CN115941294A - Firewall strategy recommendation method and device - Google Patents

Firewall strategy recommendation method and device

Info

Publication number
CN115941294A
Authority
CN
China
Prior art keywords
equipment
firewall
strategy
application state
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211449255.7A
Other languages
Chinese (zh)
Inventor
孔维玉
孙燕杰
袁开国
付海涛
司大鹏
石明磊
陆毅远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Sufeng Tonglian Technology Group Co ltd
Original Assignee
Shanghai Sufeng Tonglian Technology Group Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Sufeng Tonglian Technology Group Co ltd
Priority to CN202211449255.7A
Publication of CN115941294A
Legal status: Pending (current)

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the disclosure provides a firewall policy recommendation method and device. The method comprises: obtaining the application state of a device; generating a device profile (portrait) from the application state, and issuing a corresponding firewall policy to the device according to threat intelligence and the device profile; and changing the firewall policy according to an operation instruction issued by the device administrator. In this way a recommendation model based on the user profile and a knowledge graph can be constructed, the user device can customize its firewall policy in a personalized way, and recommended firewall rules are distributed to devices in different scenarios according to the device's functions, requirements and security level, giving the method high flexibility, adaptability and real-time responsiveness.

Description

Firewall strategy recommendation method and device
Technical Field
The present disclosure relates to the field of computer security, and more particularly, to the field of firewall policy recommendation techniques.
Background
Firewall technology helps a computer network build a relatively isolated protective barrier between the internal network and the external network by combining software and hardware devices for security management and screening, so as to protect the security of user data and information.
Firewall technology discovers and handles, in time, security risks, data transmission problems and the like that may arise while the computer network operates; the handling measures include isolation and protection. At the same time, it records and inspects the operations relevant to the network's security, ensuring the operational security of the computer network and the integrity of user data and information, and giving users a better and safer network experience.
The firewall implements the network security policy within the overall security policy of an organization or institution, and it does so by setting rules. Firewall rules tell the firewall which types of traffic may enter and leave through it. Every firewall has a rule file, which is its most important configuration file.
In the prior art, policy redundancy and policy conflicts exist, and manual intervention easily introduces security risks, performance degradation and similar problems.
Disclosure of Invention
The disclosure provides a firewall policy recommendation method, device, equipment and storage medium.
According to a first aspect of the present disclosure, a firewall policy recommendation method is provided. The method comprises the following steps: acquiring the application state of a device; generating a device profile (portrait) from the application state of the device, and issuing a corresponding firewall policy to the device according to threat intelligence and the device profile; and changing the firewall policy according to an operation instruction issued by the device administrator.
Further, acquiring the application state of the device comprises acquiring the application state of the device and/or acquiring a new-application permission request from the device.
Further, acquiring the application state of the device also includes acquiring the traffic alarm log of the device.
Further, acquiring a new-application permission request from the device includes receiving a request sent by the device asking that the new application be granted permissions.
Further, generating a device profile from the application state of the device and issuing a corresponding firewall policy to the device according to threat intelligence and the device profile comprises: generating a device profile from the application state of the device, generating policies from threat intelligence, and issuing the corresponding firewall policy to the device according to the device profile.
Further, issuing a corresponding firewall policy to the device according to the device profile comprises:
receiving data from a policy base together with device data, and preprocessing the data; constructing a knowledge graph through knowledge extraction, knowledge fusion, data model construction and quality evaluation; data acquisition, data mining and device profile modeling; constructing a recommendation algorithm; and returning the recommendation result to the user device.
Further, the change includes whether to apply the firewall policy and a modification to the firewall policy.
According to a second aspect of the present disclosure, a firewall policy recommendation apparatus is provided. The apparatus includes: a state acquisition module for acquiring the application state of the device; a policy issuing module for generating a device profile from the application state of the device and issuing a corresponding firewall policy to the device according to threat intelligence and the device profile; and a policy changing module for changing the firewall policy according to an operation instruction issued by the device administrator.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes a memory on which a computer program is stored and a processor that implements the method described above when executing the program.
According to a fourth aspect of the present disclosure, a computer readable storage medium is provided on which a computer program is stored which, when executed by a processor, implements the method of the first aspect of the present disclosure.
According to the firewall policy recommendation method and device, a recommendation model based on the user profile and a knowledge graph is established, the user device can customize its firewall policy in a personalized way, recommended firewall rules are distributed to devices in different scenarios according to the device's functions, the user's requirements and the security level, and the method and device have high flexibility, adaptability and real-time responsiveness.
It should be understood that what is described in this summary section is not intended to define key or essential features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
Fig. 1 shows a flow diagram of a firewall policy recommendation method according to an embodiment of the disclosure;
Fig. 2 shows a block diagram of a firewall policy recommendation device according to an embodiment of the present disclosure;
Fig. 3 shows a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein only describes an association between objects and covers three relationships: for example, "A and/or B" may mean A alone, A and B together, or B alone. The character "/" herein generally indicates that the former and latter objects are in an "or" relationship.
Fig. 1 shows a flow diagram of a firewall policy recommendation method 100 according to an embodiment of the disclosure.
At block 110, the device application state is obtained.
In some embodiments, obtaining the device application state comprises: dynamically acquiring the application state of the device and/or acquiring a new-application permission request sent by the user; the device application state further comprises the device's traffic alarm log.
In some embodiments, dynamically obtaining the device application state comprises:
dynamically acquiring the application state of the device and actively probing the device's environment in order to organize a new security policy for the device.
In some embodiments, asset information for the devices or networks within the service range of the firewall policy intelligent recommendation system may be collected. For example, the computer configurations and installed software in a network are tracked with the open source asset management software GLPI + OCS Inventory-NG. The asset information is collected through the OCS agent, SNMP, IP discovery and the like and uploaded to a server. GLPI is an information resource manager that provides a comprehensive IT resource management interface and can be used to build a database for managing IT computers comprehensively. Under GLPI's asset/software view, all software information on a device is captured and a software list is generated, including the software name, version number and other details. Once the asset information is collected, the firewall services that need to be opened for newly added, not yet configured applications can be queried, the security risk level analysed, a result report returned to the user, and the user notified of risky applications by an alarm. If the software assets are safe, and the device user has not spontaneously applied to use the software but the newly added firewall service permission is needed, a policy recommendation is generated to ensure that the new application works normally. If the software assets are unsafe, the user is notified of the risky application by an alarm, and the risky application is removed and traced as soon as possible so that further security threats are blocked.
In some embodiments, dynamically obtaining the device application state further comprises acquiring the traffic alarm log of the device. The firewall policy intelligent recommendation system can collect the error status codes that occur frequently in the firewall log within a time range and screen out the log entries caused by firewall rule interception. The firewall rules corresponding to the behaviours that the firewall intercepts frequently are returned to the user, who chooses whether to open the permission; if the user chooses to keep it closed, that behaviour is intercepted thereafter without further prompts. Because closing certain firewall rules reduces application performance, enabling the active probing function screens out the actions the firewall rejects frequently and reminds the user to enable the corresponding firewall permission, which helps improve the functional performance of the device.
In some embodiments, a device with high security requirements places further demands on security beyond ensuring that its functions work normally. Multiple anomaly detection systems are often deployed to protect a device jointly, and the alarm logs they generate record the external attacks, internal abnormal behaviours and the like that the device experiences. Each device can therefore be assigned a security policy matched to its specific security situation.
A concrete implementation is as follows: Elasticsearch + Logstash + Kibana + Filebeat is deployed together with the abnormal-behaviour alarm logs, Suricata logs and Zeek logs. Elasticsearch is an open source, highly scalable, distributed full-text search engine that stores and retrieves data in near real time; it scales well and can be expanded to hundreds of servers to process petabytes of data. Logstash is data analysis software whose main purpose is analysing logs, and it integrates with many deployments. It provides a large number of plug-ins that help parse, enrich, convert and buffer data from a variety of sources. Collected logs are often unstructured and hard to read; Logstash processing turns unstructured data into structured data. Kibana is an open source analysis and visualization platform for Elasticsearch, used to search and interactively view the data stored in an Elasticsearch index. With Kibana, advanced data analysis and display can be performed through various charts. Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on the server, Filebeat monitors the specified log files or locations, collects log events, and forwards them to Elasticsearch or Logstash for indexing. Elasticsearch, Logstash and Kibana are collectively called ELK, and the matching Filebeat modules in Kibana can be used to select an added log source, such as the Zeek log, so as to obtain the alarm log generated by Zeek on a device equipped with the corresponding Filebeat. Zeek is a passive, open source network traffic analyzer that functions primarily as a security monitor: it inspects all traffic on a link in depth and generates extensive log files that make signs of suspicious activity easier to find.
The logs obtained after deploying Zeek include not only a comprehensive record of each connection on the network but also application layer records, such as the URLs, key headers, MIME types and server responses of all HTTP sessions and their requests; DNS requests with their replies; SSL certificates; and the key content of SMTP sessions.
In some embodiments, the log information of the security software deployed on the device is collected by Filebeat and sent to Logstash, which filters and formats the data (converting it into JSON) and sends it to Elasticsearch for storage and search indexing. Kibana provides the front-end page for searching and chart visualization, visualizing the data returned by calling the Elasticsearch interface.
After the firewall policy intelligent recommendation system collects the traffic alarm logs from the device, it can provide a feasible scheme for the device's security problem. For example, the system receives a Suricata alarm log uploaded by a device and learns that dst_port of dst_ip was attacked by SYN flooding from src_port of src_ip at the time given by the timestamp. The source IP is first added to a blacklist, then the firewall policy corresponding to this risk is queried and issued to the user.
Through this operation, a policy can be allocated in a targeted way according to the real-time security state of the user device, so as to resist external attacks and achieve dynamic defence.
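As an added example (not part of the patent), the two log-handling steps above in Python: counting rule interceptions in a firewall deny log within a time window, with a set of rules the user chose to keep closed that are never prompted again, and turning a Suricata EVE alert into a blacklist entry plus the policy looked up for that risk. The log lines, the alert, the policy base and the iptables templates are all constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed firewall interception log (not from the patent): one line per dropped packet,
# tagged with the id of the rule that caused the drop.
FIREWALL_LOG = """\
2023-01-05T10:00:01Z DENY rule=42 src=10.0.0.5 dst=10.0.0.9 dport=8080 proto=tcp
2023-01-05T10:00:03Z DENY rule=42 src=10.0.0.5 dst=10.0.0.9 dport=8080 proto=tcp
2023-01-05T10:00:07Z DENY rule=42 src=10.0.0.5 dst=10.0.0.9 dport=8080 proto=tcp
2023-01-05T10:00:09Z DENY rule=17 src=10.0.0.5 dst=198.51.100.7 dport=23 proto=tcp
2023-01-05T09:00:00Z DENY rule=42 src=10.0.0.5 dst=10.0.0.9 dport=8080 proto=tcp
"""

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_deny_line(line):
    """Split one log line into (timestamp, action, key=value fields)."""
    ts, action, *kv = line.split()
    return _parse_ts(ts), action, dict(item.split("=", 1) for item in kv)

def frequent_interceptions(log_text, now_iso, window_seconds, threshold, keep_closed=frozenset()):
    """Rules that intercepted traffic at least `threshold` times in the `window_seconds`
    before `now_iso`. Rules the user already chose to keep closed are suppressed, so the
    same behaviour is not prompted again."""
    now = _parse_ts(now_iso)
    window = timedelta(seconds=window_seconds)
    counts, last = Counter(), {}
    for line in log_text.splitlines():
        when, action, fields = parse_deny_line(line)
        if action != "DENY" or not (now - window <= when <= now):
            continue
        rule = int(fields["rule"])
        counts[rule] += 1
        last[rule] = fields
    return {
        rule: {"count": n, "dport": last[rule]["dport"], "proto": last[rule]["proto"]}
        for rule, n in counts.items()
        if n >= threshold and rule not in keep_closed
    }

# Constructed Suricata EVE JSON alert: the field names follow Suricata's EVE format,
# the addresses and the signature text are made up.
SURICATA_ALERT = json.dumps({
    "timestamp": "2023-01-05T10:02:11.000000+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.44", "src_port": 40123,
    "dest_ip": "10.0.0.9", "dest_port": 443, "proto": "TCP",
    "alert": {"signature": "SYN flood against web service",
              "category": "Attempted Denial of Service", "severity": 1},
})

# Hypothetical policy base: a risk keyword maps to the firewall policy issued for that risk
# (iptables syntax is used only as a concrete rule format).
POLICY_BASE = {
    "syn flood": "iptables -A INPUT -p tcp --syn --dport {dport} "
                 "-m limit --limit 25/s --limit-burst 50 -j ACCEPT",
}

def handle_alert(eve_line, policy_base, blacklist):
    """Blacklist the attacking source and return the rules to issue to the device:
    a drop rule for the source plus every policy whose keyword matches the signature.
    Non-alert EVE records (flow, dns, ...) are ignored."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert":
        return []
    blacklist.add(event["src_ip"])
    rules = ["iptables -A INPUT -s {} -j DROP".format(event["src_ip"])]
    signature = event["alert"]["signature"].lower()
    for keyword, template in policy_base.items():
        if keyword in signature:
            rules.append(template.format(dport=event["dest_port"]))
    return rules
```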
In some embodiments, acquiring the new-application permission request sent by the user comprises:
after an application is added to the device, in order to use it normally, the user sends the firewall a request asking that the new application be granted permissions. The firewall policy intelligent recommendation system receives the request.
Devices serve different application purposes, so the firewall filtering rules and other service rules that need to be set differ in their level. After the device adds an application, the user applies for the new application's permissions in order to use the application normally.
For example, a device originally implements only a mail sending and receiving function, so the firewall opens only the corresponding ports. When a new web function is added, port 80 must be opened, so the user applies to the firewall on the device for the corresponding permission, and the firewall on the device sends the request to the firewall policy intelligent recommendation system. The system receives the request, queries the database, determines which firewall service the new application needs to enable, analyses the security risk level, returns a result report to the user and issues a new firewall policy to the device.
Before a new application is added, the firewall opens only the services and ports needed by the device's current applications, which prevents policy redundancy. When an application is added, the user applies to the firewall on their own initiative; this step requires user identity authentication to prove that the request comes from the device user rather than from an attacker performing IP spoofing, fragment attacks and the like. At the same time, common web attack modes such as XSS and web trojans can be controlled effectively. Even if a malicious program is downloaded onto the device, the corresponding permission can only be enabled after the user applies to the firewall, so the execution stage of the security threat is effectively blocked.
These operations prevent policy redundancy, use security policies at the highest utilization rate, and prevent the device performance degradation caused by excessive defence.
At block 120, a policy is issued to the device based on the device application state, threat intelligence and the device profile.
In some embodiments, a device profile is generated from the application state of the device, and a corresponding firewall policy, generated from threat intelligence, is issued to the device according to the device profile.
Large-scale security risks are often concentrated in a certain population that shares features, such as being in the same geographical area, a regular time period, or designated attack targets. Devices that are similar in asset scale, network environment, functional requirements and so on tend to have similar security requirements. From the state of a device, information such as its deployment area, common applications and session peers can be obtained, so the device can be profiled and security policies recommended to devices with similar profiles. For example, when one device is attacked, devices with a similar profile can be warned in advance and issued a corresponding security policy to defend against the same attack.
In some embodiments, the device information table is collected first, and the device functions, deployment locations, common applications, session peers and so on in the table are used as initial data. The similarity between devices is calculated with cosine similarity, the devices are clustered by similarity, and security policies are recommended.
In some embodiments, the security policy is generated by:
(1) Newly emerging and widely spread security threats from around the world are collected from open threat intelligence platforms and divided by region. When devices within the system's service range are in the same geographical location as a security risk area that appears frequently in the threat intelligence, the devices in that area receive a collective risk warning and a firewall policy is issued. For example, users of devices with similar profiles (deployment location) are warned in advance and issued corresponding security policies to defend against the same attack.
(2) Malicious IPs detected and reported by other devices within the system's service range (such as malicious access sources, scanning sources, command-and-control servers and the like) are collected into a database, and the firewall filtering rules within the service range do not allow these IPs to access the devices or to send or receive traffic.
(3) Blacklists of malicious websites published by authoritative bodies are collected into a database, and the firewall filtering rules within the system's service range do not allow traffic to or from these malicious websites (domain names, IP addresses).
(4) Major security problems uploaded by the devices' firewalls are collected in real time, and corresponding security policies are deployed promptly on the other firewalls. Viruses such as the WannaCry worm attack devices through specific system vulnerabilities; WannaCry propagates through a vulnerability on port 445 of the Windows operating system and is self-replicating and actively spreading. If the system receives such a serious security problem, it issues a relevant alarm prompt, such as temporarily closing port 445.
In some embodiments, issuing a corresponding policy to a device based on the device profile includes the following steps:
Step one: receive data from the policy base together with the corresponding device data, and preprocess the data;
Step two: construct a knowledge graph through knowledge extraction, knowledge fusion (entity alignment), data model construction, quality evaluation and the like;
Step three: build the device profile;
In some embodiments, this mainly comprises data acquisition, data mining and device profile modeling, implemented as follows:
A device profile model is built by analysing the static information and dynamic behaviour of the device, a policy profile model is built by analysing policy data and the characteristics of policy services, and the profile models are stored in a database as entity classes. The firewall policy intelligent recommendation system is suited to topic-based modeling. A topic-model approach extracts the topics represented by the user's feature words. When there are too many keywords, the dimension of the profile vector also becomes too large, which reduces computational efficiency; topic-based modeling also solves the problem that the relevance of some keywords is hard to describe. For example, "computer" and "Turing" are almost unrelated literally but have a strong semantic link, and a topic model can measure and describe the similarity of such words.
Data acquisition: data is first acquired by extracting from the policy database, by devices uploading their information, and so on.
Data mining: in the embodiment of the disclosure, the TF-IDF algorithm is used to extract labels while building the device profile. As a basic algorithm applied to extracting device features, TF-IDF is convenient and efficient at extracting text features.
Device profile modeling: clustering is mainly used, for example the Single-pass dynamic clustering method. Single-pass is an incremental clustering algorithm that traverses the objects to be clustered only once, so it is better suited to clustering scenarios with high real-time requirements and therefore to the scenario of this embodiment.
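An added example, not from the patent, that covers both the cosine-similarity clustering of the device information table described under block 120 and the TF-IDF label extraction and Single-pass modeling above: the device table is constructed, TF-IDF weights each tag, and one pass assigns every device to the most similar existing cluster or opens a new one; the peers of an attacked device are then the candidates for an advance warning. The similarity threshold of 0.5 is an assumed parameter.

```python
import math
from collections import Counter

# Constructed device information table (not from the patent): each device is described by
# tags for its function, deployment region, common applications and session peers.
DEVICES = {
    "dev-01": "mail-server region-east postfix dovecot peer-internal",
    "dev-02": "mail-server region-east exim dovecot peer-internal",
    "dev-03": "web-server region-west nginx php peer-internet",
    "dev-04": "web-server region-west apache php peer-internet",
    "dev-05": "database region-east mssql peer-internal",
}

def tfidf_vectors(table):
    """Label extraction with TF-IDF: a tag weighs more the rarer it is across devices.
    idf uses log(1 + N/df) so a tag shared by every device still keeps a small weight."""
    n = len(table)
    df = Counter()
    for text in table.values():
        df.update(set(text.split()))
    vectors = {}
    for dev, text in table.items():
        tf = Counter(text.split())
        total = sum(tf.values())
        vectors[dev] = {t: (c / total) * math.log(1 + n / df[t]) for t, c in tf.items()}
    return vectors

def cosine(a, b):
    """Cosine similarity of two sparse vectors stored as {tag: weight}."""
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def single_pass_cluster(vectors, threshold):
    """Single-pass incremental clustering: every device is visited exactly once and joins
    the most similar existing cluster if the similarity reaches `threshold`, otherwise it
    opens a new cluster. The centroid is the running sum of member vectors; cosine is
    scale-invariant, so the sum needs no normalisation."""
    clusters = []
    for dev, vec in vectors.items():
        best, best_sim = None, threshold
        for cluster in clusters:
            sim = cosine(vec, cluster["centroid"])
            if sim >= best_sim:
                best, best_sim = cluster, sim
        if best is None:
            clusters.append({"members": [dev], "centroid": dict(vec)})
        else:
            best["members"].append(dev)
            for t, w in vec.items():
                best["centroid"][t] = best["centroid"].get(t, 0.0) + w
    return [c["members"] for c in clusters]

def peers_to_warn(clusters, attacked):
    """Devices profiled like the attacked one: they receive the advance warning and policy."""
    for members in clusters:
        if attacked in members:
            return [d for d in members if d != attacked]
    return []

if __name__ == "__main__":
    groups = single_pass_cluster(tfidf_vectors(DEVICES), threshold=0.5)
    print(groups, peers_to_warn(groups, "dev-03"))
```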
Step four: construct the recommendation algorithm. The recommendation algorithm proceeds through recall, filtering, fine ranking, mixed ranking, strong rules and so on.
Recall: applied to the device information and the firewall policy information. Two modes are used, collaborative recall and label recall. The recall strategy first narrows millions of items down to the order of hundreds.
Filtering: firewall policies that have already been recommended to and adopted by the device user are not recommended again.
Fine ranking: the firewall policies suited to the characteristics of the user device are ordered and recommended to the device user. A logistic regression algorithm is used in the disclosed embodiment.
Mixed ranking: to keep the pushed content from becoming ever narrower, the fine-ranked result is adjusted to some extent, for example by controlling the frequency of a given type. In the disclosed embodiment this prevents recommending only firewall policies for the same application.
Strong rules: adjustments according to business rules. When a sudden major security event occurs, the corresponding firewall security policy is recommended to the device user with the highest priority.
Step five: issue the recommendation result to the device.
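As an added example (hypothetical, not the patent's implementation), the five-stage recommendation pipeline of step four on a constructed policy catalogue: label and collaborative recall, filtering of adopted policies, fine ranking with a logistic-regression score whose weights are assumed, mixed ranking with a per-category cap, and strong rules that pin the policies tied to a major security event to the top.

```python
import math
from collections import Counter

# Constructed firewall policy catalogue (hypothetical, not the patent's policy base):
# each policy carries the application tags it applies to and a category used by mixed ranking.
POLICIES = {
    "P-ssh-ratelimit": {"tags": {"ssh", "linux"},  "category": "ssh"},
    "P-ssh-keyonly":   {"tags": {"ssh", "linux"},  "category": "ssh"},
    "P-ssh-banner":    {"tags": {"ssh", "linux"},  "category": "ssh"},
    "P-ssh-geo":       {"tags": {"ssh"},           "category": "ssh"},
    "P-web-waf":       {"tags": {"nginx", "http"}, "category": "web"},
    "P-db-allowlist":  {"tags": {"mssql"},         "category": "db"},
    "P-smb-445-close": {"tags": {"windows"},       "category": "smb"},
}

# Constructed device profile: its application tags and the policies it already adopted.
DEVICE = {"tags": {"ssh", "linux", "nginx", "http"}, "adopted": {"P-ssh-keyonly"}}
# Policies adopted by devices with a similar profile (the collaborative signal).
PEER_ADOPTED = {"P-ssh-geo", "P-web-waf", "P-ssh-banner"}

# Assumed logistic-regression parameters over two features:
# the tag-overlap ratio and a collaborative-recall flag.
WEIGHTS, BIAS = (2.0, 1.5), -1.0

def recall(policies, device, peer_adopted):
    """Label recall (any shared tag) plus collaborative recall (adopted by similar devices)."""
    by_label = {p for p, attrs in policies.items() if attrs["tags"] & device["tags"]}
    return by_label | (peer_adopted & policies.keys())

def filter_adopted(candidates, device):
    """Policies already recommended and adopted are not recommended again."""
    return {p for p in candidates if p not in device["adopted"]}

def score(policies, policy, device, peer_adopted):
    """Logistic regression: sigmoid of a weighted sum of the two features."""
    tags = policies[policy]["tags"]
    overlap = len(tags & device["tags"]) / len(tags)
    collab = 1.0 if policy in peer_adopted else 0.0
    z = WEIGHTS[0] * overlap + WEIGHTS[1] * collab + BIAS
    return 1.0 / (1.0 + math.exp(-z))

def fine_rank(policies, candidates, device, peer_adopted):
    """Order by descending score; ties are broken by id so the result is deterministic."""
    return sorted(candidates, key=lambda p: (-score(policies, p, device, peer_adopted), p))

def mixed_rank(policies, ranked, per_category=1):
    """Keep at most `per_category` policies of one category at the head of the list and
    demote the rest to the tail, so recommendations do not narrow to a single application."""
    seen, head, tail = Counter(), [], []
    for p in ranked:
        cat = policies[p]["category"]
        if seen[cat] < per_category:
            head.append(p)
            seen[cat] += 1
        else:
            tail.append(p)
    return head + tail

def strong_rules(ranked, emergency):
    """Policies tied to a sudden major security event go first, even if recall did not find them."""
    return sorted(emergency) + [p for p in ranked if p not in emergency]

def recommend(policies, device, peer_adopted, emergency=frozenset()):
    candidates = filter_adopted(recall(policies, device, peer_adopted), device)
    ranked = mixed_rank(policies, fine_rank(policies, candidates, device, peer_adopted))
    return strong_rules(ranked, emergency)
```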
In some embodiments, issuing a corresponding policy to the device according to its application state comprises acquiring the corresponding security policy according to the device's application and security conditions and issuing it to the device.
In some embodiments, the method further comprises: at block 130, receiving an operation instruction issued by the device administrator and modifying the firewall policy.
In some embodiments, the change comprises whether to apply the firewall policy and a modification to the firewall policy.
Each device may have a different capacity to accept security risk, or may need to keep some service for the traffic on the device, so the firewall configuration policy required by each device may differ. To improve the flexibility and applicability of applying firewall policies, operation instructions issued by the device administrator are accepted, and the administrator takes part in deciding whether a policy is accepted for use: the device administrator has the right to choose whether the policy is applied to the device, and the right to change the firewall configuration in the policy.
In some embodiments, the change specifically comprises: (1) allowing the user to add a whitelist; (2) allowing the user to customize the port number for different applications and migrating the corresponding security policy service to the custom port number. The functions of each device differ, and service requirements can be set individually. For example, the default SQL Server port is 1433; a company service that requires a high security level for database access increases its exposure risk by using the default port, so the default port is changed to a custom port number and the firewall migrates the services associated with port 1433 to the custom port; (3) in a multi-party cooperation scenario, the parties jointly decide whether a policy is executed, and the decision result is applied to all devices, for example for access rights to a database or public server.
These operations improve the adaptability and flexibility of the firewall policy with respect to the device.
According to the embodiment of the disclosure, the following technical effects are achieved:
a recommendation model based on the user profile and a knowledge graph is constructed, firewall policies are customized for the user device in a personalized way, recommended firewall rules are distributed to devices in different scenarios according to device functions, user requirements and security levels, and the method has strong flexibility, adaptability and real-time responsiveness.
It should be noted that for simplicity of description, the above-mentioned method embodiments are described as a series of acts, but those skilled in the art should understand that the present disclosure is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present disclosure. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 2 shows a block diagram of a firewall policy recommendation device 200 according to an embodiment of the disclosure. As shown in fig. 2, the apparatus 200 includes:
a state obtaining module 202, configured to obtain a device application state;
a policy issuing module 204, configured to issue a corresponding policy for the device according to the device application state, threat intelligence and the device profile;
and a policy changing module 206, configured to receive an operation instruction issued by a device administrator and change the policy.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 3 shows a schematic block diagram of an electronic device 300 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 300 comprises a computing unit 301 which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 302 or a computer program loaded from a storage unit 308 into a Random Access Memory (RAM) 303. In the RAM 303, various programs and data necessary for the operation of the device 300 can also be stored. The calculation unit 301, the ROM 302, and the RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Various components in device 300 are connected to I/O interface 305, including: an input unit 306 such as a keyboard, a mouse, or the like; an output unit 307 such as various types of displays, speakers, and the like; a storage unit 308 such as a magnetic disk, optical disk, or the like; and a communication unit 309 such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the device 300 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Computing unit 301 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 301 performs the various methods and processes described above, such as the method 100. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 300 via ROM 302 and/or communication unit 309. When the computer program is loaded into RAM 303 and executed by the computing unit 301, one or more steps of the method 100 described above may be performed. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the method 100 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server with a combined blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (10)

1. A firewall policy recommendation method, characterized by comprising the following steps:
acquiring an application state of a device;
generating a device profile according to the application state of the device, and issuing a corresponding firewall policy for the device according to threat intelligence and the device profile;
changing the firewall policy according to an operation instruction issued by a device administrator.
2. The method of claim 1, wherein acquiring the application state of the device comprises: acquiring the application state of the device and/or acquiring a new application permission request of the device.
3. The method of claim 2, wherein acquiring the application state of the device further comprises: acquiring a traffic alarm log of the device.
4. The method of claim 2, wherein acquiring a new application permission request of the device comprises:
receiving a request, sent by the device, to be granted a new application permission.
5. The method of claim 1, wherein generating a device profile according to the application state of the device and issuing a corresponding firewall policy for the device according to threat intelligence and the device profile comprises:
generating a device profile according to the application state of the device, generating a policy according to threat intelligence, and issuing a corresponding firewall policy for the device according to the device profile.
6. The method of claim 5, wherein issuing a corresponding firewall policy for the device according to the device profile comprises:
receiving data from a policy library and device data, and preprocessing the data;
constructing a knowledge graph through knowledge extraction, knowledge fusion, data model construction and quality evaluation;
performing data acquisition, data mining and device profile modeling;
constructing a recommendation algorithm;
returning the recommendation result to the user device.
7. The method of claim 1, wherein the changing comprises:
deciding whether to apply the firewall policy, and changing the firewall policy.
8. A firewall policy recommendation apparatus, comprising:
a state acquisition module, configured to acquire the application state of a device;
a policy issuing module, configured to generate a device profile according to the application state of the device and to issue a corresponding firewall policy for the device according to threat intelligence and the device profile;
a policy changing module, configured to change the firewall policy according to an operation instruction issued by a device administrator.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method according to any one of claims 1-7.
CN202211449255.7A 2022-11-18 2022-11-18 Firewall strategy recommendation method and device Pending CN115941294A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211449255.7A CN115941294A (en) 2022-11-18 2022-11-18 Firewall strategy recommendation method and device
Publications (1)

Publication Number Publication Date
CN115941294A true CN115941294A (en) 2023-04-07

Family

ID=86648195

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination