Method for securing model context protocol and electronic device
Configuration information for each MCP component is acquired across multiple security dimensions, and threat analysis results and hardening strategies are generated from it. Combined with component identification information and preset templates, security configuration scripts are generated automatically. This addresses the low efficiency of identifying security risks in MCP components and the poor effect of hardening them, achieving accurate adaptation and automated hardening.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Application (China)
- Current Assignee / Owner: INSPUR SUZHOU INTELLIGENT TECH CO LTD
- Filing Date: 2026-05-22
- Publication Date: 2026-06-19
AI Technical Summary
In existing technologies, the Model Context Protocol (MCP) component has low efficiency in identifying security risks and poor hardening effect, and cannot accurately formulate hardening solutions that match the security threats of each component.
Configuration information for each MCP component is acquired across multiple security dimensions, and from it threat analysis results and corresponding hardening strategies are generated for the component in each security dimension. A security requirement list is generated by combining these with the component's identification information, and security configuration scripts for the component are generated automatically from preset hardening templates.
It improves the efficiency of security risk identification for MCP components and the accuracy of hardening solutions, solving the problems of low security risk identification efficiency and poor hardening effect, and achieving the effects of accurate adaptation and automated hardening.
Abstract drawing: Figure CN122247773A_ABST
Description
Technical Field
[0001] This application relates to the field of artificial intelligence technology, and in particular to a method for security hardening of a model context protocol and to an electronic device.
Background Technology
[0002] With the rapid development of artificial intelligence technology, intelligent systems built on the Model Context Protocol (MCP) are widely used. While their multi-component architecture provides flexibility, it also brings significant security issues.
[0003] In related technologies, identifying and hardening security risks in the components of an MCP typically relies on experts who manually analyze configuration vulnerabilities, assess security threats, and deploy general security strategies. This approach is inefficient at identifying security risks and, because the general strategies are not matched to the specific threats of each component, its hardening effect is poor.
Summary of the Invention
[0004] This application provides a security hardening method and electronic device for Model Context Protocol (MCP) to at least solve the problems of low efficiency in identifying security risks of MCP components and poor hardening effect in related technologies.
[0005] This application provides a security hardening method for a model context protocol, including:
[0006] Obtain configuration information for each component of the model context protocol across multiple security dimensions;
[0007] For any component, based on the component's configuration information across multiple security dimensions, generate threat analysis results for the component in different security dimensions and corresponding hardening strategies.
[0008] Based on the component's identification information, the threat analysis results corresponding to the component in different security dimensions, and the hardening strategies corresponding to the threat analysis results, a security requirements list is generated.
[0009] Based on the security requirements list, obtain the preset hardening templates corresponding to each hardening strategy in the security requirements list;
[0010] Based on the preset hardening templates corresponding to each hardening strategy, generate security configuration script information for the components.
[0011] This application also provides an electronic device, including: a memory for storing a computer program; and a processor for implementing the security hardening method of any of the above-described model context protocols when executing the computer program.
[0012] This application obtains configuration information for each component of the Model Context Protocol (MCP) across multiple security dimensions. Based on this configuration information, it generates threat analysis results and corresponding hardening strategies for each component in different security dimensions. It then generates a security requirements list from the component's identification information, the threat analysis results, and the corresponding hardening strategies, obtains the preset hardening template for each hardening strategy in the list, and generates security configuration scripts for each component from those templates. This removes the need for manual expert intervention and achieves precise adaptation. It therefore addresses the technical problems of low security risk identification efficiency and poor hardening effectiveness caused by non-specific hardening solutions in related technologies, improving the efficiency of security risk identification for MCP components and the accuracy and effectiveness of hardening solutions.
Description of the Drawings
[0013] To more clearly illustrate the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0014] Figure 1 A schematic diagram of the architecture of a model context protocol provided for an embodiment of this application;
[0015] Figure 2 A flowchart illustrating a security hardening method for a model context protocol provided in this application embodiment;
[0016] Figure 3 A flowchart illustrating a method for generating a security requirements list provided in an embodiment of this application;
[0017] Figure 4 A flowchart illustrating a method for generating threat analysis results and corresponding hardening strategies, provided in an embodiment of this application;
[0018] Figure 5 A flowchart illustrating a method for generating security configuration script information for a component, provided in an embodiment of this application;
[0019] Figure 6 An interactive diagram of an MCP security hardening server provided in an embodiment of this application;
[0020] Figure 7 A schematic diagram of the security hardening device for the model context protocol provided in this application embodiment;
[0021] Figure 8 A schematic structural diagram of an electronic device provided by an embodiment of the present application.
Specific Embodiments
[0022] Next, the technical solutions in the embodiments of the present application will be clearly and completely described in conjunction with the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, rather than all the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative efforts belong to the protection scope of the present application.
[0023] In the description of the present application, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements not only includes those elements but also includes other elements not expressly listed, or further includes elements inherent to such process, method, article or device. The terms "first", "second", etc. in the present application are used to distinguish similar objects and not to describe a specific order or sequence.
[0024] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) involved in the present application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of relevant data need to comply with the relevant laws, regulations and standards of relevant countries and regions, and corresponding operation entrances are provided for the user to choose to authorize or refuse.
[0025] As the core bridge for the interaction between an artificial intelligence (AI) system and external tools, the security status of MCP directly affects the stable operation of the AI system. Once a security vulnerability appears, it will cause a serious impact on the entire system. The protocol itself has design defects in the implicit trust model and a weak permission control mechanism, which provides an opportunity for malicious intrusion. Means such as prompt injection can easily break through the protection, and then manipulate the AI behavior, ultimately leading to serious consequences such as data leakage and service interruption. In addition, MCP has the characteristic of cross-server linkage, which greatly expands the overall attack surface. After a low-privilege server is compromised, it is very likely to become a springboard for illegal access to a high-privilege system, triggering a chain of security risks.
[0026] The crucial role of MCP in AI system security further amplifies the impact of the aforementioned risks. As a universal calling interface for AI systems, MCP is widely used in various AI scenarios, making it a key target for security threats. With its deep integration with Retrieval-Augmented Generation (RAG) and multi-agent architectures, MCP extends security risks from single model servers to the entire interactive process, further expanding its scope. Therefore, without rigorous threat analysis and targeted protective measures for MCP, it is highly likely to become a core trigger for large-scale and significant information security incidents.
[0027] In related technologies, the identification and hardening of security risks for each component of MCP typically relies heavily on manual intervention by security experts. This process requires experts to thoroughly analyze the underlying configuration vulnerabilities of the components, investigate potential risks one by one, assess the possible security threats based on experience, and finally deploy general security strategies to complete the protection and hardening.
[0028] However, the above methods suffer from low efficiency in identifying security risks due to the multi-dimensional interactions involved in the MCP architecture and the time-consuming and labor-intensive nature of manual analysis. Furthermore, the lack of deep adaptation to component characteristics means that the deployed general strategies often fail to take into account the differences between components, making it impossible to accurately formulate differentiated hardening solutions for each component that match its specific security threats, resulting in poor component hardening effects.
[0029] Therefore, to address the problems in the aforementioned related technologies, this application proposes a security hardening method for Model Context Protocol (MCP). Specifically, it acquires the configuration information of each MCP component across multiple security dimensions, providing complete data support for subsequent analysis. For each component, based on its multi-security-dimensional configuration information, it generates threat analysis results and corresponding hardening strategies for each dimension, breaking the limitations of general strategies. Furthermore, by integrating component identification information, threat analysis results across dimensions, and corresponding hardening strategies, it generates a standardized security requirement list. Based on the security requirement list, it retrieves the preset hardening templates corresponding to each hardening strategy, and then generates dedicated security configuration scripts for each component based on the preset hardening templates. This achieves automated implementation of hardening measures, overcoming the problems in the aforementioned related technologies through full-process automation and precise adaptation.
[0030] To enable those skilled in the art to better understand the present application, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0031] The application environment on which the security hardening method for the model context protocol depends is described first. Figure 1 is a schematic diagram of the architecture of a model context protocol provided in an embodiment of this application.
[0032] As shown in Figure 1, the architecture of the Model Context Protocol includes multiple components: the host carrying the Model Context Protocol client, Model Context Protocol Server A (MCP Server A), MCP Server B, MCP Server C, local data source A, local data source B, and remote service C.
[0033] The host equipped with an MCP client establishes 1:1 connections with multiple lightweight MCP servers simultaneously via the MCP protocol. MCP Server A accesses local data source A and MCP Server B accesses local data source B to obtain local data. MCP Server C instead calls remote service C on the Internet through a Web Application Programming Interface (API) to obtain external data. After processing by each server, the results are returned to the client host via the MCP protocol and finally delivered to the upper-layer application or user. Through functional decoupling and a unified protocol, the architecture achieves parallel access to, and efficient interaction between, local and remote resources.
[0034] It is understood that the types and quantities of components in the above architecture are for illustrative purposes only and do not limit this application. The specific types and quantities can be determined based on the actual application.
[0035] Figure 2 is a flowchart of a security hardening method for a Model Context Protocol (MCP) provided in an embodiment of this application. The execution entity of this method can be an MCP security hardening device, which can be implemented as a computer program, as a medium storing that program (such as an optical disc), or as a physical device that integrates or installs the program, such as a server, server cluster, or smart terminal. The method may include the following steps:
[0036] S201. Obtain the configuration information of each component of the model context protocol in multiple security dimensions.
[0037] In this embodiment, the execution entity is illustrated using an MCP security hardening server as an example.
[0038] Before obtaining the configuration information of each component of the Model Context Protocol (MCP) across multiple security dimensions, the MCP security hardening server needs to determine the dependencies and communication paths between the components based on the architecture topology of the MCP. Based on the dependencies and communication paths, it constructs a security threat modeling graph of the MCP and then determines the components in the MCP that need to be hardened based on the security threat modeling graph.
[0039] By analyzing the model context protocol architecture topology, the complex dependencies and communication paths between components can be identified, thereby constructing an accurate security threat modeling graph and enabling a structured analysis of the overall system security posture. This allows for the accurate identification of core objects and critical nodes for security hardening, providing necessary scope definition and logical basis for subsequent targeted threat analysis and hardening strategy generation based on multi-dimensional configuration information, thus reducing the blind spots and omissions in hardening work.
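The following Python example is added here for illustration and is not part of the patent. It builds the threat modeling graph of [0038] from the communication paths of the Figure 1 topology and derives the hardening scope from it. The patent does not say how components are selected from the graph; the criterion used here, components lying on a path from an Internet-facing entry point to a local data source, ranked by how many such paths cross them, is an assumption, as are the node names and the classification of remote service C as the entry point and the local data sources as the assets.

```python
"""Hardening scope from an MCP topology (added example, not the patent's code).

Nodes and edges follow the Figure 1 description. The entry-point/asset
classification and the ranking rule are assumptions not stated in the patent.
"""
from collections import defaultdict

# Communication paths from the Figure 1 description. Edges are treated as
# undirected because every MCP request has a response flowing back.
TOPOLOGY = {
    "host_mcp_client": ["mcp_server_a", "mcp_server_b", "mcp_server_c"],
    "mcp_server_a": ["local_data_source_a"],
    "mcp_server_b": ["local_data_source_b"],
    "mcp_server_c": ["remote_service_c"],
}
# Assumption: the Internet-facing remote service is where an attacker enters,
# and the local data sources are what a chain of compromise is aimed at.
ENTRY_POINTS = {"remote_service_c"}
ASSETS = {"local_data_source_a", "local_data_source_b"}


def build_graph(topology):
    """Adjacency sets for the threat modeling graph."""
    graph = defaultdict(set)
    for node, peers in topology.items():
        for peer in peers:
            graph[node].add(peer)
            graph[peer].add(node)
    return graph


def simple_paths(graph, src, dst, path=()):
    """Enumerate loop-free paths src -> dst (the topology is small)."""
    path = path + (src,)
    if src == dst:
        yield path
        return
    for nxt in sorted(graph[src]):
        if nxt not in path:
            yield from simple_paths(graph, nxt, dst, path)


def hardening_scope(topology, entry_points, assets):
    """Components on at least one entry->asset path, ranked by how many such
    paths traverse them. A component on many paths is the springboard the
    background section warns about, so it is hardened first. The entry point
    and the asset themselves are excluded: the scripts generated later target
    the MCP components in between."""
    graph = build_graph(topology)
    hits = defaultdict(int)
    for entry in sorted(entry_points):
        for asset in sorted(assets):
            for path in simple_paths(graph, entry, asset):
                for node in path[1:-1]:
                    hits[node] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for component, n_paths in hardening_scope(TOPOLOGY, ENTRY_POINTS, ASSETS):
        print(f"{component:<20} on {n_paths} attack path(s)")
```

For the Figure 1 topology every path from remote service C to a local data source passes through MCP Server C and the host, so those two head the list; Servers A and B each appear on one path and follow.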
[0040] The MCP security hardening server uses a pre-defined security dimension list, which can cover multiple dimensions such as deployment, access, transmission, storage, and protection. By using security hardening agent plugins deployed on each component or by calling the standard configuration interface of the component, it collects raw data such as the native configuration files, runtime parameters, and environment variables of each component, thereby obtaining the configuration information of each component in multiple security dimensions.
[0041] Optionally, in this embodiment, the security dimensions include, but are not limited to: component deployment and scheduling, component access, component data transmission, component data storage, and component security protection dimensions.
[0042] Component deployment scheduling can include component deployment methods, resource constraint methods, file system types, and database types. Component access can include component access methods and access records. Component data transmission can include data transmission content, data transmission protocols, and data transmission mechanisms. Component data storage can include resource storage content, resource storage methods, and resource storage protocols. Component security protection can include component security vulnerabilities and resource storage security.
[0043] For details on the specific content of each security dimension, please refer to Tables 1-1, 1-2, and 1-3.
[0044] Table 1-1
[0045]
[0046] Table 1-2
[0047]
[0048] Table 1-3
[0049]
[0050] S202. For any component, based on the component's configuration information in multiple security dimensions, generate threat analysis results for the component in different security dimensions and hardening strategies corresponding to the threat analysis results.
[0051] The specific implementation process will be described in detail in the following embodiments. Please refer to the following embodiments.
[0052] Based on the multi-dimensional threat analysis results and corresponding hardening strategies generated in this step, this embodiment further constructs the MCP security threat knowledge base. This knowledge base systematically summarizes and archives the threat analysis results and suitable hardening solutions for various components. This knowledge base can be directly reused subsequently to provide a basis for threat assessment and hardening strategy matching for similar components, thereby improving the efficiency and consistency of overall security hardening.
[0053] S203. Generate a security requirements list based on the component's identification information, the threat analysis results corresponding to the component in different security dimensions, and the hardening strategies corresponding to the threat analysis results.
[0054] Figure 3 is a flowchart of a method for generating a security requirements list provided in an embodiment of this application; the method may include the following steps:
[0055] S301. Based on the component's identification information, establish the association between the identification information and each security dimension.
[0056] Using the unique identification information of the component, such as the component's identifier (ID), hostname, or Internet Protocol (IP) address as an index, a logical mapping table is constructed. All security dimensions collected by the component in S201 are uniformly attached to this identification information, establishing the association between the identification information and each security dimension, thereby establishing the attribution relationship between the component and the dimension.
[0057] S302. Based on this association, bind the threat analysis results and corresponding hardening strategies for each security dimension to the identification information to obtain an associated dataset.
[0058] Based on the established relationships in the above steps, the threat analysis results and matching hardening strategies generated in S202 are used as attribute values and filled into the nodes of the corresponding component identifiers and dimensions to obtain the associated dataset, thereby determining the complete associated dataset containing {threat analysis results-components-hardening strategies}.
[0059] By establishing the correlation between component identification information and various security dimensions, scattered threat analysis results and corresponding hardening strategies are precisely bound to specific components, forming a structured, correlated dataset. Based on this, the correlated dataset is standardized and arranged using a pre-defined list format, thereby generating a clear, standardized, and logically rigorous list of security requirements. This process effectively eliminates information silos between component identities and security policies, achieving an organic aggregation from discrete data to structured requirements.
[0060] S303. Using a preset list format, structure the associated datasets to generate a security requirements list.
[0061] Using a preset list format, such as comma-separated values (CSV) format which is easily processed by machines, the associated dataset is structured and outputs a structured security requirements list file for subsequent use.
[0062] S204. Based on the security requirements list, obtain the preset hardening templates corresponding to each hardening strategy in the security requirements list.
[0063] In this embodiment, a preset template library is pre-built. The standardized hardening templates in the template library are classified and archived according to the hardening scenarios corresponding to the security dimensions, and each template is bound to a unique policy identifier.
[0064] The MCP security hardening server parses the security requirement list obtained in the above steps and extracts the security dimension information of the target components and the identification information of the corresponding hardening strategies. Based on this security dimension information, it determines the classification path for template retrieval, and uses the identification information of the hardening strategies within this path to accurately match and retrieve the corresponding preset hardening templates.
[0065] S205. Based on the preset hardening templates corresponding to each hardening strategy, generate the security configuration script information of the component.
[0066] Then, the MCP security hardening server generates security configuration script information for each component based on the preset hardening templates corresponding to each hardening strategy.
[0067] In the above embodiments of this application, by obtaining the configuration information of each component of the Model Context Protocol (MCP) in multiple security dimensions, threat analysis results and corresponding hardening strategies for each component in different security dimensions are generated based on the configuration information of each component in multiple security dimensions. Furthermore, a security requirement list is generated based on the identification information of each component, the threat analysis results of each component in different security dimensions, and the corresponding hardening strategies. Then, based on the security requirement list, a preset hardening template corresponding to each hardening strategy in the security requirement list is obtained. Based on the preset hardening template corresponding to each hardening strategy, security configuration script information for each component is generated, eliminating the need for manual operation by experts and achieving accurate adaptation. Therefore, this addresses the technical problems of low security risk identification efficiency and poor hardening effect due to lack of specificity in hardening solutions in related technologies, achieving the technical effect of improving the security risk identification efficiency of MCP components and enhancing the accuracy and effectiveness of hardening solutions.
[0068] Furthermore, based on the above embodiments, the following embodiments illustrate the process of generating threat analysis results and corresponding hardening strategies for any component in different security dimensions, based on the component's configuration information in multiple security dimensions.
[0069] Figure 4 is a flowchart of a method for generating threat analysis results and corresponding hardening strategies provided in an embodiment of this application; the method may include the following steps:
[0070] S401. For any component, obtain the threat determination rules corresponding to each security dimension of the component.
[0071] The security dimension includes at least one of the following: component deployment and scheduling, component access, component data transmission, component data storage, and component security protection.
[0072] In this embodiment, a rule base is pre-set, in which different threat determination rules are set for each component and its corresponding security dimension. Therefore, for any component, the MCP security hardening server can obtain the threat determination rules corresponding to each security dimension of that component from the rule base based on the component's identification information.
[0073] S402. For any security dimension, identify the configuration information corresponding to the security dimension according to the threat determination rules corresponding to the security dimension, and determine the threat analysis results under the security dimension.
[0074] The MCP security hardening server iterates through each security dimension of the component. For any given security dimension, it uses the configuration information collected under that dimension as input and compares it one by one with the corresponding threat determination rules retrieved in S401. If the configuration information triggers the risk conditions in a rule, it generates a threat analysis result containing the threat type, risk level, and the specific violating parameters.
[0075] S403. Based on the threat analysis results under the security dimension, match them in the preset mapping relationship library to obtain the hardening strategy corresponding to the threat analysis results under the security dimension.
[0076] The mapping database stores the mapping relationship between threat analysis results and hardening strategies.
[0077] The MCP security hardening server uses the threat analysis results obtained in the above steps as retrieval keys to search in a preset key-value pair mapping database. The "value" in the mapping database represents the hardening strategy.
[0078] The MCP security hardening server determines the specific hardening strategy that can eliminate a threat based on the key-value pair correspondence between threat type and hardening strategy.
[0079] Alternatively, in addition to the above methods, this embodiment can also utilize a pre-trained model to generate threat analysis results and corresponding hardening strategies.
[0080] Specifically, for any component, its configuration information across multiple security dimensions is input into a pre-trained security analysis model, which directly outputs the threat analysis results for the component across different security dimensions along with the corresponding hardening strategies. The security analysis model is trained on historical security vulnerability data and attack/defense knowledge, and produces its output by reasoning over and recognizing patterns in the configuration information.
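The following Python example is added here for illustration and is not part of the patent. It implements the rule-based path of S401 to S403 and then produces the security requirements list of S301 to S303 from the same findings: each rule is scoped to one security dimension and emits a threat type, a risk level and the violating parameters; a key-value mapping library turns each threat type into a hardening strategy identifier; and the findings, already bound to the component identifier, are serialized as a CSV list. The sample configuration, the rules, the threat and strategy names and the column layout are constructed assumptions, since Tables 1 and 2 are not reproduced above.

```python
"""Rule-based threat determination, strategy mapping and requirements list
(added example; the rule base, mapping library and sample data are assumed)."""
import csv
import io
import json

# Constructed S201 output for one component; keys and values are assumptions.
SAMPLE_COMPONENT = {
    "component_id": "mcp_server_c",
    "dimensions": {
        "deployment": {"run_as": "root", "memory_limit_mb": None},
        "access": {"auth_mode": "none", "allowed_origins": ["*"]},
        "transmission": {"protocol": "http", "tls_min_version": None},
        "storage": {"secrets_at_rest": "plaintext"},
        "protection": {"known_cves": []},
    },
}

# Threat determination rules (S401), one tuple per rule, scoped to a dimension:
# (dimension, trigger predicate, threat type, risk level, violating parameters)
RULES = [
    ("deployment", lambda c: c.get("run_as") == "root",
     "privileged_process", "medium", lambda c: {"run_as": c["run_as"]}),
    ("deployment", lambda c: c.get("memory_limit_mb") is None,
     "no_resource_limit", "low", lambda c: {"memory_limit_mb": None}),
    ("access", lambda c: c.get("auth_mode") == "none",
     "unauthenticated_access", "high", lambda c: {"auth_mode": c["auth_mode"]}),
    ("access", lambda c: "*" in c.get("allowed_origins", []),
     "wildcard_origin", "medium", lambda c: {"allowed_origins": c["allowed_origins"]}),
    ("transmission", lambda c: c.get("protocol") == "http",
     "cleartext_transport", "high", lambda c: {"protocol": c["protocol"]}),
    ("storage", lambda c: c.get("secrets_at_rest") == "plaintext",
     "plaintext_secrets", "high", lambda c: {"secrets_at_rest": c["secrets_at_rest"]}),
    ("protection", lambda c: bool(c.get("known_cves")),
     "unpatched_vulnerability", "high", lambda c: {"known_cves": c["known_cves"]}),
]

# Mapping library (S403): threat type -> hardening strategy identifier.
STRATEGY_MAP = {
    "privileged_process": "STRAT-DROP-PRIVS",
    "no_resource_limit": "STRAT-CGROUP-LIMITS",
    "unauthenticated_access": "STRAT-AUTH-TOKEN",
    "wildcard_origin": "STRAT-ORIGIN-ALLOWLIST",
    "cleartext_transport": "STRAT-TLS-ENFORCE",
    "plaintext_secrets": "STRAT-SECRET-ENCRYPT",
    "unpatched_vulnerability": "STRAT-PATCH",
}


def analyze(component):
    """S401-S403: evaluate every rule of each dimension against that
    dimension's configuration and attach the mapped strategy."""
    findings = []
    for dimension, cfg in component["dimensions"].items():
        for rule_dim, trigger, threat_type, risk, params in RULES:
            if rule_dim == dimension and trigger(cfg):
                findings.append({
                    "component_id": component["component_id"],
                    "dimension": dimension,
                    "threat_type": threat_type,
                    "risk_level": risk,
                    "violation": params(cfg),
                    # A threat with no mapping must not silently vanish.
                    "strategy": STRATEGY_MAP.get(threat_type, "STRAT-MANUAL-REVIEW"),
                })
    return findings


COLUMNS = ["component_id", "dimension", "threat_type", "risk_level", "violation", "strategy"]


def requirements_csv(findings):
    """S301-S303: every finding is already bound to its component identifier;
    serialize the {threat - component - strategy} set in a fixed column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for f in sorted(findings, key=lambda f: (f["component_id"], f["dimension"], f["threat_type"])):
        writer.writerow({**f, "violation": json.dumps(f["violation"], sort_keys=True)})
    return buf.getvalue()


if __name__ == "__main__":
    print(requirements_csv(analyze(SAMPLE_COMPONENT)), end="")
```

The sample component trips six rules across four dimensions and none under protection, which shows that rules are evaluated per dimension and only the triggered ones become list entries. A threat type absent from the mapping library is written out with a placeholder strategy so the gap is visible in the list rather than dropped.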
[0081] For example, taking the MCP client as an example, the analysis content, threat analysis results, and corresponding hardening strategies for each security dimension are shown in Tables 2-1, 2-2, and 2-3.
[0082] Table 2-1
[0083]
[0084] Table 2-2
[0085]
[0086] Table 2-3
[0087]
[0088] It is understood that the above examples are for illustrative purposes only and do not limit this application.
[0089] In the above embodiments of this application, a multi-dimensional threat determination rule system covering component deployment, access, transmission, storage and protection is constructed, and a preset mapping relationship library achieves automated and accurate matching from threat analysis results to hardening strategies. This effectively solves the problems of single-dimensional hardening solutions, weak targeting and reliance on human experience in related technologies, and significantly improves the comprehensiveness and efficiency of threat identification.
[0090] Furthermore, based on any of the above embodiments, the following embodiments illustrate the process of generating security configuration script information for components based on the preset hardening templates corresponding to each hardening strategy.
[0091] Please see Figure 5 , Figure 5 A flowchart illustrating a method for generating security configuration script information for a component, provided in an embodiment of this application, may include the following steps:
[0092] S501. For any hardening strategy, call the preset hardening template corresponding to the hardening strategy.
[0093] For any hardening strategy, the MCP security hardening server calls the preset hardening template corresponding to that strategy.
[0094] S502. Based on the content of the preset hardening template, obtain the parameter information required by the preset hardening template.
[0095] This step is explained with reference to Figure 6, an interaction diagram of an MCP security hardening server provided in an embodiment of this application. As shown in Figure 6, the MCP security hardening server sends parameter query commands to the security hardening agent plugins of each component to obtain the required parameter information.
[0096] Specifically, based on the content of the preset hardening template, the MCP security hardening server sends a parameter query command to the component's security hardening agent plugin. The security hardening agent plugin uses this command to collect the environmental parameters of the component.
[0097] After collecting the component's environmental parameters, the security hardening agent plugin sends them to the MCP security hardening server. The MCP security hardening server receives the environmental parameters collected in response to the parameter query command and extracts from them the parameter information required by the preset hardening template.
[0098] By using a security hardening agent plugin to obtain the component's actual environmental parameters in real time and upload them to the MCP security hardening server, the server can accurately identify and extract the specific parameter information required by the preset hardening template from a large amount of environmental data. This reduces the tedium and error of manual parameter configuration and ensures that the hardening script generated afterwards matches the component's actual operating environment.
[0099] S503. Substitute the obtained parameter information into the preset reinforcement template for instantiation processing to generate the component's security configuration script information.
[0100] One possible approach is to standardize the parameter information to obtain standardized parameter information.
[0101] Specifically, the MCP security hardening server performs operations such as cleaning and format conversion on the parameter information, corrects parameters that do not meet the input requirements of the hardening template, and obtains standardized parameter information.
[0102] Based on the parameter definitions and placeholder distribution of the preset hardening template, the standardized parameter information is filled into the corresponding placeholders to obtain the filled hardening template.
[0103] Specifically, the MCP security hardening server parses the preset hardening template, clarifies the parameter definitions and placeholder distribution within the template, establishes a mapping relationship between standardized parameter key names and template placeholders, and batch replaces the corresponding placeholders in the template with standardized parameter values according to the mapping relationship, outputting a hardening template with component-specific parameters.
[0104] Verify whether any unfilled placeholders remain in the filled hardening template and obtain the verification result. If the verification result indicates that unfilled placeholders remain, return to the step of sending a parameter query command to the component's security hardening proxy plugin based on the content of the preset hardening template.
[0105] Verification promptly identifies unfilled placeholders in the template, reducing the likelihood that subsequent script compilation fails or hardening operations behave abnormally because a critical parameter is missing. At the same time, by returning to the query step, a parameter query command is resent to the security hardening proxy plugin so that the missing parameter information is completed dynamically from the component's actual runtime environment rather than with default or null values. This ensures that the final hardening script accurately adapts to the specific configuration of the target component, guaranteeing the accuracy and effectiveness of the hardening strategy.
[0106] Then, the filled hardening template is instantiated, compiled and transformed to generate the component's security configuration script information.
[0107] Specifically, based on the instantiation, compilation and conversion rules preset in the hardening template, the MCP security hardening server calls the corresponding compilation/conversion tools to perform syntax verification, format conversion and environment adaptation on the filled hardening template, transforming the template's abstract syntax into executable syntax that meets the requirements of the component's runtime environment, and finally generating security configuration script information specific to the component.
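The query, standardize, fill, verify and re-query loop of steps S502 and S503, as an added example that is not part of the patent; the template text, parameter names, type definitions and the stand-in proxy plugin interface are all assumptions constructed for illustration.

```python
"""Added example (not the patent's own code): templated hardening-script
generation with placeholder filling, verification of unfilled placeholders
and re-query of the security hardening proxy plugin (steps S502/S503).
Template, parameter keys and the plugin interface are assumptions."""
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# Constructed preset hardening template for a hypothetical "restrict the
# MCP server transport listener" strategy; placeholders have the form {{name}}.
TEMPLATE = """\
# hardening: restrict {{component_id}} transport listener
bind_address={{bind_address}}
port={{port}}
tls_enabled={{tls_enabled}}
allowed_clients={{allowed_clients}}
"""

# Constructed parameter definitions: the input type each placeholder expects.
PARAM_DEFS = {"component_id": str, "bind_address": str, "port": int,
              "tls_enabled": bool, "allowed_clients": list}


def required_parameters(template):
    """S502: derive the parameter names the template needs from its placeholders."""
    return sorted(set(PLACEHOLDER.findall(template)))


def standardize(raw, defs):
    """S503, first step: clean and convert raw environmental parameters into
    the form the template expects. Unknown keys and empty values are dropped,
    never defaulted, so a missing value shows up as an unfilled placeholder."""
    out = {}
    for key, value in raw.items():
        if key not in defs or value in (None, ""):
            continue
        kind = defs[key]
        if kind is bool:
            out[key] = "true" if str(value).strip().lower() in ("1", "true", "yes", "on") else "false"
        elif kind is int:
            out[key] = str(int(str(value).strip()))
        elif kind is list:
            items = value if isinstance(value, list) else str(value).split(",")
            out[key] = ",".join(i.strip() for i in items if i.strip())
        else:
            out[key] = str(value).strip()
    return out


def fill(template, params):
    """S503, second step: substitute known parameters; unknown placeholders are
    left untouched so the verification step can detect them."""
    return PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), template)


def unfilled(filled):
    """Verification: placeholder names still present after filling."""
    return sorted(set(PLACEHOLDER.findall(filled)))


class FakeProxyPlugin:
    """Constructed stand-in for the component's security hardening proxy plugin.
    It answers parameter queries from a fixed environment and withholds `port`
    on the first query, to exercise the re-query path of the verification step."""
    def __init__(self, env):
        self.env = env
        self.queries = 0

    def query(self, names):
        self.queries += 1
        if self.queries == 1:
            return {n: self.env.get(n) for n in names if n != "port"}
        return {n: self.env.get(n) for n in names}


def generate_script(template, plugin, max_rounds=3):
    """Query only the parameters still missing, standardize, fill, verify, and
    re-query until no placeholder remains or the round limit is hit."""
    params = {}
    filled = template
    for _ in range(max_rounds):
        missing = [n for n in required_parameters(template) if n not in params]
        params.update(standardize(plugin.query(missing), PARAM_DEFS))
        filled = fill(template, params)
        if not unfilled(filled):
            return filled
    raise ValueError(f"unfilled placeholders after {max_rounds} queries: {unfilled(filled)}")
```

`generate_script` returns the filled template only when verification passes; the compile/convert step of S503 would take that text as its input.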
[0108] Optionally, the security configuration script information may include security configuration script commands and command parameters.
[0109] For example, the security configuration script information generated based on the hardening template is shown in Tables 3-1, 3-2, 3-3, 3-4, 3-5, 3-6, 3-7, and 3-8:
[0110]-[0125] Tables 3-1 through 3-8 (the table contents are not reproduced in this text).
[0126] After generating the security configuration script information for the component, the security configuration script information is sent to the component's security hardening proxy plugin, so that the security hardening proxy plugin can perform component hardening processing based on the security configuration script information.
[0127] The MCP security hardening server sends the security configuration script to the security hardening proxy plugin deployed on the target host over an encrypted communication channel. Upon receiving the script, the proxy plugin parses it locally and executes it as a user with the appropriate permissions, modifying the component's configuration files or runtime parameters. After execution, the proxy plugin collects the execution status and output logs and sends them back to the MCP security hardening server for status updates.
[0128] By automatically generating security configuration scripts adapted to the component type and distributing them to dedicated security hardening proxy plugins for execution, intelligent component security hardening is achieved. This reduces the risk of oversights and misoperations in manual configuration and improves the efficiency and security of hardening operations.
[0129] In the above embodiments of this application, a dedicated preset hardening template is matched to each hardening strategy; the corresponding template is first called and the required parameter information extracted, and the parameters are then substituted into the template to complete instantiation and generate the component's security configuration script, so that security configuration scripts are generated intelligently. This not only reduces the repetitive work of writing scripts from scratch for each hardening strategy, improving script generation efficiency, but also ensures through templated parameter substitution that the script content strictly conforms to the requirements of the hardening strategy, reducing the error rate of manually written scripts and improving the consistency and reliability of component security hardening.
[0130] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods according to the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method.
[0131] Figure 7 is a schematic diagram of the security hardening device for the model context protocol provided in an embodiment of this application. As shown in Figure 7, it includes:
[0132] The acquisition module is used to obtain configuration information of each component of the model context protocol in multiple security dimensions.
[0133] The generation module is used to generate threat analysis results for any component in different security dimensions, as well as corresponding hardening strategies, based on the component's configuration information in multiple security dimensions.
[0134] The generation module is also used to generate a security requirements list based on the component's identification information, the threat analysis results corresponding to the component in different security dimensions, and the hardening strategies corresponding to the threat analysis results.
[0135] The acquisition module is also used to obtain the preset hardening template corresponding to each hardening strategy in the security requirements list.
[0136] The generation module is also used to generate the component's security configuration script information based on the preset hardening template corresponding to each hardening strategy.
[0137] In one possible implementation, the generation module is specifically used for:
[0138] For any component, obtain the threat determination rules corresponding to each security dimension of the component. The security dimensions include at least one of the following: component deployment and scheduling, component access, component data transmission, component data storage, and component security protection.
[0139] For any security dimension, the configuration information corresponding to the security dimension is identified according to the threat determination rules corresponding to the security dimension, and the threat analysis results under the security dimension are determined.
[0140] Based on the threat analysis results under the security dimension, a matching is performed in a pre-set mapping relationship library to obtain the hardening strategy corresponding to the threat analysis results under the security dimension. The mapping relationship library stores the mapping relationship between threat analysis results and hardening strategies.
[0141] In one possible implementation, the generation module is specifically used for:
[0142] Based on the component's identification information, establish the association between the identification information and each security dimension.
[0143] Based on the association relationship, the threat analysis results and corresponding hardening strategies for each security dimension are bound to the identification information to obtain the associated dataset.
[0144] Using a pre-defined list format, the associated datasets are structured and arranged to generate a security requirements list.
[0145] In one possible implementation, the generation module is specifically used for:
[0146] For any hardening strategy, the corresponding preset hardening template is invoked.
[0147] Based on the content of the preset hardening template, obtain the parameter information required by the preset hardening template.
[0148] The obtained parameter information is substituted into the preset hardening template for instantiation, generating the component's security configuration script information.
[0149] In one possible implementation, the acquisition module is specifically used for:
[0150] Based on the content of the preset hardening template, a parameter query command is sent to the component's security hardening proxy plugin. The parameter query command is used by the security hardening proxy plugin to collect the environmental parameters of the component it is deployed with.
[0151] Receive the environmental parameters collected by the security hardening proxy plugin in response to the parameter query command.
[0152] Obtain the parameter information required by the preset hardening template from the environmental parameters.
[0153] In one possible implementation, the generation module is specifically used for:
[0154] The parameter information is standardized to obtain the standardized parameter information.
[0155] Based on the parameter definitions and placeholder distribution of the preset hardening template, the standardized parameter information is filled into the corresponding placeholders to obtain the filled hardening template.
[0156] The filled hardening template is instantiated, compiled and transformed to generate the component's security configuration script information.
[0157] In one possible implementation, before the filled hardening template is instantiated, compiled and transformed to generate the component's security configuration script information, the generation module is further used for:
[0158] Verify whether any unfilled placeholders remain in the filled hardening template, and obtain the verification result.
[0159] If the verification result indicates the presence of unfilled placeholders, return to the step of sending a parameter query command to the component's security hardening proxy plugin based on the content of the preset hardening template.
[0160] In one possible implementation, after generating the component's security configuration script information, the generation module is further used for:
[0161] The security configuration script information is sent to the component's security hardening proxy plugin, so that the security hardening proxy plugin can perform component hardening processing based on the security configuration script information.
[0162] In one possible implementation, before obtaining the configuration information of each component of the model context protocol across multiple security dimensions, the generation module is further used for:
[0163] Based on the architectural topology of the model context protocol, determine the dependencies and communication paths between components.
[0164] Based on dependencies and communication paths, construct a security threat modeling graph for the model context protocol.
[0165] Based on the security threat modeling graph, the components in the model context protocol that need to be hardened are identified.
[0166] For a description of the features in the embodiment corresponding to the security hardening device of the model context protocol, please refer to the relevant description of the embodiment corresponding to the security hardening method of the model context protocol, which will not be repeated here.
[0167] Figure 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. As shown in Figure 8, the electronic device provided in this embodiment includes at least one processor and a memory. Optionally, the electronic device further includes a communication component. The processor, memory, and communication component are connected via a bus.
[0168] In a specific implementation, at least one processor executes computer execution instructions stored in memory, causing at least one processor to execute the security hardening method embodiment of the above-described model context protocol.
[0169] The specific implementation process of the processor can be found in the above method embodiments, and its implementation principle and technical effect are similar, so it will not be repeated here.
[0170] In the above embodiments, it should be understood that the processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in the application can be directly manifested as being executed by a hardware processor, or executed by a combination of hardware and software modules within the processor.
[0171] The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk storage device.
[0172] The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, the buses shown in the accompanying drawings are not limited to a single bus or a single type of bus.
[0173] Embodiments of this application also provide a computer-readable storage medium storing a computer program configured to execute the steps in any of the above-described security hardening method embodiments of the model context protocol at runtime.
[0174] In one exemplary embodiment, the aforementioned computer-readable storage medium may include, but is not limited to, various media capable of storing computer programs, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.
[0175] Embodiments of this application also provide a computer program product, which includes a computer program that, when executed by a processor, implements the steps in any of the above-described security hardening methods for model context protocols.
[0176] Embodiments of this application also provide another computer program product, including a non-volatile computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps in any of the above-described security hardening methods for model context protocols.
[0177] Any of the components, modules, units, parts, methods, and operations described herein can be implemented using software, firmware, hardware (e.g., fixed logic circuitry), manual processing, or any combination thereof. Alternatively or additionally, any functionality described herein can be executed at least in part by one or more hardware logic components, such as, but not limited to, a central processing unit (CPU), a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), an application-specific standard product (ASSP), a system-on-a-chip (SoC), a complex programmable logic device (CPLD), a microprocessor (MCU), etc. The terms "system," "computing device," or "apparatus" as used herein encompass various means, devices, and machines for processing data, including, for example, one or more programmable processors, computers, SoCs, or combinations thereof. The apparatus may also include code that creates an execution environment for the computer program in question, such as code constituting processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or one or more combinations thereof. The aforementioned computer program (also known as a program, software, software application, app, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages, and can be deployed in any form, including as a standalone program or as a module, component, subroutine, object, or other unit suitable for a computing environment.
[0178] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0179] The foregoing has provided a detailed description of a security hardening method and electronic device for a model context protocol provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the embodiments above are merely for the purpose of helping to understand the method and its core ideas. It should be noted that those skilled in the art can make various improvements and modifications to this application without departing from its principles, and these improvements and modifications also fall within the protection scope of the claims of this application.
Claims
1. A method of securing a model context protocol, the method comprising: obtaining configuration information of each component of a model context protocol in multiple security dimensions; for any component, generating threat analysis results corresponding to different security dimensions of the component and hardening strategies corresponding to the threat analysis results according to the configuration information of the component in the multiple security dimensions; generating a security requirement list according to the identification information of the component, the threat analysis results corresponding to different security dimensions of the component and the hardening strategies corresponding to the threat analysis results; obtaining a preset hardening template corresponding to each hardening strategy in the security requirement list; and generating security configuration script information of the component based on the preset hardening template corresponding to each hardening strategy.
2. The method of claim 1, wherein the method comprises: for any component, obtaining threat judgment rules corresponding to each security dimension of the component, wherein the security dimensions include at least one of component deployment scheduling, component access, component data transmission, component data storage and component security protection; for any security dimension, identifying the configuration information corresponding to the security dimension according to the threat judgment rules corresponding to the security dimension to determine the threat analysis results under the security dimension; and based on the threat analysis results under the security dimension, matching in a preset mapping relationship library to obtain the hardening strategies corresponding to the threat analysis results under the security dimension, wherein the mapping relationship library stores the mapping relationship between threat analysis results and hardening strategies.
3. The method of claim 1, wherein the method comprises: establishing an association relationship between the identification information of the component and each security dimension according to the identification information of the component; based on the association relationship, binding the threat analysis results corresponding to each security dimension and the corresponding hardening strategies with the identification information to obtain an association data set; and structuring the association data set in a preset list format to generate the security requirement list.
4. The method of claim 1, wherein the method comprises: for any hardening strategy, calling the preset hardening template corresponding to the hardening strategy; obtaining parameter information required by the preset hardening template according to the content of the preset hardening template; and substituting the obtained parameter information into the preset hardening template for instantiation processing to generate the security configuration script information of the component.
5. The method of claim 4, wherein the method comprises: according to the content of the preset hardening template, sending a parameter query command to a security hardening proxy plugin of the component, wherein the parameter query command is used by the security hardening proxy plugin to collect environmental parameters of the component; receiving the environmental parameters collected by the security hardening proxy plugin in response to the parameter query command; and obtaining the parameter information required by the preset hardening template from the environmental parameters.
6. The method of claim 4, wherein the step of substituting the obtained parameter information into the preset hardening template for instantiation to generate the security configuration script information of the component includes: standardizing the parameter information to obtain standardized parameter information; based on the parameter definitions and placeholder distribution of the preset hardening template, filling the standardized parameter information into the corresponding placeholders to obtain the filled hardening template; and instantiating and compiling the filled hardening template to generate the security configuration script information of the component.
7. The method of claim 6, wherein, before performing instantiation, compilation and transformation on the filled hardening template to generate the security configuration script information of the component, the method further includes: verifying whether any unfilled placeholders remain in the filled hardening template, and obtaining the verification result; and if the verification result indicates the presence of an unfilled placeholder, returning to the step of sending a parameter query command to the security hardening proxy plugin of the component based on the content of the preset hardening template.
8. The method of claim 1, wherein, after generating the security configuration script information of the component, the method further includes: sending the security configuration script information to the security hardening proxy plugin of the component, so that the security hardening proxy plugin performs component hardening processing according to the security configuration script information.
9. The method of claim 1, wherein, before obtaining the configuration information of each component of the model context protocol in multiple security dimensions, the method further includes: determining the dependencies and communication paths between components based on the architectural topology of the model context protocol; constructing the security threat modeling graph of the model context protocol based on the dependencies and communication paths; and identifying, based on the security threat modeling graph, the components in the model context protocol that need to be hardened.
10. An electronic device, comprising: a memory for storing a computer program; and a processor configured to implement the steps of the security hardening method for the model context protocol as described in any one of claims 1 to 9 when executing the computer program.