CN-122020664-A - Cloud computing security control system for communication cloud platform
Abstract
The invention relates to a cloud computing security control system for a Xinchuang (trusted-innovation) cloud platform, which belongs to the field of cloud computing security and comprises a Xinchuang trusted computing base construction module, a computing behavior fingerprint monitoring and analysis module, a security function service meshing management module, a cross-layer heterogeneous security braiding engine and a data security situation label management module. The Xinchuang trusted computing base construction module constructs a trusted boot chain and dynamically measures and verifies the virtualization monitor and key system components; the computing behavior fingerprint monitoring and analysis module collects operation data, extracts a computing behavior fingerprint representing the normal behavior pattern, computes its similarity with a reference fingerprint and outputs a dynamic security confidence score; the security function service meshing management module decomposes multiple security capabilities into SFV micro-service instances; the cross-layer heterogeneous security braiding engine receives multi-source security information and matches it against predefined linkage response strategies; and the data security situation label management module automatically attaches security situation labels to data at key nodes and updates them. The system can be deeply integrated into the Xinchuang cloud bottom layer and has active immunity and elastic defense capability.
Inventors
- WU PENG
Assignees
- 天翼数字生活科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260127
Claims (10)
- 1. A cloud computing security control system for a Xinchuang (trusted-innovation) cloud platform, comprising: a Xinchuang trusted computing base construction module, configured to forcibly enable, when the physical server boots, the security instruction set built into the CPU, the hardware trusted cryptography module TCM and the hardware trusted platform module TPM, and to construct a trusted boot chain; to dynamically measure and verify the virtualization monitor and key system components using the trusted boot chain; and, if measurement and verification succeed, to implant a lightweight security hook into the virtualization monitor, intercept and monitor the operations of key virtual machines through the security hook, and thereby build a software-and-hardware-integrated trusted computing base at the trusted bottom layer; a computing behavior fingerprint monitoring and analysis module, configured to collect the operation data of virtual machines or containers, extract from the time-series data, using a lightweight deep temporal convolutional network model, a computing behavior fingerprint representing the normal behavior pattern, compute the similarity between the computing behavior fingerprint and a reference fingerprint, and output a dynamic security confidence score, the behavior being judged abnormal and an alarm being triggered when the security confidence score is lower than a threshold; a security function service meshing management module, comprising a mesh control plane and a mesh data plane, configured to perform security function virtualization on a plurality of security capabilities and decompose them into a plurality of independently containerized SFV micro-service instances; a cross-layer heterogeneous security braiding engine, configured to receive multi-source security information through a unified security situation awareness center to form a global security situation view, match it against predefined linkage response strategies, and execute a response according to the matched strategy; and a data security situation label management module, configured to automatically attach a security situation label to a data object at key nodes and update it, wherein, when a data access request is received, the real-time security situation label of the data object is mandatorily checked and whether the data access is allowed is decided according to the check result.
- 2. The cloud computing security control system for a Xinchuang cloud platform of claim 1, wherein the trusted boot chain is configured to perform dynamic measurement and verification step by step, based on a cryptographic algorithm, from the hardware BIOS through the Bootloader and the host OS to the virtualization monitor.
- 3. The cloud computing security control system for a Xinchuang cloud platform as claimed in claim 1, wherein, when the dynamic measurement and verification of the virtualization monitor and key system components by the Xinchuang trusted computing base construction module fails, the boot process is terminated and an alarm is issued.
- 4. The cloud computing security control system for a Xinchuang cloud platform as recited in claim 1, wherein the operation data collected by the computing behavior fingerprint monitoring and analysis module comprises CPU instruction heat maps, system call sequences, memory access patterns and network connection behaviors.
- 5. The cloud computing security control system for a Xinchuang cloud platform according to claim 1, wherein, when the computing behavior fingerprint monitoring and analysis module determines that the security confidence score is lower than the threshold, it judges the behavior abnormal, triggers an alarm and reports the alarm to the cross-layer heterogeneous security braiding engine; and when it determines that the security confidence score is equal to or higher than the threshold, it judges the state normal and continues to monitor the operation data.
- 6. The cloud computing security control system for a Xinchuang cloud platform of claim 1, wherein the mesh control plane is configured to manage the registration, discovery, lifecycle management and policy distribution of SFV micro-service instances.
- 7. The cloud computing security control system for a Xinchuang cloud platform of claim 1, wherein the SFV micro-service instances include firewall, intrusion detection, virus scanning and data encryption micro-services.
- 8. The cloud computing security control system for a Xinchuang cloud platform of claim 1, wherein the multi-source security information comprises security information from the hardware trusted cryptography module TCM, the hardware trusted platform module TPM and the security hooks of the virtual machine monitor VMM, the computing behavior fingerprints, and the security events and telemetry data of each SFV micro-service instance.
- 9. The cloud computing security control system for a Xinchuang cloud platform as recited in claim 1, wherein the security situation label comprises the data sensitivity level, the owning tenant, the current computing environment security score and a processing history hash.
- 10. The cloud computing security control system for a Xinchuang cloud platform of claim 1, wherein the data security situation label management module records the change history of the data security situation label through a security log.
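As an added illustration of the trusted boot chain described in claims 1 to 3 (this is example code, not code from the patent or its assignee), the following Python simulates step-by-step measurement of the BIOS, Bootloader, host OS and virtualization monitor against golden reference digests, terminates with an alarm on the first mismatch, and allows the lightweight security hook to be installed only when the whole chain verifies. The stage names, the constructed images, SHA-256 as the measurement hash and the TPM-style extend register are all assumptions; the patent does not specify the cryptographic algorithm.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Measurement order from claim 2: BIOS -> Bootloader -> host OS -> virtualization monitor.
BOOT_CHAIN = ["BIOS", "Bootloader", "HostOS", "VirtualizationMonitor"]

# Constructed stand-ins for the real firmware and binary images (not real artifacts).
GOOD_IMAGES: Dict[str, bytes] = {
    "BIOS": b"bios-v1.0-signed",
    "Bootloader": b"bootloader-v2.3",
    "HostOS": b"hostos-kernel-6.6",
    "VirtualizationMonitor": b"vmm-build-1042",
}


def measure(image: bytes) -> str:
    # SHA-256 stands in for whatever hash the trusted module actually uses (assumption).
    return hashlib.sha256(image).hexdigest()


def extend(register: str, digest: str) -> str:
    # TPM-style extend: new = H(old || measured digest). The result depends on the
    # order of measurements, so a stage cannot be skipped or reordered unnoticed.
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(digest)).hexdigest()


def build_reference(images: Dict[str, bytes]) -> Dict[str, str]:
    """Golden per-stage digests, computed once from known-good images and kept in the trusted module."""
    return {stage: measure(images[stage]) for stage in BOOT_CHAIN}


def expected_register(reference: Dict[str, str]) -> str:
    """Final register value that a fully verified chain must reach."""
    reg = "00" * 32
    for stage in BOOT_CHAIN:
        reg = extend(reg, reference[stage])
    return reg


@dataclass
class BootResult:
    trusted: bool
    verified: List[str] = field(default_factory=list)
    failed_at: Optional[str] = None
    alarm: Optional[str] = None
    register: str = "00" * 32
    hook_installed: bool = False


def run_trusted_boot(images: Dict[str, bytes], reference: Dict[str, str]) -> BootResult:
    """Measure-then-verify each stage in order; claim 3: stop and alarm on the first mismatch."""
    result = BootResult(trusted=False)
    for stage in BOOT_CHAIN:
        digest = measure(images[stage])
        result.register = extend(result.register, digest)
        if digest != reference[stage]:
            result.failed_at = stage
            result.alarm = f"ALARM: measurement of {stage} does not match reference; boot terminated"
            return result  # later stages are never measured or started
        result.verified.append(stage)
    # Every stage matched and the accumulated register agrees with the expected value.
    result.trusted = result.register == expected_register(reference)
    # Claim 1: the lightweight hook is implanted only after successful verification.
    result.hook_installed = result.trusted
    return result


if __name__ == "__main__":
    ref = build_reference(GOOD_IMAGES)
    print(run_trusted_boot(GOOD_IMAGES, ref))
    tampered = dict(GOOD_IMAGES, HostOS=b"hostos-kernel-6.6-patched")
    print(run_trusted_boot(tampered, ref))
```

The register is extended before the comparison so that even a failed boot leaves an auditable value describing what was actually measured; the defender-side checks are the per-stage digest comparison and the final register comparison, and the hook flag is derived from the verification result rather than set independently.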
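As an added illustration of the runtime path in claims 1, 5, 8, 9 and 10 (example code written for this page, not code from the patent or its assignee), the following Python builds a computing behavior fingerprint from a system call sequence, scores it against a reference fingerprint, raises an alarm to the braiding engine when the confidence score falls below the threshold, matches the alarm against predefined linkage response strategies, updates the data security situation label (with a chained processing history hash and a log entry), and applies the mandatory label check on a data access request. The bigram histogram in place of the patent's temporal convolutional network, the cosine similarity score, the threshold value, the strategy table, the per-sensitivity minimum environment score and all traces are assumptions.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONFIDENCE_THRESHOLD = 0.8  # assumed value; the patent leaves the threshold open


def fingerprint(syscalls: List[str]) -> Dict[Tuple[str, str], float]:
    """Normalised bigram histogram of a syscall sequence (stand-in for the patent's model)."""
    bigrams = Counter(zip(syscalls, syscalls[1:]))
    total = sum(bigrams.values()) or 1
    return {k: v / total for k, v in bigrams.items()}


def confidence_score(fp: Dict, ref: Dict) -> float:
    """Cosine similarity between a fingerprint and the reference, in [0, 1]."""
    keys = set(fp) | set(ref)
    dot = sum(fp.get(k, 0.0) * ref.get(k, 0.0) for k in keys)
    na = math.sqrt(sum(v * v for v in fp.values()))
    nb = math.sqrt(sum(v * v for v in ref.values()))
    return dot / (na * nb) if na and nb else 0.0


def judge(score: float) -> Optional[dict]:
    """Claim 5: below threshold -> abnormal; the alarm is reported to the braiding engine."""
    if score < CONFIDENCE_THRESHOLD:
        return {"source": "behavior_fingerprint", "event": "abnormal", "score": score}
    return None


# Predefined linkage response strategies (constructed examples of claim 1's engine).
STRATEGIES = [
    {"source": "behavior_fingerprint", "event": "abnormal", "response": "isolate_vm_and_downgrade_env_score"},
    {"source": "tcm", "event": "measurement_mismatch", "response": "terminate_boot"},
]


def match_strategy(event: dict) -> Optional[str]:
    for s in STRATEGIES:
        if s["source"] == event["source"] and s["event"] == event["event"]:
            return s["response"]
    return None


@dataclass
class SituationLabel:
    """Claim 9: sensitivity level, owning tenant, environment security score, history hash."""
    sensitivity: int            # 1 (public) .. 4 (core), assumed scale
    tenant: str
    env_score: float            # current computing-environment security score
    history_hash: str = field(default_factory=lambda: hashlib.sha256(b"genesis").hexdigest())
    log: List[str] = field(default_factory=list)

    def update(self, node: str, env_score: float) -> None:
        # Claim 10: every change is chained into the history hash and written to the security log.
        self.env_score = env_score
        record = f"{node}|{env_score:.3f}|{self.history_hash}"
        self.history_hash = hashlib.sha256(record.encode()).hexdigest()
        self.log.append(record)


# Minimum environment score required per sensitivity level (assumed policy).
REQUIRED_ENV_SCORE = {1: 0.0, 2: 0.5, 3: 0.8, 4: 0.95}


def check_access(label: SituationLabel, tenant: str) -> bool:
    """Mandatory real-time label check on every data access request (claim 1)."""
    return tenant == label.tenant and label.env_score >= REQUIRED_ENV_SCORE[label.sensitivity]


def run_pipeline():
    """Constructed traces: a steady read/write loop is the reference; the second trace differs."""
    normal = ["read", "write", "read", "write", "read", "write", "read", "write"]
    odd = ["open", "mmap", "execve", "connect", "connect", "execve"]
    ref = fingerprint(normal)
    label = SituationLabel(sensitivity=3, tenant="tenant-a", env_score=0.9)
    events = []
    for name, trace in [("vm-normal", normal), ("vm-odd", odd)]:
        score = confidence_score(fingerprint(trace), ref)
        alarm = judge(score)
        if alarm and match_strategy(alarm) == "isolate_vm_and_downgrade_env_score":
            # The matched strategy lowers the environment score carried by the label.
            label.update(node=name, env_score=score)
        events.append((name, round(score, 3), alarm is not None))
    return events, label


if __name__ == "__main__":
    evts, lbl = run_pipeline()
    print(evts, lbl.env_score, check_access(lbl, "tenant-a"))
```

The access decision reads only the label's current state, so a downgraded environment score blocks access to sensitive data immediately, and the chained history hash lets an auditor verify that the recorded sequence of label changes was not edited after the fact.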
Description
Cloud computing security control system for communication cloud platform

Technical Field

The invention belongs to the field of cloud computing security, and particularly relates to a cloud computing security control system for a Xinchuang (trusted-innovation) cloud platform.

Background

With the deep advancement of the Xinchuang industry, cloud platforms built on domestic CPUs, operating systems and virtualization technologies have become important infrastructure for carrying key services. However, traditional cloud security schemes mostly adopt an externally attached, boundary-protection approach, and several pain points exist:

1. Low coupling with the Xinchuang bottom-layer software and hardware. Traditional schemes can hardly make full use of the unique security capabilities built into domestic CPUs, such as the security instruction set and hardware trusted modules (for example TCM/TPM implementing the Chinese national cryptographic standards), so these capabilities cannot be deeply embedded in the platform core.
2. Protection lag and static nature. Protection that relies on feature-library updates can hardly cope with unknown threats (0-day attacks) and lateral-movement attacks inside the cloud. Security policies are usually static configuration and cannot adapt to the dynamic changes of the cloud environment. The traditional protection paradigm is static: security evaluation and policy decisions happen when a device first joins the network or at fixed periods, that is, a point-in-time authentication. In addition, the security dimension is single: trust assessment depends heavily on traditional static attributes such as certificates and software integrity measurement (that is, the root of trust in the prior art is built on software certificates and integrity verification), while the hardware performance entropy of the device's bottom layer, a dynamic security element that is hard to tamper with, is not fully used, so the identity authentication dimension is single and the anti-counterfeiting capability is limited.
3. Security resources cannot scale elastically on demand the way compute and storage resources do, and easily become a performance bottleneck or cause resource waste.
4. Data security and compliance challenges. In a multi-tenant, multi-component cooperative cloud environment, the dynamic security state of data is hard to track and guarantee continuously, and high-level data compliance requirements cannot be met.
5. Difficult coordination in heterogeneous environments. A Xinchuang cloud platform often contains several domestic technology routes (such as Phytium (Feiteng), Kunpeng and Loongson), and traditional schemes can hardly achieve unified, cooperative security management and control across heterogeneous computing power. The traditional defense system is also isolated: when a single device is compromised, there is no effective multi-device cooperative authentication mechanism to quickly perceive and share threat information and carry out a cooperative response within the device group, so single-point failures and risk spread occur easily.

In summary, traditional cloud security schemes adopt an externally attached, boundary-protection approach and have many pain points, including low coupling with the Xinchuang bottom-layer software and hardware, protection lag and static nature, lack of endogenous elastic security capability, data security and compliance challenges, and difficult coordination in heterogeneous environments. A cloud security control system with endogenous security capability and active, elastic defense, deeply compatible with the technical characteristics of Xinchuang, is therefore needed.

Disclosure of Invention

In view of the shortcomings of the prior art, the invention aims to provide a cloud computing security control system for a Xinchuang cloud platform which can be deeply integrated into the Xinchuang cloud bottom layer and has active immunity and elastic defense capability. The invention provides a cloud computing security control system for a Xinchuang cloud platform, which comprises the following components: a Xinchuang trusted computing base construction module, used for forcibly enabling, when the physical server boots, the security instruction set built into the CPU, the hardware trusted cryptography module TCM and the hardware trusted platform module TPM, and constructing a trusted boot chain; dynamically measuring and verifying the virtualization monitor and key system components using the trusted boot chain; if measurement and verification succeed, implanting a lightweight security hook into the virtualization monitor, intercepting and monitoring the operations of key virtual machines through the security hook, and final