Method and device for testing password security of cloud platform access of power monitoring system
By constructing a time-weighted permission coupling evolution structure and system evolution factors, a permission-time joint security test signal is generated, which solves the problem of inaccurate password security assessment in the power monitoring system cloud platform and realizes accurate identification and management of high-risk passwords.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA ELECTRIC POWER RESEARCH INSTITUTE CO LTD
- Filing Date
- 2026-02-10
- Publication Date
- 2026-06-23
Description
Technical Field
[0001] This application relates to the field of password security testing technology, and specifically to a method and apparatus for testing the security of access passwords for the cloud platform of a power monitoring system.
Background Technology
[0002] As a crucial core for operation and maintenance management in the power industry, the security of access passwords for power monitoring system cloud platforms directly impacts the stable operation and data security of the power system. With the extended lifecycle of power monitoring systems and the increasing demand for cross-system collaboration, cloud platforms commonly employ multi-role, multi-level permission management models, and configurations such as permission inheritance, temporary authorization, and implicit interface extensions have become standard practice.
[0003] Currently, access password security faces two hidden risks: on the one hand, the coupling of permissions means that once a compliant, complex password is breached, the resulting risk is amplified exponentially; on the other hand, during long-term system operation, evolutionary factors such as fine-tuning of authentication policies, expansion of the open interface scope, and changes in computing resource configuration gradually degrade the security of passwords that were originally secure, so the security margin keeps shrinking.
[0004] Existing password security testing methods mostly focus on the complexity or reuse of the password itself and employ static, instantaneous evaluation logic. They fail to account for the amplifying effect of permission coupling structures on password risk, ignore the cumulative impact of system evolution on password security, and do not identify the coupling between the two. As a result, implicit high-risk passwords within specific roles and time windows are hard to identify accurately, and the power industry's dual requirements of high system reliability and high security cannot be met. There is therefore an urgent need for an access password security testing scheme that simultaneously perceives permission coupling relationships and the system evolution process.
Summary of the Invention
[0005] The purpose of this application is to provide a method and apparatus for testing the security of cloud platform access passwords in a power monitoring system, so as to solve the problems mentioned in the background art.
[0006] According to one aspect of this application, a method for testing the security of access passwords for a cloud platform of a power monitoring system is provided, comprising the following steps:
[0007] Obtain access password records, extract the password metadata corresponding to each access password and its bound role information, and generate a password-role mapping table; the password metadata includes at least password length, character set type, hash algorithm type, setting time, and most recent change time;
[0008] Based on permission configuration data, a permission coupling structure is constructed with roles and interfaces as nodes and permission relationships as directed edges;
[0009] Obtain historical change records of each permission relationship in the permission coupling structure, and add time weights to each directed edge based on the historical change records to obtain a permission coupling evolution structure with time weights; the time weights are positively correlated with the change frequency of the corresponding permission relationships.
[0010] The system evolution factor data generated during the operation of the cloud platform is collected, and the system evolution factor data is normalized into security erosion parameters to form a system evolution factor set; the system evolution factor data includes at least the history of authentication failure policy changes, login rate limiting threshold adjustment records, and interface access policy change records;
[0011] Starting with the access password in the password-role mapping table, and based on the time-weighted permission coupling evolution structure and the system evolution factor set, a permission-aware security degradation model is constructed. This includes traversing a path in the permission coupling evolution structure, starting with the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of the traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weight of the directed edge.
[0012] Based on the degradation amplification coefficients of each path output by the permission-aware security degradation model, a permission-time joint security test signal is generated; the permission-time joint security test signal contains at least a comprehensive risk value.
[0013] The overall risk value is compared with a preset security threshold to determine the security status of the corresponding access password.
[0014] Preferably, the permission configuration data includes role permission configuration data, interface call relationship data, and temporary authorization records; the permission relationships include permission inheritance relationships, interface call relationships, and authorization relationships.
[0015] Preferably, a time weight is added to each directed edge based on historical change records. Specifically, the number of times the permission relationship changes within a preset time period is counted, and the time weight is calculated based on the number of changes. The more changes there are, the greater the time weight.
[0016] Preferably, the system evolution factor data is normalized into security erosion parameters. Specifically, for each type of system evolution factor data, it is converted into initial erosion parameters according to a preset conversion rule, and then the initial erosion parameters are normalized so that all security erosion parameters are within the same numerical range.
[0017] Preferably, relevant security erosion parameters are superimposed on the nodes of the traversal path. Specifically, according to the type of the node, the security erosion parameters of the corresponding type are selected from the system evolution factor set and weighted and summed. The node types include role nodes, interface nodes, and system subdomain nodes.
[0018] Preferably, calculating the degradation amplification coefficient corresponding to the path specifically includes: multiplying the time weights of all directed edges on the traversal path to obtain the overall path weight; accumulating the superimposed security erosion parameters of all nodes on the traversal path; and combining the result with the path length coefficient to calculate the degradation amplification coefficient.
[0019] Preferably, generating a permission-time joint security test signal specifically includes: calculating the permission path risk value based on the degradation amplification coefficient of each path, counting the number of high-risk paths and the average degradation amplification coefficient; predicting the evolution trend within a future time window based on the time series of the system evolution factor data, and calculating the time degradation trend value; and weighting and fusing the permission path risk value, the time degradation trend value, the node sensitivity weighted value, and the historical pattern matching similarity to obtain the comprehensive risk value.
[0020] Preferably, the preset security thresholds include a security threshold, a warning threshold, and a high-risk threshold; the determination of the security status of the corresponding access password specifically involves: if the comprehensive risk value is less than or equal to the security threshold, it is determined to be a secure state; if the comprehensive risk value is greater than the security threshold and less than or equal to the warning threshold, it is determined to be a warning state; if the comprehensive risk value is greater than the warning threshold, it is determined to be a high-risk state.
[0021] In another aspect, this application also provides a cloud platform access password security testing device for a power monitoring system, comprising:
[0022] The password-role mapping table generation module is used to obtain access password records, extract the password metadata corresponding to each access password and its bound role information, and generate a password-role mapping table; the password metadata includes at least password length, character set type, hash algorithm type, setting time, and last change time;
[0023] The permission coupling structure construction module is used to build a permission coupling structure based on permission configuration data, with roles and interfaces as nodes and permission relationships as directed edges.
[0024] The permission coupling evolution structure generation module is used to obtain historical change records of each permission relationship in the permission coupling structure, and add time weights to each directed edge based on the historical change records to obtain a permission coupling evolution structure with time weights; the time weights are positively correlated with the change frequency of the corresponding permission relationships.
[0025] The system evolution factor set generation module is used to collect system evolution factor data generated by the cloud platform during operation, normalize the system evolution factor data into security erosion parameters, and form a system evolution factor set; the system evolution factor data includes at least the authentication failure policy change history, login rate limiting threshold adjustment record, and interface access policy change record;
[0026] The security degradation model construction module is used to construct a permission-aware security degradation model based on the access password in the password-role mapping table, the permission coupling evolution structure with time weights, and the system evolution factor set. The module includes traversing a path in the permission coupling evolution structure starting from the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of the traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weights of the directed edges.
[0027] The security test signal generation module is used to generate a permission-time joint security test signal based on the degradation amplification coefficients of each path output by the permission-aware security degradation model; the permission-time joint security test signal includes at least a comprehensive risk value.
[0028] The security status determination module is used to compare the comprehensive risk value with a preset security threshold to determine the security status of the corresponding access password.
[0029] In another aspect, this application also provides an electronic device comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the cloud platform access password security testing method for the power monitoring system as described above.
[0030] In another aspect, this application provides a storage medium storing computer program instructions that can be executed by a processor to implement the cloud platform access password security testing method for the power monitoring system as described above.
[0031] Another aspect of this application provides a computer program product, including a computer program that, when executed by a processor, implements the cloud platform access password security testing method for a power monitoring system as described above.
[0032] This application achieves accurate testing of the access password security of a power monitoring system cloud platform by acquiring access password and role information, constructing a time-weighted permission coupling evolution structure, collecting normalized system evolution factors, constructing a permission-aware security degradation model, generating permission-time joint security test signals, and determining the security status. This method can simultaneously perceive the permission coupling structure and the system evolution process, overcoming the shortcomings of static and instantaneous assessments in existing technologies. It can accurately identify high-risk passwords for specific roles within specific time windows without launching real attacks, changing the existing permission model, or affecting normal system operation, and clearly define the sources and evolution trends of risks. This provides a scientific basis for cloud platform security management, meets the power industry's dual requirements for high reliability and high security, and effectively improves the password security protection capabilities of the power monitoring system cloud platform.
Attached Figure Description
[0033] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0034] Other features, objects, and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
[0035] Figure 1 is a schematic diagram of a cloud platform access password security testing method for a power monitoring system provided in an embodiment of this application;
[0036] Figure 2 is a schematic diagram of the process of forming the evolution factor set provided in an embodiment of this application;
[0037] Figure 3 is a schematic diagram of the security degradation model construction process provided in an embodiment of this application;
[0038] Figure 4 is a schematic diagram of the security test signal generation process provided in an embodiment of this application;
[0039] Figure 5 is a schematic diagram of a cloud platform access password security testing device for a power monitoring system provided in an embodiment of this application;
[0040] Figure 6 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.
Detailed Implementation
[0041] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0042] It should be noted that all user information (including but not limited to user device information, user personal information, object information corresponding to device usage data, etc.) and data (including but not limited to data used for analysis, stored data, displayed data, device usage data, etc.) involved in all embodiments of this application are information and data authorized by the user or fully authorized by all parties.
[0043] This method is applicable to security management servers or security control nodes deployed on power monitoring system cloud platforms and can be executed by the cloud platform itself or its affiliated security management system. Its application scenarios cover security detection of internal system accounts and interface accounts on the power monitoring master station cloud platform; access authentication security management between the cloud platform and substations, distribution automation terminals, and edge nodes; and periodic and policy-based security testing of existing access passwords during long-term operation of the cloud platform. Implementing this method typically requires the cloud platform to have complete basic data storage modules such as account management tables, password policy tables, role and permission tables, interface call configurations, and authorization logs. The data in each module must be normally readable and accessible by the security management server. Simultaneously, the testing process must not initiate real login requests, change existing permission models, or affect the operation of the production system.
[0044] The following detailed description, in conjunction with specific embodiments, illustrates the implementation process of the cloud platform access password security testing method for the power monitoring system described in this application. It should be noted that this embodiment is merely for explaining this application and not for limiting the scope of protection of this application. Any conventional adjustments or substitutions made by those skilled in the art to the steps without departing from the concept of this application should be included within the scope of protection of this application.
[0045] As shown in Figure 1, this application discloses a cloud platform access password security testing method for a power monitoring system, including the following method steps:
[0046] S1: Obtain access password records, extract the password metadata corresponding to each access password and its bound role information, and generate a password-role mapping table; the password metadata includes at least the password length, character set type, hash algorithm type, setting time, and most recent change time;
[0047] S2: Based on permission configuration data, construct a permission coupling structure with roles and interfaces as nodes and permission relationships as directed edges;
[0048] S3: Obtain the historical change records of each permission relationship in the permission coupling structure, and add a time weight to each directed edge based on the historical change records to obtain a permission coupling evolution structure with time weight; the time weight is positively correlated with the change frequency of the corresponding permission relationship;
[0049] S4: Collect system evolution factor data generated by the cloud platform during operation, normalize the system evolution factor data into security erosion parameters, and form a system evolution factor set; the system evolution factor data includes at least the history of authentication failure policy changes, login rate limiting threshold adjustment records, and interface access policy change records;
[0050] S5: Starting from the access password in the password-role mapping table, construct a permission-aware security degradation model based on the time-weighted permission coupling evolution structure and the system evolution factor set. This includes traversing a path in the permission coupling evolution structure, starting from the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of the traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weights of the directed edges;
[0051] S6: Based on the degradation amplification coefficients of each path output by the permission-aware security degradation model, generate a permission-time joint security test signal; the permission-time joint security test signal includes at least a comprehensive risk value;
[0052] S7: Compare the comprehensive risk value with the preset security threshold to determine the security status of the corresponding access password.
[0053] In some embodiments, for step S1, access password records and related information are obtained and a mapping table is generated. The core of this step is to obtain the basic data required for subsequent processes, providing data support for subsequent permission analysis and security modeling.
[0054] Specifically, the cloud platform's security management server reads all currently stored access password records from the password management module through an authorized data access interface within the cloud platform. The reading process adheres to the rule of not reading or recovering plaintext passwords to avoid the risk of password leakage. The extracted information includes password metadata for each access password and its associated role information. The password metadata at least covers password length, character set type, hash algorithm type, setup time, and most recent change time; this data reflects the basic attributes and historical changes of the password. Role information includes account identifier, role name, and role type, used to identify the account and corresponding role to which the access password belongs. All of the above data originates from the cloud platform's internal account management table and password policy table, ensuring the security and legality of data acquisition.
[0055] For each extracted password record and its corresponding information, a structured data item is generated according to preset data structuring rules. The fields of the structured data item correspond one-to-one with the extracted information type, ensuring a consistent data format for easy processing in subsequent steps. This step ultimately generates a password-role mapping table. This table establishes a clear association between each access password and its corresponding password metadata and role information, providing foundational data support for subsequent processes such as constructing permission coupling structures and security degradation modeling.
[0056] In some embodiments, step S2 mainly involves constructing a static structure that reflects the permission relationship between roles and interfaces, laying the foundation for the subsequent introduction of time weights and risk propagation modeling.
[0057] The permission coupling structure is built based on the existing permission configuration data of the cloud platform. The permission configuration data it relies on includes role permission configuration data, interface call relationship data and temporary authorization records. The role permission configuration data comes from the role permission table of the cloud platform, the interface call relationship data comes from the interface call configuration or call whitelist, and the temporary authorization records come from the authorization log or authorization configuration table.
[0058] During data processing, each role or interface is abstracted as a node in the permission coupling structure. Simultaneously, the permission inheritance relationships, interface call relationships, and authorization relationships between roles and between roles and interfaces are abstracted as directed edges in the permission coupling structure. For each directed edge, its corresponding permission relationship type is explicitly recorded to ensure a clear representation of the permission association between roles and interfaces, generating a static permission coupling structure that intuitively reflects the permission propagation path between roles and interfaces.
[0059] In some embodiments, step S3 addresses the deficiency in the prior art of treating the permission structure as a static background. By adding time weights to the directed edges in the permission coupling structure, the structure can reflect the dynamic changes in permission relationships during system evolution, supporting the subsequent accurate assessment of how permissions amplify password risks. The principle is that the frequency of changes in a permission relationship directly affects the speed and scope of risk propagation; setting time weights quantifies the evolutionary activity of permission relationships, so that the permission coupling structure more closely reflects the actual operation of the system.
[0060] In practice, the first step is to obtain the historical change records of each permission relationship in the permission coupling structure. These historical change records include permission change history, interface configuration change records, and authorization relationship change records, which come from the system log module and configuration management module of the cloud platform. They can be obtained by reading historical operation logs and configuration change records.
[0061] Based on the acquired historical change records, a time weight is assigned to each directed edge. Specifically, the number of changes to each permission relationship within a preset time period is first counted. The preset time period can be configured according to the cloud platform's operating characteristics and actual needs, such as one year or three years, to ensure that the changes in permission relationships are fully reflected. The time weight is positively correlated with the frequency of changes to the corresponding permission relationship. The more changes, the greater the time weight, indicating a higher degree of evolution and activity in the permission relationship, and a stronger ability to act as a risk propagation channel. Conversely, the fewer changes, the smaller the time weight, indicating a higher stability and relatively weaker risk propagation ability in the permission relationship.
[0062] The specific calculation of time weights can be achieved using the following formula:
[0063]
[0064] where, for a given permission relationship: the time weight of its directed edge; the change frequency impact coefficient, which can be configured to a value between 0 and 1 and adjusts how strongly change frequency influences the time weight; the number of times the permission relationship was changed within the preset time period; the duration of the preset time period, in years; and the base weight value, which can be configured to a value between 0 and 0.5 so that a base weight is maintained even if the permission relationship remains unchanged, preventing the relationship from being ignored in subsequent risk propagation modeling because its weight is zero.
[0065] This step transforms the static permission coupling structure into a time-weighted permission coupling evolution structure. This structure not only retains the associated paths of permission relationships but also incorporates evolutionary information in the time dimension, enabling the permission structure to dynamically reflect changes in permission relationships during system operation. This provides a crucial structural foundation for subsequent security degradation modeling in conjunction with system evolution factors.
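The following is an added worked example, not code from the patent, of how the time-weighted structure of step S3 feeds the path traversal of step S5 and the three-tier decision of step S7. The page describes these rules only qualitatively, so the concrete formulas (time weight as base plus coefficient times changes per year, a 1/length path coefficient, the node-type to erosion-type mapping, and the fusion weights) are assumptions chosen to satisfy the text's stated properties.

```python
"""Illustrative permission-time joint security test (patent steps S3, S5, S7).
Added example; formulas marked 'assumed' are not taken from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Set

ROLE, INTERFACE, SUBDOMAIN = "role", "interface", "subdomain"

# Assumed mapping: which erosion parameter types apply to which node type.
RELEVANT_EROSION = {
    ROLE: ("auth_failure_policy", "login_rate_limit"),
    INTERFACE: ("interface_access_policy",),
    SUBDOMAIN: ("compute_resource", "log_alert_policy"),
}


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    relation: str   # "inheritance", "call" or "authorization"
    changes: int    # change records for this relationship in the preset period


def time_weight(changes: int, years: float, alpha: float = 0.5, base: float = 0.2) -> float:
    """Assumed form base + alpha * changes / years: grows with change frequency,
    alpha in (0, 1], and a non-zero base so an unchanged edge is never weight 0."""
    if not 0 < alpha <= 1 or not 0 < base <= 0.5 or years <= 0:
        raise ValueError("alpha in (0,1], base in (0,0.5], years > 0")
    return base + alpha * changes / years


def node_erosion(kind: str, erosion: Dict[str, float]) -> float:
    """Superimpose the erosion parameters relevant to the node type (equal weights assumed)."""
    return sum(erosion.get(k, 0.0) for k in RELEVANT_EROSION[kind])


def enumerate_paths(edges: List[Edge], start: str, max_len: int = 3) -> List[List[Edge]]:
    """All simple directed paths of 1..max_len edges from the role bound to the password."""
    out_edges: Dict[str, List[Edge]] = {}
    for e in edges:
        out_edges.setdefault(e.src, []).append(e)
    paths: List[List[Edge]] = []

    def dfs(node: str, path: List[Edge], seen: Set[str]) -> None:
        if path:
            paths.append(path)
        if len(path) == max_len:
            return
        for e in out_edges.get(node, []):
            if e.dst not in seen:
                dfs(e.dst, path + [e], seen | {e.dst})

    dfs(start, [], {start})
    return paths


def degradation_coefficient(path: List[Edge], node_type: Dict[str, str],
                            erosion: Dict[str, float], years: float) -> float:
    """Overall path weight (product of edge time weights) x accumulated node
    erosion x path length coefficient (assumed 1/len: a long chain is diluted)."""
    overall_weight = 1.0
    for e in path:
        overall_weight *= time_weight(e.changes, years)
    nodes = [path[0].src] + [e.dst for e in path]
    accumulated = sum(node_erosion(node_type[n], erosion) for n in nodes)
    return overall_weight * accumulated / len(path)


def comprehensive_risk(coeffs: List[float], trend: float, sensitivity: float,
                       similarity: float, high_coeff: float = 0.5) -> float:
    """Assumed fusion: path risk = mean coefficient + 0.1 per high-risk path, then
    weighted with the time trend, node sensitivity and pattern-similarity terms."""
    n_high = sum(1 for c in coeffs if c > high_coeff)
    path_risk = sum(coeffs) / len(coeffs) + 0.1 * n_high
    return 0.4 * path_risk + 0.3 * trend + 0.2 * sensitivity + 0.1 * similarity


def security_status(risk: float, secure: float = 0.3, warning: float = 0.6) -> str:
    """Three-tier decision from the patent: secure / warning / high-risk."""
    if risk <= secure:
        return "secure"
    return "warning" if risk <= warning else "high-risk"


def assess(start_role, edges, node_type, erosion, years, trend, sensitivity, similarity):
    coeffs = [degradation_coefficient(p, node_type, erosion, years)
              for p in enumerate_paths(edges, start_role)]
    risk = comprehensive_risk(coeffs, trend, sensitivity, similarity)
    return coeffs, risk, security_status(risk)


# Constructed sample: a small permission coupling structure and a normalized erosion set.
NODE_TYPE = {"operator": ROLE, "admin": ROLE, "api_read": INTERFACE,
             "api_write": INTERFACE, "scada_zone": SUBDOMAIN}
EDGES = [Edge("operator", "admin", "inheritance", 0),
         Edge("operator", "api_read", "call", 1),
         Edge("admin", "api_write", "authorization", 3),
         Edge("api_write", "scada_zone", "call", 2)]
EROSION = {"auth_failure_policy": 0.4, "login_rate_limit": 0.2,
           "interface_access_policy": 0.3, "compute_resource": 0.1, "log_alert_policy": 0.2}

if __name__ == "__main__":
    coeffs, risk, status = assess("operator", EDGES, NODE_TYPE, EROSION, 1.0, 0.5, 0.8, 0.2)
    print([round(c, 4) for c in coeffs], round(risk, 4), status)
```

Note that the test never touches a live login path: every input comes from stored configuration, change logs and the password-role mapping table, as the patent requires.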
[0066] In some embodiments, for step S4, system evolution factor data is collected and normalized. This step addresses the problem that existing technologies neglect the cumulative impact of system evolution on password security. By collecting the evolution factors directly related to password security degradation and normalizing them, quantitative evolution-driven data is provided for subsequent security degradation modeling. The principle is that during long-term system operation, evolutionary factors such as authentication strategies and interface scope gradually erode the security margin of passwords; transforming these factors into unified, quantitative security erosion parameters allows their impact on password security to be assessed accurately.
[0067] Referring to Figure 2, a schematic diagram of the process of forming the evolution factor set provided in an embodiment of this application: in S201, system evolution factor data generated by the cloud platform during operation is collected. This data is directly related to password security degradation and includes at least the history of authentication failure policy changes, login rate limiting threshold adjustment records, and interface access policy change records; it may also include data such as changes in cloud platform computing resource configuration and log and alarm policy adjustments.
[0068] For example, the data sources and methods for collecting various system evolution factors are as follows: The history of authentication failure policy changes comes from the cloud platform's security policy configuration module, recording the handling policies after authentication failures at different times, such as changes in parameters like failure count thresholds and lockout durations; the login rate limiting threshold adjustment records come from the cloud platform's access control module, recording adjustments to login request rate limiting thresholds at different times; the interface access policy change records come from the interface management module, including changes to policies such as interface open scope and access permission requirements; the cloud platform computing resource configuration change data comes from the resource management module, recording changes in the number of computing nodes, computing power allocation, and storage resource configuration; and the log and alarm policy adjustment data come from the log management module and alarm management module, including changes in log recording detail, alarm trigger thresholds, and alarm response mechanisms.
[0069] In S202, after data acquisition is completed, the system evolution factor data is normalized into security erosion parameters. This involves two steps: first, each type of system evolution factor data is converted into initial erosion parameters according to a preset conversion rule; second, the initial erosion parameters are normalized so that all security erosion parameters fall within the same numerical range.
[0070] The conversion rules for different types of system evolution factor data are as follows:
[0071] For the history of authentication failure policy changes, if the lockout duration is shortened and the failure count threshold is increased after authentication failure, it indicates that the policy change has eroded password security. The degree of erosion is positively correlated with the proportion of shortened lockout duration and increased failure count threshold. The conversion formula is:
[0072]
[0073] where: the initial erosion parameter corresponding to the history of authentication failure policy changes; the initial lockout duration; the current lockout duration; the initial failure count threshold; the current failure count threshold; and the two weighting coefficients, which can be configured according to the actual situation, for example both to 0.5. If the lockout duration has not been shortened and the failure count threshold has not been increased, the resulting value indicates that the policy change has not compromised password security.
[0074] For login rate limiting threshold adjustment records, increasing the login rate limiting threshold means increasing the number of login attempts allowed per unit time, raising the risk of password brute-force attacks and eroding password security. The conversion formula is:
[0075]
[0076] where the terms are, in order: the initial erosion parameter corresponding to the login rate limiting threshold adjustment records; the initial login rate limiting threshold; the current login rate limiting threshold; and the scaling factor, which can be configured to a value between 0 and 1, for example 0.8. If the threshold has not been increased, no erosion is counted.
[0077] For records of changes in interface access policies, expanding the scope of open interfaces and lowering access permission requirements increases the risk of password misuse and erodes password security. The conversion formula is:
[0078]
[0079] where the terms are, in order: the initial erosion parameter corresponding to the interface access policy change records; the degree to which the scope of open interfaces has been expanded; the degree to which the access permission requirements have been lowered, each taking a value between 0 and 1; and the two weighting coefficients, which can for example both be configured to 0.5.
[0080] Changes in cloud platform computing resource configuration increase the likelihood of passwords being cracked by computing power, thus eroding password security. The degree of erosion is positively correlated with the proportion of increased computing power. The conversion formula is:
[0081]
[0082] where the terms are, in order: the initial erosion parameter corresponding to changes in the cloud platform computing resource configuration; the initial computing power value; the current computing power value; and the scaling factor, which can be configured to a value between 0 and 1, for example 0.7. If computing power has not increased, no erosion is counted.
[0083] Adjustments to logging and alerting policies, such as reduced log detail, increased alert trigger thresholds, and increased alert response delays, will reduce the efficiency of detecting and handling password security incidents, indirectly eroding password security. The conversion formula is:
[0084]
[0085] where the terms are, in order: the initial erosion parameter corresponding to the log and alarm policy adjustments; the detail-level score of the initial log records, with a value between 0 and 1; the detail-level score of the current log records; the initial alarm trigger threshold; the current alarm trigger threshold; the initial alarm response time; the current alarm response time; and the three weighting coefficients, which can be configured according to the actual situation. If the log recording detail has been increased, the alarm trigger threshold lowered, or the alarm response time shortened, the corresponding sub-item takes the value 0.
[0086] In S203, the initial erosion parameters are obtained by converting the data of the above-mentioned system evolution factors. Normalization is performed using the following formula:
[0087]
[0088] where the terms are, in order: the normalized security erosion parameter; the minimum initial erosion parameter value for this type of system evolution factor data; and the maximum initial erosion parameter value for this type. Through normalization, the security erosion parameters corresponding to all evolution factors are brought to the same order of magnitude and into a comparable range, ultimately forming a system evolution factor set. Each element in this set is a normalized security erosion parameter, used for subsequent permission-aware security degradation modeling.
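The conversion rules of S202 and the normalization of S203, as an added worked example that is not part of this application: since the formulas themselves are not reproduced in the page text, the concrete arithmetic (relative change of each setting, clamped at zero when the setting was tightened, and the weights of the log and alarm sub-items) is an assumption that follows the textual rules, and all input values are constructed.

```python
# Added example (not from the patent): converts system evolution factor
# records into initial erosion parameters and min-max normalizes them.
# The patent's formulas are not reproduced in the page text, so the concrete
# arithmetic below (relative change, clamped at zero) is an ASSUMPTION that
# follows the stated rules: erosion grows with the proportion by which a
# protective setting was weakened, and is zero when the setting was tightened.
from typing import Dict, List


def _rel_increase(old: float, new: float) -> float:
    """Relative increase of a quantity, clamped at 0 (a decrease is no erosion)."""
    if old <= 0:
        return 0.0
    return max(0.0, (new - old) / old)


def _rel_decrease(old: float, new: float) -> float:
    """Relative decrease of a quantity, clamped at 0 (an increase is no erosion)."""
    if old <= 0:
        return 0.0
    return max(0.0, (old - new) / old)


def auth_failure_erosion(lock0: float, lock1: float, fail0: float, fail1: float,
                         w1: float = 0.5, w2: float = 0.5) -> float:
    """Shortened lockout and raised failure-count threshold both erode security."""
    return w1 * _rel_decrease(lock0, lock1) + w2 * _rel_increase(fail0, fail1)


def login_rate_erosion(rate0: float, rate1: float, alpha: float = 0.8) -> float:
    """A raised login rate-limit threshold allows more guesses per unit time."""
    return alpha * _rel_increase(rate0, rate1)


def interface_policy_erosion(scope_expansion: float, permission_lowering: float,
                             w1: float = 0.5, w2: float = 0.5) -> float:
    """Both inputs are analyst scores in [0, 1], as the text describes."""
    return w1 * scope_expansion + w2 * permission_lowering


def compute_resource_erosion(power0: float, power1: float, beta: float = 0.7) -> float:
    """More computing power raises the feasibility of offline cracking."""
    return beta * _rel_increase(power0, power1)


def log_alarm_erosion(detail0: float, detail1: float, thr0: float, thr1: float,
                      resp0: float, resp1: float,
                      w: tuple = (0.4, 0.3, 0.3)) -> float:
    """Less log detail, a higher alarm threshold and a slower response each
    erode security; a sub-item is 0 when that setting improved. Weights assumed."""
    return (w[0] * max(0.0, detail0 - detail1)
            + w[1] * _rel_increase(thr0, thr1)
            + w[2] * _rel_increase(resp0, resp1))


def min_max_normalize(values: List[float]) -> List[float]:
    """Map one factor's history of initial erosion parameters onto [0, 1]."""
    lo, hi = min(values), max(values)
    if hi == lo:  # constant history: avoid division by zero, treat as no spread
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def build_evolution_factor_set(histories: Dict[str, List[float]]) -> Dict[str, float]:
    """Normalize each factor's history separately and keep its latest value."""
    return {name: min_max_normalize(vals)[-1] for name, vals in histories.items()}


def sample_factor_set() -> Dict[str, float]:
    """Constructed sample: three collection points per factor (not real data)."""
    histories = {
        # lockout 30 -> 20 -> 15 minutes, failure threshold 5 -> 5 -> 8 attempts
        "auth_failure": [auth_failure_erosion(30, 30, 5, 5),
                         auth_failure_erosion(30, 20, 5, 5),
                         auth_failure_erosion(30, 15, 5, 8)],
        # rate limit 10 -> 10 -> 25 login requests per minute
        "login_rate": [login_rate_erosion(10, 10),
                       login_rate_erosion(10, 10),
                       login_rate_erosion(10, 25)],
        # computing power 100 -> 150 -> 120 units (latest is not the maximum)
        "compute_resource": [compute_resource_erosion(100, 100),
                             compute_resource_erosion(100, 150),
                             compute_resource_erosion(100, 120)],
    }
    return build_evolution_factor_set(histories)
```

The normalization is done per factor type over that type's own history, which is what makes a constant history (no change ever recorded) a case worth handling explicitly: the maximum equals the minimum and the formula would otherwise divide by zero.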
[0089] In some embodiments, step S5 addresses the problem that existing technologies fail to capture the relationship between permission coupling and password security degradation. By modeling risk propagation within the permission coupling evolution structure, it accurately assesses the amplification effect of password security degradation under specific permission paths. The principle is that password security degradation does not occur independently but is gradually amplified and propagated along the permission coupling path. The degradation speed and impact of the same password differ under different roles and permission paths. By superimposing system evolution factors to calculate the degradation amplification coefficient, high-risk passwords and the corresponding risk paths can be accurately identified.
[0090] In practical implementation, starting with the access password in the password-role mapping table, and based on the time-weighted permission coupling evolution structure and the system evolution factor set, a permission-aware security degradation model is constructed. The construction process includes path traversal, security erosion parameter superposition, and degradation amplification coefficient calculation. Please refer to Figure 3, which is a schematic diagram of the security degradation model construction process provided in this embodiment. Specific implementation details are as follows:
[0091] In S301, starting with the access password-bound role node, path traversal is performed within a time-weighted permission coupling evolution structure. To ensure the orderliness and effectiveness of the traversal process, traversal rules and constraints are first defined: a maximum depth threshold for risk propagation is set. The maximum depth threshold is used to limit the scope of risk propagation and avoid excessive computation or distorted risk assessment caused by unrestricted propagation. For example, it can be configured to a value between 5 and 10, depending on the complexity of the cloud platform's permission coupling structure. The traversal method can be breadth-first traversal or depth-first traversal. In this embodiment, breadth-first traversal is preferred, which can prioritize traversing nodes that are closer to the starting point, and is more in line with the actual situation of permission propagation.
[0092] During the traversal, at each node reached, the type of the node (role node, interface node, system subdomain node) and the time weight and change frequency of the corresponding permission relationship edge are recorded. When the traversal depth reaches the preset maximum depth threshold, the propagation of that path is stopped. If a node that has already been visited is encountered during the traversal, that node and the paths beyond it are not traversed again, to avoid circular propagation. Each permission path is uniquely identified; the identification information includes all nodes on the path, the relationship type of the edges, and the time weights, which facilitates subsequent result analysis and risk path location.
[0093] In S302, during path traversal, relevant security erosion parameters are superimposed on the nodes of the traversed path; specifically, based on the node type, security erosion parameters corresponding to the system evolution factor set are selected and weighted for summation. The security erosion parameters and weighting rules corresponding to different types of nodes are as follows:
[0094] For role nodes, the normalized security erosion parameters corresponding to the authentication failure policy change history and login rate limiting threshold adjustment records associated with that role are superimposed. The summation method is weighted summation:
[0095]
[0096] where the terms are: the security erosion parameter obtained by superposition at the role node; and the two weighting coefficients, which can be adjusted according to the role's permission level: the higher the permission level, the larger the values. For example, for high-privilege roles both can be configured to 0.5, and for low-privilege roles they can be configured to 0.3 and 0.2 respectively.
[0097] For interface nodes, overlay the interface access policy change records related to that interface, as well as the normalized security erosion parameters corresponding to the log and alarm policy adjustments. The summation method is weighted summation:
[0098]
[0099] where the terms are: the security erosion parameter obtained by superposition at the interface node; and the two weighting coefficients, which can be adjusted according to the importance of the interface: for core interfaces the values can be relatively large, for example both configured to 0.5, while for an ordinary interface they can be configured to 0.3 and 0.2 respectively.
[0100] For system subdomain nodes, normalized security erosion parameters corresponding to changes in cloud platform computing resource configuration and adjustments to log and alarm policies related to that subdomain are overlaid. The summation method is weighted summation:
[0101]
[0102] where the terms are: the security erosion parameter obtained by superposition at the system subdomain node; and the two weighting coefficients, which can be adjusted according to how central the subdomain is: for core subdomains the values can be relatively large, for example both configured to 0.5, while for non-core subdomains they can be configured to 0.3 and 0.2 respectively.
[0103] During the propagation of each permission path, the evolution factor resulting from the superposition of all nodes on the path is accumulated. The accumulation formula is as follows:
[0104]
[0105] where the terms are: the cumulative evolution factor corresponding to a given permission path; the number of nodes on the path; the sensitivity weight of each node, which varies with its type (the higher the permission level of a role node, the wider the access scope of an interface node, and the more central a system subdomain node, the greater the corresponding sensitivity weight; for example, the sensitivity weight of a role node can be configured to 0.6, that of an interface node to 0.3, and that of a system subdomain node to 0.1, with the specific values determined through expert evaluation or statistical analysis); and the evolution factor obtained by superposition at each node.
[0106] In S303, the degradation amplification coefficient is calculated. The degradation amplification coefficient quantifies the degree to which the security degradation of the password is amplified under a specific permission path. Its calculation incorporates the time weights of the permission path, the cumulative evolution factor, and the path length. The specific calculation steps are as follows:
[0107] The first step is to calculate the overall weight of the permission paths. The overall weight reflects the risk propagation capability of this permission path, and the calculation formula is as follows:
[0108]
[0109] where the terms are the number of edges on the permission path and the time weight of each edge.
[0110] The second step is to calculate the path length coefficient. The path length coefficient is used to correct the impact of path length on risk propagation, and the calculation formula is as follows:
[0111]
[0112] where the terms are: the length of the permission path, i.e. the number of edges on it; and the preset maximum depth threshold for risk propagation. The longer the path, the smaller the path length coefficient, indicating greater attenuation during risk propagation.
[0113] The third step is to calculate the degradation amplification factor. The degradation amplification factor is the product of the comprehensive weight, the cumulative evolution factor, and the path length factor, and is calculated using the following formula:
[0114]
[0115] where the terms are: the overall weight of the permission path; the cumulative evolution factor of the permission path; and the path length coefficient.
[0116] For each access password, all accessible permission paths corresponding to its bound role are traversed and the degradation amplification coefficient of each path is calculated. The identification information of each path and the corresponding degradation amplification coefficient are recorded, completing the construction of the permission-aware security degradation model.
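The traversal of S301, the node superposition of S302 and the coefficient calculation of S303, as an added worked example that is not part of this application. The weighting pairs and sensitivity weights are the values given in the text; because the formulas are not reproduced on the page, the overall weight (taken as the mean edge time weight), the path length coefficient (taken as 1 - L/(Dmax+1)) and the product form of the amplification coefficient are assumed readings of the description, and the graph, node attributes and factor values are constructed.

```python
# Added example (not from the patent): breadth-first traversal of a
# time-weighted permission coupling structure with superposition of
# security erosion parameters and calculation of the degradation
# amplification coefficient. The patent's formulas are not reproduced on
# the page, so the overall weight (mean edge time weight), the path length
# coefficient (1 - L/(Dmax+1)) and the product form of the amplification
# coefficient are ASSUMED readings of the textual description.
from collections import deque
from typing import Dict, List, NamedTuple, Sequence, Tuple

# node type -> sensitivity weight (values given in the text)
SENSITIVITY = {"role": 0.6, "interface": 0.3, "subdomain": 0.1}

# graph: node -> list of (neighbour, time weight of the directed edge)
Graph = Dict[str, List[Tuple[str, float]]]
# attrs: node -> (node type, is_high); is_high marks a high-privilege role,
# core interface or core subdomain and selects the 0.5/0.5 weighting pair
Attrs = Dict[str, Tuple[str, bool]]


class PermissionPath(NamedTuple):
    nodes: Tuple[str, ...]           # path identification: all nodes in order
    edge_weights: Tuple[float, ...]  # time weight of each traversed edge
    amplification: float             # degradation amplification coefficient


def superpose_node(node_type: str, is_high: bool, factors: Dict[str, float]) -> float:
    """Weighted sum of the erosion parameters relevant to this node type
    (0.5/0.5 for high-privilege or core nodes, 0.3/0.2 otherwise)."""
    w1, w2 = (0.5, 0.5) if is_high else (0.3, 0.2)
    if node_type == "role":
        return w1 * factors["auth_failure"] + w2 * factors["login_rate"]
    if node_type == "interface":
        return w1 * factors["interface_policy"] + w2 * factors["log_alarm"]
    if node_type == "subdomain":
        return w1 * factors["compute_resource"] + w2 * factors["log_alarm"]
    raise ValueError(f"unknown node type {node_type!r}")


def cumulative_evolution(nodes: Sequence[str], attrs: Attrs,
                         factors: Dict[str, float]) -> float:
    """Sum over the path of sensitivity weight times superposed erosion."""
    return sum(SENSITIVITY[attrs[n][0]] * superpose_node(*attrs[n], factors)
               for n in nodes)


def overall_weight(edge_weights: Sequence[float]) -> float:
    """ASSUMED: mean time weight of the edges on the path."""
    return sum(edge_weights) / len(edge_weights)


def path_length_coeff(length: int, max_depth: int) -> float:
    """ASSUMED: falls linearly with path length, stays positive up to max_depth."""
    return 1.0 - length / (max_depth + 1)


def amplification_coeff(nodes: Sequence[str], edge_weights: Sequence[float],
                        attrs: Attrs, factors: Dict[str, float], max_depth: int) -> float:
    return (overall_weight(edge_weights)
            * cumulative_evolution(nodes, attrs, factors)
            * path_length_coeff(len(edge_weights), max_depth))


def traverse(graph: Graph, attrs: Attrs, factors: Dict[str, float],
             start_role: str, max_depth: int) -> List[PermissionPath]:
    """BFS from the password-bound role; stops at max_depth and never
    re-enters a visited node, so cycles cannot propagate risk repeatedly."""
    visited = {start_role}
    queue = deque([((start_role,), ())])
    paths: List[PermissionPath] = []
    while queue:
        nodes, weights = queue.popleft()
        if len(weights) >= max_depth:  # depth limit reached: stop this path
            continue
        for nxt, tw in graph.get(nodes[-1], []):
            if nxt in visited:
                continue
            visited.add(nxt)
            new_nodes, new_weights = nodes + (nxt,), weights + (tw,)
            amp = amplification_coeff(new_nodes, new_weights, attrs, factors, max_depth)
            paths.append(PermissionPath(new_nodes, new_weights, amp))
            queue.append((new_nodes, new_weights))
    return paths


def sample_model() -> List[PermissionPath]:
    """Constructed sample platform (not real data): an administrator role, two
    interfaces, one control subdomain, and a back-edge that forms a cycle."""
    graph: Graph = {
        "admin": [("core_data_iface", 0.8), ("report_iface", 0.2)],
        "core_data_iface": [("control_subdomain", 0.6)],
        "report_iface": [("admin", 0.1)],                  # cycle back to start
        "control_subdomain": [("core_data_iface", 0.5)],   # already visited
    }
    attrs: Attrs = {
        "admin": ("role", True),
        "core_data_iface": ("interface", True),
        "report_iface": ("interface", False),
        "control_subdomain": ("subdomain", True),
    }
    factors = {"auth_failure": 1.0, "login_rate": 0.5, "interface_policy": 0.6,
               "log_alarm": 0.4, "compute_resource": 0.8}
    return traverse(graph, attrs, factors, "admin", max_depth=5)
```

With the constructed graph, the traversal yields three permission paths; the back-edge from the report interface to the administrator role and the edge from the control subdomain back to the core data interface are both dropped by the visited-set check, which is the circular-propagation case the text calls out. The longer administrator-to-subdomain path carries the largest cumulative evolution factor but a smaller path length coefficient, so the amplification coefficient of the direct path to the core data interface ends up higher.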
[0117] In some embodiments, for step S6, a permission-time joint security test signal is generated by fusing multiple algorithms. This avoids the one-sided evaluation caused by independent scoring in existing technologies and reflects the security status and evolution trend of the password more comprehensively and accurately. The principle is to combine multi-dimensional information such as permission path risk, time series trends, node sensitivity, and historical weakening patterns, and to perform the fusion calculation in a unified risk space. The generated test signal simultaneously reflects the impact of permission coupling and of time evolution on password security.
[0118] Please see Figure 4, which is a schematic diagram of the security test signal generation process provided in an embodiment of this application. In specific implementation, based on the degradation amplification coefficient of each path output by the permission-aware security degradation model, a permission-time joint security test signal is generated. This test signal includes at least a comprehensive risk value. The generation process includes calculating the permission path risk value, calculating the time degradation trend value, calculating the node sensitivity weighted value, calculating the historical pattern matching similarity, and fusing the multiple algorithms. Specific implementation details are as follows:
[0119] In S401, the permission path risk value is calculated. Based on the degradation amplification coefficient of each path, the number of high-risk paths and the average degradation amplification coefficient are counted, and the permission path risk value is calculated. First, a threshold for the degradation amplification coefficient is set. The threshold is used to distinguish high-risk paths from ordinary paths and can be determined based on the cloud platform's security level requirements, historical security event data, and expert experience; for example, it can be configured to a value between 1.5 and 3.0. The degradation amplification coefficient of each permission path is then compared with the threshold; if it exceeds the threshold, the path is determined to be a high-risk path.
[0120] Based on the number of high-risk paths and the corresponding average degradation amplification coefficient, the permission path risk value of this password is calculated. The calculation formula is:
[0121]
[0122] where the terms are: the total number of accessible paths corresponding to this password; and the two weighting coefficients, which can for example be configured to 0.3 and 0.7 respectively to adjust the influence of the number of high-risk paths and of the average degradation amplification coefficient on the permission path risk value. The permission path risk value ranges from 0 to 1.
[0123] In S402, the time degradation trend value is calculated. Based on the time series of system evolution factor data, the evolution trend within a future time window is predicted, and the time degradation trend value is calculated. The values of the system evolution factor data at different time points are extracted to construct a time series dataset, in which each entry pairs a time node with the comprehensive value of the system evolution factors at that time point, namely the weighted sum of all parameters in the system evolution factor set.
[0124] A time series forecasting algorithm is used to predict the comprehensive values of system evolution factors over a future period. This embodiment employs an LSTM neural network model, with the following structure: the input layer dimension corresponds to the number of system evolution factors, for example, 5; 2-3 hidden layers are set, with 32-128 neurons per layer, using the ReLU activation function; the output layer dimension is 1, corresponding to the predicted comprehensive values of system evolution factors; the loss function is mean squared error, and the optimizer is the Adam optimizer. The model is trained using historical time series datasets, with 100-500 training iterations and a batch size of 16-64. After training, the model's prediction accuracy is verified using validation set data to ensure the prediction error remains within an acceptable range.
[0125] The evolution factor trend curve within the prediction time window is obtained using the LSTM neural network model. Based on this trend curve, the time degradation trend value of password security is calculated. The calculation formula is:
[0126]
[0127] where the terms are: the current time point; the end time of the prediction window, which can be set to 6 months, 1 year, or another interval after the current time; and the time degradation trend value, which ranges from 0 to 1. The larger the value, the faster password security will degrade in the future.
[0128] In S403, based on the preset sensitivity weights of permission nodes, a sensitivity-weighted calculation is performed over all nodes on the permission path of the password-bound role. The sum of the sensitivity weights of all nodes on the password's permission path is calculated and the node sensitivity weighted value is derived from it. The calculation formula is:
[0129]
[0130] where the terms are: the total number of nodes on the password's permission path; and the maximum sensitivity weight value among all node types. The node sensitivity weighted value ranges from 0 to 1. The larger the value, the higher the sensitivity of the permission nodes corresponding to the password, and the greater the security risk.
[0131] In S404, the historical pattern matching similarity is calculated. A historical weakening pattern library is constructed, containing the pattern features of password security weakening events that have occurred during the operation of the cloud platform. These pattern features include the permission path characteristics during the weakening process, the changes in system evolution factors, and the trend of the degradation amplification coefficients. The current password security degradation description data is then matched against the pattern features in the historical weakening pattern library to calculate the matching similarity.
[0132] In this embodiment, the cosine similarity algorithm is used to calculate the matching similarity. The calculation formula is as follows:
[0133]
[0134] where the terms are: the current password security degradation feature vector, whose dimensions include the permission path risk value, the time degradation trend value, the node sensitivity weighted value, the degradation amplification coefficient, and so on; the feature vector of a given pattern in the historical weakening pattern library; and the matching similarity, which ranges from 0 to 1. The larger the value, the more similar the current password security degradation pattern is to a historical weakening pattern, and the higher the probability of a security problem occurring in the future.
[0135] In S405, the permission path risk value, time degradation trend value, node sensitivity weighted value, and historical pattern matching similarity obtained in the above four steps are fused by weighting within a unified risk space to obtain a comprehensive risk value. The fusion formula is as follows:
[0136]
[0137] where the terms are: the fusion weighting coefficients, which can be determined by the analytic hierarchy process or by machine learning algorithms, for example by assigning weights according to the evaluation accuracy of each algorithm on historical data; and the comprehensive risk value after fusion.
[0138] Using the comprehensive risk value as the core parameter, and combining the permission path information and time window information corresponding to the password, a permission-time joint security test signal is generated. The parameter set of the test signal includes the comprehensive risk value, permission path risk value, time degradation trend value, node sensitivity weighted value, historical pattern matching similarity, high-risk path identifiers, and prediction time window; the risk weight information includes the weight coefficients corresponding to each fusion algorithm, as well as the time weights of the permission path and the node sensitivity weights. The generated test signal does not involve real attack requests and is only used in internal evaluation calculations for the subsequent access password security determination, ensuring that the testing process does not affect the normal operation of the cloud platform.
[0139] In some embodiments, step S7 mainly involves determining the security status of the access password based on the generated permission-time joint security test signal, providing a basis for subsequent output of test results.
[0140] In practice, three security thresholds can be preset: a security threshold, an early warning threshold, and a high-risk threshold, with the security threshold < early warning threshold < high-risk threshold. For example, the security threshold can be configured as 0.3, the early warning threshold as 0.6, and the high-risk threshold as 0.8. The specific thresholds can be adjusted according to the security requirements of the cloud platform and the actual operating conditions.
[0141] The comprehensive risk value is extracted from the permission-time joint security test signal, and the password's security status is determined by comparing it with the preset thresholds. If the comprehensive risk value is less than or equal to the security threshold, the access password is considered secure, meaning it is little affected by system evolution factors under the current role and permission path, has a low degree of security degradation, and does not require password replacement or permission adjustment in the short term. If the comprehensive risk value is greater than the security threshold but less than or equal to the early warning threshold, the access password is considered to be in a warning state, meaning its security has deteriorated to some extent and may worsen further, requiring close monitoring of its evolution trend and, if necessary, a password replacement plan prepared in advance. If the comprehensive risk value is greater than the early warning threshold, the access password is considered to be in a high-risk state, meaning its security degradation under the current permission path is serious and poses a significant risk of leakage, requiring immediate security measures such as password replacement and permission restriction.
[0142] During the judgment process, if a password is in a warning or high-risk state, its corresponding high-risk path identifier and the proportion of its comprehensive risk value (i.e., the proportion of each fusion algorithm's output value) are recorded to provide data support for subsequent risk source explanations. This step generates a security judgment result for each access password, clarifying its security status and related risk parameters.
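Steps S401 to S405 and the status determination of S7, as an added worked example that is not part of this application. The thresholds 0.3 and 0.6, the weights 0.3/0.7 and the sensitivity weights are the values given in the text; because the formulas are not reproduced on the page, the scalings that keep each component within 0 to 1, the choice to take the time degradation trend from an already available forecast curve rather than from a trained LSTM, the feature vector layout, and the fusion weights are assumptions, and every input is constructed.

```python
# Added example (not from the patent): generates the permission-time joint
# security test signal from per-path degradation amplification coefficients
# and classifies the password against the 0.3 / 0.6 thresholds. The patent's
# formulas are not reproduced on the page; the scalings used to keep each
# component in [0, 1] and the fusion weights are ASSUMED. The time degradation
# trend is read from an already-available forecast curve, not a trained LSTM.
import math
from typing import Dict, Sequence

SENSITIVITY = {"role": 0.6, "interface": 0.3, "subdomain": 0.1}


def permission_path_risk(amps: Sequence[float], threshold: float = 2.0,
                         w1: float = 0.3, w2: float = 0.7) -> float:
    """Share of high-risk paths (coefficient above threshold) plus the mean
    coefficient scaled by the threshold; both terms lie in [0, 1]."""
    if not amps:
        return 0.0
    n_high = sum(1 for a in amps if a > threshold)
    mean_amp = sum(amps) / len(amps)
    return w1 * n_high / len(amps) + w2 * min(1.0, mean_amp / threshold)


def time_degradation_trend(forecast: Sequence[float]) -> float:
    """Rise of the comprehensive evolution factor from now to the end of the
    prediction window, clamped to [0, 1] (forecast values are in [0, 1])."""
    return min(1.0, max(0.0, forecast[-1] - forecast[0]))


def node_sensitivity_value(node_types: Sequence[str]) -> float:
    """Sum of sensitivity weights on the path over N times the maximum weight."""
    if not node_types:
        return 0.0
    return sum(SENSITIVITY[t] for t in node_types) / (len(node_types) * max(SENSITIVITY.values()))


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0 or nb == 0:  # an all-zero vector has no direction
        return 0.0
    return dot / (na * nb)


def historical_pattern_similarity(current: Sequence[float],
                                  library: Sequence[Sequence[float]]) -> float:
    """Best match against the historical weakening pattern library."""
    return max((cosine_similarity(current, p) for p in library), default=0.0)


def fuse(components: Sequence[float], weights: Sequence[float]) -> float:
    """Weighted fusion in the unified risk space; weights must sum to 1."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("fusion weights must sum to 1")
    return sum(c * w for c, w in zip(components, weights))


def classify(risk: float, secure: float = 0.3, warning: float = 0.6) -> str:
    """Status determination of S7 with the example thresholds from the text."""
    if risk <= secure:
        return "secure"
    if risk <= warning:
        return "warning"
    return "high-risk"


def generate_test_signal(amps: Sequence[float], forecast: Sequence[float],
                         node_types: Sequence[str], library: Sequence[Sequence[float]],
                         fusion_weights: Sequence[float] = (0.4, 0.2, 0.2, 0.2)) -> Dict[str, object]:
    path_risk = permission_path_risk(amps)
    trend = time_degradation_trend(forecast)
    sens = node_sensitivity_value(node_types)
    # ASSUMED feature layout: path risk, trend, node sensitivity, peak amplification
    feature = [path_risk, trend, sens, max(amps) if amps else 0.0]
    sim = historical_pattern_similarity(feature, library)
    total = fuse([path_risk, trend, sens, sim], fusion_weights)
    return {"path_risk": path_risk, "trend": trend, "node_sensitivity": sens,
            "pattern_similarity": sim, "comprehensive_risk": total,
            "status": classify(total), "fusion_weights": tuple(fusion_weights)}


def sample_signal() -> Dict[str, object]:
    """Constructed sample input (no real platform data)."""
    amps = [0.5, 1.0, 2.5, 4.0]                 # four paths, two above threshold 2.0
    forecast = [0.40, 0.45, 0.52, 0.61]         # comprehensive factor, now -> window end
    node_types = ["role", "interface", "subdomain"]
    library = [[0.85, 0.21, 5 / 9, 4.0],        # a past weakening event that matches
               [0.1, 0.05, 0.3, 0.2]]           # a benign historical pattern
    return generate_test_signal(amps, forecast, node_types, library)
```

The fused value of the constructed sample lands above the 0.6 early warning threshold, so the password is reported as high-risk; the returned dictionary keeps the four component values and the fusion weights, which is the per-algorithm breakdown the text records for the risk source explanation.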
[0143] In some embodiments, the method further includes outputting and recording the security assessment results to support security management decisions of the cloud platform and to provide a historical data basis for the next cycle of testing.
[0144] In practice, the security status assessment results of the access passwords are output to the security management module of the cloud platform. The output includes three parts. First, the security level of each access password, divided into three categories: secure, warning, and high risk, corresponding one-to-one with the security assessment results. Second, a description of the main risk sources, explaining the main risk sources for passwords in the warning and high-risk states, including high-risk permission path identifiers, the system evolution factors with significant impact, and the matched historical weakening pattern; for example, the main risk source of a high-risk password may be risk propagation through the system administrator to core data interface permission path, coupled with the evolution factors of a relaxed authentication failure policy and increased computing resources. Third, management policy recommendation identifiers, providing recommendations according to the password's security level and risk sources: for secure passwords, maintaining the existing configuration and monitoring regularly; for passwords in the warning state, changing the password within 3 months and restricting access to the related interfaces; and for passwords in the high-risk state, changing the password immediately, temporarily freezing the related high-privilege paths, and reassessing the role's permissions.
[0145] Simultaneously, all results of this test, including basic information about the access password, security degradation description data, permission-time joint test signal parameters, security judgment results, risk source explanations, and management strategy suggestions, will be recorded in the cloud platform's test history database, forming a historical test result archive. This archive can not only be used to trace the evolution of password security but also provide historical data support for the next testing cycle. For example, it can provide a reference for subsequent processes such as building a historical weakening pattern library, adjusting security thresholds, and optimizing algorithm fusion weights.
[0146] This method is executed repeatedly at a preset period, which can be configured according to the cloud platform's operation and security requirements, such as 1 month, 3 months, etc. The judgment results and historical data generated in each execution serve as the input for the next execution, realizing periodic and continuous testing of the security of the cloud platform's access password.
[0147] This method achieves accurate testing of the access password security of a power monitoring system cloud platform by acquiring access password and role information, constructing a time-weighted permission coupling evolution structure, collecting normalized system evolution factors, building a permission-aware security degradation model, generating permission-time joint security test signals, and determining the security status. This method can simultaneously perceive the permission coupling structure and the system evolution process, overcoming the shortcomings of existing static and instantaneous assessments. It can accurately identify high-risk passwords for specific roles within specific time windows without launching real attacks, changing the existing permission model, or affecting normal system operation, and clearly define the sources and evolution trends of risks. This provides a scientific basis for cloud platform security management, meets the power industry's dual requirements of high reliability and high security, and effectively improves the password security protection capabilities of the power monitoring system cloud platform.
[0148] It should be noted that although the operations of the method of this application are described in a specific order in the accompanying drawings, this does not require or imply that these operations must be performed in that specific order, or that all the operations shown must be performed to achieve the desired result. On the contrary, the steps depicted in the flowchart can be performed in a different order. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and / or one step may be broken down into multiple steps.
[0149] Please see Figure 5, which shows the cloud platform access password security testing device for a power monitoring system provided by an embodiment of this application. This device embodiment corresponds to the method embodiment illustrated in Figure 1, and the device can be applied to various electronic devices. The device specifically includes:
[0150] The password-role mapping table generation module 501 is used to obtain access password records, extract the password metadata corresponding to each access password and its bound role information, and generate a password-role mapping table; the password metadata includes at least password length, character set type, hash algorithm type, setting time, and last change time;
[0151] The permission coupling structure construction module 502 is used to construct a permission coupling structure based on permission configuration data, with roles and interfaces as nodes and permission relationships as directed edges.
[0152] The permission coupling evolution structure generation module 503 is used to obtain historical change records of each permission relationship in the permission coupling structure, and add time weights to each directed edge based on the historical change records to obtain a permission coupling evolution structure with time weights; the time weights are positively correlated with the change frequency of the corresponding permission relationships.
[0153] The system evolution factor set generation module 504 is used to collect system evolution factor data generated by the cloud platform during operation, normalize the system evolution factor data into security erosion parameters, and form a system evolution factor set; the system evolution factor data includes at least the authentication failure policy change history, login rate limiting threshold adjustment record, and interface access policy change record;
[0154] The security degradation model construction module 505 is used to construct a permission-aware security degradation model based on the access password in the password-role mapping table, the time-weighted permission coupling evolution structure, and the system evolution factor set. The model construction includes traversing paths in the permission coupling evolution structure starting from the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of each traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weights of the directed edges.
[0155] The security test signal generation module 506 is used to generate a permission-time joint security test signal based on the path degradation amplification coefficients output by the permission-aware security degradation model; the permission-time joint security test signal includes at least a comprehensive risk value.
[0156] The security status determination module 507 is used to compare the comprehensive risk value with a preset security threshold to determine the security status of the corresponding access password.
[0157] Those skilled in the art will clearly understand that the technical solutions of the embodiments of this application can be implemented by means of software and / or hardware. In this specification, "unit" and "module" refer to software and / or hardware that can independently complete or cooperate with other components to complete a specific function, wherein the hardware may be, for example, a field-programmable gate array (FPGA), an integrated circuit (IC), etc.
[0158] Each processing unit and / or module in the embodiments of this application can be implemented by an analog circuit that implements the functions described in the embodiments of this application, or by software that executes the functions described in the embodiments of this application.
[0159] Based on the same inventive concept, this application also provides an electronic device. The method corresponding to the electronic device can be the method in the foregoing embodiments, and its problem-solving principle is similar to that method. The device provided in this application includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the methods and / or technical solutions of the foregoing embodiments of this application.
[0160] Figure 6 illustrates the structure of an electronic device suitable for implementing the methods and / or technical solutions in the embodiments of this application. The device includes a central processing unit (CPU) 601, which can perform various appropriate actions and processes based on a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603. The RAM 603 also stores various programs and data required for system operation. The CPU 601, ROM 602, and RAM 603 are interconnected via a bus 604. An input section 606, an output section 607, a communication section 609, and an input / output (I / O) interface 605 are also connected to the bus 604.
[0161] In particular, the methods and / or embodiments in this application can be implemented as computer software programs. For example, the embodiments disclosed in this application include a computer program product comprising a computer program carried on a storage medium, the computer program containing program code for performing the methods shown in the flowchart. When the computer program is executed by the central processing unit (CPU) 601, it performs the functions defined in the methods of this application.
[0162] Another embodiment of this application provides a computer-readable storage medium having computer program instructions stored thereon, which can be executed by a processor to implement the methods and / or technical solutions of any one or more embodiments of this application described above.
[0163] The flowcharts or block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of devices, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-specific system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0164] Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited in a device claim may also be implemented by a single unit or device through software or hardware. Terms such as "first," "second," etc., are used to indicate names and do not indicate any particular order.
Claims
1. A method for testing the security of access passwords to a cloud platform in a power monitoring system, characterized in that it comprises the following steps:
obtaining access password records, extracting the password metadata corresponding to each access password and its bound role information, and generating a password-role mapping table, wherein the password metadata includes at least password length, character set type, hash algorithm type, setting time, and most recent change time;
constructing, based on permission configuration data, a permission coupling structure with roles and interfaces as nodes and permission relationships as directed edges;
obtaining historical change records of each permission relationship in the permission coupling structure, and adding a time weight to each directed edge based on the historical change records to obtain a time-weighted permission coupling evolution structure, wherein the time weights are positively correlated with the change frequency of the corresponding permission relationships;
collecting the system evolution factor data generated during the operation of the cloud platform, and normalizing the system evolution factor data into security erosion parameters to form a system evolution factor set, wherein the system evolution factor data includes at least the history of authentication failure policy changes, login rate limiting threshold adjustment records, and interface access policy change records;
starting from the access password in the password-role mapping table, and based on the time-weighted permission coupling evolution structure and the system evolution factor set, constructing a permission-aware security degradation model, which includes traversing a path in the permission coupling evolution structure starting from the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of the traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weights of the directed edges;
generating a permission-time joint security test signal based on the degradation amplification coefficients of each path output by the permission-aware security degradation model, wherein the permission-time joint security test signal includes at least a comprehensive risk value; and
comparing the comprehensive risk value with a preset security threshold to determine the security status of the corresponding access password.
2. The cloud platform access password security testing method for a power monitoring system according to claim 1, characterized in that the permission configuration data includes role permission configuration data, interface call relationship data, and temporary authorization records; and the permission relationships include permission inheritance relationships, interface call relationships, and authorization relationships.
3. The cloud platform access password security testing method for a power monitoring system according to claim 1, characterized in that adding a time weight to each directed edge based on the historical change records specifically comprises: counting the number of times the permission relationship changes within a preset time period, and calculating the time weight from the number of changes, such that the greater the number of changes, the greater the time weight.
4. The cloud platform access password security testing method for a power monitoring system according to claim 1, characterized in that normalizing the system evolution factor data into security erosion parameters specifically comprises: for each type of system evolution factor data, converting it into an initial erosion parameter according to a preset conversion rule, and then normalizing the initial erosion parameters so that all security erosion parameters fall within the same numerical range.
5. The cloud platform access password security testing method for a power monitoring system according to claim 1, characterized in that superimposing the relevant security erosion parameters on the nodes of the traversed path specifically comprises: selecting, according to the node type, the security erosion parameters of the corresponding type from the system evolution factor set and performing a weighted summation, wherein the node types include role nodes, interface nodes and system subdomain nodes.
6. The cloud platform access password security testing method for a power monitoring system according to claim 5, characterized in that the degradation amplification coefficient corresponding to the path is calculated by: calculating the product of the time weights of all directed edges on the traversed path to obtain the overall path weight; and accumulating the superimposed security erosion parameters of all nodes on the traversed path, and combining the result with a path length coefficient to calculate the degradation amplification coefficient.
7. The method according to claim 1, characterized in that generating the permission-time joint security test signal specifically comprises: based on the degradation amplification coefficient of each path, counting the number of high-risk paths and the average degradation amplification coefficient, and calculating a permission path risk value; based on the time series of the system evolution factor data, predicting the evolution trend within a future time window and calculating a time degradation trend value; and obtaining the comprehensive risk value by weighting and fusing the permission path risk value, the time degradation trend value, the node sensitivity weighted value, and the historical pattern matching similarity.
8. The method according to claim 1, characterized in that the preset security thresholds include a security threshold, a warning threshold, and a high-risk threshold; and determining the security status of the corresponding access password specifically comprises: if the comprehensive risk value is less than or equal to the security threshold, determining a secure state; if the comprehensive risk value is greater than the security threshold and less than or equal to the warning threshold, determining a warning state; and if the comprehensive risk value is greater than the warning threshold, determining a high-risk state.
9. A cloud platform access password security testing device for a power monitoring system, characterized in that it comprises:
a password-role mapping table generation module, used to obtain access password records, extract the password metadata corresponding to each access password and its bound role information, and generate a password-role mapping table, wherein the password metadata includes at least the password length, character set type, hash algorithm type, setting time, and last change time;
a permission coupling structure construction module, used to build a permission coupling structure based on permission configuration data, with roles and interfaces as nodes and permission relationships as directed edges;
a permission coupling evolution structure generation module, used to obtain historical change records of each permission relationship in the permission coupling structure, and add a time weight to each directed edge based on the historical change records to obtain a time-weighted permission coupling evolution structure, wherein the time weights are positively correlated with the change frequency of the corresponding permission relationships;
a system evolution factor set generation module, used to collect system evolution factor data generated by the cloud platform during operation, normalize the system evolution factor data into security erosion parameters, and form a system evolution factor set, wherein the system evolution factor data includes at least the authentication failure policy change history, login rate limiting threshold adjustment records, and interface access policy change records;
a security degradation model construction module, used to construct a permission-aware security degradation model based on the access password in the password-role mapping table, the time-weighted permission coupling evolution structure, and the system evolution factor set, which includes traversing a path in the permission coupling evolution structure starting from the role node bound to the access password, superimposing the relevant security erosion parameters on the nodes of the traversed path, and calculating the degradation amplification coefficient corresponding to the path based on the time weights of the directed edges;
a security test signal generation module, used to generate a permission-time joint security test signal based on the path degradation amplification coefficients output by the permission-aware security degradation model, wherein the permission-time joint security test signal includes at least a comprehensive risk value; and
a security status determination module, used to compare the comprehensive risk value with a preset security threshold to determine the security status of the corresponding access password.
10. An electronic device, characterized in that it comprises: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
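The following is an added worked illustration of the procedure in claims 1 to 8 (and of the modules described in paragraphs [0154] to [0156]); it is not code from the patent or its assignee. The time-weight rule, the min-max normalization, the mapping from node type to erosion parameters, the combination formula for the degradation amplification coefficient, the fusion weights, the threshold values and the sample permission graph are all assumptions chosen to make the steps concrete. It computes one operator password's comprehensive risk value by enumerating the paths that leave the operator role node, including a frequently changed temporary authorization into an admin role that reaches a control interface and a SCADA subdomain.

```python
from collections import defaultdict
from math import prod

def time_weight(change_count, scale=0.1):
    """Claim 3: edge time weight rises with the number of changes in the preset period (assumed 1 + scale*n)."""
    return 1.0 + scale * change_count

def normalize_factors(raw):
    """Claim 4: map initial erosion parameters into one numerical range (assumed min-max scaling to [0, 1])."""
    lo, hi = min(raw.values()), max(raw.values())
    span = (hi - lo) or 1.0
    return {k: (v - lo) / span for k, v in raw.items()}

# Claim 5: which erosion parameters apply to each node type, and with what weight (assumed mapping).
NODE_FACTORS = {
    "role": {"auth_failure_policy": 0.6, "login_rate_limit": 0.4},
    "interface": {"interface_access_policy": 1.0},
    "subdomain": {"login_rate_limit": 0.5, "interface_access_policy": 0.5},
}

def node_erosion(node_type, factors):
    """Weighted sum of the erosion parameters selected for this node type."""
    return sum(w * factors[name] for name, w in NODE_FACTORS[node_type].items())

def enumerate_paths(start, edges, max_depth=4):
    """All simple directed paths leaving the role node bound to the password (depth-bounded DFS)."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    paths = []

    def dfs(path):
        if len(path) > 1:
            paths.append(list(path))
        if len(path) - 1 >= max_depth:
            return
        for nxt in adj[path[-1]]:
            if nxt not in path:  # simple paths only: no cycles through mutually inheriting roles
                path.append(nxt)
                dfs(path)
                path.pop()

    dfs([start])
    return paths

def path_coefficient(path, edges, node_types, factors, length_coeff=0.9):
    """Claim 6: product of edge time weights x accumulated node erosion x path length coefficient (assumed form)."""
    weight_product = prod(edges[(a, b)] for a, b in zip(path, path[1:]))
    erosion_sum = sum(node_erosion(node_types[n], factors) for n in path)
    return weight_product * erosion_sum * length_coeff ** (len(path) - 1)

def path_risk(coeffs, high_risk_cutoff=1.0):
    """Claim 7: permission path risk from the share of high-risk paths and the mean coefficient (assumed fusion)."""
    if not coeffs:
        return 0.0
    high_share = sum(1 for c in coeffs if c > high_risk_cutoff) / len(coeffs)
    avg_norm = min(1.0, (sum(coeffs) / len(coeffs)) / (2 * high_risk_cutoff))  # saturates at twice the cutoff
    return 0.5 * high_share + 0.5 * avg_norm

def trend_value(series):
    """Claim 7: time degradation trend as the relative linear slope of a factor's time series, clipped to [0, 1]."""
    n = len(series)
    xm, ym = (n - 1) / 2, sum(series) / n
    slope = sum((x - xm) * (y - ym) for x, y in enumerate(series)) / sum((x - xm) ** 2 for x in range(n))
    return max(0.0, min(1.0, slope / max(ym, 1e-9)))

def comprehensive_risk(path_r, trend, sensitivity, similarity, w=(0.4, 0.3, 0.2, 0.1)):
    """Claim 7: weighted fusion of the four components (weights assumed)."""
    return w[0] * path_r + w[1] * trend + w[2] * sensitivity + w[3] * similarity

def security_status(risk, safe=0.3, warn=0.6):
    """Claim 8: three-level status against the security and warning thresholds (values assumed)."""
    return "secure" if risk <= safe else "warning" if risk <= warn else "high-risk"

def run_example():
    """Constructed sample: an operator password whose role reaches admin through a frequently changed temporary grant."""
    edges = {  # (from, to): time weight; the change counts are constructed sample data
        ("role:operator", "iface:telemetry"): time_weight(2),
        ("role:operator", "role:admin"): time_weight(5),  # temporary authorization, changed 5 times
        ("role:admin", "iface:control"): time_weight(1),
        ("iface:control", "sub:scada"): time_weight(0),
    }
    node_types = {"role:operator": "role", "role:admin": "role", "iface:telemetry": "interface",
                  "iface:control": "interface", "sub:scada": "subdomain"}
    factors = normalize_factors({"auth_failure_policy": 3.0, "login_rate_limit": 8.0,
                                 "interface_access_policy": 5.0})  # constructed initial erosion values
    paths = enumerate_paths("role:operator", edges)
    coeffs = [path_coefficient(p, edges, node_types, factors) for p in paths]
    pr = path_risk(coeffs)
    tr = trend_value([3.0, 3.5, 4.2, 5.0])  # constructed series: rate-limit threshold relaxed over four periods
    risk = comprehensive_risk(pr, tr, sensitivity=0.7, similarity=0.2)
    return {"paths": paths, "coefficients": coeffs, "path_risk": pr,
            "trend": tr, "risk": risk, "status": security_status(risk)}

if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The deepest path (operator, admin, control, SCADA subdomain) receives the largest coefficient because the frequently changed temporary grant carries the highest time weight and the subdomain node accumulates the most erosion; three of the four paths exceed the assumed high-risk cutoff, and the fused value lands in the warning band even though the password metadata itself was never inspected, which is the point of the permission-time coupling the claims describe.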