Search

CN-120811669-B - Cloud platform security analysis method and device based on dynamic rights graph modeling

CN120811669BCN 120811669 BCN120811669 BCN 120811669BCN-120811669-B

Abstract

The embodiment of the disclosure provides a cloud platform security analysis method and device based on dynamic authority map modeling, wherein the method comprises the steps of collecting and analyzing role and authority information in an Azure AD, constructing a map structure of authority mapping to executable operation, generating an executable attack chain through a map search algorithm based on the map structure of the authority mapping to the executable operation, simulating an execution process of the attack chain, detecting whether a platform triggers a corresponding defense strategy, recording relevant responses, generating a strategy response matrix, identifying strategy configuration vulnerability points in the attack chain according to the strategy response matrix, and outputting optimization suggestions.

Inventors

  • JIA JIA
  • LIU YANG
  • YANG TIANCHANG
  • ZHANG PENG
  • XU YAOLING
  • Zhai Yunjiao
  • WANG ZHAOYANG
  • XU MINGYE
  • YIN YUHENG
  • ZHAO XINYU

Assignees

  • 中国电子科技集团公司第十五研究所

Dates

Publication Date
20260512
Application Date
20250715

Claims (9)

  1. 1. A cloud platform security analysis method based on dynamic rights graph modeling is characterized by comprising the following steps: Collecting and analyzing role and authority information in an Azure AD, constructing an authority mapping to an executable operation map structure, wherein the method comprises the steps of acquiring tenant IDs and authentication tokens through the Azure AD for identity authentication, extracting all accounts, roles, strategies, resources and authority configuration mapping thereof through an Azure API, a UI Portal or a CLI tool after authentication is successful, constructing an original authority map, carrying out semantic modeling on authority behaviors of each role based on the original authority map, aggregating authority items to specified operation classifications to form the authority mapping to the executable operation map structure, identifying potential attack paths according to the operation classifications and resource calling paths of each authority item, listing potential attack points corresponding to each role and the authority items, marking risk grades for each operation according to the property of the authority operation and the potential influence on a system, and analyzing whether the possibility of bypassing a security strategy exists or not; generating an executable attack chain through a graph search algorithm based on the mapping of the rights to a graph structure of the executable operation; Simulating the execution process of the attack chain, detecting whether the platform triggers the corresponding defense strategy, recording the related response, generating a strategy response matrix, and And identifying strategy configuration vulnerability points in an attack chain according to the strategy response matrix, and outputting optimization suggestions.
  2. 2. The cloud platform security analysis method based on dynamic rights graph modeling of claim 1, wherein the operation classification comprises an information reconnaissance type operation for collecting information of a target resource, a lateral movement type operation for allowing an attacker or user to laterally move inside a system from one account or resource to another account or resource, a rights manipulation type operation for extracting sensitive information from the resource, a rights manipulation type operation for creating a long-term efficient modification or automation task in the system, a persistent deployment behavior for bypassing or disabling a logging and monitoring mechanism, and a log bypass/attenuation behavior for helping the attacker to mask own behavior.
  3. 3. The cloud platform security analysis method based on dynamic rights graph modeling of claim 1, wherein the generating an executable attack chain by a graph search algorithm based on the rights mapping to a graph structure of executable operations comprises: Taking the identity of an attacker in the map structure as a starting point of an attack path, and exploring all possible paths from the starting point to other system resources or operation targets through a graph searching algorithm; Clipping paths based on branch execution likelihood, operational hazard, policy penetration for each branch path in a graph search process, and And taking the path which meets the condition of legal authority chain executable, strong destructiveness and possibly large alarm penetration as an attack chain after path cutting, wherein each step in the attack chain is described as a certain attack operation.
  4. 4. The cloud platform security analysis method based on dynamic rights graph modeling of claim 3, wherein said tailoring paths based on branch execution likelihood, operational jeopardy, policy penetrability for each branch path in the graph search process comprises: evaluating the actual execution possibility of each branch path, and cutting off a certain path if the path depends on the authority or the operation point which cannot be acquired by an attacker; Evaluating whether the path can cause data leakage or service interruption, whether the system can suffer unrecoverable loss, whether the availability of a certain key service can be destroyed, and if not, cutting off the path; Evaluate whether the path can bypass security policies, monitoring mechanisms, or other protective layers, and if not, crop the path.
  5. 5. The cloud platform security analysis method based on dynamic rights graph modeling according to claim 1, wherein simulating the execution process of the attack chain, detecting whether the platform triggers a corresponding defense strategy, and recording the relevant response, generating a strategy response matrix includes: Extracting a current Azure security policy, defender opening rules and SIEM interface settings, and identifying response conditions, trigger mechanisms and interception capacities of different policies from the extracted security policies and rules; Initializing a monitoring cache, wherein the monitoring cache is used for collecting and recording the reaction of each step in the simulated attack chain process and the defense strategy in real time; When each attack chain step is simulated and executed, judging whether expected resources exist or not and whether an attacker has the authority required for executing the operation, and when a certain attack chain step cannot be continued due to resource deficiency or insufficient authority, marking the step as a potential blocking point; Sending a listener query request, analyzing whether the log, alarm and limit of the platform are triggered, if the related log record, alarm or limit is triggered, recording the event and analyzing whether the defense system makes a proper response; If the attack chain step is fully responded and accords with the expected defending effect, successful defending measures are recorded, and a strategy response matrix is generated.
  6. 6. The cloud platform security analysis method based on dynamic rights graph modeling according to claim 1, wherein the identifying policy configuration vulnerability points in an attack chain according to the policy response matrix, outputting optimization suggestions comprises: If frequent penetration or miss defenses occur in a path, it is recommended to add a new interception policy on the path; If some interfaces in the attack chain have permission problems or are abused by an attacker, fine role division is suggested for the interfaces; if certain execution behaviors bypass conventional defensive measures, it is suggested to add operating whitelist auditing and security information event management system bypass channels for these behaviors.
  7. 7. The cloud platform safety analysis device based on dynamic authority map modeling is characterized by comprising a map construction module, an attack chain generation module, a simulation execution module and a feedback optimization module; The map construction module is used for collecting and analyzing role and authority information in the Azure AD, constructing a map structure of authority mapping to executable operations, wherein the map construction module comprises the steps of acquiring tenant IDs and authentication tokens through the Azure AD, carrying out identity authentication, extracting all accounts, roles, strategies, resources and authority configuration mapping thereof through an Azure API, a UI Portal or a CLI tool after the authentication is successful, constructing an original authority map, carrying out semantic modeling on the authority behavior of each role based on the original authority map, aggregating the authority items to specified operation classifications to form the authority mapping to the map structure of the executable operations, identifying potential attack paths according to the operation classifications and resource calling paths of each authority item, listing potential attack points corresponding to each role and the authority items, marking risk levels for each operation according to the property of the authority operation and the potential influence on the system, and analyzing whether the possibility of bypassing the security strategy exists; The attack chain generation module is used for generating an executable attack chain through a graph search algorithm based on the map structure of the executable operation mapped by the authority; The simulation execution module is used for simulating the execution process of the attack chain, detecting whether the platform triggers a corresponding defense strategy, recording the related response and generating a strategy response matrix; And the feedback optimization module is used for identifying strategy configuration vulnerability points in an attack chain according to the strategy response matrix and outputting an optimization suggestion report.
  8. 8. A computing device comprising at least one processor and a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-6.
  9. 9. A computer readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-6.

Description

Cloud platform security analysis method and device based on dynamic rights graph modeling Technical Field The embodiment of the disclosure relates to the field of software design, in particular to a cloud platform security analysis method and device based on dynamic rights graph modeling. Background With the widespread use of Cloud computing, the operation of enterprises and organizations is increasingly dependent on mainstream Cloud service platforms such as Microsoft Azure, AWS, google Cloud, and the like. The security management of identity and rights has become a key hub for cloud computing security governance. Microsoft Azure Active Directory (hereinafter referred to as Azure AD) is used as the most core identity access control infrastructure in microsoft cloud ecology, and is not only responsible for managing identity relationships among users, devices, applications and services, but also is a main platform for realizing role-based access control, managing access policies and executing authentication and authorization mechanisms. This also means that once an attacker penetrates the Azure AD and successfully controls the critical roles or interface rights associated with it, the attacks that they can implement will not just be rights promotion or data access, but an integrated whole-process attack chain of core resource scheduling, lateral movement, persistence survival and cloud alert bypass. The existing system lacks an effective tool to systematically map roles, rights and operations, so that potential risks of different roles cannot be evaluated, real-time verification and feedback of effectiveness of strategies cannot be performed, and automatic evaluation and optimization closed loop aiming at strategies are lacking. The attack simulation system cannot identify the penetrability of different strategies and the mode rules among attack chains, and cannot effectively evaluate and optimize the protection effect of the strategies. Disclosure of Invention Embodiments described herein provide a cloud platform security analysis method, apparatus, computing device and computer readable storage medium storing program instructions based on dynamic rights graph modeling, aiming to ensure closed loop effects from attack chain construction to policy optimization through real-time simulation, monitoring and feedback, so that security protection is more efficient and comprehensive. According to the first aspect of the disclosure, a cloud platform security analysis method based on dynamic authority map modeling is provided, and the cloud platform security analysis method comprises the steps of collecting and analyzing role and authority information in an Azure AD, constructing a map structure of authority mapping to executable operations, generating an executable attack chain through a map search algorithm based on the map structure of the authority mapping to the executable operations, simulating an execution process of the attack chain, detecting whether a platform triggers a corresponding defense strategy or not, recording relevant responses, generating a strategy response matrix, identifying strategy configuration vulnerability points in the attack chain according to the strategy response matrix, and outputting an optimization suggestion report. In some embodiments of the disclosure, collecting and analyzing role and authority information in an Azure AD, constructing a spectrum structure of authority mapping to executable operations comprises acquiring tenant IDs and authentication tokens through the Azure AD for identity authentication, extracting all accounts, roles, strategies, resources and authority configuration mappings thereof through an Azure API, UIPortal or a CLI tool after authentication is successful, constructing an original authority spectrum, carrying out semantic modeling on authority behaviors of each role based on the original authority spectrum, aggregating authority items to specified operation classifications to form an authority mapping to executable operation spectrum structure, displaying the constructed authority mapping to the executable operation spectrum structure through a visualization tool, identifying potential attack paths according to the operation classifications and resource calling paths of each authority item, listing potential attack points corresponding to each role and authority item, marking risk grades for each operation according to the property of authority operation and potential influence on a system, and analyzing whether possibility of bypassing a security strategy exists. In some embodiments of the present disclosure, the operation classification includes an information reconnaissance type operation for collecting information of a target resource, a lateral movement type operation for allowing an attacker or user to move laterally inside the system, jumping from one account or resource to another account or resource, a rights manipulation type operation for a