CN109729089A - A kind of intelligent network security function management method and system based on container - Google Patents
Publication number: CN109729089A (application CN201910001284.9A)
Authority: CN (China)
Prior art keywords: security, rule, decision, container, library
Legal status: Granted
Landscapes: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The invention discloses a container-based intelligent network security function management method and system. The method comprises: completing the cold start of intelligent network security function management through an initial configuration process; when a potential security risk is faced, carrying out collaborative protection by raising the security level; and when no potential security risk has been found for a long period, releasing (lowering) the security level. The invention supports a design pattern and implementation system in which security capabilities are dynamically updated, rapidly deployed, globally coordinated and controllable in overhead. It enables security resources to flow and be configured across the whole system, achieves dynamic definition and reconstruction of security functions, and thereby effectively links security risk with security perception, security perception with security decision, and security decision with security response. The capability of security hardware and software devices is raised from single-point defence and local defence to overall defence, maximising the effectiveness of security resources.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a container-based intelligent network security function management method and system.
Background technique
Cyberspace has penetrated in an all-round way into fields such as national politics, economy and culture, and into the operation of society and the daily life of the public. Because cyberspace contains enormous energy and interests, it has also become a key target of attackers in the new era. The malicious means of attackers are changeable, rapidly updated and highly destructive, posing a great threat to networks, computers and their constituent elements; conventional security mechanisms such as firewalls, intrusion detection and security audit can no longer ensure the security of cyberspace. The reasons are:
First, the network security defence capability is statically solidified. The security protection capability of an information system comes from the security software and hardware installed at key points such as the network and terminals. These software and hardware have security functions designed in and embedded in the system, are put into use through deployment and debugging configuration, and achieve the corresponding protection effect. Under normal conditions the deployed security software and hardware cannot obtain lasting upgrades and security policy maintenance, for reasons such as network isolation, configuration complexity, policy conflicts and self-protection, so their function always remains in the state at initial deployment, and it is difficult to counter the increasingly rich attack techniques.
Second, local security functions and overall security capability are disconnected. An individual security device usually has a single function and can often only achieve single-point protection in the network; different software and hardware means are each responsible for functions such as threat detection, traffic filtering, policy determination, behaviour management and data encryption, and lack contact and coordination with each other. It is difficult to achieve full-process protection from discovery, identification and decision to disposal; there is a large gap between the local security functions and the security capability achieved overall, and even a "1+1 < 2" protective capacity conflict phenomenon can arise.
Third, detection and response speed cannot satisfy the security disposal requirement. In the current "edge-center" security architecture, the security hardware and software devices deployed in the user network have weak data correlation analysis and deep attack mining capability, so they usually upload security incidents uniformly to the cloud for analysis through a reporting scheme, and then receive the cloud's judgement and the delivered rules to complete the security policy response. Communication and processing introduce a certain delay, however, and it is difficult to meet the response-rate requirements under conditions of high throughput and real-time processing.
Network security function management is the top-level management, distribution and coordination system for security capabilities implemented on the security software and hardware of a single network. Different network security function management frameworks all show differentiated characteristics in composition, structure and operation; their form, mode and features determine the validity of network security function management. More representative network security function management modes include the early single-point defence and static defence, the defence in depth and composite defence that appeared around 2010, and the dynamic defence and elastic defence proposed in recent years. As cyberspace security risks gradually intensify, users' demands on network security function management become higher and higher, raising urgent requirements on the agility of the management system, the interactivity of components, the configurability of processes and the manageability of the top layer.
Summary of the invention
The technical problem to be solved by the present invention is: in view of the above problems, to provide a container-based intelligent network security function management method and system.
The technical solution adopted by the invention is as follows:
A container-based intelligent network security function management method, comprising:
completing the cold start of intelligent network security function management through an initial configuration process;
when a potential security risk is faced, carrying out collaborative protection by raising the security level;
when no potential security risk has been found for a long period, releasing (lowering) the security level.
Further, the initial configuration process comprises the following steps:
A. Install the security decision center, the decision rule library, the container image library and the security incident library respectively, and correctly configure the IP of the security decision center in the decision rule library, the container image library and the security incident library;
B. In the security decision center, configure the address, port and model of the related terminal devices in the network environment;
C. Initialize the image library, download online the latest code of the four payload classes (firewall, intrusion detection, host monitoring and honeypot), and encapsulate them as source images using typical configurations;
D. Initialize the security incident library and clear all event flags;
E. Initialize the decision rule library and configure the default protection rules;
F. Start the security decision center; the security decision center automatically connects to the related terminal devices in the network environment and delivers the firewall payload;
G. The related terminal devices receive the firewall payload, load and run it in the container environment, and start security incident monitoring;
H. The related terminal devices submit the generated security incidents to the security incident library.
Further, the security level raising comprises the following steps:
A. When a terminal device is subjected to a network attack or executes an abnormal operation, it generates a suspicious security incident and submits it to the security incident library;
B. The security incident library receives the suspicious security incident and, through pre-processing, classifies it into an event type that may involve an attack;
C. The security decision center scans the event types that may involve an attack and calls the decision rule library to match suspected attack behaviour;
D. During the matching process of the decision rule library, several attack rules are hit, and the rule service of the decision rule library sends these attack rules to the security decision center;
E. The security decision center extracts the consequents of the attack rules and sends them to the container image library;
F. The container image library generates a new image payload based on the source image according to the requirements of the consequents of the attack rules;
G. The image service of the container image library sends the new image payload to the security decision center;
H. The security decision center raises the security level of the network environment;
I. The security decision center sends the new image payload to the terminal device that reported the suspicious security incident and to terminal devices of the same type;
J. The new image payload is installed and run on the terminal devices.
Further, the security level release comprises the following steps:
A. No new suspicious security incident has been added for a long period, and the security level release rule in the decision rule library is triggered;
B. The security decision center scans the newly triggered security level release rule, extracts the consequent of the security level release rule and sends it to the container image library;
C. The container image library generates a new image payload based on the source image according to the requirements of the consequent of the security level release rule;
D. The image service of the container image library sends the new image payload to the security decision center;
E. The security decision center lowers the security level of the network environment;
F. The security decision center sends the new image payload to the relevant terminal devices;
G. The new image payload is installed and run on the terminal devices.
A container-based intelligent network security function management system, comprising: a security decision center, a decision rule library, a container image library, a security incident library and terminal devices; the security decision center communicates with the decision rule library, the container image library, the security incident library and the terminal devices.
Further, the security decision center comprises:
an event analysis component, for reading security incidents from the security incident library and, through computation, completing the analysis, interpretation and quantification of the security state and security risk in the network environment;
a rule reasoning component, for reading decision rules from the decision rule library and, by matching the security incident analysis results against the effective rule conditions, filtering out the rule instances that apply and are triggered under the current situation;
an image formation component, for receiving the rule instances screened by the rule reasoning component, reading from each instance the behaviour template that guides the next operation, and sending the relevant parameters in the template to the container image library to generate an image;
an interaction and forwarding interface component, responsible for formatted communication with the decision rule library, the container image library, the security incident library and the terminal devices.
Further, the container image library comprises:
an image source component, for storing the basic security function code that can be used to generate combined images;
an image formation component, for packaging the basic security function code stored in the image source component into images according to a specified configuration;
an image management component, for adding, viewing, modifying and deleting the source images or generated images in the current container image library;
an image service component, for pushing the specified generated image to terminal devices under the instruction of the security decision center.
Further, the security incident library comprises:
an event receiving component, for receiving and collecting the security incidents reported by terminal devices and temporarily storing all received data;
an event pre-processing component, for classifying and formatting received security incidents according to the content of their specific format;
an event management component, for viewing, modifying and deleting all security incidents in the current security incident library;
an event service component, for sending, under the instruction of the security decision center, events of a specific type, specific time period, specific source, specific target or meeting a specific combination of conditions to the security decision center for its analysis and decision.
Further, the decision rule library comprises:
a rule setting component, for creating new rules through manual or automatic import;
a rule management component, for viewing, modifying and deleting all rules in the current decision rule library;
a rule learning component, for automatically extracting rules from security incidents;
a rule service component, for sending, under the instruction of the security decision center, rules of a specific type, specific antecedent, specific priority or meeting a specific combination of conditions to the security decision center for its analysis and decision.
Further, the terminal devices can receive the container images delivered by the security decision center, and install and run them.
In conclusion, by adopting the above technical solution, the beneficial effects of the present invention are:
1. Dynamic loading of security functions in the network environment is supported. Current attack patterns such as ever-changing zero-day vulnerability attacks and APT attacks all pose severe challenges to the protective capacity of information systems. The present invention can upgrade rules and maintain security policies in a dynamic, real-time manner, so that the effectiveness of the provided security functions increases gradually over time, keeps pace with the attacker's level, and achieves the expected security protection capability to resist a certain degree of risk.
2. Coordination and targeted configuration of security functions from a global perspective are supported. So that the function of a single security hardware or software device does not become the weak point of the whole system, the present invention perceives and analyses security threats from a global angle and performs targeted configuration according to the characteristics of each security hardware and software device, achieving a balance of overall security capability.
3. Balancing of threat detection speed and precision is supported. Every kind of network security hardware and software device incurs a fixed operating overhead while running. The present invention can judge in real time the security risk level currently faced: when the security risk is high it raises the intensity of the global security protection functions and gives priority to the security of the network and service environment; when the security risk is low it lowers the security level, releases the heavy occupation of security resources, and provides sufficient resource guarantee for the operation of the network and business.
Detailed description of the drawings
In order to explain the technical solution of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the present invention and are therefore not to be construed as limiting its scope; for those of ordinary skill in the art, other relevant drawings can also be obtained from these drawings without creative effort.
Fig. 1 is a structural diagram of the container-based intelligent network security function management system of the present invention.
Fig. 2 is the initial configuration flow chart of the container-based intelligent network security function management method of the present invention.
Fig. 3 is the security level raising flow chart of the container-based intelligent network security function management method of the present invention.
Fig. 4 is the security level release flow chart of the container-based intelligent network security function management method of the present invention.
Specific embodiments
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention and not to limit it; that is, the described embodiments are only a part of the embodiments of the present invention, not all of them. The components of the embodiments of the present invention generally described and illustrated in the drawings herein can be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative work shall fall within the protection scope of the present invention.
The features and performance of the present invention are described in further detail below with reference to the embodiments.
Embodiment 1
The container-based intelligent network security function management system provided in this embodiment supports a design pattern and implementation system in which security capabilities are dynamically updated, rapidly deployed, globally coordinated and controllable in overhead. It enables security resources to flow and be configured across the whole system, achieves dynamic definition and reconstruction of security functions, and thereby effectively links security risk with security perception, security perception with security decision, and security decision with security response, raising the capability of security hardware and software devices from single-point defence and local defence to overall defence and maximising the effectiveness of security resources. Specifically, as shown in Fig. 1, it comprises: a security decision center, a decision rule library, a container image library, a security incident library and terminal devices.
(1) The security decision center is the master control hub that coordinates intelligent network security function management. It is deployed in a region of the network environment with a higher security level and communicates with the decision rule library, the container image library, the security incident library and the terminal devices. It specifically comprises: an event analysis component, a rule reasoning component, an image formation component, and an interaction and forwarding interface component; the components cooperate to complete decision formulation and delivery. Specifically:
The event analysis component reads security incidents from the security incident library and, through computation, completes the analysis, interpretation and quantification of the security state and security risk in the network environment.
The rule reasoning component reads decision rules from the decision rule library and, by matching the security incident analysis results against the effective rule conditions, filters out the rule instances that apply and are triggered under the current situation.
The image formation component receives the rule instances screened by the rule reasoning component, reads from each instance the behaviour template that guides the next operation, and sends the relevant parameters in the template to the container image library to generate an image.
The interaction and forwarding interface component is responsible for formatted communication with the decision rule library, the container image library, the security incident library and the terminal devices. Communication with the decision rule library and the security incident library uses JSON format; communication with the container image library and the terminal devices uses JSON or a binary proprietary protocol format.
(2) The container image library completes the software implementation of network security functions, payload generation, encapsulation, release and management. It is deployed in a region of the network environment with a higher security level and keeps a connection with the security decision center. It specifically comprises: an image source component, an image formation component, an image management component and an image service component; the components complete the configuration activities of the image life cycle through a shared operating storage space. Specifically:
The image source component stores the basic security function code that can be used to generate combined images, including but not limited to the four classes of firewall, intrusion detection, host monitoring and honeypot. The firewall uses the GPL-licensed open source code ModSecurity hosted on GitHub, intrusion detection uses the GPL-licensed open source code Snort hosted on GitHub, host monitoring uses the GPL-licensed open source code Metricbeat hosted on GitHub, and the honeypot uses the GPL-licensed open source code Conpot hosted on GitHub.
The image formation component packages the basic security function code stored in the image source component into images according to a specified configuration; specifically, it can use the Dockerfile command-line tool to package the basic security function code stored in the image source component into a Docker image according to the specified configuration. The specified configuration includes the rule file to be loaded, the ports to be opened, the number of allowed concurrent accesses, the custom name of the image, and so on.
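The image formation step above, as an added example that is not the patent's code: a Python helper that turns the specified configuration (rule file to load, ports to open, allowed concurrent accesses, custom image name) into a Dockerfile and a `docker build` invocation. The registry and base image names, the path inside the image where the rule file lands, and the `MAX_CONNECTIONS` environment variable are assumptions made for illustration; the page itself only names the Dockerfile tool and the configuration items.

```python
"""Added example (not the patent's or any project's code): mapping the image
formation component's "specified configuration" onto a Dockerfile and a
`docker build` argv.  Base image names, container paths and MAX_CONNECTIONS
are assumptions."""
import os
import re
from typing import Any, Dict, List

# Assumed source-image names for the four payload classes held in the image library.
SOURCE_IMAGES = {
    "firewall": "registry.example.internal/source/modsecurity:latest",
    "intrusion_detection": "registry.example.internal/source/snort:latest",
    "host_monitor": "registry.example.internal/source/metricbeat:latest",
    "honeypot": "registry.example.internal/source/conpot:latest",
}
# Docker repository path component: lowercase alphanumerics joined by . _ or -
NAME_RE = re.compile(r"^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def validate_config(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Reject a configuration that would produce an invalid or unsafe build.

    The configuration is derived from a rule consequent, so it is treated as
    untrusted input: the rule file must be a bare file name inside the build
    context, ports must be valid and unique, and the name must be legal."""
    rules_file = str(cfg["rules_file"])
    if os.path.basename(rules_file) != rules_file or rules_file in ("", ".", ".."):
        raise ValueError(f"rules_file must be a plain file name, got {rules_file!r}")
    ports = cfg.get("ports", [])
    if not ports or len(set(ports)) != len(ports):
        raise ValueError("ports must be a non-empty list without duplicates")
    for p in ports:
        if not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid port {p!r}")
    max_conn = cfg.get("max_connections", 100)
    if not isinstance(max_conn, int) or max_conn <= 0:
        raise ValueError(f"max_connections must be a positive integer, got {max_conn!r}")
    name, _, tag = str(cfg["name"]).partition(":")
    tag = tag or "latest"
    if not NAME_RE.match(name) or not TAG_RE.match(tag):
        raise ValueError(f"invalid image name {cfg['name']!r}")
    return {"rules_file": rules_file, "ports": sorted(ports),
            "max_connections": max_conn, "name": name, "tag": tag}


def render_dockerfile(payload: str, cfg: Dict[str, Any]) -> str:
    """Build the Dockerfile text for one payload class from a validated config."""
    if payload not in SOURCE_IMAGES:
        raise ValueError(f"unknown payload class {payload!r}")
    c = validate_config(cfg)
    lines = [
        f"FROM {SOURCE_IMAGES[payload]}",
        f"# rule file loaded by the {payload} payload (assumed path inside the image)",
        f"COPY {c['rules_file']} /etc/{payload}/rules.conf",
        f"ENV MAX_CONNECTIONS={c['max_connections']}",
        "EXPOSE " + " ".join(str(p) for p in c["ports"]),
        f'LABEL org.example.payload="{payload}" org.example.rules="{c["rules_file"]}"',
    ]
    return "\n".join(lines) + "\n"


def build_command(payload: str, cfg: Dict[str, Any], context_dir: str = ".") -> List[str]:
    """argv for `docker build`; the Dockerfile is fed on stdin (-f -), so the
    build context only needs to contain the rule file."""
    c = validate_config(cfg)
    if payload not in SOURCE_IMAGES:
        raise ValueError(f"unknown payload class {payload!r}")
    return ["docker", "build", "-t", f"{c['name']}:{c['tag']}", "-f", "-", context_dir]


if __name__ == "__main__":
    demo = {"rules_file": "block-ssh-bruteforce.conf", "ports": [22],
            "max_connections": 200, "name": "fw-level1"}
    dockerfile = render_dockerfile("firewall", demo)
    print(dockerfile)
    print(" ".join(build_command("firewall", demo)))
    # To build for real (needs Docker and the rule file in the current directory):
    # subprocess.run(build_command("firewall", demo), input=dockerfile.encode(), check=True)
```

Because the configuration originates in a rule consequent rather than in an operator's hands, the helper validates it before anything reaches `docker build`: a rule file name carrying path components, an out-of-range or duplicated port, a non-positive concurrency limit, or an image name Docker would reject is refused instead of being passed through to the build.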
The image management component allows the user or the security decision center to add, view, modify and delete the images in the current container image library, including source images and generated images. When the user manages images, a Web function interface is provided; when the security decision center manages images, a remote call interface implemented in the RESTful style is provided.
The image service component pushes the specified generated image to terminal devices under the instruction of the security decision center, realising remote delivery of the image.
(3) The security incident library completes the convergence, storage, classification and pre-processing of security incidents in the network environment. It is deployed in a region of the network environment with a higher security level and communicates with the security decision center and the terminal devices. It specifically comprises:
The event receiving component is responsible for providing an interface for receiving and collecting the security incidents reported by terminal devices, and temporarily stores all received data; the interface is implemented in JSON.
The event pre-processing component classifies and formats received security incidents according to the content of their specific format. The basis of classification includes the reporter of the security incident, report time, event type, event time, source IP, source port, destination IP, destination port, protocol name, urgency level, duration, frequency, additional information, and so on. Formatting includes unifying the time standard and classifying by reporter, by event type, by destination IP, by urgency level, and so on; formatted events are stored using the national standard GB/T 28517-2012 "Network security incident description and exchange format".
The event management component allows the user or the security decision center to view, modify and delete all security incidents in the current security incident library. When the user manages events, a Web function interface is provided; when the security decision center manages events, a remote access interface implemented in the RESTful style is provided.
The event service component sends, under the instruction of the security decision center, events of a specific type, specific time period, specific source, specific target or meeting a specific combination of conditions to the security decision center for its analysis and decision.
(4) The decision rule library completes the mapping and linkage function between security incidents and threat responses in intelligent network security function management. It is deployed in a region of the network environment with a higher security level and communicates with the security decision center and the security incident library. It comprises:
The rule setting component creates new rules through manual or automatic import. When the user chooses to set rules manually, a form in the style of a web interface assists the user's input; when rules are imported automatically, import of files in the agreed CSV/XLS/JSON/XML formats is provided, with a preview function before import.
The rule management component allows the user or the security decision center to view, modify and delete all rules in the current decision rule library. When the user manages rules, a Web function interface is provided; when the security decision center manages rules, a remote access interface implemented in the RESTful style is provided.
The rule learning component automatically extracts rules from security incidents; the types of automatically extracted rules include time-range rules, port-frequency rules, access-path rules, traffic rules, and so on.
The rule service component sends, under the instruction of the security decision center, rules of a specific type, specific antecedent, specific priority or meeting a specific combination of conditions to the security decision center for its analysis and decision.
Rules are stored in the decision rule library in JSON format. Each rule comprises three parts in "IF-THEN" style: an antecedent (required), a configuration (optional) and a consequent (optional). The antecedent of a rule is the condition that must be met to trigger the rule, in the form of a variable expression or a regular expression; the configuration of a rule is the information set for the rule itself, such as its type, priority, usage restrictions and environment requirements, and is used to assist the rule matching process; the consequent is the suggested response operation to execute after the rule is triggered.
The terminal device is the edge node of intelligent network security function management; besides completing its own computing, storage and network functions, it can also receive the container images delivered by the security decision center, and install and run them. Terminal devices include terminals and network devices. Specifically:
For a terminal, it is required that Docker Community or Docker Enterprise 17.00 or a later version can run on its operating system platform, that it has an independent IP address and can connect to the security decision center, that an account with administrator rights can be logged in remotely, and that the remaining storage space is greater than the total size of the corresponding image container and the temporary files required at runtime.
For a network device, it is required that Docker Community or Docker Enterprise 17.00 or a later version can run on its hardware operating system; it may lack an independent IP address but must be able to connect to the security decision center; for devices that have an IP address, an account with administrator rights must be able to be logged in remotely; and the remaining storage space must be greater than the total size of the corresponding image container and the temporary files required at runtime.
Based on the above container-based intelligent network security function management system, this embodiment also provides a container-based intelligent network security function management method, comprising:
completing the cold start of intelligent network security function management through an initial configuration process;
when a potential security risk is faced, carrying out collaborative protection by raising the security level;
when no potential security risk has been found for a long period, releasing (lowering) the security level.
As shown in Fig. 2, the initial configuration process comprises the following steps:
A. Install the security decision center, the decision rule library, the container image library and the security incident library respectively, and correctly configure the IP of the security decision center in the decision rule library, the container image library and the security incident library;
B. In the security decision center, configure information such as the address, port and model of the related terminal devices in the network environment;
C. Initialize the image library, download online the latest code of the four payload classes (firewall, intrusion detection, host monitoring and honeypot), and encapsulate them as source images using typical configurations;
D. Initialize the security incident library and clear all event flags;
E. Initialize the decision rule library and configure the default protection rules;
F. Start the security decision center; the security decision center automatically connects to the related terminal devices in the network environment and delivers the firewall payload;
G. The related terminal devices receive the firewall payload, load and run it in the container environment, and start security incident monitoring;
H. The related terminal devices submit the generated security incidents to the security incident library.
As shown in Fig. 3, the security level raising comprises the following steps:
A. When a terminal device is subjected to a network attack or executes an abnormal operation, it generates a suspicious security incident and submits it to the security incident library;
B. The security incident library receives the suspicious security incident and, through pre-processing, classifies it into an event type that may involve an attack;
C. The security decision center scans the event types that may involve an attack and calls the decision rule library to match suspected attack behaviour;
D. During the matching process of the decision rule library, several attack rules are hit, and the rule service of the decision rule library sends these attack rules to the security decision center;
E. The security decision center extracts the consequents of the attack rules and sends them to the container image library;
F. The container image library generates a new image payload based on the source image according to the requirements of the consequents of the attack rules;
G. The image service of the container image library sends the new image payload to the security decision center;
H. The security decision center raises the security level of the network environment;
I. The security decision center sends the new image payload to the terminal device that reported the suspicious security incident and to terminal devices of the same type;
J. The new image payload is installed and run on the terminal devices.
As shown in figure 4, the security level release comprises the following steps:
A, when no new suspicious security event has been added for a long period, the security level release rule in the decision rule library is triggered;
B, the security decision center scans the newly triggered security level release rule, extracts the consequent of the security level release rule and transmits it to the container image repository;
C, the container image repository generates a new image payload from the source images according to the requirements of the consequent of the security level release rule;
D, the image service of the container image repository sends the new image payload to the security decision center;
E, the security decision center lowers the security level of the network environment;
F, the security decision center sends the new image payload to the relevant terminal devices;
G, the new image payload is installed and run on the terminal devices.
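The three procedures above (cold start, security level promotion and security level release) can be read as one control loop driven by the security decision center. The following is an added example, not code from the patent: a small Python simulation in which the security event library, the decision rule library, the container image repository and the security decision center are plain classes. The event keywords, the two attack rules, the quiet-period threshold, the device names and the dictionary "payloads" that stand in for container images are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed mapping from raw event text to the event type produced by the
# event library's pre-processing step (anything unmatched is treated as benign).
SUSPICIOUS_KEYWORDS = {
    "port scan": "recon",
    "brute force": "credential_attack",
    "suspicious process": "host_anomaly",
}
QUIET_PERIOD = 10   # constructed: time units without a new suspicious event before release
BASELINE = {"base": "firewall", "config": {}}   # payload issued at cold start


@dataclass
class Event:
    device: str
    device_type: str
    raw: str
    time: int
    event_type: str = "benign"
    handled: bool = False      # the "event flag" that is cleared at initialisation


class EventLibrary:
    """Receives events from terminal devices and classifies them (pre-processing)."""
    def __init__(self):
        self.events = []

    def submit(self, ev: Event) -> None:
        for keyword, etype in SUSPICIOUS_KEYWORDS.items():
            if keyword in ev.raw.lower():
                ev.event_type = etype
        self.events.append(ev)

    def pending_suspicious(self) -> list:
        return [e for e in self.events if e.event_type != "benign" and not e.handled]


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: frozenset   # event types that must all be present to hit the rule
    consequent: tuple       # (source image, mode) handed to the image repository
    priority: int = 0


RULES = [  # constructed attack rules; a real rule library would be far larger
    Rule("recon_block", frozenset({"recon"}), ("firewall", "strict"), 1),
    Rule("cred_trap", frozenset({"credential_attack"}), ("honeypot", "ssh-decoy"), 2),
]


class RuleLibrary:
    def match(self, observed: set) -> list:
        """Return every rule whose antecedent is satisfied, highest priority first."""
        hits = [r for r in RULES if r.antecedent <= observed]
        return sorted(hits, key=lambda r: -r.priority)


class ImageRepository:
    SOURCE_IMAGES = {"firewall", "intrusion_detection", "host_monitor", "honeypot"}

    def generate(self, consequent: tuple) -> dict:
        """Build a new image payload from a source image plus the rule's parameters."""
        base, mode = consequent
        if base not in self.SOURCE_IMAGES:
            raise ValueError(f"no source image for {base!r}")
        return {"base": base, "config": {"mode": mode}}


class DecisionCenter:
    def __init__(self, devices: dict):
        self.devices = devices            # device name -> device type (initial configuration)
        self.events = EventLibrary()
        self.rules = RuleLibrary()
        self.images = ImageRepository()
        self.level = 0
        self.last_suspicious = 0
        self.deployed = {d: [dict(BASELINE)] for d in devices}   # cold start: firewall everywhere

    def scan(self, now: int) -> list:
        """One decision cycle; returns the names of the rules or actions applied."""
        pending = self.events.pending_suspicious()
        applied = []
        if pending:
            self.last_suspicious = now
            reporter_types = {e.device_type for e in pending}
            for rule in self.rules.match({e.event_type for e in pending}):
                image = self.images.generate(rule.consequent)
                self.level += 1
                # Push to the reporting devices and to every device of the same type.
                for dev, dtype in self.devices.items():
                    if dtype in reporter_types:
                        self.deployed[dev].append(image)
                applied.append(rule.name)
            for e in pending:
                e.handled = True
        elif self.level > 0 and now - self.last_suspicious >= QUIET_PERIOD:
            # Release rule: a long quiet period, so drop back to the baseline payload.
            self.level = 0
            for dev in self.devices:
                self.deployed[dev] = [dict(BASELINE)]
            applied.append("release")
        return applied
```

The release path here is a plain quiet-period timer, which is the simplest reading of "no new suspicious event for a long period"; in a real deployment the image payloads would additionally be signed by the repository and verified by the terminal device before being run, since the decision center is effectively pushing executable code to every device of a type.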
The container-based intelligent network security function management method and system of the invention have the following beneficial effects:
(1) Dynamic loading of security functions in a network environment is supported. Today's unpredictable and rapidly changing attack patterns, such as zero-day vulnerability attacks and APT attacks, all pose a severe challenge to the protective capacity of information systems. The invention can upgrade rules and maintain security strategies dynamically and in real time, so that the effectiveness of the security functions provided increases gradually over time, matching the attacker's level and achieving the expected security protection capability to resist a given degree of risk.
(2) Coordination and targeted configuration of security functions from a global perspective are supported. So that the function of a single security hardware or software device does not become the weak point of the whole system, the invention perceives and analyses security threats from a global angle, performs targeted configuration according to the characteristics of each security hardware and software device, and so balances the overall security capability.
(3) Balancing threat detection speed against precision is supported. Every kind of network security hardware and software device incurs a fixed operating overhead while running. The invention can judge the security risk level currently faced in real time: when the security risk is higher, it raises the intensity of the global security protection functions and gives priority to the safety of the network and service environment; when the security risk is lower, it reduces the security level, releases the heavy occupation of security resources, and provides sufficient resource guarantees for the operation of the network and the business.
The foregoing is merely illustrative of preferred embodiments of the present invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principle of the invention shall all be included in its protection scope.
Claims (10)
1. A container-based intelligent network security function management method, characterized by comprising:
completing the cold start of intelligent network security function management through an initial configuration process;
when facing a potential security risk, carrying out collaborative protection through security level promotion;
when no potential security risk has been found for a long period, carrying out security level release.
2. The container-based intelligent network security function management method as described in claim 1, characterized in that the initial configuration process comprises the following steps:
A, install the security decision center, the decision rule library, the container image repository and the security event library respectively, and correctly configure the IP address of the security decision center in the decision rule library, the container image repository and the security event library;
B, in the security decision center, configure the address, port and model of the relevant terminal devices in the network environment;
C, initialize the image repository: download the latest code of the four payload classes (firewall, intrusion detection, host monitor and honeypot) online and package it with a typical configuration as the source images;
D, initialize the security event library and clear all event flags;
E, initialize the decision rule library and configure the default protection rules;
F, start the security decision center; it automatically connects to the relevant terminal devices in the network environment and issues the firewall payload;
G, the relevant terminal devices receive the firewall payload, load and run it in the container environment, and start security event monitoring;
H, the relevant terminal devices submit the generated security events to the security event library.
3. The container-based intelligent network security function management method as described in claim 1, characterized in that the security level promotion comprises the following steps:
A, when a terminal device suffers a network attack or executes an abnormal operation, it generates a suspicious security event and submits it to the security event library;
B, the security event library receives the suspicious security event and, through pre-processing, classifies it into an event type that may relate to an attack;
C, the security decision center scans the event types that may relate to an attack and calls the decision rule library to match suspected attack behaviour;
D, during matching in the decision rule library, several attack rules are hit; the rule service of the decision rule library sends these attack rules to the security decision center;
E, the security decision center extracts the consequents of the attack rules and transmits them to the container image repository;
F, the container image repository generates a new image payload from the source images according to the requirements of the consequents of the attack rules;
G, the image service of the container image repository sends the new image payload to the security decision center;
H, the security decision center raises the security level of the network environment;
I, the security decision center sends the new image payload to the terminal device that reported the suspicious security event and to the terminal devices of the same type;
J, the new image payload is installed and run on the terminal devices.
4. The container-based intelligent network security function management method as described in claim 1, characterized in that the security level release comprises the following steps:
A, when no new suspicious security event has been added for a long period, the security level release rule in the decision rule library is triggered;
B, the security decision center scans the newly triggered security level release rule, extracts the consequent of the security level release rule and transmits it to the container image repository;
C, the container image repository generates a new image payload from the source images according to the requirements of the consequent of the security level release rule;
D, the image service of the container image repository sends the new image payload to the security decision center;
E, the security decision center lowers the security level of the network environment;
F, the security decision center sends the new image payload to the relevant terminal devices;
G, the new image payload is installed and run on the terminal devices.
5. A container-based intelligent network security function management system, characterized by comprising: a security decision center, a decision rule library, a container image repository, a security event library and terminal devices; the security decision center communicates with the decision rule library, the container image repository, the security event library and the terminal devices.
6. The container-based intelligent network security function management system as claimed in claim 5, characterized in that the security decision center comprises:
an event analysis component, for reading security events from the security event library and, through calculation, analysing, interpreting and quantifying the overall security state and security risk of the network environment;
a rule reasoning component, for reading decision rules from the decision rule library, matching the security event analysis results against the effective conditions of the rules, and filtering out the rule instances that apply and are triggered under the present situation;
an image generation component, for receiving the rule instances filtered out by the rule reasoning component, reading the operation template of each step under the guidance of the instance, and sending the relevant parameters in the template to the container image repository to generate an image;
an interaction and forwarding interface component, responsible for formatted communication between the decision rule library, the container image repository, the security event library and the terminal devices.
7. The container-based intelligent network security function management system as claimed in claim 5, characterized in that the container image repository comprises:
an image source component, for storing basic security function code that can be used to generate combined images;
an image generation component, for packaging the basic security function code stored in the image source component into images according to a specified configuration;
an image management component, for adding, viewing, modifying and deleting the source images or generated images in the current container image repository;
an image service component, for pushing a specified generated image to terminal devices under the instruction of the security decision center.
8. The container-based intelligent network security function management system as claimed in claim 5, characterized in that the security event library comprises:
an event receiving component, for receiving and collecting the security events reported from terminal devices and temporarily storing all received data;
an event pre-processing component, for classifying and formatting received security events according to the content of their specific format;
an event management component, for viewing, modifying and deleting all security events in the current security event library;
an event service component, for sending events of a specific type, specific time period, specific source, specific target, or meeting a specific combination of conditions to the security decision center under its instruction, for use in its analysis and decision-making.
9. The container-based intelligent network security function management system as claimed in claim 5, characterized in that the decision rule library comprises:
a rule setting component, for creating new rules by manual or automatic import;
a rule management component, for viewing, modifying and deleting all rules in the current decision rule library;
a rule learning component, for automatically extracting rules from security events;
a rule service component, for sending rules of a specific type, specific antecedent, specific priority, or meeting a specific combination of conditions to the security decision center under its instruction, for use in its analysis and decision-making.
10. The container-based intelligent network security function management system as claimed in claim 5, characterized in that the terminal devices can receive container images issued from the security decision center and install and run them.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910001284.9A CN109729089B (en) | 2019-01-02 | 2019-01-02 | Container-based intelligent network security function management method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109729089A true CN109729089A (en) | 2019-05-07 |
CN109729089B CN109729089B (en) | 2021-04-27 |
Family
ID=66298730
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910001284.9A Active CN109729089B (en) | 2019-01-02 | 2019-01-02 | Container-based intelligent network security function management method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109729089B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007066412A1 (en) * | 2005-12-09 | 2007-06-14 | Matsushita Electric Industrial Co., Ltd. | Information-communication terminal device and automatic backup system including the same |
CN104767876A (en) * | 2015-03-03 | 2015-07-08 | 中国联合网络通信集团有限公司 | Safety software processing method and user terminal |
CN106572120A (en) * | 2016-11-11 | 2017-04-19 | 中国南方电网有限责任公司 | Access control method and system based on mixed cloud |
CN107733877A (en) * | 2017-09-27 | 2018-02-23 | 中科鼎慧(天津)物联网技术有限公司 | A kind of management method and system of Internet of Things wireless telecommunications framework |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114050967A (en) * | 2021-08-16 | 2022-02-15 | 湖州学院 | Container-based intelligent network security function management method and system |
CN114780168A (en) * | 2022-03-30 | 2022-07-22 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
CN114780168B (en) * | 2022-03-30 | 2023-04-28 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN109729089B (en) | 2021-04-27 |
Similar Documents
Publication | Title |
---|---|
CN101951384B (en) | Distributed security domain logic boundary protection method |
CN107659543A (en) | The means of defence of facing cloud platform APT attacks |
US10671723B2 (en) | Intrusion detection system enrichment based on system lifecycle |
CN114372286A (en) | Data security management method and device, computer equipment and storage medium |
Backman | Conceptualizing cyber crises |
CN113422779B (en) | Active security defense system based on centralized management and control |
Du | Application of information communication network security management and control based on big data technology |
CN113645213A (en) | Multi-terminal network management monitoring system based on VPN technology |
Eastman et al. | Big data and predictive analytics: on the cybersecurity front line |
Bellini et al. | Cyber Resilience in IoT network: Methodology and example of assessment through epidemic spreading approach |
Klement et al. | Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN? |
CN109729089A (en) | A kind of intelligent network security function management method and system based on container |
CN115361186A (en) | Zero trust network architecture for industrial internet platform |
Toker et al. | Mitre ics attack simulation and detection on ethercat based drinking water system |
CN113971288A (en) | Big data technology-based smart campus security management and control platform |
CN103312693A (en) | Video and audio access control gateway equipment |
Rajaboevich et al. | Methods and intelligent mechanisms for constructing cyberattack detection components on distance-learning systems |
CN106534223B (en) | Openstack access control method based on key algorithm and log audit |
CN110378120A (en) | Application programming interfaces attack detection method, device and readable storage medium storing program for executing |
CN110213301A (en) | A kind of method, server and system shifting network attack face |
Wang et al. | Research on Secure Cloud Networking Plan Based on Industry-Specific Cloud Platform |
Lakka et al. | Incident Handling for Healthcare Organizations and Supply-Chains |
Rawal et al. | Cybersecurity and Identity Access Management |
CN114189355A (en) | Layered network safety protection integrated linkage defense method |
Bayer | Strategic information warfare: An introduction |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |