by rebooting.

Specifically, the terminal may complete the security policy update based on the integrated security policy using an update method from the prior art, which is not described further here.

In this embodiment, the terminal may be any device on which applications can be installed, such as a mobile phone, tablet, laptop or television.
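The terminal-side pipeline of steps 101 to 103 (sort and merge identical interception records, translate them into interception data, decide whether the event trigger fires) and the later integration of the reviewed first security policy with the local policy file, written out as an added example. This is illustrative code, not the patent's or China Mobile's implementation. The sample records, the subject-label-to-package-name lookup table (the patent says the information is "translated" into package names but does not specify the mapping), the event-trigger rule and the line-based policy file format are all assumptions of this example.

```python
from collections import Counter, OrderedDict
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List, Tuple

Intercept = Tuple[str, str, str]  # <subject, object, access type>, as in the patent

# Constructed sample LSM interception records (not real device data): five denied
# reads of file B by app A in one period, two denied writes by app C, one read of
# file C by app A, and one record whose subject has no known package.
RAW_INTERCEPTS: List[Intercept] = [
    ("u:r:app_a:s0", "/data/misc/B", "read"),
    ("u:r:app_a:s0", "/data/misc/B", "read"),
    ("u:r:app_c:s0", "/data/misc/B", "write"),
    ("u:r:app_a:s0", "/data/misc/B", "read"),
    ("u:r:app_a:s0", "/data/misc/C", "read"),
    ("u:r:app_a:s0", "/data/misc/B", "read"),
    ("u:r:app_c:s0", "/data/misc/B", "write"),
    ("u:r:app_a:s0", "/data/misc/B", "read"),
    ("u:r:unknown_x:s0", "/data/misc/B", "read"),
]

# Hypothetical subject-label -> package-name table (assumption of this example).
SUBJECT_TO_PACKAGE: Dict[str, str] = {
    "u:r:app_a:s0": "com.example.appa",
    "u:r:app_c:s0": "com.example.appc",
}


@dataclass(frozen=True)
class InterceptData:
    """One item of interception data: the translated record plus the number of
    identical interceptions it stands for."""
    package: str
    obj: str
    access: str
    count: int


def merge_identical(records: Iterable[Intercept]) -> "OrderedDict[Intercept, int]":
    """Step 102, first part: sort the records and merge identical ones, keeping a count."""
    return OrderedDict(sorted(Counter(records).items()))


def translate(merged: Dict[Intercept, int], table: Dict[str, str]) -> List[InterceptData]:
    """Step 102, second part: translate merged records into interception data.
    Records whose subject cannot be mapped to a package are dropped, so the server
    never receives an entry it cannot attribute to an application."""
    out = []
    for (subject, obj, access), n in merged.items():
        package = table.get(subject)
        if package is not None:
            out.append(InterceptData(package, obj, access, n))
    return out


def build_upload(records: Iterable[Intercept], table: Dict[str, str],
                 event_threshold: int = 5) -> dict:
    """Steps 101-103 end to end: the payload for the server, plus whether the
    event trigger (one object intercepted at least event_threshold times) fired.
    A periodic trigger would simply call this on a timer."""
    data = translate(merge_identical(records), table)
    fired = any(d.count >= event_threshold for d in data)
    return {"items": [asdict(d) for d in data], "send_now": fired}


def integrate(local_lines: List[str], first_policy: List[str]) -> Tuple[List[str], bool]:
    """Terminal-side integration of the reviewed first security policy with the
    local policy file: keep local lines in order, append lines not already present,
    and report whether anything changed (only then is a reboot needed)."""
    merged = list(local_lines)
    present = set(local_lines)
    for line in first_policy:
        if line not in present:
            merged.append(line)
            present.add(line)
    return merged, len(merged) != len(local_lines)


if __name__ == "__main__":
    print(build_upload(RAW_INTERCEPTS, SUBJECT_TO_PACKAGE))
```

Dropping unattributable records on the terminal is a design choice of this example: the server's threshold counting in embodiment two is per object, so an entry with no package name would inflate the count without ever yielding a usable policy statement.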

The security policy update method of this embodiment obtains interception information from the LSM, where the interception information includes access data between a subject and an object; processes the interception information according to a preset policy and generates interception data; and sends the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends it to the terminal once it has passed review, for the terminal to update its security policy. In this way the security policy can be updated for many users at once, which effectively improves the efficiency of security policy updates, while also improving the correctness and reliability of the security policy and the user experience.

Embodiment two

Fig. 2 is a flowchart of the implementation of another security policy update method provided by the present invention. The method is applied on the server side. As shown in Fig. 1, the method mainly includes the following steps:

Step 201: receive interception data sent by the terminal, where the interception data is generated by the terminal processing, according to a preset policy, the interception information obtained through the LSM.

Here, LSM refers to the Linux Security Module.

The interception information includes access data between a subject and an object. Specifically, the format of the interception information may be <subject, object, access type, ..., content S>.

For example, the format of the interception information may be <subject, object>, or <subject, object, access type>.

Preferably, after receiving the interception data sent by the terminal, the method may further include:

storing the interception data.

Of course, the interception data may be stored locally on the server, or it may also be stored on a first device, where the first device is a device that can connect to the server.

Here, the server may receive interception data sent by each of the terminals.

Step 202: generate a corresponding security policy based on the interception data.

Specifically, when the server analyses the interception data sent by the terminals, it may use big-data analysis methods.

Preferably, generating a corresponding security policy based on the interception data may include:

sorting the received interception data and counting the number of interceptions for each object;

if the number of interceptions of accesses to the same object is greater than or equal to a preset threshold, generating a corresponding security policy statement from the interception data relating to that object.

Of course, different types of access may have different preset thresholds.

For example, suppose the server's analysis of the interception data uploaded by terminal 1 shows that application A was denied access to file B, application C was denied access to file B, and application D was denied access to file B; then A, C and D are subjects and B is the object. Suppose the preset threshold is 10; then when the number of accesses by A to file B, Na, plus the number by C, Nc, plus the number by D, Nd, satisfies Na + Nc + Nd ≥ 10, the server generates security policy statement a for application A's access to file B, security policy statement c for application C's access to file B, and security policy statement d for application D's access to file B.

Preferably, generating a corresponding security policy based on the interception data may further include:

merging like items among the security policy statements;

generating the corresponding security policy from the merged security policy statements.

For example, suppose the server's analysis of the interception data uploaded by terminal 2 shows that applications E, F and G were each denied access to file B; then E, F and G are subjects and B is the object, and the server generates security policy statement e for application E's access to file B, statement f for application F's access to file B, and statement g for application G's access to file B. The server then compares the interception data uploaded by terminal 1 and terminal 2; suppose A and E belong to a first category, C and F to a second category, and D and G to a third category. Then statements a and e should be merged, statements c and f merged, and statements d and g merged.

In this way, security policy statements of the same type can be merged, which better handles accesses to the same object by different types of application.

Step 203: send the security policy to the terminal once it has passed review.

Preferably, the method may further include:

having reviewers review the security policy, and fine-tuning the security policy when a preset condition is met;

generating the first security policy from the security policy confirmed by review.

For example, fine-tuning is required when a reviewer manually adds a new security policy.

Preferably, after the first security policy has been generated, the method may further include:

actively pushing the first security policy file to each terminal.

Specifically, after the server has generated the first security policy, it delivers the first security policy file to each terminal client; each terminal client integrates the first security policy with the security policy file stored locally; once integration is complete, the terminal can complete the policy update by rebooting.

Specifically, the terminal may complete the security policy update based on the integrated security policy using an update method from the prior art, which is not described further here.

In this embodiment, the terminal may be any device on which applications can be installed, such as a mobile phone, tablet, laptop or television.

Preferably, after the first security policy has been generated, the method may further include:

pushing notification information about the first security policy to each terminal.

In this way, each terminal can fetch the first security policy file from the server side on its own initiative or after receiving a control instruction.
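The server-side procedure of steps 201 to 203, as an added example that is not the patent's or China Mobile's code: count interceptions per object across all terminals' uploads, generate a candidate statement for every subject once the object's total reaches the threshold for that access type, merge statements whose subjects fall in the same category, and release a first security policy only after the review gate. The uploads reproduce the patent's worked example (A, C, D on terminal 1 and E, F, G on terminal 2, all denied on file B, threshold 10); the per-access-type thresholds, the category table, the `<package, object, access, count>` upload shape and the one-line-per-statement rendering are assumptions of this example. The `review` function models the reviewer decision as a boolean plus optional manually added lines, which is the example's simplification of the patent's review and fine-tuning step.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed uploads from two terminals. Each item is interception data in the
# assumed <package, object, access type, merged count> form.
UPLOADS: Dict[str, List[Tuple[str, str, str, int]]] = {
    "terminal1": [
        ("app.A", "/data/B", "read", 4),
        ("app.C", "/data/B", "read", 3),
        ("app.D", "/data/B", "read", 3),
        ("app.A", "/data/X", "write", 3),   # below the write threshold: no statement
    ],
    "terminal2": [
        ("app.E", "/data/B", "read", 2),
        ("app.F", "/data/B", "read", 2),
        ("app.G", "/data/B", "read", 1),
    ],
}

# Hypothetical thresholds per access type (the patent allows different thresholds
# for different access types); an access type with no entry never qualifies.
THRESHOLDS: Dict[str, int] = {"read": 10, "write": 5}

# Hypothetical application categories used for "like item" merging
# (the patent's first, second and third category).
CATEGORY: Dict[str, str] = {
    "app.A": "cat1", "app.E": "cat1",
    "app.C": "cat2", "app.F": "cat2",
    "app.D": "cat3", "app.G": "cat3",
}

MergedKey = Tuple[str, str, str]  # (category, object, access type)


@dataclass(frozen=True)
class Statement:
    """One candidate security policy statement: subject -> object, access type."""
    subject: str
    obj: str
    access: str


def count_by_object(uploads: Dict[str, List[Tuple[str, str, str, int]]]) -> Dict[Tuple[str, str], int]:
    """Step 202, first part: total interceptions per (object, access) over all terminals."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for items in uploads.values():
        for _pkg, obj, access, n in items:
            totals[(obj, access)] += n
    return dict(totals)


def generate_statements(uploads, thresholds: Dict[str, int]) -> List[Statement]:
    """Step 202, second part: one statement per subject for every object whose
    total interception count meets the threshold for that access type."""
    totals = count_by_object(uploads)
    stmts: List[Statement] = []
    seen = set()
    for items in uploads.values():
        for pkg, obj, access, _n in items:
            if totals[(obj, access)] >= thresholds.get(access, float("inf")):
                s = Statement(pkg, obj, access)
                if s not in seen:
                    seen.add(s)
                    stmts.append(s)
    return stmts


def merge_like(stmts: Iterable[Statement], category: Dict[str, str]) -> Dict[MergedKey, FrozenSet[str]]:
    """Step 202, third part: merge statements whose subjects share a category.
    A subject with no category stands in its own group."""
    merged: Dict[MergedKey, set] = defaultdict(set)
    for s in stmts:
        merged[(category.get(s.subject, s.subject), s.obj, s.access)].add(s.subject)
    return {k: frozenset(v) for k, v in merged.items()}


def render_policy(merged: Dict[MergedKey, FrozenSet[str]]) -> List[str]:
    """Render one line per merged statement. The line syntax is this example's
    own, not SELinux policy language and not anything the patent specifies."""
    return [f"{cat} {obj} {access}  # subjects: {', '.join(sorted(subjects))}"
            for (cat, obj, access), subjects in sorted(merged.items())]


def review(candidate: List[str], approved: bool, additions: Iterable[str] = ()) -> Optional[List[str]]:
    """Step 203: only a policy that passed review becomes the first security
    policy; reviewer fine-tuning is modelled as appended lines."""
    if not approved:
        return None
    return list(candidate) + list(additions)


if __name__ == "__main__":
    policy = render_policy(merge_like(generate_statements(UPLOADS, THRESHOLDS), CATEGORY))
    print("\n".join(policy))
```

Note that the threshold is applied to the object's total across subjects and terminals, as in the patent's Na + Nc + Nd ≥ 10 example, and that nothing reaches the terminals until `review` returns a list; the unreviewed candidate is what the patent's reviewers see.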

本实施例所述安全策略更新方法,接收终端发送的拦截数据;其中,所述拦截数据由终端将通过LSM获取的拦截信息按照预设策略进行处理而生成的;基于所述拦截数据生成相应的安全策略;并在所述安全策略通过审核后发送至终端,以由终端进行安全策略的更新;如此,能为多个用户同时更新安全策略,有效提高了安全策略更新的效率;同时,提升了安全策略的正确性和可靠性,提升了用户的使用体验。The method for updating the security policy in this embodiment receives the interception data sent by the terminal; wherein, the interception data is generated by the terminal by processing the interception information obtained through the LSM according to a preset strategy; and generating corresponding information based on the interception data security policy; and after the security policy is approved, it is sent to the terminal to update the security policy by the terminal; in this way, the security policy can be updated for multiple users at the same time, which effectively improves the efficiency of the security policy update; at the same time, the The correctness and reliability of the security policy improves the user experience.

Embodiment Three

FIG. 3 is a schematic structural diagram of a security policy update apparatus provided by the present invention, applied on the terminal side. As shown in FIG. 3, the security policy update apparatus includes:

an acquisition module 31, configured to acquire interception information of the LSM, where the interception information includes access data between a subject and an object;

a processing module 32, configured to process the interception information according to a preset policy and generate interception data;

a first sending module 33, configured to send the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to the terminal after it has passed review.

Preferably, the processing module 32 includes:

a sorting sub-module 321, configured to sort the interception information;

a first merging sub-module 322, configured to merge identical items of interception information into a single item.

Preferably, the processing module 32 further includes:

a determining sub-module 323, configured to determine the translation format of the interception information;

a translation sub-module 324, configured to translate the interception information into interception data according to the translation format;

where the interception information has the format <subject, object, access type, ..., content S>, and the interception data has the format <package name 1, package name 2, package name 3, ..., package name s>.

Preferably, the apparatus further includes:

a first receiving module 34, configured to receive a first security policy returned by the server side, where the first security policy is a security policy that has been reviewed and confirmed on the server side;

an integration module 35, configured to integrate the first security policy with the local security policy;

an update module 36, configured to complete the security policy update based on the integrated security policy.

In practice, the acquisition module 31, processing module 32, first sending module 33, first receiving module 34, integration module 35, update module 36 and the sub-modules of the processing module 32 may each be implemented by a central processing unit (CPU), microprocessor unit (MPU), digital signal processor (DSP) or field-programmable gate array (FPGA) in the security policy update apparatus or in the terminal to which the apparatus belongs.

The security policy update apparatus of this embodiment sends interception data to a server so that the server generates a corresponding security policy from it, and updates the local security policy according to the first security policy file returned by the server. This makes policy updating markedly more efficient; at the same time, the correctness and reliability of the security policy are improved, and with them the user experience.

Embodiment Four

FIG. 4 is a schematic structural diagram of another security policy update apparatus provided by the present invention, applied on the server side. As shown in FIG. 4, the security policy update apparatus includes:

a second receiving module 41, configured to receive interception data sent by a terminal, where the terminal generated the interception data by processing the interception information obtained through the LSM according to a preset policy;

a generating module 42, configured to generate a corresponding security policy based on the interception data;

a second sending module 43, configured to send the security policy to the terminal after it has passed review.

Preferably, the generating module 42 includes:

a statistics sub-module 421, configured to sort the received interception data and count the number of interceptions of each object;

a first generating sub-module 422, configured to generate a corresponding security policy statement from the interception data relating to an object when the number of intercepted accesses to that object is greater than or equal to a preset threshold.

Preferably, the generating module 42 further includes:

a second merging sub-module 423, configured to merge like terms among the security policy statements;

a second generating sub-module 424, configured to generate the corresponding security policy from the merged security policy statements.

Preferably, the apparatus further includes:

a review module 44, configured to have the security policy reviewed by auditors and fine-tuned when preset conditions are met;

correspondingly, the generating module 42 is further configured to produce a first security policy from the security policy confirmed by review.

In practice, the second receiving module 41, generating module 42, second sending module 43, review module 44 and the sub-modules of the generating module 42 may each be implemented by a CPU, MPU, DSP or FPGA in the security policy update apparatus or in the server to which the apparatus belongs.

The security policy update apparatus of this embodiment can update the security policies of many users at once, which makes policy updating markedly more efficient; at the same time, the correctness and reliability of the security policy are improved, and with them the user experience.

Embodiment Five

FIG. 5 is a schematic diagram of a security policy update system provided by the present invention. As shown in FIG. 5, the security policy update system includes a terminal and a server.

The terminal includes a first security policy update apparatus, which is located in a first client on the terminal.

Specifically, the structure of the first security policy update apparatus may be as shown in FIG. 3.

Specifically, the first security policy update apparatus is mainly responsible for: obtaining the interception information of the LSM; sorting the interception information and merging identical items into a single item; translating the interception information into interception data; and uploading the assembled interception data to the server.

Preferably, the first security policy update apparatus can use application programming interfaces (APIs) such as the Package Manager (PM) when obtaining the LSM interception information.

The server includes a second security policy update apparatus; specifically, its structure may be as shown in FIG. 4.

Specifically, the second security policy update apparatus is mainly responsible for: receiving and storing the interception data uploaded by each terminal; sorting and tallying all interception data; generating the relevant security policy from the sorted interception data according to preset rules; and distributing the generated security policy to each terminal after it has been reviewed and fine-tuned by auditors.

Specifically, generating the relevant security policy from the sorted interception data according to preset rules may include:

sorting the received interception data and counting the number of interceptions of each object;

if the number of intercepted accesses to the same object is greater than or equal to a preset threshold, generating a corresponding security policy statement from the interception data relating to that object.

Specifically, generating the relevant security policy from the sorted interception data according to preset rules may further include:

merging like terms among the security policy statements;

generating the corresponding security policy from the merged security policy statements.

Embodiment Six

FIG. 6 is a flowchart of one concrete implementation of the security policy update provided by the present invention. As shown in FIG. 6, the flow mainly includes:

Step 601: the first security policy update apparatus in the terminal client reads the interception information recorded by the SEAndroid LSM module;

where the interception information includes access data between a subject and an object.

The interception information has the format <subject, object, access type> and is stored in a **.txt file under the /data/data directory of the terminal system.

Step 602: the first security policy update apparatus sorts the interception information read by polling and merges identical items;

Step 603: through the PM interface and the corresponding APIs, the first security policy update apparatus reads out the package names of the subject and the object from their identity (ID) values;

Step 604: the first security policy update apparatus uploads the data assembled in step 603 to the server;

Step 605: the server receives and stores the data uploaded by the first security policy update apparatus of each terminal;

Step 606: the second security policy update apparatus on the server side sorts the received data and counts the number of interceptions of each object;

Step 607: if the number of intercepted accesses to the same object is greater than or equal to the preset threshold, a corresponding security policy statement is generated from the interception data relating to that object;

Step 608: the second security policy update apparatus merges like terms among the security policy statements generated in step 607 and hands the result to auditors for review and fine-tuning;

Step 609: the second security policy update apparatus distributes the approved security policy file to each terminal client, so that each client integrates the newly received security policy with the previously stored security policy file.

Specifically, each terminal can complete the policy update by rebooting.
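The terminal-side and server-side procedures of Embodiments Five and Six, worked through end to end in Python. This is an added example for illustration and is not code from the patent or its applicant. The <subject, object, access type> record follows the patent text and the `avc: denied` line syntax is the standard SELinux/SEAndroid denial format; the sample log lines, the upload record layout, the rule that takes the type out of a context string, and the threshold value of 3 are all constructed assumptions.

```python
"""Denial-to-policy pipeline in the shape Embodiments Five and Six describe.

Added example for illustration; not code from the patent or its applicant.
The record <subject, object, access type> follows the patent text; the
'avc: denied' log syntax is standard SELinux/SEAndroid; the sample log lines,
the upload record layout, the type-extraction rule and the threshold value
are all constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Fields of a standard AVC denial: the permission set in braces, then the
# subject context (scontext), object context (tcontext) and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denial(line):
    """One log line -> (subject, object, class, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    return (m.group("scontext"), m.group("tcontext"), m.group("tclass"), perms)


def terminal_collect(lines):
    """Terminal side (steps 601-602): parse the intercept log and merge identical
    records into one, keeping a count so the server still sees the frequency.
    The dict layout of the upload record is a constructed assumption."""
    counts = Counter(r for r in map(parse_denial, lines) if r is not None)
    return [
        {"subject": s, "object": o, "tclass": c, "perms": list(p), "count": n}
        for (s, o, c, p), n in counts.items()
    ]


def _type_of(context):
    """'u:r:untrusted_app:s0' -> 'untrusted_app'; assumes Android's
    user:role:type:level context layout."""
    return context.split(":")[2]


def server_generate(uploads, threshold):
    """Server side (steps 605-608, before human review):
    1. pool the uploads of all terminals and count denials per object;
    2. only objects denied at least `threshold` times yield statements;
    3. statements with the same subject, object and class are merged into
       one allow rule whose permission set is the union (merging like terms).
    Returns candidate SELinux allow statements, sorted, as plain strings."""
    per_object = Counter()
    for rec in uploads:
        per_object[rec["object"]] += rec["count"]

    merged = defaultdict(set)  # (subject, object, class) -> permission set
    for rec in uploads:
        if per_object[rec["object"]] >= threshold:
            merged[(rec["subject"], rec["object"], rec["tclass"])].update(rec["perms"])

    return sorted(
        "allow %s %s:%s { %s };" % (_type_of(s), _type_of(o), c, " ".join(sorted(p)))
        for (s, o, c), p in merged.items()
    )


# Constructed sample logs from two terminals; not captured from real devices.
_SDF = "scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0"
TERMINAL_A_LOG = [
    'type=1400 audit(0.0:101): avc: denied { read } for pid=4321 comm="example.app" name="hosts" ' + _SDF,
    'type=1400 audit(0.0:102): avc: denied { read } for pid=4321 comm="example.app" name="hosts" ' + _SDF,
    'type=1400 audit(0.0:103): avc: denied { write } for pid=4321 comm="example.app" name="cache" ' + _SDF,
    'type=1400 audit(0.0:104): avc: denied { connectto } for pid=4321 comm="example.app" '
    'path="/dev/socket/vold" scontext=u:r:untrusted_app:s0 tcontext=u:r:vold:s0 '
    'tclass=unix_stream_socket permissive=0',
    'init: starting service "zygote"...',  # not a denial; ignored by the parser
]
TERMINAL_B_LOG = [
    'type=1400 audit(0.0:201): avc: denied { read } for pid=987 comm="platform.app" name="hosts" '
    'scontext=u:r:platform_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'type=1400 audit(0.0:202): avc: denied { read } for pid=987 comm="platform.app" name="hosts" '
    'scontext=u:r:platform_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'type=1400 audit(0.0:203): avc: denied { open } for pid=4321 comm="example.app" name="hosts" ' + _SDF,
]


def demo(threshold=3):
    """Run both sides: system_data_file is denied 6 times across the two
    terminals and clears the threshold; the single vold socket denial does not."""
    uploads = terminal_collect(TERMINAL_A_LOG) + terminal_collect(TERMINAL_B_LOG)
    return server_generate(uploads, threshold)


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

The output is a list of candidate statements; nothing is loaded into a policy. Note what the threshold does and does not tell you: it treats frequency as evidence that an access is legitimate, so a denial that recurs because an app is misbehaving, or because many terminals report the same event, clears it just as readily as one caused by an over-tight policy. That is why the auditor review in step 608 is the real gate before a rule reaches any device, and why the generated rule should be read against the object it opens (here, a world of untrusted apps gaining write access to system_data_file) rather than accepted for its count alone.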

In the several embodiments provided by the present invention, it should be understood that the disclosed methods, apparatuses and electronic devices may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the couplings, direct couplings or communication connections between the components shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual need to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, or each unit may stand alone as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in hardware or in hardware plus software functional units.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.

Alternatively, if the integrated units of the embodiments of the present invention are implemented as software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, or the part of it that contributes over the prior art, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a removable storage device, ROM, RAM, magnetic disk or optical disc.

The above is only a specific embodiment of the present invention; the scope of protection of the present invention is not limited to it. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed herein, and all such changes fall within the scope of protection of the present invention. The scope of protection of the present invention should therefore be that of the claims.

Claims (16)

1. A security policy update method, characterized in that the method comprises:
   acquiring interception information of a Linux Security Module (LSM), the interception information comprising access data between a subject and an object;
   processing the interception information according to a preset policy and generating interception data;
   sending the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to a terminal after it has passed review.

2. The method according to claim 1, characterized in that processing the interception information according to a preset policy comprises:
   sorting the interception information;
   merging identical items of interception information into a single item.

3. The method according to claim 1, characterized in that generating interception data comprises:
   determining a translation format for the interception information;
   translating the interception information into interception data according to the translation format;
   wherein the interception information has the format <subject, object, access type, ..., content S>, and the interception data has the format <package name 1, package name 2, package name 3, ..., package name s>.

4. The method according to claim 1, characterized in that the method further comprises:
   receiving a first security policy returned by the server side, the first security policy being a security policy that has been reviewed and confirmed on the server side;
   integrating the first security policy with the local security policy;
   completing the security policy update based on the integrated security policy.

5. A security policy update method, applied on a server side, characterized in that the method comprises:
   receiving interception data sent by a terminal, the interception data having been generated by the terminal by processing interception information obtained through an LSM according to a preset policy;
   generating a corresponding security policy based on the interception data;
   sending the security policy to the terminal after it has passed review.

6. The method according to claim 5, characterized in that generating a corresponding security policy based on the interception data comprises:
   sorting the received interception data and counting the number of interceptions of each object;
   if the number of intercepted accesses to the same object is greater than or equal to a preset threshold, generating a corresponding security policy statement from the interception data relating to that object.

7. The method according to claim 6, characterized in that generating a corresponding security policy based on the interception data further comprises:
   merging like terms among the security policy statements;
   generating the corresponding security policy from the merged security policy statements.

8. The method according to claim 7, characterized in that the method further comprises:
   having the security policy reviewed by auditors and fine-tuned when preset conditions are met;
   producing a first security policy from the security policy confirmed by review.

9. A security policy update apparatus, characterized in that the apparatus comprises:
   an acquisition module, configured to acquire interception information of an LSM, the interception information comprising access data between a subject and an object;
   a processing module, configured to process the interception information according to a preset policy and generate interception data;
   a first sending module, configured to send the interception data to a server, so that the server generates a corresponding security policy based on the interception data and sends the security policy to a terminal after it has passed review.

10. The apparatus according to claim 9, characterized in that the processing module comprises:
    a sorting sub-module, configured to sort the interception information;
    a first merging sub-module, configured to merge identical items of interception information into a single item.

11. The apparatus according to claim 9, characterized in that the processing module further comprises:
    a determining sub-module, configured to determine a translation format for the interception information;
    a translation sub-module, configured to translate the interception information into interception data according to the translation format;
    wherein the interception information has the format <subject, object, access type, ..., content S>, and the interception data has the format <package name 1, package name 2, package name 3, ..., package name s>.

12. The apparatus according to claim 9, characterized in that the apparatus further comprises:
    a first receiving module, configured to receive a first security policy returned by the server side, the first security policy being a security policy that has been reviewed and confirmed on the server side;
    an integration module, configured to integrate the first security policy with the local security policy;
    an update module, configured to complete the security policy update based on the integrated security policy.

13. A security policy update apparatus, applied on a server side, characterized in that the apparatus comprises:
    a second receiving module, configured to receive interception data sent by a terminal, the interception data having been generated by the terminal by processing interception information obtained through an LSM according to a preset policy;
    a generating module, configured to generate a corresponding security policy based on the interception data;
    a second sending module, configured to send the security policy to the terminal after it has passed review.

14. The apparatus according to claim 13, characterized in that the generating module comprises:
    a statistics sub-module, configured to sort the received interception data and count the number of interceptions of each object;
    a first generating sub-module, configured to generate a corresponding security policy statement from the interception data relating to an object when the number of intercepted accesses to that object is greater than or equal to a preset threshold.

15. The apparatus according to claim 14, characterized in that the generating module further comprises:
    a second merging sub-module, configured to merge like terms among the security policy statements;
    a second generating sub-module, configured to generate the corresponding security policy from the merged security policy statements.

16. The apparatus according to claim 13, characterized in that the apparatus further comprises:
    a review module, configured to have the security policy reviewed by auditors and fine-tuned when preset conditions are met;
    correspondingly, the generating module is further configured to produce a first security policy from the security policy confirmed by review.
Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
RJ01  Rejection of invention patent application after publication

Application publication date: 2017-06-20
