
US-20260127307-A1 - FINE-GRAIN CONTROL SYSTEM USING PERMISSION RULES GENERATED BY A LANGUAGE MODEL


Abstract

A system management application includes program instructions for monitoring performance of a process running on a compute node of a computing system and providing a plurality of permission rules to be implemented by a fine-grain control system running on the compute node. Each permission rule instructs the fine-grain control system to permit or deny the process with access to specific resources. Access error data is received from the compute node identifying an access error indicating that the process was denied access to a specific resource by the fine-grain control system. The access error data is provided to an artificial intelligence model that has been trained to generate permission rules and an update of the permission rules is generated, wherein the update permits the process to access the specific resource. The update is then provided to the fine-grain control system.

Inventors

  • Christian de Hoyos
  • Igor Stolbikov
  • Scott Li
  • Rod D Waltermann

Assignees

  • Lenovo Global Technology (United States) Inc.

Dates

Publication Date
20260507
Application Date
20241107

Claims (20)

  1. A computer program product comprising a non-transitory computer readable storage medium and program instructions embodied therein, the program instructions being configured to be executable by a processor to cause the processor to perform operations comprising: monitoring performance of a process running on a compute node of a computing system; providing a plurality of permission rules to be implemented by a fine-grain control system running on the compute node, wherein, for each of the permission rules, the permission rule instructs the fine-grain control system to permit or deny the process with access to one or more files and/or one or more other processes identified by the permission rule; receiving access error data from the compute node that identifies an access error experienced by the process, wherein the access error indicates that the process attempted to access a specific resource and was denied access to the specific resource by the fine-grain control system; providing the access error data to an artificial intelligence model that has been trained to generate permission rules for processes; receiving an update of the permission rules from the artificial intelligence model, wherein the update of the permission rules permits the process to access the specific resource indicated by the access error; and providing the update of the permission rules to the fine-grain control system running in the computing system.
  2. The computer program product of claim 1, wherein the resource is selected from a file, folder, process and/or logical port.
  3. The computer program product of claim 1, wherein the update of the permission rules includes a revision to one or more of the permission rules and/or an additional permission rule.
  4. The computer program product of claim 1, wherein the access error data is included in an output log.
  5. The computer program product of claim 1, wherein the permission rules include a restrictive rule that prevents the process from accessing one or more specific resources that are expressly identified.
  6. The computer program product of claim 1, wherein the permission rules include a permissive rule that allows the process to access only one or more specific resources that are expressly identified.
  7. The computer program product of claim 1, wherein the artificial intelligence model generates the update of the permission rules during operation of the process on the computing system running the fine-grain control system.
  8. The computer program product of claim 1, wherein the artificial intelligence model is a language model.
  9. The computer program product of claim 1, wherein the operations of receiving access error data from the compute node, providing the access error data to the artificial intelligence model, receiving an update of the permission rules from the artificial intelligence model, and providing the update of the permission rules to the fine-grain control system running in the computing system are repeated continuously, periodically, and/or in response to some event.
  10. The computer program product of claim 1, further comprising: receiving real-time threat data from the compute node that identifies a threat posed against the process by another process accessing the process or one of the resources to which the process has access; providing the real-time threat data to the artificial intelligence model; receiving a second update of the permission rules from the artificial intelligence model, wherein the second update of the permission rules prevents the threat posed against the process indicated by the threat data; and providing the second update of the permission rules to the fine-grain control system running in the computing system.
  11. The computer program product of claim 1, wherein the computing system runs a plurality of fine-grain control systems, wherein the operation of providing a plurality of permission rules to be implemented by a fine-grain control system running on the compute node includes providing a plurality of permission rules to be implemented by each of the fine-grain control systems, and wherein the operation of providing the update of the permission rules to the fine-grain control system running in the computing system includes providing the update of the permission rules to the fine-grain control system running on the compute node where the process that experienced the access error is also running.
  12. The computer program product of claim 11, wherein the plurality of fine-grain control systems running in the computing system include at least one fine-grain control system running on each of a plurality of compute nodes within the computing system.
  13. The computer program product of claim 11, wherein the plurality of fine-grain control systems running in the computing system include at least one fine-grain control system running on each of a plurality of layers of a software stack running on at least one compute node within the computing system.
  14. The computer program product of claim 1, wherein the operation of providing the access error data to an artificial intelligence model that has been trained to generate permission rules for processes includes providing the access error data to a plurality of artificial intelligence models that have been trained to generate permission rules for processes, wherein the operation of receiving an update of the permission rules from the artificial intelligence model includes receiving an updated permission rule from each of the plurality of artificial intelligence models, and wherein, for each of the plurality of artificial intelligence models, the updated permission rule received from the artificial intelligence model is provided to the fine-grain control system running in the computing system.
  15. The computer program product of claim 1, further comprising: training the artificial intelligence model with training data that includes threat data, software code and software build scripts, security specifications and configurations, and/or information describing the software architecture of the process.
  16. The computer program product of claim 15, wherein the training data further includes information describing standard behavior of the process, software installation scripts, and/or an installed configuration of software applications.
  17. The computer program product of claim 1, further comprising: training the artificial intelligence model with training data that includes paired input data matching an access error and/or a threat with a revised access rule that is known to mitigate the access error or the threat.
  18. The computer program product of claim 1, further comprising: identifying necessary computing system behaviors during the build, testing, and deployment of the computing system; and generating the permission rules for the specific fine-grain control system to permit the necessary computing system behaviors.
  19. The computer program product of claim 1, further comprising: causing the artificial intelligence model to be dynamically fine-tuned with the access error data and/or threat data.
  20. The computer program product of claim 1, wherein one or more of the permission rules restricts system calls from a service, a specific IP address and/or a specific user from executing a specific command on a specific file.

Description

BACKGROUND

The present disclosure relates to the use of fine-grain control systems to improve security in a computing system.

BACKGROUND OF THE RELATED ART

Many complex, multi-component systems need to run multiple software components in a computing system, but managing security for these multiple software components is a challenge. It is generally ineffective to simply rely upon network security to keep everything within the network secure. Fine-grain control systems provide security that is separately configurable at the asset level, meaning that the permission rules implemented on each asset (i.e., software and hardware component or product) can be customized or specific to that asset.

Fine-grain control systems like Security-Enhanced Linux (SELinux), AppArmor or Java security managers provide a robust framework for access control and mandatory access controls (MAC) on Linux systems. For example, SELinux is a Linux kernel security module. The kernel is at the core of an operating system and has control over conflicts between processes and interactions between software and hardware components. SELinux was developed by the National Security Agency (NSA) in collaboration with the open-source community to implement a fine-grained permissions model. Unlike traditional discretionary access controls (DAC), which rely on user and group ownership, SELinux allows administrators to define and enforce policies that specify the actions and processes that users can perform on resources.

SELinux policy is a set of permission rules that defines which processes (i.e., an instance of a computer program being executed) can access which files, directories (folders), and ports (i.e., TCP or UDP ports). The permission rules identify processes and define whether the identified processes are permitted to access certain files and other processes. If a particular action that a process wants to perform is not explicitly permitted in the installed policy, SELinux will deny it.
With the permission rules established, the fine-grain control system will only permit an application or process to access certain files (perhaps identified by filename and/or file type) and other processes that the process requires to function. However, a fine-grain control system may have to support and maintain hundreds of fine-grain permission rules to specifically identify all of the different processes and the files and other processes that each process may access. The importance of SELinux lies in its ability to mitigate the impact of security vulnerabilities and limit the damage caused by malicious activities. By enforcing a strict set of rules, SELinux and similar fine-grain control systems prevent unauthorized access to components in a computing system and reduce the attack surface of the computing system, enhancing the overall security posture. SELinux (or another fine-grain control system) can play an important role in safeguarding sensitive data, protecting against privilege escalation, and maintaining the integrity of the computing system.

BRIEF SUMMARY

Some embodiments provide a computer program product comprising a non-transitory computer readable storage medium and program instructions embodied therein, the program instructions being configured to be executable by a processor to cause the processor to perform various operations. The operations comprise monitoring performance of a process running on a compute node of a computing system and providing a plurality of permission rules to be implemented by a fine-grain control system running on the compute node, wherein, for each of the permission rules, the permission rule instructs the fine-grain control system to permit or deny the process with access to one or more resources identified by the permission rule.
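The feedback loop the background and summary describe (a default-deny rule set keyed on process, resource and access type; access errors that surface in an output log; a rule update that permits the denied access) is sketched below as an added Python example. It is not code from the patent or from any Lenovo product. It assumes the SELinux AVC denial line format for the "output log", uses a deterministic rule proposer as a stand-in for the trained model, and models the claim 5 "restrictive rule" as an explicit `deny` effect that an update is not allowed to relax; real SELinux type enforcement has no runtime `deny` statement, so that part is a simplification for illustration. The sample audit lines are constructed, not captured from a system.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the fields of an SELinux AVC denial line that a rule needs:
# denied permissions, source/target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass(frozen=True)
class Rule:
    effect: str        # "allow", or "deny" for a restrictive rule (deny is a simplification here)
    source: str        # type of the process, e.g. httpd_t
    target: str        # type of the resource, e.g. var_log_t
    tclass: str        # object class: file, dir, tcp_socket, ...
    perms: frozenset   # access vectors: read, open, write, ...


def type_of(context: str) -> str:
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denial(line: str) -> Optional[Rule]:
    """Turn one AVC denial log line into the allow rule that would satisfy it."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Rule("allow", type_of(m["scontext"]), type_of(m["tcontext"]),
                m["tclass"], frozenset(m["perms"].split()))


def propose_updates(log_lines: Iterable[str]) -> list:
    """Deterministic stand-in for the trained model: one allow rule per
    (source, target, class) seen in the denials, with permissions merged."""
    merged = {}
    for line in log_lines:
        rule = parse_denial(line)
        if rule is None:
            continue
        key = (rule.source, rule.target, rule.tclass)
        merged[key] = merged.get(key, frozenset()) | rule.perms
    return [Rule("allow", s, t, c, p) for (s, t, c), p in merged.items()]


class Policy:
    """Default-deny rule set: access needs an explicit allow and no matching deny."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    @staticmethod
    def _matches(r: Rule, source: str, target: str, tclass: str) -> bool:
        return r.source == source and r.target == target and r.tclass == tclass

    def is_permitted(self, source: str, target: str, tclass: str, perm: str) -> bool:
        allowed = False
        for r in self.rules:
            if self._matches(r, source, target, tclass) and perm in r.perms:
                if r.effect == "deny":
                    return False   # a restrictive rule always wins
                allowed = True
        return allowed

    def apply_update(self, proposed: Iterable[Rule]):
        """Merge proposed allow rules, refusing any that would relax a deny rule."""
        accepted, rejected = [], []
        for p in proposed:
            conflicts = any(r.effect == "deny" and self._matches(r, p.source, p.target, p.tclass)
                            and r.perms & p.perms for r in self.rules)
            if conflicts:
                rejected.append(p)   # held for human review, not applied automatically
            else:
                self.rules.append(p)
                accepted.append(p)
        return accepted, rejected


def to_te(rule: Rule) -> str:
    """Render a rule in SELinux type-enforcement syntax."""
    return f"{rule.effect} {rule.source} {rule.target}:{rule.tclass} {{ {' '.join(sorted(rule.perms))} }};"


# Constructed sample audit lines (not captured from a real system).
SAMPLE_LOG = [
    'type=AVC msg=audit(1730000000.100:101): avc:  denied  { read open } for  pid=1234 comm="httpd" '
    'name="app.log" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1730000000.200:102): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'name="shadow" dev="dm-0" ino=17 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1730000000.200:102): arch=c000003e syscall=257 success=no exit=-13',
]

# A restrictive rule seeded at build time: the web server never reads the shadow file.
BASELINE = [Rule("deny", "httpd_t", "shadow_t", "file", frozenset({"read", "open", "getattr"}))]


def run_demo():
    """Run one iteration of the loop; returns (applied rules, rules held for review)."""
    policy = Policy(BASELINE)
    accepted, rejected = policy.apply_update(propose_updates(SAMPLE_LOG))
    return [to_te(r) for r in accepted], [to_te(r) for r in rejected]


if __name__ == "__main__":
    applied, held = run_demo()
    print("applied:", *applied, sep="\n  ")
    print("held for review:", *held, sep="\n  ")
```

The gate in `apply_update` is the point of the example: an update that permits whatever was denied is only safe if it cannot override the restrictive rules that were deliberately seeded, so proposals that collide with a `deny` rule are returned for review instead of being applied.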
The operations further comprise receiving access error data from the compute node that identifies an access error experienced by the process, wherein the access error indicates that the process attempted to access a specific resource and was denied access to the specific resource by the fine-grain control system. Still further, the operations comprise providing the access error data to an artificial intelligence model that has been trained to generate permission rules for processes and receiving an update of the permission rules from the artificial intelligence model, wherein the update of the permission rules permits the process to access the specific resource indicated by the access error. In addition, the operations further comprise providing the update of the permission rules to the fine-grain control system running in the computing system.

Some embodiments provide a method comprising various operations. The operations comprise monitoring performance of a process running on a compute node of a computing system and providing a plurality of permission rules to be implemented by a fine-grain control system running on the compute node, wherein, for each of the permission rules, the permissi