CN-121997321-A - Authority boundary-oriented intelligent agent sensitive operation tracking method and system
Abstract
The invention discloses an authority boundary-oriented sensitive operation tracking method and system for an intelligent agent, relating to the field of computer security and access control auditing. The method takes as input a plurality of operation events generated by the intelligent agent while executing a task, extracts for each operation event an event identification, subject identity information, accessed object information, operation type information and occurrence time sequence information, and outputs an event sequence; the acquisition and extraction are completed nearby by an edge computing node. Traceable cross-system, cross-identity correlation is achieved by marking the boundary context of each operation event within the task and generating an identity delegation chain digest based on token backtracking; a real boundary crossing set is then constructed, a minimum boundary crossing set is solved, differential evidence collection is performed, and a causal slice evidence package is output.
Inventors
- ZHOU QIAN
- LI QUAN
- SUN YU
- TANG KE
Assignees
- 成都工业职业技术学院
Dates
- Publication Date
- 20260508
- Application Date
- 20260409
Claims (10)
- 1. An authority boundary-oriented intelligent agent sensitive operation tracking method, characterized by comprising the following steps: S1, acquiring a plurality of operation events generated by an agent in a task execution process as input, extracting event identification, subject identity information, accessed object information, operation type information and occurrence time sequence information for each operation event, and outputting an event sequence; S2, taking the event sequence and a preset authority boundary description set as input, calculating the corresponding boundary context of each operation event, identifying whether an authority boundary crossing occurs, and outputting an event sequence with boundary context labels and a boundary crossing candidate set; S3, taking the event sequence with boundary context labels, the subject identity information and a preset identity delegation analysis rule as input, calculating identity jump associations among the operation events, generating a corresponding identity delegation chain digest, and outputting an enhanced event sequence containing the identity delegation chain digest; S4, taking the enhanced event sequence, a preset sensitive effect type set and its effect equivalence rule as input, identifying a target effect related to a sensitive effect in the event sequence, constructing the real boundary crossing set that reaches the target effect, and outputting a target effect description and the real boundary crossing set; S5, taking the target effect description, the effect equivalence rule, the authority boundary description set and a preset minimum crossing solving rule as input, generating the minimum boundary crossing set required while keeping the target effect unchanged, and outputting the minimum boundary crossing set; S6, taking the real boundary crossing set and the minimum boundary crossing set as input, calculating the difference between the real boundary crossing set and the minimum boundary crossing set, extracting the key operation events corresponding to the difference to form a causal slice evidence packet, and outputting the causal slice evidence packet comprising the differential boundary type, the key operation event identifications and the identity delegation chain digest, wherein the causal slice evidence packet is used for verifiable necessity judgment and tracking attribution of a chain-type sensitive result that crosses the authority boundary.
- 2. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 1, wherein step S1 includes: S1-1, taking as input all original records generated during execution of a task by the same intelligent agent instance whose occurrence time sequence information lies between the start time and the end time of the task, calculating an event identification for each original record by concatenating the subject identity information, accessed object information, operation type information and occurrence time sequence information and taking a fixed-length digest of the result, and outputting a plurality of operation events; S1-2, taking the plurality of operation events as input, sorting them by occurrence time sequence information from earliest to latest, comparing the subject identity information, accessed object information and operation type information of each pair of adjacent operation events one by one, merging the two operation events into one and retaining the earlier occurrence time sequence information when all three are identical and the occurrence time sequence information of the two operation events is identical or differs only by the minimum time scale, and outputting a deduplicated event sequence; S1-3, taking the deduplicated event sequence as input and, for each operation event, extracting the subject identity field value of the original record as the subject identity information, extracting the accessed object information from the resource locator field value, determining the operation type information jointly from the request method name and the parameter structure, writing the unified timestamp of the original record as the occurrence time sequence information, and outputting an event sequence containing event identification, subject identity information, accessed object information, operation type information and occurrence time sequence information.
- 3. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 2, wherein step S2 includes: S2-1, taking the event sequence and the authority boundary description set as input, calculating boundary key values for each operation event according to each boundary type in the authority boundary description set, namely taking the tenant identification and identity category from the subject identity information as the subject-side boundary key values, taking the tenant identification and resource domain category of the resource from the accessed object information as the object-side boundary key values, and mapping the occurrence time sequence information to an environment identification as the time-sequence-side boundary key value, concatenating the boundary key values of each boundary type in a fixed order to form the boundary context of the operation event, and outputting an event sequence with boundary context labels; S2-2, taking the event sequence with boundary context labels as input, traversing it by occurrence time sequence information from earliest to latest, comparing the boundary contexts of each pair of adjacent operation events item by item, adding the later operation event to a boundary crossing candidate set when any one of the tenant identification, identity category, resource domain category or environment identification changes, writing the changed item names and their values before and after the change into the crossing field of the later operation event, and outputting the boundary crossing candidate set; S2-3, taking the boundary crossing candidate set as input, backfilling the changed item names and the values before and after the change from the crossing field of each candidate event into the boundary context of that candidate event and generating a corresponding crossing label, and outputting an event sequence carrying both the crossing label and the boundary context label.
- 4. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 3, wherein step S3 includes: S3-1, taking the event sequence with boundary context labels as input and, for each operation event, taking the identity principal identification and identity category from the subject identity information and the access token identification and parent token identification from the authentication information corresponding to the operation event, and outputting an identity-labelled event sequence in which each operation event carries the identity principal identification, identity category, access token identification and parent token identification; S3-2, traversing the identity-labelled event sequence by occurrence time sequence information from earliest to latest and performing token backtracking on each operation event, where token backtracking uses the parent token identification of the operation event as the search key to locate, among the operation events already traversed, the one whose access token identification equals the search key and whose occurrence time sequence information is closest, records that operation event as the direct delegation event, and then repeats the search with the parent token identification of the direct delegation event as the new search key until the parent token identification is empty, thereby outputting the identity delegation chain corresponding to the operation event; S3-3, taking the identity delegation chain as input, taking the identity principal identifications and identity categories of all operation events in order from the starting point of the identity delegation chain to the current event, concatenating them into a delegation chain sequence string, taking a fixed-length digest of the delegation chain sequence string to obtain the identity delegation chain digest, writing the identity delegation chain digest into the corresponding operation event, and outputting an enhanced event sequence containing the identity delegation chain digest.
- 5. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 4, wherein step S4 includes: S4-1, taking the enhanced event sequence and the sensitive effect type set as input, reading the operation type information and accessed object information of each operation event to determine its effect type, marking the effect type as a sensitive effect type when the operation type information characterises export, sharing, deletion, policy change, permission change or submission of a fund instruction, concatenating the resource domain type and resource scope from the accessed object information with the sensitive effect type in a fixed order to generate a candidate target effect description, and outputting a candidate target effect description set and the corresponding candidate operation event set; S4-2, taking the candidate target effect description set and the corresponding candidate operation event set as input, calculating the effect landing time of each candidate operation event, sorting by effect landing time from latest to earliest, selecting the candidate operation event with the latest effect landing time as the effect landing event and its candidate target effect description as the target effect description, and outputting the target effect description and the effect landing event identification; S4-3, taking the effect landing event identification and the enhanced event sequence as input, tracing backwards along the occurrence time sequence information from the effect landing event through each operation event, checking whether the crossing label of each traced operation event is empty and adding the operation event to the real boundary crossing set when it is not, continuing the trace until the first operation event is reached whose identity delegation chain digest equals that of the effect landing event and whose tenant identification and resource domain category in the boundary context equal those of the effect landing event, and outputting the target effect description and the real boundary crossing set.
- 6. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 5, wherein step S5 includes: S5-1, taking the target effect description, the effect equivalence rule, the real boundary crossing set and the enhanced event sequence as input, selecting from the enhanced event sequence as equivalent events those operation events whose operation type information matches the sensitive effect type of the target effect description and whose resource domain type and resource scope in the accessed object information match those of the target effect description, backtracking from each equivalent event to the position where its identity delegation chain digest first appears, collecting the operation events with non-empty crossing labels along the backtracking path, decomposing each collected crossing label into crossing items consisting of boundary type, boundary key value before the change, boundary key value after the change and occurrence time sequence information, and outputting the equivalent event set and its corresponding crossing item set; S5-2, taking the crossing item set, the real boundary crossing set and the authority boundary description set as input, calculating reachability evidence and writing a reachability mark for each crossing item in the crossing item set, where the calculation checks whether at least one equivalent event in the equivalent event set exists whose trace path does not contain a crossing item with the same boundary type, the same boundary key value before the change and the same boundary key value after the change; if such an equivalent event exists, writing the reachability mark of the crossing item as replaceable and adding the crossing item to a rejection queue, otherwise writing the reachability mark as irreplaceable and adding the crossing item to a reservation queue, and outputting the crossing item set with reachability marks and the reservation queue.
- 7. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 6, wherein step S5 further comprises: S5-3, taking the reservation queue and the enhanced event sequence as input, performing a progressive gating update on each crossing item in the reservation queue and outputting a gating token state, where the gating update first performs a consistency check comparing the identity category and identity delegation chain digest in the subject identity information of the operation event corresponding to the crossing item with those of the last operation event before the crossing item's change; when both the identity category and the identity delegation chain digest are consistent, setting the gating token state to locked and writing the locking basis into the write field of the crossing item, otherwise setting the gating token state to pending rollback, writing the conflicting field name into the write field of the crossing item and returning the crossing item to S5-1 for renewed backtracking so that the backtracking path is reconstructed; S5-4, taking the crossing items whose gating token state is locked, the enhanced event sequence and the target effect description as input, executing a time sequence propagation judgment on each locked crossing item, writing an uncertainty count and generating the minimum crossing item set, where the time sequence propagation judgment checks, for the operation events traversed from the occurrence time sequence information of the locked crossing item's operation event up to the effect landing event, whether each has the same identity delegation chain digest and a boundary context containing the changed boundary key value of the locked crossing item; when the number of consecutively satisfying operation events is not less than three, writing a confirmation mark to the locked crossing item and leaving the uncertainty count unchanged; when it is less than three, writing a re-detection mark to the locked crossing item, incrementing the uncertainty count, returning the locked crossing item to S5-3 and re-executing the consistency check and gating update; and finally merging all crossing items carrying the confirmation mark by boundary type, deduplicating them by occurrence time sequence information, and generating the minimum boundary crossing set sorted from earliest to latest.
- 8. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 7, wherein step S6 includes: S6-1, taking the real boundary crossing set and the minimum boundary crossing set as input, extracting the boundary type, the boundary key value before the change and the boundary key value after the change from each crossing record in the real boundary crossing set and concatenating them into a crossing fingerprint string, forming a crossing fingerprint string from each crossing record in the minimum boundary crossing set in the same way, and outputting a real crossing fingerprint set and a minimum crossing fingerprint set; S6-2, taking the real crossing fingerprint set and the minimum crossing fingerprint set as input and calculating a differential crossing fingerprint set, where crossing fingerprint strings present in the real crossing fingerprint set but absent from the minimum crossing fingerprint set are added to an excess set, crossing fingerprint strings present in the minimum crossing fingerprint set but absent from the real crossing fingerprint set are added to a missing set, the excess set and the missing set are each written with the corresponding differential type mark, and the differential crossing fingerprint set is output; S6-3, taking the differential crossing fingerprint set and the enhanced event sequence as input and, for each crossing fingerprint string in the differential crossing fingerprint set, locating the key operation events in the enhanced event sequence, namely the operation events whose crossing label, boundary key value before the change and boundary key value after the change match the corresponding fields of the crossing fingerprint string, selecting the one with the earliest occurrence time sequence information as the crossing starting point event and the one with the latest occurrence time sequence information as the crossing landing point event, and outputting the key operation event pair and the corresponding differential boundary type.
- 9. The authority boundary-oriented intelligent agent sensitive operation tracking method according to claim 8, wherein step S6 further includes: S6-4, taking the key operation event pairs, the target effect description and the enhanced event sequence as input, calculating a causal path and outputting a causal slice for each pair of key operation events by traversing the enhanced event sequence along the occurrence time sequence information from the crossing starting point event to the effect landing event, retaining only the operation events whose identity delegation chain digest equals that of the crossing starting point event, and from those retaining only the operation events whose boundary context contains the changed boundary key value of the crossing landing point event, thereby outputting a causal slice consisting of the crossing starting point event, the crossing landing point event and the retained operation events; S6-5, taking the causal slice and the differential boundary type as input and generating a causal slice evidence packet comprising the differential boundary type, the event identifications of the crossing starting point event and the crossing landing point event, an event identification list of all operation events in the causal slice and the identity delegation chain digest corresponding to the causal slice, writing each causal slice in the same evidence structure, sorting by occurrence time sequence information, and outputting the causal slice evidence packet comprising the differential boundary type, the key operation event identifications and the identity delegation chain digest.
- 10. An authority boundary-oriented intelligent agent sensitive operation tracking system, comprising an event extraction module, a boundary labelling module, a delegation attribution module, an effect identification module, a minimum solving module and a differential evidence collection module, characterized in that: the event extraction module is used for obtaining a plurality of operation events generated by the intelligent agent in the process of executing a task as input, extracting event identification, subject identity information, accessed object information, operation type information and occurrence time sequence information for each operation event, and outputting an event sequence; the boundary labelling module is used for taking the event sequence and a preset authority boundary description set as input, calculating the corresponding boundary context of each operation event, identifying whether an authority boundary crossing occurs, and outputting an event sequence with boundary context labels and a boundary crossing candidate set; the delegation attribution module is used for taking the event sequence with boundary context labels, the subject identity information and a preset identity delegation analysis rule as input, calculating identity jump associations among the operation events, generating a corresponding identity delegation chain digest, and outputting an enhanced event sequence containing the identity delegation chain digest; the effect identification module is used for taking the enhanced event sequence, a preset sensitive effect type set and its effect equivalence rule as input, identifying a target effect related to a sensitive effect in the event sequence, constructing the real boundary crossing set that reaches the target effect, and outputting a target effect description and the real boundary crossing set; the minimum solving module is used for taking the target effect description, the effect equivalence rule, the authority boundary description set and a preset minimum crossing solving rule as input, generating the minimum boundary crossing set required while keeping the target effect unchanged, and outputting the minimum boundary crossing set; and the differential evidence collection module is used for taking the real boundary crossing set and the minimum boundary crossing set as input, calculating the difference between the real boundary crossing set and the minimum boundary crossing set, extracting the key operation events corresponding to the difference to form a causal slice evidence packet, outputting the causal slice evidence packet containing the differential boundary type, the key operation event identifications and the identity delegation chain digest, and carrying out verifiable necessity judgment and tracking attribution of a chain-type sensitive result that crosses the authority boundary.
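The following Python model is an added illustration, not code from the patent or its assignee: it implements the boundary context and crossing labels of S2 (claim 3), the token backtracking and delegation chain digest of S3 (claim 4), and the crossing fingerprint difference of S6-1/S6-2 (claim 8) on a constructed three-event task. The event field layout, the env_of() time-to-environment mapping and the SAMPLE events are assumptions made for the illustration.

```python
# Added illustration, not code from the patent: a compact model of S2 (boundary
# context and crossing labels, claim 3), S3 (token backtracking to an identity
# delegation chain digest, claim 4) and S6-1/S6-2 (crossing fingerprint difference,
# claim 8). The event layout, env_of() mapping and SAMPLE events are assumptions.
import hashlib

def fixed_length_digest(s: str) -> str:
    """Fixed-length digest as used for event ids and chain digests (S1-1, S3-3)."""
    return hashlib.sha256(s.encode()).hexdigest()[:16]

def env_of(ts: int) -> str:
    """Assumed time-sequence-side mapping (S2-1): early window is prod, later staging."""
    return "prod" if ts < 100 else "staging"

def boundary_context(ev: dict) -> dict:
    """S2-1: subject-side, object-side and time-sequence-side boundary key values."""
    return {
        "tenant": ev["subject"]["tenant"],
        "identity_category": ev["subject"]["category"],
        "resource_tenant": ev["object"]["tenant"],
        "resource_domain": ev["object"]["domain"],
        "environment": env_of(ev["ts"]),
    }

def label_crossings(events: list) -> list:
    """S2-2/S2-3: compare adjacent contexts earliest-first; the later event of any
    differing pair gets a crossing label {item: (before, after)}."""
    out, prev = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        ctx = boundary_context(ev)
        crossing = {} if prev is None else {
            k: (prev[k], v) for k, v in ctx.items() if prev[k] != v}
        out.append({**ev, "context": ctx, "crossing": crossing})
        prev = ctx
    return out

def delegation_chain(events: list, idx: int) -> list:
    """S3-2: from events[idx], follow parent_token to the nearest earlier event whose
    access token equals it, until no parent remains. Returned start-point first."""
    chain, parent = [events[idx]], events[idx].get("parent_token")
    while parent:
        earlier = [e for e in events[:idx] if e["token"] == parent]
        if not earlier:
            break  # parent token never observed: chain cannot be traced further
        direct = max(earlier, key=lambda e: e["ts"])  # closest in time
        chain.append(direct)
        parent = direct.get("parent_token")
    return chain[::-1]

def chain_digest(chain: list) -> str:
    """S3-3: concatenate principal id and category along the chain, then digest."""
    return fixed_length_digest(
        "|".join(f'{e["subject"]["id"]}:{e["subject"]["category"]}' for e in chain))

def enrich(events: list) -> list:
    """Produce the enhanced event sequence: context, crossing label, chain digest."""
    labelled = label_crossings(events)
    for i, ev in enumerate(labelled):
        ev["chain_digest"] = chain_digest(delegation_chain(labelled, i))
    return labelled

def crossing_fingerprints(events: list) -> set:
    """S6-1: one 'type:before->after' fingerprint string per crossing item."""
    return {f"{k}:{b}->{a}" for e in events for k, (b, a) in e["crossing"].items()}

def fingerprint_diff(real: set, minimal: set) -> dict:
    """S6-2: excess = in real but not minimal; missing = in minimal but not real."""
    return {"excess": real - minimal, "missing": minimal - real}

# Constructed sample: a user query, a delegated report call, then an asynchronous
# export that lands in another tenant during a later environment window.
SAMPLE = [
    {"id": "e1", "ts": 10, "token": "t1", "parent_token": None, "op": "query",
     "subject": {"id": "alice", "tenant": "A", "category": "user"},
     "object": {"tenant": "A", "domain": "data"}},
    {"id": "e2", "ts": 20, "token": "t2", "parent_token": "t1", "op": "report",
     "subject": {"id": "svc-report", "tenant": "A", "category": "service"},
     "object": {"tenant": "A", "domain": "report"}},
    {"id": "e3", "ts": 120, "token": "t3", "parent_token": "t2", "op": "export",
     "subject": {"id": "svc-export", "tenant": "A", "category": "service"},
     "object": {"tenant": "B", "domain": "export"}},
]

if __name__ == "__main__":
    enhanced = enrich(SAMPLE)
    for ev in enhanced:
        print(ev["id"], ev["chain_digest"], ev["crossing"])
    # Hypothetical minimum set: only the cross-tenant export is needed for the
    # target effect, so every other crossing shows up as excess.
    print(fingerprint_diff(crossing_fingerprints(enhanced), {"resource_tenant:A->B"}))
```

The excess set is what S6-3 would turn into key operation event pairs: crossings that the task actually performed but that the minimum solution shows were not needed to reach the same effect.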
Description
Authority boundary-oriented intelligent agent sensitive operation tracking method and system
Technical Field
The invention relates to the technical field of computer security and access control auditing, in particular to an authority boundary-oriented intelligent agent sensitive operation tracking method and system.
Background
In the field of authority boundary management, the prior art mainly addresses the problems of leaving a traceable record and preventing obvious privilege overreach as far as possible while an intelligent agent executes a task: audit logs are recorded at the interfaces of each service system and tool, each call is marked with a uniform link identifier, the logs are converged to a centralized audit platform, an access control policy decides whether a single request is allowed, and abnormal operations are found by rule-based or behaviour analysis and raise an alarm. Taking the data analysis and operation performed by an enterprise-internal agent assistant as an example, the agent often needs to switch identities between user authorization and service accounts, first querying data in one system, then invoking another system to generate a report, and possibly handing tasks to a message queue so that files are exported or configuration is issued by asynchronous operations. This scenario has several hard constraints that are difficult to avoid: first, sensitive data cannot be written into the tracking record; second, asynchronous operations and retries must remain traceable back to their source; and third, the scope for modifying legacy systems is limited and online performance can be noticeably degraded. Under these constraints the mainstream approach is stable but has an observable defect: when a sensitive result is not caused by one obvious privilege overreach but is assembled from several steps that each pass their checks individually, and only actually lands at the asynchronous end, the existing logs and link identifiers can only show which calls occurred; they cannot easily show whether the boundary-crossing steps were necessary, and cannot easily or reliably trace the final result back to the original authorization and the key crossing point. In practice, the same kind of task often has link breaks at message queues and callback positions, alarms can barely be reconstructed by manually splicing several logs, different people often reach different conclusions when replaying, and for behaviour that splits a sensitive operation into several small steps the system cannot give a clear reason, producing either frequent false alarms or long-term missed alarms. The application aims to solve the technical problem of achieving verifiable necessity judgment for chain-type sensitive results crossing authority boundaries and completing reliable tracking attribution, without recording sensitive content, while remaining compatible with multi-system, multi-identity and asynchronous links, and while fitting the nearby processing of edge computing and its coordination with the centre.
Disclosure of Invention
In order to overcome the defects of the prior art, the embodiment of the invention provides an authority boundary-oriented intelligent agent sensitive operation tracking method and system, which achieve traceable cross-system, cross-identity correlation by marking the boundary context of each operation event in a task and generating an identity delegation chain digest based on token backtracking, then construct a real boundary crossing set, solve a minimum boundary crossing set, carry out differential evidence collection and output a causal slice evidence package, so as to solve the problems in the background art.
In order to achieve the above purpose, the invention provides an authority boundary-oriented intelligent agent sensitive operation tracking method, which comprises the following steps: S1, acquiring a plurality of operation events generated by an agent in a task execution process as input, extracting event identification, subject identity information, accessed object information, operation type information and occurrence time sequence information for each operation event, and outputting an event sequence; S2, taking the event sequence and a preset authority boundary description set as input, calculating the corresponding boundary context of each operation event, identifying whether an authority boundary crossing occurs, and outputting an event sequence with boundary context labels and a boundary crossing candidate set; S3, taking the event sequence with boundary context labels, the subject identity information and a preset identity delegation analysis rule as input, calculating identity jump associations among the operation events, generating a corresponding identity delegation chain digest, and outputting an enhanced event sequence containing the identity delegation chain digest; S4, taking the enhanced event sequence, a prese