CN112202724B - Data aggregation method and device of all-in-one arrangement mode - Google Patents

Publication number: CN112202724B
Authority: CN (China)
Prior art keywords: response, event data, node, data, security event
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202010943671.7A
Other languages: Chinese (zh)
Other versions: CN112202724A
Inventors: 郭兰杰, 高辉力, 赵粤征
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Timeline: application CN202010943671.7A filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd; published as CN112202724A; granted and published as CN112202724B; legal status Active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general
    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 9/00: Arrangements for program control, e.g. control units
    • G06F 9/06: Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46: Multiprogramming arrangements
    • G06F 9/50: Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F 9/5005: Allocation of resources to service a request
    • G06F 9/5027: Allocation of resources to service a request, the resource being a machine, e.g. CPUs, servers, terminals

Abstract

The application relates to the technical field of network security, in particular to a data aggregation method and device for the all-in-one arrangement mode (a many-to-one orchestration pattern in which several upstream nodes feed one downstream node). The method is applied to an all-in-one arrangement structure comprising at least two upstream response nodes, a virtual node and a downstream response node, where the outputs of the at least two upstream response nodes are connected to the input of the virtual node and the output of the virtual node is connected to the input of the downstream response node. The method comprises the following steps: the virtual node acquires the security event data output by each upstream response node; the security event data are merged into a data set containing all of them, so that the downstream response node obtains the security event data from the data set and performs the corresponding response operation according to it. In this way several identical downstream response nodes no longer need to be arranged; the downstream response node only has to interface with the security event data of the virtual node, and execution efficiency is improved.

Description

Data aggregation method and device of all-in-one arrangement mode
Technical Field
The present application relates to the field of network security technologies, and in particular to a data aggregation method and apparatus for the all-in-one arrangement mode, that is, the many-to-one orchestration pattern in which several upstream nodes feed one downstream node.
Background
At present, Security Orchestration, Automation and Response (SOAR) is very important in the field of network security. A SOAR platform can flexibly orchestrate existing security capabilities, access various data sources, build scenarios by writing scripts and automate their execution. The orchestration flow supports several modes, including serial, parallel, one-to-many and many-to-one (the all-in-one arrangement mode discussed here).
In particular, in the all-in-one arrangement mode the input of the downstream response node is determined by the upstream response nodes; the more upstream response nodes there are, the more complicated it is for the downstream response node to select among their security event data. Moreover, a downstream response node only supports a response operation on the data of one upstream response node. When all upstream response nodes require a response operation and the required operation is the same, the prior art meets the requirement by arranging several downstream response nodes with the same function, which makes the operation flow complicated and makes poor use of the CPU.
Disclosure of Invention
The embodiments of the application provide a data aggregation method and device for the all-in-one arrangement mode, so as to simplify the operation flow of an all-in-one scenario and reduce the orchestration complexity for the user.
The embodiment of the application provides the following specific technical scheme:
A data aggregation method for the all-in-one arrangement mode is applied to an all-in-one arrangement structure, which comprises at least two upstream response nodes, a virtual node and a downstream response node; the outputs of the at least two upstream response nodes are connected to the input of the virtual node, and the output of the virtual node is connected to the input of the downstream response node. The method comprises the following steps:
the virtual node acquires the security event data output by each upstream response node, respectively;
and merging the security event data to generate a data set containing the security event data, so that the downstream response node acquires the security event data from the data set and performs the corresponding response operation according to it.
Optionally, merging the security event data to generate a data set containing the security event data specifically includes:
acquiring the data identifier corresponding to each piece of security event data, where each piece of security event data corresponds to one data identifier;
deduplicating the security event data according to the data identifiers;
and merging the deduplicated security event data to obtain a data set containing the security event data.
Optionally, after generating the data set containing the security event data, the method further includes:
judging whether the node identifiers corresponding to all upstream response nodes are present in the data set;
if all node identifiers are determined to be present in the data set, determining that the response of every upstream response node is complete, and generating a response completion instruction;
and sending the response completion instruction to the downstream response node, so that the downstream response node acquires the security event data from the data set according to the response completion instruction.
Optionally, the security event data at least includes one or any combination of the following: source IP, destination port, security event name, security event type.
A data aggregation device for the all-in-one arrangement mode is applied to an all-in-one arrangement structure, which comprises at least two upstream response nodes, a virtual node and a downstream response node; the outputs of the at least two upstream response nodes are connected to the input of the virtual node, and the output of the virtual node is connected to the input of the downstream response node. The device comprises:
an acquisition module, used to acquire the security event data output by each upstream response node, respectively;
and a processing module, used to merge the security event data to generate a data set containing the security event data, so that the downstream response node acquires the security event data from the data set and performs the corresponding response operation according to it.
Optionally, when merging the security event data to generate a data set containing the security event data, the processing module is specifically configured to:
acquire the data identifier corresponding to each piece of security event data, where each piece of security event data corresponds to one data identifier;
deduplicate the security event data according to the data identifiers;
and merge the deduplicated security event data to obtain a data set containing the security event data.
Optionally, after generating the data set containing the security event data, the processing module is further configured to:
judge whether the node identifiers corresponding to all upstream response nodes are present in the data set;
if all node identifiers are determined to be present in the data set, determine that the response of every upstream response node is complete, and generate a response completion instruction;
and send the response completion instruction to the downstream response node, so that the downstream response node acquires the security event data from the data set according to the response completion instruction.
Optionally, the security event data at least includes one or any combination of the following: source IP, destination port, security event name, security event type.
An electronic device comprises a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the steps of the above data aggregation method for the all-in-one arrangement mode.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the above data aggregation method for the all-in-one arrangement mode.
In the embodiments of the application, the virtual node acquires the security event data output by each upstream response node, merges it, and generates a data set containing all of the security event data; the downstream response node acquires the security event data from the data set of the virtual node and performs the corresponding response operation according to it. Because a virtual node is arranged between the upstream response nodes and the downstream response node, each upstream response node outputs its security event data to the virtual node and the downstream response node reads it from there. When every upstream response node needs the response operation defined by the downstream response node, several downstream response nodes with the same function no longer have to be arranged: the data from every upstream response node is processed by reading it from the virtual node's data set, which simplifies the operation flow. For the SOAR engine, the downstream node has to interface with only one source of security event data, the virtual node, instead of with each upstream response node separately, which reduces CPU usage and improves execution efficiency.
Drawings
FIG. 1 is a schematic diagram of an orchestration in the all-in-one arrangement mode in the prior art;
FIG. 2 is a flowchart of the data aggregation method for the all-in-one arrangement mode according to an embodiment of the present application;
FIG. 3 is a diagram of the data structure of the all-in-one arrangement mode according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the orchestration interface according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the construction of a virtual node in an embodiment of the present application;
FIG. 6 is a schematic diagram of an orchestration including a logic decision module according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of the data aggregation apparatus for the all-in-one arrangement mode according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, Security Orchestration, Automation and Response (SOAR) is very important in the field of network security. A SOAR platform can flexibly orchestrate existing security capabilities, access various data sources, build scenarios by writing scripts and automate their execution, and it supports complex and flexible orchestration modes such as serial, parallel, one-to-many and many-to-one (the all-in-one arrangement mode).
In particular, in the all-in-one arrangement mode the input data of the downstream response node is determined by the security event data output by the upstream response nodes, so the user must choose among several data sources when orchestrating; the more upstream response nodes there are, the more complicated the downstream response node's selection of security event data becomes, which greatly increases the difficulty of use.
Moreover, since a downstream response node only supports a response operation on the security event data output by one upstream response node, when all upstream response nodes require a response operation and the required operation is the same, several downstream response nodes with the same function must be arranged to process the security event data from the different upstream response nodes. Fig. 1 shows such an arrangement in the prior art: because upstream response node A and upstream response node B both require the response operation, two downstream response nodes C have to be arranged to serve them. This makes the operation flow complex and redundant and makes poor use of the Central Processing Unit (CPU).
The embodiments of the application therefore provide a data aggregation method for the all-in-one arrangement mode. A virtual node acquires the security event data output by each upstream response node, merges it and generates a data set containing all of it; the downstream response node acquires the security event data from the virtual node's data set and performs the corresponding response operation according to it. The security event data output by each upstream response node is thus stored in the virtual node, and when every upstream response node needs the response operation defined by the downstream response node, several identical downstream response nodes are no longer required, which simplifies the operation flow. For the SOAR engine, the downstream node interfaces with the security event data stored in the virtual node rather than with each upstream response node separately, which reduces CPU usage and improves execution efficiency.
Based on the foregoing embodiment, Fig. 2 is a flowchart of the data aggregation method for the all-in-one arrangement mode in the embodiment of the application, which specifically includes:
Step 200: the virtual node acquires the security event data output by each upstream response node, respectively.
The method in the embodiment of the application is applied to an all-in-one arrangement structure comprising at least two upstream response nodes, a virtual node and a downstream response node; the outputs of the at least two upstream response nodes are connected to the input of the virtual node, and the output of the virtual node is connected to the input of the downstream response node. When the upstream response nodes execute their response operations they output security event data, and the virtual node then acquires the security event data output by each upstream response node.
The security event data comprises at least one, or any combination, of the following: source IP, destination port, security event name, security event type.
The response operation of an upstream response node may be, for example, global blocking or host isolation; the embodiment of the application does not limit it.
Further, before the virtual node acquires the security event data output by each upstream response node, the data structure of the all-in-one arrangement mode must first be defined: the point (vertex) information of each upstream response node and the downstream response node, the edge information of each edge between an upstream response node and the downstream response node, and each edge's start point and end point.
The core fields of the point information of the upstream and downstream response nodes include at least a node identifier and attribute information. The point information may be defined by nodelist, for example, containing a node ID and attribute information; the attribute information may be, for example, a blocking type or a device type, which the embodiment of the application does not limit.
The edge information describes the connecting line between an upstream response node and the downstream response node and may be defined by linelist, for example.
The edge start point lies at the upstream response node and may be defined by from, for example.
The edge end point lies at the downstream response node and may be defined by to, for example.
For example, Fig. 3 is a schematic diagram of the data structure of the all-in-one arrangement mode in an embodiment of the application: upstream response nodes A, B and C and downstream response node D are the points; the edge start points are at A, B and C and the edge end point is at D; and the connecting lines A to D, B to D and C to D are the edges.
A specific example describes the data structure of the all-in-one arrangement mode in detail; Fig. 4 is a schematic diagram of the orchestration interface in an embodiment of the application.
Security event_1 is a threat event whose attribute data comprise rule ID: 490082, rule name: APACHE_HTTP_SERVCER, association rule template: common template, associated event template: template for APACHE_HTTP_SERVCER, rule state: enabled, aggregation window (s): 300, aggregation field: dip.
The upstream response nodes are A and B, namely global blocking_1 and host isolation_1.
The node identifier of global blocking_1 is A, and its attribute data are block type: IP blocking, blocking object: source IP, blocking cause: eeee, device type: ADS_V4.5R90F00, auto release: on, blocking time (min): 1.
The node identifier of host isolation_1 is B, and its attribute data comprise isolation object: source IP, device type: ADS_V4.5R90F00, isolation cause: ww, auto release: on, isolation time (min): 1.
The node identifier of the downstream response node, notification and early warning_1, is C, and its attribute data are subject: threat event generated, recipient: glj@1.com.cn, content summary: includes basic security event information.
After the data structure has been orchestrated, it is checked, based on that data structure, whether several edges end at C. If there are several edges ending at C, the downstream response node C is determined to have several upstream response nodes. In other words, it is judged whether one downstream response node corresponds to at least two upstream response nodes, and if so, a virtual node join_C is constructed at that moment.
It should be noted that the virtual node join_C is invisible to the user: the user sees only the downstream response node C, not join_C. join_C is used only to receive the security event data output by each upstream response node, merge it and store the merged security event data. In Fig. 5, A is an upstream response node, B is another upstream response node, join_C is the virtual node and C is the downstream response node.
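As an added example (not code from the patent or from NSFOCUS), the following Python sketches the graph check and rewrite described above: it finds every downstream node at which several edges end, and inserts a hidden virtual node join_<id> in front of it so that the downstream node reads from a single source. The field names nodelist, linelist, from and to are the ones the description uses; the dict layout, the node types, the hidden/expects keys, the sample recipient address and the join_ naming are assumptions made for illustration.

```python
from collections import defaultdict
from copy import deepcopy

# Constructed playbook, modelled on Fig. 4/5 of the description: two upstream
# response nodes A (global blocking) and B (host isolation) both feed the
# downstream notification node C. nodelist/linelist/from/to are the field names
# the description uses; the remaining keys are assumptions for this example.
PLAYBOOK = {
    "nodelist": [
        {"id": "A", "type": "global_block",   "attrs": {"block_type": "IP", "object": "source_ip"}},
        {"id": "B", "type": "host_isolation", "attrs": {"object": "source_ip"}},
        {"id": "C", "type": "notify",         "attrs": {"recipient": "soc@example.invalid"}},
    ],
    "linelist": [
        {"from": "A", "to": "C"},
        {"from": "B", "to": "C"},
    ],
}


def fan_in_targets(linelist):
    """Map each node with two or more incoming edges to its list of source nodes.

    This is the check the description performs after orchestration: do several
    edges end at the same downstream node?
    """
    incoming = defaultdict(list)
    for edge in linelist:
        incoming[edge["to"]].append(edge["from"])
    return {target: sources for target, sources in incoming.items() if len(sources) >= 2}


def insert_join_nodes(playbook):
    """Return a copy of the graph in which every fan-in target C is fed by one
    hidden virtual node join_C; the original upstream edges are redirected to it.
    """
    pb = deepcopy(playbook)
    targets = fan_in_targets(pb["linelist"])
    rewired = []
    for edge in pb["linelist"]:
        if edge["to"] in targets:
            rewired.append({"from": edge["from"], "to": f"join_{edge['to']}"})
        else:
            rewired.append(edge)
    for target, sources in targets.items():
        pb["nodelist"].append({
            "id": f"join_{target}",
            "type": "virtual_join",
            "hidden": True,              # not shown on the orchestration canvas
            "expects": sorted(sources),  # node identifiers that must report before C runs
        })
        rewired.append({"from": f"join_{target}", "to": target})
    pb["linelist"] = rewired
    return pb


def downstream_inputs(playbook):
    """Number of distinct sources each node reads from; after the rewrite the
    count for C drops from the number of upstream nodes to 1."""
    sources = defaultdict(set)
    for edge in playbook["linelist"]:
        sources[edge["to"]].add(edge["from"])
    return {node: len(srcs) for node, srcs in sources.items()}


if __name__ == "__main__":
    rewritten = insert_join_nodes(PLAYBOOK)
    for edge in rewritten["linelist"]:
        print(f"{edge['from']} -> {edge['to']}")
    print(downstream_inputs(PLAYBOOK), downstream_inputs(rewritten))
```

The rewrite leaves a chain with no fan-in untouched, and the original playbook is not modified, so the user-facing graph (A, B, C) and the engine's graph (A, B, join_C, C) can be kept side by side.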
Step 210: and merging the safety event data to generate a data set containing the safety event data so that a downstream response node acquires the safety event data from the data set and performs corresponding response operation according to the safety event data.
In the embodiment of the application, after the virtual nodes respectively acquire the security event data output by each upstream response node, the security event data are merged and a data set containing the security event data is generated, then, the virtual nodes store the generated data set, and further, the downstream response nodes can acquire each security event data from the data set in the virtual nodes and perform corresponding response operation according to the security event data.
Specifically, merging the security event data to generate a data set containing the security event data includes:
S1: acquiring the data identifier corresponding to each piece of security event data.
Each piece of security event data corresponds to one data identifier.
In the embodiment of the application, since each piece of security event data corresponds to one data identifier, after the security event data output by each upstream response node has been acquired, the data identifier corresponding to each piece is acquired.
The data identifier is used to distinguish the pieces of security event data; identical security event data carry the same data identifier.
For example, suppose upstream response node A outputs security event data A1 and X, with data identifiers 1 and 2 respectively, and upstream response node B outputs security event data B1 and X, with data identifiers 3 and 2 respectively.
If the security event data output by different upstream response nodes are the same, their data identifiers are also the same.
For example, suppose upstream response node A outputs A1 and Y and upstream response node B outputs B1 and Y; the data identifier of the security event data Y output by A is 1, and the data identifier of the Y output by B is also 1.
S2: and according to the data identification corresponding to each safety event data, carrying out duplicate removal on each safety event data.
In the embodiment of the application, after the data identifier corresponding to the security event data output by each upstream response node is obtained, duplicate removal is performed on each security event data according to the data identifier corresponding to each security event data, that is, duplicate security event data is deleted for the obtained security event data regardless of which upstream response node the security event data is obtained from.
Specifically, according to the data identifier corresponding to each security event data, if it is determined that there is a duplicate data identifier, the security event data corresponding to one of the data identifiers is deleted, thereby implementing deduplication of each security event.
For example, assuming that the security event data output by the upstream response node a is [ a1, a2, x ], and the security event data output by the upstream response node B is [ B1, x ], it is known that the security event data x output by the upstream response node a and the upstream response node B are duplicate security event data, one of the x is selected and the selected x is deleted, and assuming that the security event data output by the upstream response node a is selected to be deleted, at this time, the security event data output by each upstream response node acquired by the virtual node is a1, a2, B1, x, respectively.
S3: and merging the deduplicated safety event data to obtain a data set containing the safety event data.
In the embodiment of the application, after the duplicate-removed security event data are obtained, the security event data are merged to generate a data set containing the security event data.
For example, assuming that the output of the upstream response node A is [ a1, a2, x ] and the output of the upstream response node B is [ B1, x ], the data set join _ C in the virtual node is [ a1, a2, B1, x ].
In this way, the virtual node obtains the security event data output by each upstream response node, merges the data, and generates a data set, while the input of the downstream response node will be decoupled from each upstream response node, no matter how many upstream response nodes there are in the upstream flow block, i.e. no matter how many branches there are upstream, only one branch of the virtual node join _ C needs to be processed here.
Further, after merging the security event data into a data set, it is determined whether every upstream response node has completed its response; only once every upstream response node has completed its response can the downstream response node acquire the security event data from the virtual node's data set. Determining whether every upstream response node has completed its response specifically includes:
S1: judging whether the node identifiers corresponding to all upstream response nodes are present in the data set.
In the embodiment of the application, after an upstream response node has executed its response operation, it outputs the resulting security event data to the virtual node. The security event data received by the virtual node carry a node identifier, which is the ID of the upstream response node; it is globally unique within the current flow and indicates which upstream response node the data came from. An upstream response node that has not executed its response operation outputs no security event data to the virtual node, and therefore no node identifier either. Only when the virtual node has received the node identifiers of all upstream response nodes can all of them be considered to have completed their responses; the downstream response node then acquires all the security event data from the virtual node and performs the corresponding response operation on it. Thus the downstream response node is invoked only once, after all upstream response nodes have executed their response operations, and the user orchestrates only the single branch from the virtual node rather than one branch per upstream response node, which gives a more compact orchestration.
For example, suppose upstream response nodes A and B, with node identifiers a and b respectively, are orchestrated. After upstream response node A executes its response operation, a completion check is triggered: it is judged whether both node identifiers a and b are present in the data set. Node identifier b is not yet present, so the check waits. After upstream response node B executes its response operation, the completion check is triggered again; now both a and b are present in the data set, so both upstream response nodes are determined to have completed their responses and execution continues to the downstream response node.
S2: if all node identifiers are determined to be present in the data set, determining that every upstream response node has completed its response, and generating a response completion instruction.
In the embodiment of the application, if the node identifiers of all upstream response nodes are determined to be present in the data set, all upstream response nodes are determined to have completed their response operations, and a response completion instruction is generated at that moment.
S3: sending the response completion instruction to the downstream response node, so that the downstream response node acquires each piece of security event data from the data set according to the response completion instruction.
In the embodiment of the application, once the virtual node determines that all upstream response nodes have completed their responses, it generates a response completion instruction and sends it to the downstream response node; from the instruction the downstream response node knows that all upstream response nodes have completed, acquires all the security event data from the virtual node's data set and performs the corresponding response operation on it.
The response completion instruction thus notifies the downstream response node that every upstream response node has completed its response operation.
Further, in this embodiment of the present application, a study and judgment node and a logic decision node may also be arranged before the upstream response nodes. The study and judgment node obtains the intelligence forensics result for the currently detected security event, and the logic decision node makes a decision on the security event. Fig. 6 is an arrangement schematic diagram including a logic decision module in this embodiment of the present application: a study and judgment node "study and judgment evidence _1" and a logic decision node "logic decision _1" are arranged before the upstream response node "global blocking"; the intelligence forensics result of the currently detected security event is obtained through study and judgment evidence _1, and logic decision _1 determines whether the currently detected security event hits the intelligence.
For example, the intelligence forensics result obtained for the currently detected security event is the attacker's IP, 36.35.36.36. It is then determined from the IP blacklist whether the attacker's IP is one of the IPs in the blacklist. If it is, the forensics result for the currently detected security event is judged a hit and the flow continues, that is, each upstream response node starts to execute its response operation; if the attacker's IP is not in the IP blacklist, the security event is discarded.
For another example, before the upstream response node "notify and warn", a logic decision _2 is arranged to decide whether the event type of the currently detected security event is a web vulnerability attack; only if the event type is determined to be a web vulnerability attack does the upstream response node "notify and warn" execute its response operation on the security event.
In the embodiment of the application, the virtual node acquires the security event data output by each upstream response node and merges it into a data set containing all the security event data, so that the downstream response node can acquire each security event data item from the data set of the virtual node and perform its response operation accordingly.
Based on the same inventive concept, the embodiment of the application also provides a data aggregation device of the all-in-one arrangement mode, which may be a hardware structure, a software module, or a combination of the two. Based on the above embodiments, fig. 7 is a schematic structural diagram of a data aggregation device of the all-in-one arrangement mode in the embodiment of the present application, which specifically includes:
an obtaining module 700, configured to obtain security event data output by each upstream response node;
the processing module 710 is configured to combine the security event data, generate a data set including the security event data, so that a downstream response node obtains the security event data from the data set, and perform a corresponding response operation according to the security event data.
Optionally, when the security event data are combined to generate a data set including the security event data, the processing module 710 is specifically configured to:
acquiring the data identifier corresponding to each security event data item, where each security event data item corresponds to one data identifier;
deduplicating the security event data according to the data identifier corresponding to each security event data item;
and merging the deduplicated security event data to obtain a data set containing the security event data.
Optionally, after generating the data set including the security event data, the processing module 710 is further configured to:
determining whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if the node identifiers are determined to be present in the data set, determining that the upstream response nodes have completed their responses, and generating a response completion instruction;
and sending the response completion instruction to a downstream response node, so that the downstream response node acquires the security event data from the data set according to the response completion instruction.
Optionally, the security event data includes at least one of, or any combination of, the following: source IP, destination port, security event name, security event type.
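The following is an added example, not code from the patent or from NSFOCUS; it implements the flow described above in one piece: the logic decision nodes that gate the upstream response nodes (the IP blacklist check and the web vulnerability attack check), the upstream response nodes "global blocking" and "notify and warn", the virtual node that merges their outputs into a data set keyed by data identifier and runs the completion check on node identifiers, and the downstream response node that acts once the response completion instruction would be issued. It also mirrors the acquisition/processing module split of fig. 7. The Python data model, the node identifiers, the blacklist, the sample event and all function names are assumptions chosen for illustration; the blacklist matching is CIDR-aware, which goes beyond the single-address example in the text.

```python
"""Added example (not the patent's code): a SOAR-style flow in which parallel
response branches are joined by a virtual node before a downstream node runs.
Everything below (data model, node ids, blacklist, sample event) is an assumption."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample inputs (assumptions, not from the patent).
IP_BLACKLIST = ["36.35.36.36", "203.0.113.0/24"]
SAMPLE_EVENT = {
    "data_id": "evt-1001",            # data identifier: one per security event
    "source_ip": "36.35.36.36",
    "dest_port": 443,
    "event_name": "SQL injection attempt",
    "event_type": "web_vuln_attack",
}
UPSTREAM_NODES = frozenset({"global_block", "notify_warning"})  # hypothetical node ids


def intelligence_hit(event, blacklist=IP_BLACKLIST):
    """Logic decision _1: does the attacker IP hit the intelligence blacklist?
    Entries may be single addresses or CIDR ranges."""
    ip = ipaddress.ip_address(event["source_ip"])
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in blacklist)


def is_web_vuln_attack(event):
    """Logic decision _2: only a web vulnerability attack triggers notify_warning."""
    return event["event_type"] == "web_vuln_attack"


def global_block(event):
    """Upstream response node 'global blocking'; its output carries its node identifier."""
    return {**event, "node_id": "global_block", "result": f"blocked {event['source_ip']}"}


def notify_warning(event):
    """Upstream response node 'notify and warn'; its output carries its node identifier."""
    return {**event, "node_id": "notify_warning", "result": "warning ticket opened"}


@dataclass
class VirtualNode:
    expected_nodes: frozenset                      # node ids of all upstream nodes
    data_set: dict = field(default_factory=dict)   # data_id -> merged record

    def receive(self, record):
        """Acquisition side: merge one upstream output, deduplicating on data_id."""
        node_id = record["node_id"]
        if node_id not in self.expected_nodes:
            raise ValueError(f"unexpected upstream node {node_id}")
        base = {k: v for k, v in record.items() if k not in ("node_id", "result")}
        entry = self.data_set.setdefault(record["data_id"], {**base, "results": {}})
        entry["results"][node_id] = record["result"]   # per-node results kept side by side

    def present_nodes(self):
        """Node identifiers that appear anywhere in the data set."""
        return {nid for entry in self.data_set.values() for nid in entry["results"]}

    def completion_check(self):
        """Processing side: node ids still missing; empty means all upstream done."""
        return set(self.expected_nodes) - self.present_nodes()


def downstream_node(data_set):
    """Downstream response node: acts on every merged record in the data set."""
    return [f"{d['data_id']}: " + ", ".join(f"{n}={r}" for n, r in sorted(d["results"].items()))
            for d in data_set.values()]


def run_flow(event, blacklist=IP_BLACKLIST):
    """Decision gate -> upstream nodes -> virtual node join -> downstream node."""
    if not intelligence_hit(event, blacklist):
        return {"status": "discarded"}             # logic decision _1 failed: drop event
    vnode = VirtualNode(UPSTREAM_NODES)
    vnode.receive(global_block(event))
    if is_web_vuln_attack(event):                  # logic decision _2 gates this branch
        vnode.receive(notify_warning(event))
    missing = vnode.completion_check()
    if missing:
        # No response completion instruction yet: the virtual node keeps waiting.
        return {"status": "waiting", "missing": missing, "data_set": vnode.data_set}
    return {"status": "completed", "data_set": vnode.data_set,
            "downstream": downstream_node(vnode.data_set)}
```

Two behaviours worth noticing when running it: both upstream outputs share the same data identifier, so the data set holds a single merged record rather than two copies, and an event whose type is not a web vulnerability attack never produces the notify_warning node identifier, so the join stays in the waiting state and the downstream node is never invoked. In a production orchestrator (my design point, not something the patent specifies) a branch skipped by a logic decision should either emit an empty record carrying its node identifier or be removed from the expected set, otherwise the virtual node waits indefinitely.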
Based on the above embodiments, fig. 8 is a schematic structural diagram of an electronic device in an embodiment of the present application.
An embodiment of the present application provides an electronic device, which may include a processor 810 (CPU), a memory 820, an input device 830 and an output device 840, among others; the input device 830 may include a keyboard, a mouse or a touch screen, and the output device 840 may include a display device such as a liquid crystal display (LCD) or a cathode ray tube (CRT).
Memory 820 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides processor 810 with program instructions and data stored in memory 820. In this embodiment, the memory 820 may be used to store a program of any one of the data aggregation methods of the all-in-one orchestration mode in this embodiment.
The processor 810 is configured to call the program instructions stored in the memory 820 and execute, according to those instructions, the data aggregation method of the all-in-one arrangement mode of any of the above embodiments.
Based on the foregoing embodiments, in the embodiments of the present application, a computer-readable storage medium is provided, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the data aggregation method of the all-in-one orchestration mode in any of the foregoing method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A data aggregation method of an all-in-one layout mode is applied to an all-in-one layout framework, the all-in-one layout framework comprises at least two upstream response nodes, a virtual node and a downstream response node, output ends of the at least two upstream response nodes are connected with an input end of the virtual node, and an output end of the virtual node is connected with an input end of the downstream response node, and the method comprises the following steps:
the virtual node acquires the security event data output by each upstream response node;
and merging the security event data to generate a data set containing the security event data, so that the downstream response node acquires the security event data from the data set and performs a corresponding response operation according to the security event data.
2. The method of claim 1, wherein merging the security event data to generate a data set comprising the security event data comprises:
acquiring the data identifier corresponding to each security event data item, where each security event data item corresponds to one data identifier;
deduplicating the security event data according to the data identifier corresponding to each security event data item;
and merging the deduplicated security event data to obtain a data set containing the security event data.
3. The method of claim 2, wherein after generating the data set including the security event data, further comprising:
determining whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if the node identifiers are determined to be present in the data set, determining that the upstream response nodes have completed their responses, and generating a response completion instruction;
and sending the response completion instruction to a downstream response node, so that the downstream response node acquires the security event data from the data set according to the response completion instruction.
4. The method according to any of claims 1-3, wherein the security event data comprises at least one of, or any combination of: source IP, destination port, security event name, security event type.
5. The data aggregation device of the all-in-one layout mode is applied to an all-in-one layout framework, and the all-in-one layout framework comprises at least two upstream response nodes, a virtual node and a downstream response node, wherein the output ends of the at least two upstream response nodes are connected with the input end of the virtual node, and the output end of the virtual node is connected with the input end of the downstream response node, and the device comprises:
an acquisition module, configured to acquire the security event data output by each upstream response node;
and a processing module, configured to merge the security event data to generate a data set containing the security event data, so that the downstream response node acquires the security event data from the data set and performs a corresponding response operation according to the security event data.
6. The apparatus of claim 5, wherein when merging the security event data to generate a data set comprising the security event data, the processing module is specifically configured to:
acquiring the data identifier corresponding to each security event data item, where each security event data item corresponds to one data identifier;
deduplicating the security event data according to the data identifier corresponding to each security event data item;
and merging the deduplicated security event data to obtain a data set containing the security event data.
7. The apparatus of claim 6, wherein after generating the data set comprising the security event data, the processing module is further to:
determining whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if the node identifiers are determined to be present in the data set, determining that the upstream response nodes have completed their responses, and generating a response completion instruction;
and sending the response completion instruction to a downstream response node, so that the downstream response node acquires the security event data from the data set according to the response completion instruction.
8. The apparatus of any of claims 5-7, wherein the security event data comprises at least one of, or any combination of: source IP, destination port, security event name, security event type.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any of claims 1-4 are implemented when the program is executed by the processor.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when executed by a processor implements the steps of the method of any one of claims 1 to 4.
CN202010943671.7A 2020-09-09 2020-09-09 Data aggregation method and device of all-in-one arrangement mode Active CN112202724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010943671.7A CN112202724B (en) 2020-09-09 2020-09-09 Data aggregation method and device of all-in-one arrangement mode

Publications (2)

Publication Number Publication Date
CN112202724A CN112202724A (en) 2021-01-08
CN112202724B true CN112202724B (en) 2023-04-07

Family

ID=74014944

Country Status (1)

Country Link
CN (1) CN112202724B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472787A (en) * 2021-06-30 2021-10-01 深信服科技股份有限公司 Alarm information processing method, device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017178068A1 (en) * 2016-04-15 2017-10-19 Nokia Solutions And Networks Oy Mechanism for modyfying security setting of a network service including virtual network parts
CN109947534A (en) * 2019-03-12 2019-06-28 中山大学 A kind of Yunan County's global function scheduling system based on SDN

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9807118B2 (en) * 2014-10-26 2017-10-31 Mcafee, Inc. Security orchestration framework
US10970103B2 (en) * 2018-12-28 2021-04-06 Intel Corporation Technologies for hybrid virtualization and secure enclave policy enforcement for edge orchestration
US20200259847A1 (en) * 2019-02-08 2020-08-13 Fortinet, Inc. Providing secure data-replication between a master node and tenant nodes of a multi-tenancy architecture
CN110213077B (en) * 2019-04-18 2022-02-22 国家电网有限公司 Method, device and system for determining safety event of power monitoring system
CN110990233B (en) * 2019-11-28 2023-05-30 杭州安恒信息技术股份有限公司 Method and system for displaying SOAR by utilizing Gantt chart
CN111010391A (en) * 2019-12-12 2020-04-14 杭州安恒信息技术股份有限公司 Vulnerability repairing method, device and related equipment

Also Published As

Publication number Publication date
CN112202724A (en) 2021-01-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant