CN114900345A - Rule conversion method, apparatus, electronic apparatus, and storage medium - Google Patents

Info

Publication number: CN114900345A
Application number: CN202210456287.3A
Authority: CN (China)
Prior art keywords: rule, rules, features, feature, feature set
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 汪屹文, 王晓天, 吴卓群
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd; priority to CN202210456287.3A; published as CN114900345A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to a rule conversion method, a rule conversion apparatus, an electronic apparatus and a storage medium. The rule conversion method converts between a first rule and a second rule and comprises the following steps: acquiring a plurality of first rules to be converted; extracting the rule features of each first rule and generating a first feature set from them, the first feature set comprising the rule features of the plurality of first rules; converting the first feature set into a second feature set according to a preset mapping relation between rule features, the second feature set comprising the rule features of a plurality of second rules; and generating, from the second feature set, a plurality of second rules corresponding to the first rules. The method and apparatus solve the problems of the related art that manual conversion between two different kinds of rules is inefficient and cannot follow a unified standard: rules are identified automatically and converted in batches under a single conversion standard.

Description

Rule conversion method, apparatus, electronic apparatus, and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a rule transformation method and apparatus, an electronic apparatus, and a storage medium.
Background
At present, the products common to security companies include traffic detection products and firewalls or WAFs, which belong to the detection and defense categories respectively. In general, however, two separate teams still handle the same vulnerability in their respective emergency responses; there is no interoperability between the detection side and the defense side, so their capabilities are not equal. Security companies typically have accumulated different numbers of defense and detection rules, and when conversion is needed to complement one product's capability with the other's, the common practice is vulnerability pushing and manual processing. Taking detection-to-defense as an example, the detection side pushes the vulnerabilities that the other product is missing, security personnel obtain the detection rules, extract their features by hand, convert the detection rules one by one into defense rules according to the requirements of the defense rule format, and load them into the defense product. Correspondingly, security personnel also convert defense rules into detection rules by hand and load them into the detection product.
In this process, manual operation has the disadvantage that when the number of rules to be converted multiplies, the cost in personnel and time increases greatly and efficiency drops markedly. Moreover, because each person's experience differs, the format of the converted rules also differs, so no unified standard is reached.
For the problems in the related art that manually converting defense rules into detection rules one by one, or detection rules into defense rules one by one, is inefficient and cannot achieve a unified conversion standard, no effective solution has yet been proposed.
Disclosure of Invention
The present embodiment provides a rule transformation method, an apparatus, an electronic apparatus, and a storage medium, so as to solve the problem in the prior art that it is inefficient to manually transform a defense rule into a detection rule, or to manually transform a detection rule into a defense rule, and the standards cannot be unified.
In a first aspect, a rule transformation method is provided in this embodiment, for transforming a first rule and a second rule, the method comprising:
acquiring a plurality of first rules to be converted;
extracting rule features of each first rule and generating a first feature set according to the rule features of the first rules, wherein the first feature set comprises the rule features of a plurality of first rules;
converting the first feature set into a second feature set according to a preset mapping relation of rule features, wherein the second feature set comprises a plurality of rule features of the second rule;
and generating a plurality of second rules corresponding to the first rules according to the second feature set.
In some embodiments, the converting the first feature set into the second feature set according to a mapping relationship of preset rule features includes:
establishing a feature mapping table according to a mapping relation of preset rule features, wherein the feature mapping table comprises rule features of a first rule and rule features of a second rule which correspond to each other;
and converting the first feature set into the second feature set according to the feature mapping table.
In some embodiments, the establishing a feature mapping table according to a mapping relationship of preset rule features includes:
acquiring rule characteristics of the first rule and rule characteristics of the second rule;
matching the rule features with the same meaning in the first rule and the second rule, and establishing the feature mapping table based on the rule features with the same meaning.
In some embodiments, the obtaining the plurality of first rules to be converted comprises:
and acquiring a plurality of first rules according to a rule path input by a user, and removing interference information in the first rules.
In some of these embodiments, said extracting rule features of each of said first rules and generating a first feature set from the rule features of said first rule comprises:
identifying according to the head structure of the first rule to determine the rule category of the first rule;
and analyzing rules in a regular matching mode, extracting rule features used for describing vulnerability information in the first rule, and collecting the rule features used for describing vulnerability information to establish the first feature set.
In a second aspect, this embodiment provides a rule conversion apparatus for converting a first rule and a second rule, the apparatus comprising a rule acquisition module, a feature extraction module, a feature conversion module and a rule generation module;
the rule acquisition module is used for obtaining a plurality of first rules to be converted;
the feature extraction module is used for extracting the rule features of each first rule and generating a first feature set from them, wherein the first feature set comprises the rule features of the plurality of first rules;
the feature conversion module is used for converting the first feature set into a second feature set according to a preset mapping relation of rule features, wherein the second feature set comprises the rule features of a plurality of second rules;
and the rule generation module is used for generating, from the second feature set, a plurality of second rules corresponding to the first rules.
In some of these embodiments, the feature extraction module comprises: a first sub-module and a second sub-module;
the first submodule is used for identifying according to the head structure of the first rule so as to determine the rule category of the first rule;
the second sub-module is used for analyzing rules in a regular matching mode, extracting rule features used for describing vulnerability information in the first rule, and collecting the rule features used for describing vulnerability information to establish the first feature set.
In some of these embodiments, the feature conversion module comprises: a third sub-module and a fourth sub-module;
the third sub-module is used for establishing a feature mapping table according to a mapping relation of preset rule features, wherein the feature mapping table comprises rule features of a first rule and rule features of a second rule which correspond to each other;
the fourth sub-module is configured to convert the first feature set into the second feature set according to the feature mapping table.
In a third aspect, in this embodiment, there is provided an electronic apparatus, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the rule transformation method according to the first aspect is implemented.
In a fourth aspect, in the present embodiment, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the rule transformation method described in the first aspect above.
Compared with the related art, the rule conversion method provided in this embodiment converts between a first rule and a second rule: a computer automatically identifies the rule features of the first rule and forms a first feature set, converts the first feature set into a second feature set through a feature mapping relation, and finally generates the second rule from the second feature set.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a terminal of a rule conversion method according to the present embodiment.
Fig. 2 is a flowchart of a rule conversion method according to the present embodiment.
Fig. 3 is a flowchart of a rule conversion method of the preferred embodiment.
Fig. 4 is a diagram showing a part of the feature mapping table of a rule transformation method according to the preferred embodiment.
Fig. 5 is a block diagram of a rule conversion device according to the present embodiment.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein have the meaning commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a", "an", "the" and similar referents used in describing the invention (in the specification and the claims) cover both the singular and the plural. The terms "comprises", "comprising", "has", "having" and their variations denote non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to the listed ones and may include other steps or modules not listed or inherent to it. "Connected", "coupled" and the like are not limited to physical or mechanical connections and may include electrical connections, direct or indirect. "A plurality" means two or more. "And/or" describes an association between objects and covers three cases; for example, "A and/or B" may mean A alone, A and B together, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it. The terms "first", "second", "third" and so on distinguish similar items and do not necessarily describe a particular sequential or chronological order.
The method embodiments provided in the present embodiment may be executed in a terminal, a computer, or a similar computing device. For example, the method is executed on a terminal, and fig. 1 is a block diagram of a hardware structure of the terminal according to the rule conversion method of the embodiment. As shown in fig. 1, the terminal may include one or more processors 102 (only one shown in fig. 1) and a memory 104 for storing data, wherein the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA. The terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely an illustration and is not intended to limit the structure of the terminal described above. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used to store computer programs, such as software programs and modules of application software, for example, a computer program corresponding to a rule conversion method in the embodiment, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. The network described above includes a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, a rule transformation method is provided, and fig. 2 is a flowchart of the rule transformation method of this embodiment, as shown in fig. 2, the flowchart includes the following steps:
step S210, a plurality of first rules to be converted are obtained.
In this step, the conversion device first obtains the plurality of first rules that need to be converted, where the first rules are the defense rules or detection rules to be converted; a first rule may be, for example, a common detection rule in Suricata format or a common defense rule in ModSecurity format. In this embodiment, the specific steps are as follows: the conversion device obtains the plurality of first rules according to a rule path input by the user and removes interference information from them. Specifically, the conversion device searches the rule storage path for the first rules to be converted, removes interference information such as comments and descriptions, and keeps only the main part of each rule that carries information, thereby completing the acquisition of the first rules. The conversion device here may be a terminal device with computing capability, such as the computer used by the user.
Step S220, extracting the rule features of each first rule, and generating a first feature set according to the rule features of the first rules, where the first feature set includes the rule features of a plurality of first rules.
Specifically, in this step, after the conversion device acquires the first rules, it needs to extract the rule features of each first rule, where rule features are the parts of a rule that effectively describe vulnerability information; the rule features of the first rules are then collected into a first feature set. In this embodiment, the conversion device first identifies the rule type of the first rule from its header structure, then parses the rule by regular-expression matching, extracts the rule features that describe vulnerability information, and collects them into the first feature set. Because rules of different types have different header structures, the type of a first rule can be determined by identifying its header; knowing the type allows the rule features describing vulnerability information to be extracted more accurately afterwards. For example, a Suricata rule typically begins with the alert keyword, while a ModSecurity rule begins with the SecRule directive; so when the header is identified as alert, the rule is judged to be a Suricata rule, and when it is identified as SecRule, the rule is judged to be a ModSecurity rule. When the first rule is identified as a Suricata rule, the rule features that effectively describe vulnerability information, such as the msg field, the content field and the http keywords, are extracted, forming a first feature set {msg, content, http keywords}. When the first rule is identified as a ModSecurity rule, the msg field, VARIABLES, OPERATOR and similar features are extracted, forming a first feature set {msg, VARIABLES, OPERATOR}.
Step S230, converting the first feature set into a second feature set according to a preset mapping relationship of rule features, where the second feature set includes a plurality of rule features of a second rule.
Specifically, in this step, the conversion device converts the first feature set into the second feature set according to the preset mapping relation of rule features. Feature mapping is generally defined as establishing a correspondence between the product features of different domains; in this embodiment, the mapping relation of rule features is the relation between two rule features that describe the same vulnerability information and that belong to two different products' rule sets. For example, the msg field of a Suricata rule corresponds to the msg field of a ModSecurity rule, both describing the alert information of a vulnerability; likewise the http_uri keyword of Suricata corresponds to REQUEST_FILENAME of ModSecurity, both referring to the request path of the HTTP request, so http_uri and REQUEST_FILENAME have a feature mapping relation. (Note that REQUEST_FILENAME holds the request path without the query string, whereas Suricata's http_uri buffer is the normalized URI including the query string; when the query string matters to a rule, REQUEST_URI is the closer ModSecurity counterpart.) Based on the feature mapping relation, the rule features of the first rules in the first feature set are converted into the corresponding rule features of the second rules, yielding the second feature set. The second rule is a rule of a type different from the first rule and may be, for example, a common detection rule in Suricata format or a common defense rule in ModSecurity format.
Step S240 is to generate a plurality of second rules corresponding to the first rules according to the second feature set.
In this step, the conversion device formats the rule features of each second rule in the second feature set according to the basic format of the second rule, thereby generating the corresponding plurality of second rules; the first rules are thus converted into second rules, with a one-to-one correspondence between each converted second rule and the first rule it came from.
Through the above steps, the first rules to be converted first undergo feature extraction to form a first feature set; the first feature set is converted into a second feature set through the preset rule-feature mapping relation; and the corresponding second rules are finally generated from the second feature set. The first rules are therefore converted into second rules in batches, and because a fixed feature mapping relation is the basis of conversion, every rule is converted under the same standard. This solves the problems of the related art that manual conversion between two different rule types is inefficient and cannot be standardized; automatic rule identification is realized, and batch rule conversion under a unified standard is achieved.
It should further be noted that the Suricata and ModSecurity rules in this embodiment are only exemplary; the first and second rules of the rule conversion method may also be the vulnerability detection or defense rules of other products. Suricata is a free, open-source, mature, fast and robust network threat detection engine that performs real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing; it inspects network traffic using a powerful and extensive rule and signature language and offers Lua scripting support for detecting complex threats. ModSecurity is an open-source web application firewall (WAF). It was originally designed as a module for the Apache HTTP Server and has since grown to provide HTTP request and response filtering and other security functions on several platforms, including Apache HTTP Server, Microsoft IIS and Nginx. It is free software released under the Apache License 2.0. The platform provides a rule configuration language, SecRules, for monitoring, logging and filtering HTTP traffic in real time according to user-defined rules. Although not the only possible configuration, ModSecurity is most often deployed with the OWASP ModSecurity Core Rule Set (CRS) to protect against generic vulnerability classes; the CRS is a set of open-source rules written in the SecRules language and is a project of OWASP (the Open Web Application Security Project). Several other rule sets are also available. To detect threats, the ModSecurity engine is embedded in the web server or deployed as a proxy in front of the web application, which lets it inspect incoming and outgoing HTTP traffic to the endpoint. According to the rule configuration, the engine decides how to handle the traffic: pass it, drop it, redirect it, return a given status code, execute a user script, and so on.
In some embodiments, the step S230 of converting the first feature set into the second feature set according to the mapping relationship of the preset rule features specifically includes the following steps:
step a, establishing a feature mapping table according to a mapping relation of preset rule features, wherein the feature mapping table comprises rule features of a first rule and rule features of a second rule which correspond to each other;
and b, converting the first feature set into a second feature set according to the feature mapping table.
Specifically, in the above steps, the conversion device may establish the feature mapping table through the preset mapping relation of rule features before converting any rule. The feature mapping table is a data structure that stores the feature mapping: its keys and values are the features of the two different products respectively. For example, A -> B means that a certain feature of product A corresponds to a certain feature of product B. On this basis, the rule features of the first rule and the rule features of the second rule are put into one-to-one correspondence through the feature mapping relation, and the resulting feature mapping table is established and stored. For example, a ModSecurity -> Suricata feature mapping table or a Suricata -> ModSecurity feature mapping table may be established, so that Suricata rule features and ModSecurity rule features can be converted in either direction. Finally, the conversion device converts the first feature set into the second feature set according to the feature mapping table.
The step a of establishing the feature mapping table according to the mapping relationship of the preset rule features specifically comprises the following steps:
step a1, acquiring rule characteristics of a first rule and rule characteristics of a second rule;
step a2, matching the rule features with the same meaning in the first rule and the second rule, and establishing a feature mapping table based on the rule features with the same meaning.
Specifically, in the above steps, before establishing the feature mapping table the conversion device needs to obtain the rule features of the first rule and the rule features of the second rule, and then match the rule features of the two rules that have the same meaning, where rule features with the same meaning are those describing the same vulnerability information, i.e. two rule features with the same meaning map to each other. Once the conversion device has matched all rule features with the same meaning in the two rules, the feature mapping table is established from the matching relation.
The present embodiment is described and illustrated below by means of preferred embodiments.
Fig. 3 is a flowchart of a rule transformation method according to the preferred embodiment, and as shown in fig. 3, the rule transformation method includes the following steps:
in step S310, a rule path input by a user is received.
Specifically, in this step, the conversion device receives a rule path input by the user.
Step S320, detecting rule content in batch according to the rule path input by the user, identifying rule types, automatically extracting rule features, and establishing a feature set.
Specifically, in this step, the rule content is read file by file according to the rule path obtained in step S310. For example, when a line begins with the alert keyword, that line is extracted as a rule and the flag is set to suricata; when a line begins with the SecRule directive, it is checked whether the line carries the chain keyword; if so, reading continues line by line until a line without the chain keyword is reached, at which point one complete rule is considered acquired and the flag is set to modsecurity. When the flag is suricata, the features that effectively describe vulnerability information, such as the msg field, the content field and the http keywords, are extracted according to the Suricata rule structure to form the feature set [msg, content, http keyword]; when the flag is modsecurity, the msg field, VARIABLES, OPERATOR and similar features are extracted according to the ModSecurity rule structure to form the feature set [msg, VARIABLES, OPERATOR]. The flag is then inverted, i.e. replaced by the flag of the target rule type, and recorded as the category of each rule feature in the feature set that needs to be converted.
And step S330, searching fields with the same matching meaning of the two parties according to the detection and defense rules to be converted, and establishing a feature mapping table by taking the fields of the rules to be converted as keys and the fields of the rules to be converted as values.
In this step, a common detection system rule (Suricata) and a common protection system rule (ModSecurity) are described as examples.
The ModSecurity rule has the basic format SecRule VARIABLES OPERATOR ACTIONS. SecRule is the feature of a ModSecurity rule: it marks the beginning of the rule and is used to create security rules. VARIABLES identifies an item in the HTTP request packet and specifies the object processed by the rule; for example, SecRule FULL_REQUEST means that the object processed by the rule is the complete HTTP request, comprising the request line, the request headers and the request body. OPERATOR is the operator, generally used to define the matching condition of the security rule. Common operators include @rx (regular expression match), @streq (string identical) and @ipMatch (IP address match). ACTIONS are the response actions, generally used to define what is done after a packet is hit by the rule. Common actions include deny (reject the packet), pass (let the packet pass), id (define the rule number) and severity (define the event severity). Specifically, take the following ModSecurity rule:
SecRule REQUEST_FILENAME "@contains /test_uri/" "chain,deny,log,id:1,t:none,t:urlDecodeUni,t:normalizePathWin,msg:'Exploit XXXX XSS vulnerability',severity:ERROR,status:404"
SecRule ARGS_POST:hack "@rx (?i)<script>"
Here chain indicates a rule chain: the rule is supplemented by the rule that follows. deny and log are the operations after the rule matches and respectively represent blocking the request and recording a log; msg is the vulnerability information and is used for displaying the alarm. The t field indicates how the content is transformed before matching; for example, t:urlDecodeUni stands for URL-decoding the data content. The severity field indicates the severity of the vulnerability. The status field indicates the status code of the response returned after blocking.
The meaning of this ModSecurity rule is: detect whether the request path string contains /test_uri/ and whether the POST request parameter hack matches the regular expression for the "<script>" string; if the match succeeds, the rule number is recorded as 001, the display information is XSS attack, the severity is ERROR, the request packet is then rejected, and the HTTP response returns 404.
The basic format of a Suricata rule is: action protocol source_IP source_port direction destination_IP destination_port (keyword:parameter; keyword:parameter;). The front part is the rule header and the rear part is the rule options. The Suricata rule for the same vulnerability as above is taken as an example:
alert http any any -> any any (msg:"Exploit XXXX XSS vulnerability"; flow:established,to_server; content:"/test_uri/"; http_uri; pcre:"/\bhack=[^&]*?<script>/Pi"; reference:cve,XXXX; classtype:web-application-attack; sid:1; rev:1;)
In this rule, http means that requests of the HTTP protocol are inspected, msg is the alarm information for the vulnerability, content means that the packet content is checked, and a match is reported if the data contained in the payload exactly contains the parameter following content. http_uri denotes the request path. pcre means that the corresponding content is matched with a regular expression, where the P and i modifiers of the regular field respectively mean matching against the POST request body and case-insensitive matching. The rule therefore also means that, in the inspection of an HTTP request, the request path contains the string /test_uri/ and the POST request body contains a hack parameter whose value matches the regular expression containing the "<script>" string.
From the way the two rules for detecting the same vulnerability are written, the msg field in both represents the alarm information; the http_uri keyword in Suricata corresponds to REQUEST_FILENAME in ModSecurity, and both refer to the request path in the HTTP request; the content field and @contains both indicate a string match; the pcre keyword is the same as @rx and represents regular matching; and the P and i modifiers, which respectively represent matching the POST request body and case insensitivity, correspond to ARGS_POST and the (?i) flag. A corresponding feature mapping table is established based on this matching method and principle.
Step S340, performing mapping conversion on the feature set acquired in step S320 according to the feature mapping table established in step S330 to form a new feature set.
In this step, the conversion terminal converts the feature set of the rule to be converted into a new feature set according to the feature mapping table. Exemplarily, fig. 4 shows part of the feature mapping table of the rule transformation method in the present preferred embodiment. As shown in fig. 4, REQUEST_FILENAME maps to http_uri; @contains maps to content; msg maps to msg; ARGS_POST:hack "@rx (?i)<script>" maps to pcre:"/\bhack=[^&]*?<script>/Pi".
So the feature transformation follows the following principles:
[REQUEST_FILENAME "@contains /test_uri/"]=>[content:"/test_uri/";http_uri;];
[msg:'Exploit XXXX XSS vulnerability']=>[msg:"Exploit XXXX XSS vulnerability";];
[ARGS_POST:hack "@rx (?i)<script>"]=>[pcre:"/\bhack=[^&]*?<script>/Pi";].
During feature conversion, the features in the rule are first extracted: [REQUEST_FILENAME "@contains /test_uri/"], [msg:'Exploit XXXX XSS vulnerability'], [ARGS_POST:hack "@rx (?i)<script>"]; the rule features are then transformed into the new feature set according to the above transformation principles.
Step S350, formatting and generating a new rule from the new feature set obtained in step S340, according to the feature type and the corresponding basic rule format.
In this step, the conversion device generates the corresponding new rule from the features in the new feature set, and thereby completes the mutual conversion between the detection rule and the defense rule.
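As an added illustration of steps S310 to S350 (example code written for this page, not the patent's implementation): the rule file is read in batch and each rule is flagged by its header keyword, a feature set is extracted per rule type, the features are looked up in a feature mapping table built from the entries of fig. 4 and the transformation principles above, and the mapped features are formatted back into the other rule type. The two sample rules are the ones from the description; the function names, the feature-string layout and the regular expressions are assumptions of this example, and the Suricata-to-ModSecurity table is simply the inverse of the listed entries.

```python
# Added example (not the patent's code): Suricata <-> ModSecurity rule conversion by feature
# extraction, a feature mapping table and regeneration (steps S310-S350). The sample rules and
# mapping entries come from the description; the names and the feature-string layout are ours.
import re

FLAG_SURICATA, FLAG_MODSECURITY = "suricata", "modsecurity"
# Constructed sample rule file: the description's two rules for one XSS vulnerability.
MODSEC_RULE = (
    'SecRule REQUEST_FILENAME "@contains /test_uri/" '
    '"chain,deny,log,id:1,t:none,t:urlDecodeUni,t:normalizePathWin,'
    "msg:'Exploit XXXX XSS vulnerability',severity:ERROR,status:404\"\n"
    'SecRule ARGS_POST:hack "@rx (?i)<script>"'
)
SURICATA_RULE = (
    r'alert http any any -> any any (msg:"Exploit XXXX XSS vulnerability"; '
    r'flow:established,to_server; content:"/test_uri/"; http_uri; '
    r'pcre:"/\bhack=[^&]*?<script>/Pi"; classtype:web-application-attack; sid:1; rev:1;)'
)
SAMPLE_RULE_FILE = MODSEC_RULE + "\n\n" + SURICATA_RULE + "\n"
# Rule structures: SecRule VARIABLES "OPERATOR" "ACTIONS"; action proto src sport dir dst dport (opts)
MODSEC_LINE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"(?:\s+"([^"]*)")?\s*$')
SURICATA_LINE = re.compile(r"^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')  # one Suricata "key:value;" option
CHAINED = re.compile(r'"[^"]*\bchain\b[^"]*"\s*$')  # chain action in the trailing ACTIONS
# Step S330: feature mapping tables; key = source feature pattern, value = target feature.
MODSEC_TO_SURICATA = [
    (r'^REQUEST_FILENAME "@contains (.+)"$', r'content:"\1";http_uri;'),
    (r"^msg:'(.*)'$", r'msg:"\1";'),
    (r'^ARGS_POST:(\w+) "@rx \(\?i\)(.+)"$', r'pcre:"/\\b\1=[^&]*?\2/Pi";'),
]
SURICATA_TO_MODSEC = [
    (r'^content:"(.+)";http_uri;$', r'REQUEST_FILENAME "@contains \1"'),
    (r'^msg:"(.*)";$', r"msg:'\1'"),
    (r'^pcre:"/\\b(\w+)=\[\^&\]\*\?(.+)/Pi";$', r'ARGS_POST:\1 "@rx (?i)\2"'),
]

def read_rules(text):
    """Step S320, batch reading: flag each rule by its header keyword and join a chained SecRule."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rules, i = [], 0
    while i < len(lines):
        if lines[i].startswith("alert"):
            rules.append((FLAG_SURICATA, lines[i]))
        elif lines[i].startswith("SecRule"):
            parts = [lines[i]]
            while CHAINED.search(parts[-1]) and i + 1 < len(lines) and lines[i + 1].startswith("SecRule"):
                i += 1
                parts.append(lines[i])
            rules.append((FLAG_MODSECURITY, "\n".join(parts)))
        i += 1  # any other text (comments etc.) is interference and is skipped
    return rules

def modsec_features(rule):
    """Step S320: ModSecurity feature set [msg, VARIABLES "OPERATOR", ...]."""
    msg, conds = [], []
    for line in rule.splitlines():
        m = MODSEC_LINE.match(line)
        assert m, f"not a SecRule line: {line!r}"
        conds.append(f'{m.group(1)} "{m.group(2)}"')
        msg += re.findall(r"msg:'[^']*'", m.group(3) or "")
    return msg + conds

def suricata_features(rule):
    """Step S320: Suricata feature set [msg, content with its http buffer keyword, pcre]."""
    m = SURICATA_LINE.match(rule)
    assert m, f"not a Suricata rule: {rule!r}"
    opts, feats = OPTION.findall(m.group(1)), []
    for i, (key, val) in enumerate(opts):
        if key == "content" and i + 1 < len(opts) and opts[i + 1][0].startswith("http_"):
            feats.append(f"content:{val};{opts[i + 1][0]};")
        elif key in ("msg", "pcre"):
            feats.append(f"{key}:{val};")
    return feats

def convert_features(feats, table):
    """Step S340: map every feature through the table (first matching key wins)."""
    out = []
    for feat in feats:
        for key, value in table:
            if re.match(key, feat):
                out.append(re.sub(key, value, feat))
                break
        else:
            raise ValueError(f"no mapping for feature {feat!r}")
    return out

def generate(flag, feats):
    """Step S350: format the mapped feature set in the basic format of the target rule type."""
    if flag == FLAG_SURICATA:
        return "alert http any any -> any any (" + " ".join(feats) + " sid:1; rev:1;)"
    msg = [f for f in feats if f.startswith("msg:")]
    conds = [f for f in feats if not f.startswith("msg:")]
    actions = ",".join((["chain"] if len(conds) > 1 else []) + ["deny", "log", "id:1"] + msg)
    return "\n".join([f'SecRule {conds[0]} "{actions}"'] + [f"SecRule {c}" for c in conds[1:]])

def convert(text):
    """Steps S310-S350 end to end: every rule in the file becomes a rule of the other type."""
    steps = {FLAG_MODSECURITY: (modsec_features, MODSEC_TO_SURICATA, FLAG_SURICATA),
             FLAG_SURICATA: (suricata_features, SURICATA_TO_MODSEC, FLAG_MODSECURITY)}
    return [generate(dst, convert_features(extract(rule), table))
            for flag, rule in read_rules(text) for extract, table, dst in (steps[flag],)]
```

convert(SAMPLE_RULE_FILE) returns the Suricata rule generated from the chained ModSecurity rule and the chained ModSecurity rule generated from the Suricata rule. The table lookup raises on a feature that has no entry; that is deliberate, since silently dropping an unmapped condition would turn a two-condition rule into a broader one, so the right response is to extend the mapping table, not to skip the feature.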
In the preferred embodiment, the rule features are extracted automatically, so the effective feature information in the rules is collected automatically; the fields with the same meaning in the detection and defense rules are then integrated by a feature mapping method to create a detection-to-defense feature mapping table and a defense-to-detection feature mapping table, and the converted features are mapped automatically from the existing feature information and the mapping table. The rule conversion method solves the problem of asymmetric detection and defense product capability of a security company, can quickly interconvert detection and defense rules, and realizes capability intercommunication between the detection and defense products of the security company.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than presented herein. For example, step S330 may be performed before step S310, that is, a feature mapping table may be established in advance before rule conversion, and the feature mapping table may be directly called when rule conversion is required.
In this embodiment, a rule transformation apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description of the apparatus is omitted for brevity. The terms "module," "unit," "subunit," and the like as used below may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a rule conversion apparatus according to the present embodiment, and as shown in fig. 5, the apparatus includes: a rule obtaining module 410, a feature extracting module 420, a feature converting module 430 and a rule generating module 440; the rule obtaining module 410 is configured to obtain a plurality of first rules to be converted; the feature extraction module 420 is configured to extract rule features of each first rule and generate a first feature set according to the rule features of the first rule, where the first feature set includes rule features of a plurality of first rules; the feature transformation module 430 is configured to transform the first feature set into a second feature set according to a preset mapping relationship of rule features, where the second feature set includes a plurality of rule features of a second rule; the rule generating module 440 is configured to generate a plurality of second rules corresponding to the first rules according to the second feature set.
Wherein the feature extraction module 420 comprises: a first sub-module 421 and a second sub-module 422; the first sub-module 421 is configured to perform recognition according to a header structure of the first rule to determine a rule category of the first rule; the second sub-module 422 is configured to parse the rule in a regular matching manner, extract rule features used for describing the vulnerability information in the first rule, and set the rule features used for describing the vulnerability information to establish a first feature set.
Wherein the feature conversion module 430 comprises: a third submodule 431 and a fourth submodule 432; the third sub-module 431 is configured to establish a feature mapping table according to a mapping relationship of preset rule features, where the feature mapping table includes rule features of a first rule and rule features of a second rule that correspond to each other; the fourth sub-module 432 is configured to convert the first feature set into the second feature set according to the feature mapping table.
Through the cooperation of the functional modules, feature extraction is first performed on the first rule to be converted to form a first feature set; the first feature set is then converted into a second feature set through the preset mapping relationship of rule features; finally, the corresponding second rule is generated from the second feature set. The first rules are thus converted into second rules in batch, and every conversion follows the same standard, based on one standard feature mapping relationship. This solves the problems in the related art that manual conversion between two different kinds of rules is not only inefficient but also cannot achieve a unified standard; automatic rule identification is realized, and batch rule conversion under a unified conversion standard is achieved.
The specific working principle of the rule conversion device is the same as that of the rule conversion method in this embodiment, and the working principle has been explained in detail and fully in the method embodiment, which is not described herein again.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
There is also provided in this embodiment an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above described rule transformation method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
step S210, a plurality of first rules to be converted are obtained.
Step S220, extracting the rule features of each first rule, and generating a first feature set according to the rule features of the first rules, where the first feature set includes the rule features of a plurality of first rules.
Step S230, converting the first feature set into a second feature set according to a preset mapping relationship of rule features, where the second feature set includes a plurality of rule features of a second rule.
Step S240 is to generate a plurality of second rules corresponding to the first rules according to the second feature set.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the rule transformation method provided in the foregoing embodiment, a storage medium may also be provided to implement in this embodiment. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements any of the rule transformation methods in the above embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that such a development effort might be complex and lengthy, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, and is not intended to limit the present disclosure to the particular forms disclosed herein.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A rule transformation method for transforming a first rule and a second rule, the method comprising:
acquiring a plurality of first rules to be converted;
extracting rule features of each first rule and generating a first feature set according to the rule features of the first rules, wherein the first feature set comprises the rule features of a plurality of first rules;
converting the first feature set into a second feature set according to a preset mapping relation of rule features, wherein the second feature set comprises a plurality of rule features of the second rule;
and generating a plurality of second rules corresponding to the first rules according to the second feature set.
2. The rule transformation method according to claim 1, wherein transforming the first feature set into a second feature set according to a predetermined rule feature mapping relationship comprises:
establishing a feature mapping table according to a mapping relation of preset rule features, wherein the feature mapping table comprises rule features of a first rule and rule features of a second rule which correspond to each other;
and converting the first feature set into the second feature set according to the feature mapping table.
3. The method of claim 2, wherein the establishing a feature mapping table according to the mapping relationship of the preset rule features comprises:
acquiring rule characteristics of the first rule and rule characteristics of the second rule;
matching the rule features with the same meaning in the first rule and the second rule, and establishing the feature mapping table based on the rule features with the same meaning.
4. The rule conversion method according to claim 1, wherein the obtaining the plurality of first rules to be converted includes:
and acquiring a plurality of first rules according to a rule path input by a user, and removing interference information in the first rules.
5. The rule transformation method according to claim 1, wherein the extracting rule features of each of the first rules and generating a first feature set from the rule features of the first rules comprises:
identifying according to the head structure of the first rule to determine the rule category of the first rule;
and analyzing rules in a regular matching mode, extracting rule features used for describing vulnerability information in the first rule, and collecting the rule features used for describing vulnerability information to establish the first feature set.
6. A rule converting apparatus for converting a first rule and a second rule, the apparatus comprising: the system comprises a rule acquisition module, a feature extraction module, a feature conversion module and a rule generation module;
the rule obtaining module is used for obtaining a plurality of first rules to be converted;
the feature extraction module is used for extracting rule features of each first rule and generating a first feature set according to the rule features of the first rules, wherein the first feature set comprises a plurality of rule features of the first rules;
the feature conversion module is used for converting the first feature set into a second feature set according to a preset mapping relation of rule features, wherein the second feature set comprises a plurality of rule features of the second rule;
and the rule generating module is used for generating a plurality of second rules corresponding to the first rules according to the second feature set.
7. The rule conversion apparatus according to claim 6, wherein the feature extraction module comprises: a first sub-module and a second sub-module;
the first submodule is used for identifying according to the head structure of the first rule so as to determine the rule category of the first rule;
the second sub-module is used for analyzing rules in a regular matching mode, extracting rule features used for describing vulnerability information in the first rule, and collecting the rule features used for describing vulnerability information to establish the first feature set.
8. The rule conversion apparatus according to claim 6, wherein the feature conversion module comprises: a third sub-module and a fourth sub-module;
the third sub-module is used for establishing a feature mapping table according to a mapping relation of preset rule features, wherein the feature mapping table comprises rule features of a first rule and rule features of a second rule which correspond to each other;
the fourth sub-module is configured to convert the first feature set into the second feature set according to the feature mapping table.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform the rule transformation method of any one of claims 1 to 6.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the rule transformation method according to any one of claims 1 to 6.
CN202210456287.3A 2022-04-28 2022-04-28 Rule conversion method, apparatus, electronic apparatus, and storage medium Pending CN114900345A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210456287.3A CN114900345A (en) 2022-04-28 2022-04-28 Rule conversion method, apparatus, electronic apparatus, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210456287.3A CN114900345A (en) 2022-04-28 2022-04-28 Rule conversion method, apparatus, electronic apparatus, and storage medium

Publications (1)

Publication Number Publication Date
CN114900345A true CN114900345A (en) 2022-08-12

Family

ID=82718751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210456287.3A Pending CN114900345A (en) 2022-04-28 2022-04-28 Rule conversion method, apparatus, electronic apparatus, and storage medium

Country Status (1)

Country Link
CN (1) CN114900345A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104378352A (en) * 2014-10-16 2015-02-25 江苏博智软件科技有限公司 Method of distributed firewall secure communication mechanism
WO2019231135A1 (en) * 2018-05-29 2019-12-05 엘지전자 주식회사 Vehicle intrusion detection and protection system
KR102152338B1 (en) * 2019-11-19 2020-09-07 충북대학교 산학협력단 System and method for converting rule between NIDPS engines
CN112398809A (en) * 2020-09-29 2021-02-23 曙光网络科技有限公司 Protocol rule conversion method, device, computer equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination