SELinux policy optimization method based on knowledge base

An optimization method using knowledge base technology, applied in the field of information security. It addresses the problems that policy files are difficult and error-prone to write and maintain by hand and that harmful access can result, and it achieves the effect of improving access control capabilities, reducing writing and maintenance work, and improving security.

Pending Publication Date: 2022-02-18
HARBIN ENG UNIV

AI Technical Summary

Problems solved by technology

[0005] The purpose of the present invention is to solve the problem that existing SELinux policy files contain a large number of rules, that writing and maintaining policy files by hand is very difficult and error-prone, and incompl



Examples


Specific embodiment 1

[0028] Specific embodiment 1: the specific process of the knowledge-base-based SELinux policy optimization method in this embodiment is:

[0029] Step 1. Obtain data files from the SELinux system, such as the policy set, the audit log, the mapping between attributes and types, and the mapping between types and full file paths, and preprocess them to obtain the preprocessed policy set, audit log, attribute-to-type mapping, and type-to-full-file-path mapping;

[0030] Since the format of the data in the file cannot be directly used by subsequent algorithms, data preprocessing is required.

[0031] Step 2. Build a knowledge base based on Step 1;

[0032] Step 3. Classify the list o...

Specific embodiment 2

[0037] Specific embodiment 2: this embodiment differs from specific embodiment 1 in how step 1 preprocesses the obtained data files (the policy set, the audit log, the mapping between attributes and types, and the mapping between types and full file paths). The specific preprocessing process is:

[0038] Step 11, data cleaning;

[0039] Step 12, extracting the TE rules of the policy set based on step 11;

[0040] Step 13, processing the mapping relationship based on step 12;

[0041] Step 14: Generate an access pattern based on Step 13.

[0042] Other steps and parameters are the same as those in Embodiment 1.

Specific embodiment 3

[0043] Specific embodiment 3: this embodiment differs from specific embodiment 1 or 2 in the data cleaning of step 11. The specific process is:

[0044] The policy sets, audit logs, and mapping files exported directly from the SELinux system contain a large amount of data irrelevant to policy analysis and optimization. To eliminate the impact of this data on subsequent policy classification, data irrelevant to the algorithm is cleaned up: delete audit log entries with missing values; remove log entries whose type in the audit log is not the access vector cache (AVC) type (the AVC type indicates that the access vector cache rejected a system request); remove the type transition rules (type_transition) from the policy set (that is, the rules starting with type_transition, such as: type_transition user_t passwd_e...
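The data-cleaning step described in [0044], as an added example that is not code from the patent: it keeps only `type=AVC` audit entries with no missing values and drops `type_transition` rules from the policy set. The sample log lines and rules are constructed, and the set of fields treated as mandatory (`scontext`, `tcontext`, `tclass`, a non-empty permission set) and the record layout are assumptions.

```python
import re

# Constructed sample audit log (not from the patent): two AVC records, one of
# them missing tcontext, plus two non-AVC records.
AUDIT_LOG = """\
type=AVC msg=audit(1609459200.123:456): avc:  denied  { read write } for  pid=1234 comm="httpd" name="shadow" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1609459200.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1609459201.000:457): avc:  denied  { getattr } for  pid=1300 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tclass=dir permissive=0
type=USER_AUTH msg=audit(1609459202.000:458): pid=1400 uid=0 msg='op=PAM:authentication res=failed'
"""
# Constructed sample policy rules.
POLICY = """\
allow httpd_t httpd_log_t:file { append create };
type_transition init_t sshd_exec_t:process sshd_t;
allow sshd_t etc_t:dir { search getattr };
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def clean_audit_log(text):
    """Keep only type=AVC entries that have no missing values."""
    records = []
    for line in text.splitlines():
        head = re.match(r"type=(\S+)", line)
        if head is None or head.group(1) != "AVC":
            continue  # not an access vector cache record
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        avc = AVC_RE.search(line)
        if avc is None or not avc.group(2).split():
            continue  # no decision or empty permission set
        # A context is user:role:type[:level]; fewer parts means a missing value.
        ctxs = [fields.get(k, "").split(":") for k in ("scontext", "tcontext")]
        if any(len(c) < 3 for c in ctxs) or not fields.get("tclass"):
            continue  # assumed mandatory field missing: drop the entry
        records.append({
            "decision": avc.group(1),
            "perms": avc.group(2).split(),
            "source_type": ctxs[0][2],
            "target_type": ctxs[1][2],
            "tclass": fields["tclass"],
        })
    return records


def clean_policy(text):
    """Drop every rule that starts with type_transition."""
    rules = [r.strip() for r in text.splitlines() if r.strip()]
    return [r for r in rules if not r.startswith("type_transition")]
```
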


Abstract

The invention discloses a knowledge-base-based SELinux policy optimization method. The invention aims to solve the problem that existing SELinux policy files can cause low system security. The method comprises the following steps: 1, obtaining the preprocessed policy set, audit log, mapping between attributes and types, and mapping data file between types and full file paths; 2, constructing a knowledge base; 3, obtaining a classification result for the unknown access patterns; 4, converting each newly identified access pattern into the policy rule form of the SELinux system policy set and performing conflict detection against known access patterns or rules; when no conflict occurs, merging the newly identified access pattern into the database and executing step 3 again; and when a conflict occurs, resolving the conflict, merging the resolved newly identified access pattern into the database, and executing step 3 again. The method is applied to the technical field of information security.

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a knowledge-base-based SELinux policy optimization method.

Background

[0002] SELinux (Security-Enhanced Linux) is a security module integrated in the Linux kernel, which can be enabled or disabled as needed. It differs from the traditional DAC approach, in which a process theoretically has the same authority as the user who executes it. SELinux is a security model based on the MAC mandatory access mechanism; that is, a process's access to specific files is defined in the SELinux security policy library file. When a user runs a program to access file system resources, access is decided through the context of the system resource: the resource can only be accessed when the context of the process subject matches the context of the access object. It is suitable for Linux environments with high application service requirements, and can prevent hackers from destroying the oper...


Application Information

IPC(8): G06F21/57, G06K9/62
CPC: G06F21/577, G06F18/24143
Inventor: 李晋, 王世强, 王涵钰, 于爱民, 肖丽芳, 白玉, 程建华
Owner: HARBIN ENG UNIV