CN-121261900-B - Automatic exception digital certificate revocation method, device, equipment, storage medium and program product based on CT log

Abstract

The invention relates to the technical field of network security and discloses a method, device, electronic equipment, readable storage medium and program product for automatically revoking abnormal digital certificates based on CT (Certificate Transparency) logs. It addresses the technical problem that, in the prior art, abnormal digital certificates cannot be detected in time, so that the security risk is high when a website is accessed or identity verification is performed. The method comprises the steps of obtaining CT logs from a plurality of CT log servers; screening newly added certificate issuance records related to a target domain name from the obtained CT logs; performing multidimensional anomaly detection on the newly added issuance records based on a fusion detection algorithm; judging, according to the anomaly detection results of the multiple dimensions, whether any certificate issuance record is anomalous; and, when an anomalous certificate issuance record is detected, submitting a certificate revocation request to the CA corresponding to that record and revoking the corresponding digital certificate. The method can identify abnormal digital certificates in a timely manner and revoke them.

Inventors

  • Meng Panting
  • ZHU TINGTING
  • YU NING
  • Bei Huali

Assignees

  • 亚数信息科技(上海)有限公司

Dates

Publication Date
20260505
Application Date
20250928

Claims (8)

  1. An automatic revocation method for abnormal digital certificates based on CT logs, characterized by comprising the following steps: acquiring CT logs from a plurality of CT log servers, and screening newly added certificate issuance records related to a target domain name from the acquired CT logs; invoking a plurality of sub-models of a fusion detection model to perform multidimensional parallel detection, obtaining respectively an anomaly probability score, a reconstruction error score, a Boolean detection score and a confidence coefficient for each score, wherein the sub-models comprise an isolation forest model, a time-series autoencoder model and a rule engine model; acquiring, for each sub-model in the fusion detection model, its historical accuracy information, the characteristics of the current anomaly assessment scene, and the correlation among the models; invoking a strategy adjustment algorithm to calculate, through a multi-head attention mechanism, the importance information of each sub-model in the current scene based on that sub-model's historical accuracy information, the current anomaly assessment scene characteristics and the inter-model correlation, and dynamically adjusting the fusion weights according to the importance information; based on the fusion weights, fusing the anomaly probability score, the reconstruction error score, the Boolean detection score and the confidence coefficient of each score to obtain an anomaly risk assessment result and an assessment result confidence coefficient; judging, based on the anomaly risk assessment result and the assessment result confidence coefficient, whether an anomalous certificate issuance record exists; and, when an anomalous certificate issuance record is detected, submitting a certificate revocation request to the CA corresponding to that record and revoking the digital certificate corresponding to that record.
  2. The automatic revocation method for abnormal digital certificates based on CT logs according to claim 1, wherein acquiring CT logs from a plurality of CT log servers and screening newly added certificate issuance records related to the target domain name from the acquired CT logs comprises: obtaining CT log information from a plurality of log servers through a continuous subscription to a CT real-time streaming mechanism; judging whether the newly added certificate issuance information in the CT log information has already undergone anomaly detection; if anomaly detection has not been performed on the certificate information, performing an integrity check on the certificate information and determining whether it is tampered data; and, if the certificate information is not tampered, receiving a preset domain name screening requirement and, based on that requirement, screening out the newly added certificate issuance records related to the target domain name.
  3. The automatic revocation method for abnormal digital certificates based on CT logs according to claim 1, further comprising, after revoking the digital certificate corresponding to the anomalous certificate issuance record: computing, from the certificate revocation data, statistics for the false alarm rate, the missed report rate and the revocation success rate within a preset time, and normalizing them to obtain a state vector of the revocation behavior; and generating an adjustment strategy based on the state vector of the revocation behavior, and modifying the configuration parameters of the fusion detection model based on the adjustment strategy.
  4. The automatic revocation method for abnormal digital certificates based on CT logs according to claim 3, further comprising, after revoking the digital certificate corresponding to the anomalous certificate issuance record: packaging the certificate details, the anomaly risk assessment result and the adjustment strategy of the revoked digital certificate to obtain risk early-warning information; and pushing the risk early-warning information to a preset risk early-warning platform for real-time display and alerting.
  5. An automatic revocation device for abnormal digital certificates based on CT logs, characterized by comprising: a certificate record acquisition module for acquiring CT logs from a plurality of CT log servers and screening newly added certificate issuance records related to the target domain name from the acquired CT logs; an anomaly detection module for invoking a plurality of sub-models of a fusion detection model to perform multidimensional parallel detection, obtaining respectively an anomaly probability score, a reconstruction error score, a Boolean detection score and a confidence degree for each score, wherein the sub-models comprise an isolation forest model, a time-series autoencoder model and a rule engine model; for acquiring the historical accuracy information of each sub-model in the fusion detection model, the current anomaly assessment scene characteristics and the inter-model correlation; and for invoking a strategy adjustment algorithm to calculate, through a multi-head attention mechanism, the importance information of each sub-model in the current scene based on the historical accuracy information, the current anomaly assessment scene characteristics and the inter-model correlation of each sub-model, and dynamically adjusting the fusion weights according to the importance information, so as to obtain an anomaly risk assessment result and an assessment confidence degree, wherein the strategy adjustment algorithm is implemented as a deep-learning-based intelligent agent; and a certificate revocation module for submitting, when an anomalous certificate issuance record is detected, a certificate revocation request to the CA corresponding to that record and revoking the digital certificate corresponding to that record.
  6. Automatic revocation equipment for abnormal digital certificates based on CT logs, characterized by comprising a memory and at least one processor, wherein the memory stores instructions, and the at least one processor invokes the instructions in the memory to cause the equipment to perform the steps of the CT-log-based automatic revocation method for abnormal digital certificates according to any one of claims 1 to 4.
  7. A computer-readable storage medium having stored thereon a computer program or instructions which, when executed by a processor, implement the steps of the CT-log-based automatic revocation method for abnormal digital certificates according to any one of claims 1 to 4.
  8. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the CT-log-based automatic revocation method for abnormal digital certificates according to any one of claims 1 to 4.
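A compact worked version of the detection and fusion steps in claims 1 and 5, written as an added example and not code from the patent or its assignee: the rule engine is implemented over a constructed CT record, the isolation forest and autoencoder outputs are passed in as constructed (score, confidence) pairs, and the multi-head-attention weight adjustment is replaced by a softmax over historical accuracy, which is an assumption for illustration. The names CertRecord, rule_engine, assess and revocation_request and all thresholds are hypothetical.

```python
import math
from dataclasses import dataclass

@dataclass
class CertRecord:
    """One newly logged certificate after domain filtering (field values are constructed)."""
    domain: str      # SAN entry matching the target domain
    issuer: str      # issuing CA as recorded in the CT log entry
    not_before: int  # validity start, epoch seconds
    not_after: int   # validity end, epoch seconds
    sct_count: int   # number of SCTs observed for this certificate

def rule_engine(rec, allowed_cas, max_days=398, min_scts=2):
    """Boolean detection score (1.0 = a rule fired) plus a confidence that rises
    with the number of rules fired. Thresholds are example policy values."""
    checks = [
        rec.issuer not in allowed_cas,                        # CA not on the domain's allow-list
        (rec.not_after - rec.not_before) / 86400 > max_days,  # over-long validity period
        rec.sct_count < min_scts,                             # too few SCTs for browser trust
    ]
    violations = sum(checks)
    return (1.0 if violations else 0.0), 0.5 + 0.5 * violations / len(checks)

def fusion_weights(hist_acc):
    """Sub-model weights from historical accuracy via softmax: a stand-in for the
    patent's multi-head-attention strategy adjustment (assumption)."""
    exps = {name: math.exp(acc) for name, acc in hist_acc.items()}
    total = sum(exps.values())
    return {name: e / total for name, e in exps.items()}

def fuse(results, weights):
    """results: sub-model name -> (score, confidence) in [0, 1]. Returns the
    weighted risk score and the weighted confidence."""
    risk = sum(weights[n] * s for n, (s, _) in results.items())
    conf = sum(weights[n] * c for n, (_, c) in results.items())
    return risk, conf

def assess(rec, iforest, autoenc, allowed_cas, hist_acc, risk_thr=0.6, conf_thr=0.5):
    """Decision for one record. iforest/autoenc are (score, confidence) pairs assumed
    to come from the trained sub-models; only the rule engine runs here."""
    results = {"iforest": iforest, "autoencoder": autoenc,
               "rules": rule_engine(rec, allowed_cas)}
    risk, conf = fuse(results, fusion_weights(hist_acc))
    return risk, conf, (risk >= risk_thr and conf >= conf_thr)

def revocation_request(rec, risk, conf):
    """Payload for the issuing CA's revocation endpoint (field names constructed)."""
    return {"issuer": rec.issuer, "domain": rec.domain, "not_before": rec.not_before,
            "reason": "unauthorized-issuance", "risk": round(risk, 3), "confidence": round(conf, 3)}
```

A record is only passed to revocation_request when both the fused risk and the fused confidence clear their thresholds, which is the two-value decision claim 1 describes.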

Description

Automatic exception digital certificate revocation method, device, equipment, storage medium and program product based on CT log

Technical Field

The present invention relates to the field of network security technologies, and in particular to a method, an apparatus, an electronic device, a computer storage medium and a computer program product for automatically revoking an abnormal digital certificate based on a CT log.

Background

In the current internet environment, digital certificates are widely used for website encryption and authentication and are an important basis for guaranteeing network security. To prevent anyone from forging or misusing digital certificates, the industry introduced Certificate Transparency logs (CT logs). A CT log records all issued certificates, and anyone can inspect them, which improves the transparency of certificate issuance and helps uncover suspicious certificates issued without authorization. However, in existing practice various problems persist: after an abnormal certificate appears it usually has to be checked, analyzed and handled manually, so the revocation process is not automated enough and is prone to delay; the certificate can only be recorded and an alarm mechanism is lacking, so operations and maintenance staff cannot discover risks in time; and the steps are not automatically linked, so the overall response efficiency is low. Therefore, a more automated and efficient approach is urgently needed, so that once an abnormal certificate is found the CT log can be used to automatically perform the revocation and promptly issue an early warning, helping the system cope with potential security problems more quickly and improving the overall response speed and security protection capability.
Disclosure of Invention

The invention mainly aims to solve the technical problem that, in the prior art, it cannot be automatically detected in real time whether unauthorized or abnormal certificate issuance records exist, so that abnormal digital certificates cannot be detected in time and the security risk is high when a website is accessed or identity verification is performed. The first aspect of the invention provides an automatic revocation method for abnormal digital certificates based on CT logs, comprising the following steps: acquiring CT logs from a plurality of CT log servers, and screening newly added certificate issuance records related to a target domain name from the acquired CT logs; performing multidimensional anomaly detection on the newly added certificate issuance records based on a fusion detection algorithm, and judging, according to the anomaly detection results of the multiple dimensions, whether the newly added records contain an anomalous certificate issuance record; and, when an anomalous certificate issuance record is detected, submitting a certificate revocation request to the CA corresponding to that record and revoking the digital certificate corresponding to that record.
Optionally, in a first implementation manner of the first aspect of the present invention, acquiring CT logs from the plurality of CT log servers and screening the newly added certificate records related to the target domain name from the acquired CT logs comprises: obtaining CT log information from a plurality of log servers through a continuous subscription to a CT real-time streaming mechanism; judging whether the newly added certificate issuance information in the CT log information has already undergone anomaly detection; if anomaly detection has not been performed on the certificate information, performing an integrity check on the certificate information and determining whether it is tampered data; and, if the certificate information is not tampered, receiving a preset domain name screening requirement and, based on that requirement, screening out the newly added certificate issuance records related to the target domain name.

Optionally, in a second implementation manner of the first aspect of the present invention, performing multidimensional anomaly detection on the newly added certificate issuance records based on a fusion detection algorithm and determining, according to the anomaly detection results of the multiple dimensions, whether an anomalous certificate issuance record is included comprises: invoking a plurality of sub-models of the fusion detection model to perform multidimensional parallel detection, obtaining respectively an anomaly probability score, a reconstruction error score, a Boolean detection score and a confidence coefficient for each score, wherein the sub-models comprise an isolation forest model, a time-series autoencoder model and a rule engine model; carryin