CN110505186A - Security rule conflict identification method, identification device and storage medium - Google Patents
- Publication number: CN110505186A (application number CN201810485801.XA)
- Authority: CN (China)
- Prior art keywords: security rule, rule, under test, original security rule, original
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0281—Proxies
- (same hierarchy down to H04L63/00) > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- (same hierarchy down to H04L63/20) > H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The invention discloses a method, an identification device and a storage medium for identifying security rule conflicts. The identification device first obtains the original security rules of each terminal security agent in a target network and generates a security rule model from those original security rules; it then receives the security rule under test that a terminal security agent in the target network sends; finally it matches the security rule under test against each original security rule in the security rule model. When the security rule under test successfully matches an original security rule in the model, the device determines that the security rule under test conflicts with that original security rule. In this way it can efficiently identify whether a newly added security rule conflicts with the existing security rules of each terminal in the target network; even when the target network is a large network, an original security rule that conflicts with a newly added security rule can be identified in time, which safeguards the stability of the target network.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, an identification device and a storage medium for identifying security rule conflicts.
Background technique
A security agent (Agent) is typically installed on a terminal device. Such terminal devices may include physical servers, virtual machines and containers (a virtualization technology lighter-weight than a virtual machine). The security agent usually runs on the terminal device as software and is mainly responsible for enforcing the terminal device's security policy; for example, the security policy may consist of ACL (access control list) rules, in which case the ACL rules are deployed on the terminal device.
A target network may contain many terminal devices, and a security agent is deployed on each of them. An administrator may also divide the target network into regions, each of which contains many terminal devices, every one of which has a security agent. If a terminal device in the target network that is equipped with a security agent issues a security policy to a region, the policy is automatically synchronized to every security agent in that region. This achieves security protection between individual terminal devices as well as protection between regions. There is generally also a central control terminal that serves as the user interface: the user issues security policies through its operation interface to the security agents, thereby protecting hosts/virtual machines or regions.
However, two problems currently exist: (1) when the target network is large, the issued rules tend to conflict with one another, including rule conflicts within a single machine, conflicts between hosts/virtual machines within a domain, and even conflicts between domains; (2) after a security policy is issued, it is unpredictable what effect it will have on client traffic.
The above is provided only to help in understanding the technical solution, and does not represent an admission that it constitutes prior art.
Summary of the invention
The main purpose of the present invention is to provide a method, an identification device and a storage medium for identifying security rule conflicts, aiming to solve the technical problem in the prior art that, when the target network is large, conflicts between a newly added security policy and the existing security rules cannot be identified efficiently.
To achieve the above object, the present invention provides a method for identifying security rule conflicts, which includes the following steps:
an identification device obtains the original security rules of each terminal security agent in a target network, and generates a security rule model from the original security rules of each terminal security agent;
receives the security rule under test sent by a terminal security agent under test in the target network;
matches the security rule under test against each original security rule in the security rule model and, when the security rule under test successfully matches an original security rule in the security rule model, determines that the security rule under test conflicts with that original security rule.
Preferably, the step in which the identification device obtains the original security rules of each terminal security agent in the target network and generates the security rule model from them specifically includes:
the identification device sends a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent returns its original security rules in response to the rule acquisition request;
receiving the original security rules returned by each terminal security agent;
establishing the security rule model according to a preset data structure, based on the original security rules returned by each terminal security agent.
Preferably, the preset data structure is a preset tree structure;
correspondingly, establishing the security rule model according to the preset data structure based on the original security rules of each terminal security agent specifically includes:
obtaining from the original security rule the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting the leaf node in the preset tree structure that corresponds to the parameter information;
saving the original security rule to the selected leaf node, thereby establishing the security rule model.
Preferably, receiving the original security rules returned by each terminal security agent specifically includes:
receiving the original security rule and the terminal device identifier returned by each terminal security agent;
correspondingly, saving the original security rule to the selected leaf node to establish the security rule model specifically includes:
saving the original security rule together with the terminal device identifier to the selected leaf node, thereby establishing the security rule model.
Preferably, matching the security rule under test against each original security rule in the security rule model and, when the security rule under test successfully matches an original security rule in the model, determining that the security rule under test conflicts with that original security rule specifically includes:
matching the security rule under test against each original security rule in the security rule model;
when the security rule under test is identical to a target original security rule in the security rule model, determining that the security rule under test conflicts with the target original security rule, the target original security rule being the original security rule that successfully matched the security rule under test;
correspondingly, after determining that the security rule under test conflicts with an original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Preferably, matching the security rule under test against each original security rule in the security rule model and, when the security rule under test successfully matches an original security rule in the model, determining that the security rule under test conflicts with that original security rule specifically includes:
reading the access control rule from the security rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, to judge whether the access control rule is a block rule;
when the access control rule is a block rule, determining that the security rule under test conflicts with the target original security rule corresponding to that block rule;
correspondingly, after determining that the security rule under test conflicts with an original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Preferably, after determining that the security rule under test conflicts with an original security rule, the method further includes:
intercepting the security rule under test.
Preferably, after saving the original security rule and the device identifier to the selected leaf node to establish the security rule model, the method further includes:
obtaining the original security rules of each terminal security agent in the target network at a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
In addition, to achieve the above object, the present invention also proposes an identification device, which includes a memory, a processor, and a security rule conflict identification program stored in the memory and runnable on the processor; when the security rule conflict identification program is executed by the processor, it implements the steps of the security rule conflict identification method according to any one of claims 1 to 8.
In addition, to achieve the above object, the present invention also proposes a storage medium on which a security rule conflict identification program is stored; when the security rule conflict identification program is executed by a processor, it implements the steps of the security rule conflict identification method according to any one of claims 1 to 8.
The identification device of the present invention first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the security rule under test sent by a terminal security agent under test in the target network; finally it matches the security rule under test against each original security rule in the security rule model, and can thereby efficiently identify whether a newly added security rule conflicts with the existing security rules of each terminal in the target network. When the security rule under test successfully matches an original security rule in the security rule model, the device determines that the two conflict. Even when the target network is a large network, an original security rule that conflicts with the newly added security rule can be identified in time, which safeguards the stability of the target network.
Detailed description of the invention
Fig. 1 is a schematic structural diagram of the identification device of the hardware operating environment involved in an embodiment of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the security rule conflict identification method of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the security rule conflict identification method of the present invention;
Fig. 4 is a schematic diagram of the preset tree structure in an embodiment of the security rule conflict identification method of the present invention;
Fig. 5 is a schematic diagram of the preset tree structure of one dimension in an embodiment of the security rule conflict identification method of the present invention;
Fig. 6 is a flow diagram of the third embodiment of the security rule conflict identification method of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Specific embodiment
It should be understood that the specific embodiments described here are only intended to illustrate the present invention, and not to limit it.
Referring to Fig. 1, Fig. 1 is a schematic structural diagram of the identification device of the hardware operating environment involved in an embodiment of the present invention.
As shown in Fig. 1, the identification device may include a processor 1001 such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory) such as a magnetic disk memory.
The identification device may be a network device such as a server.
Those skilled in the art will understand that the structure shown in Fig. 1 does not limit the identification device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and the security rule conflict identification program.
In the identification device shown in Fig. 1, the network interface 1004 is mainly used for data communication with an external network; the user interface 1003 is mainly used for receiving input instructions from the user; and the identification device uses the processor 1001 to call the security rule conflict identification program stored in the memory 1005 and perform the following operations:
obtaining the original security rules of each terminal security agent in the target network, and generating a security rule model from the original security rules of each terminal security agent;
receiving the security rule under test sent by a terminal security agent under test in the target network;
matching the security rule under test against each original security rule in the security rule model and, when the security rule under test successfully matches an original security rule in the security rule model, determining that the security rule under test conflicts with that original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
sending a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent returns its original security rules in response to the rule acquisition request;
receiving the original security rules returned by each terminal security agent;
establishing the security rule model according to a preset data structure, based on the original security rules returned by each terminal security agent.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
obtaining from the original security rule the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting the leaf node in the preset tree structure that corresponds to the parameter information;
saving the original security rule to the selected leaf node, thereby establishing the security rule model.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
receiving the original security rule and the terminal device identifier returned by each terminal security agent;
saving the original security rule together with the terminal device identifier to the selected leaf node, thereby establishing the security rule model.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
matching the security rule under test against each original security rule in the security rule model;
when the security rule under test is identical to a target original security rule in the security rule model, determining that the security rule under test conflicts with the target original security rule, the target original security rule being the original security rule that successfully matched the security rule under test;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
reading the access control rule from the security rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, to judge whether the access control rule is a block rule;
when the access control rule is a block rule, determining that the security rule under test conflicts with the target original security rule corresponding to that block rule;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operation:
intercepting the security rule under test.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
obtaining the original security rules of each terminal security agent in the target network at a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the security rule under test sent by a terminal security agent under test in the target network; finally it matches the security rule under test against each original security rule in the security rule model, and can thereby efficiently identify whether a newly added security rule conflicts with the existing security rules of each terminal in the target network. When the security rule under test successfully matches an original security rule in the security rule model, the device determines that the two conflict. Even when the target network is a large network, an original security rule that conflicts with the newly added security rule can be identified in time, which safeguards the stability of the target network.
Based on the above hardware structure, an embodiment of the security rule conflict identification method of the present invention is proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the security rule conflict identification method of the present invention.
In the first embodiment, the security rule conflict identification method includes the following steps:
Step S10: the identification device obtains the original security rules of each terminal security agent in the target network, and generates a security rule model from the original security rules of each terminal security agent;
It should be noted that the executing subject of this embodiment is the identification device, which may be a network device such as a server. The target network contains multiple terminal devices, which are either directly connected physically or indirectly connected over a network; these terminal devices may include physical servers, virtual machines and containers (such as the application container engine Docker). A security agent (Agent) is installed on each terminal device; it runs on the terminal device as software and is responsible for deploying security policies/rules (hereinafter referred to as security rules), such as access control rules (Access Control List, ACL), on the terminal device. An administrator may also divide the target network into regions, each of which contains many terminal devices, every one of which has a security agent. If a terminal device in the target network that is equipped with a security agent issues a security rule to a region, the security rule is automatically synchronized to every security agent in that region.
It will be appreciated that the original security rules can also be understood as the security rules currently in force at each terminal security agent.
In a specific implementation, the identification device obtains the original security rules of each terminal security agent in the target network and uses them to profile the target network, forming or correcting a network model (i.e. the security rule model), which it stores in a database. The security rule model is the core of the whole system. To ensure that the system's security rule model does not deviate from the actual state of the virtual or physical network, the system periodically and actively obtains the current security rules from each terminal, so as to correct any deviation between the network model and the real network; the period length is adjustable.
Step S20: receiving the security rule under test sent by a terminal security agent under test in the target network;
It is understood that a user may, through a terminal device in the target network that is equipped with a security agent, issue a newly added security rule to a region or to the whole network; this newly added security rule is referred to here as the security rule under test.
Step S30: matching the security rule under test against each original security rule in the security rule model and, when the security rule under test successfully matches an original security rule in the security rule model, determining that the security rule under test conflicts with that original security rule.
It will be appreciated that after the identification device obtains the newly added security rule (i.e. the security rule under test), it needs to verify or identify whether the newly added security rule conflicts with the original security rules of any terminal security agent in the target network. Specifically, the identification device places the newly added security rule into the security rule model for matching; if the newly added security rule matches some original security rule in the security rule model, this shows that the newly added security rule conflicts with or affects that original security rule.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the security rule under test sent by a terminal security agent under test in the target network; finally it matches the security rule under test against each original security rule in the security rule model, and can thereby efficiently identify whether a newly added security rule conflicts with the existing security rules of each terminal in the target network. When the security rule under test successfully matches an original security rule in the security rule model, the device determines that the two conflict. Even when the target network is a large network, an original security rule that conflicts with the newly added security rule can be identified in time, which safeguards the stability of the target network.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the security rule conflict identification method of the present invention. The second embodiment is proposed on the basis of the first embodiment of the security rule conflict identification method of the present invention.
In this embodiment, step S10 specifically includes:
Step S101: the identification device sends a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent returns its original security rules in response to the rule acquisition request;
Step S102: receiving the original security rules returned by each terminal security agent;
It will be appreciated that the identification device can send a rule acquisition request to each terminal security agent in real time, so that each terminal security agent returns traffic statistics in response to the rule acquisition request. On receiving the traffic statistics from a terminal security agent, the identification device converts them into that agent's current security rules (i.e. the original security rules) and then deduplicates identical original security rules (alternatively, the traffic statistics can be deduplicated before they are converted into security rules).
Further, after step S102, the identification device can establish the security rule model according to a preset data structure, based on the original security rules returned by each terminal security agent. In this embodiment the preset data structure is a preset tree structure; correspondingly, establishing the security rule model according to the preset data structure based on the original security rules of each terminal security agent specifically includes:
Step S103: obtaining from the original security rule the parameter information corresponding to each preset parameter type in the preset tree structure;
It will be appreciated that a security rule includes a five-tuple (i.e. source IP address, source port, destination IP address, destination port and transport-layer protocol); this embodiment refers to the five-tuple as the preset parameter types.
In a specific implementation, to make it easier to match the security rule under test against each original security rule in the security rule model, a data structure can be established in which all the original security rules of the terminal security agents in the target network are stored, which shortens the time needed to search and match.
The data structure in this embodiment may be a preset tree structure; see Fig. 4, which is a schematic diagram of the preset tree structure. The preset tree structure is a multi-level tree in which each level is one dimension, for example dimension 1, dimension 2, dimension 3, dimension 4 and dimension 5. Each dimension corresponds to one preset parameter type. It is understood that the preset parameter types should correspond to the characteristic information of a security rule (including the five-tuple) and may include the source IP address, destination IP address, source MAC address (Media Access Control address), destination MAC address and port number; this embodiment does not restrict the specific correspondence between dimensions and preset parameter types.
It should be understood that when a security rule is obtained, its source IP address, destination IP address, source MAC address, destination MAC address and port number can be extracted. For example, the extracted parameter information may be: source IP address 1.0.0.1, destination IP address 1.0.0.25, source MAC address X1.X2.X3.X4, destination MAC address X5.X6.X7.X8 and port number X9.
Step S104: selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
In a concrete implementation, after the parameter information for each of the above parameter types has been extracted, the corresponding leaf node is located in the preset tree structure shown in Fig. 4 and the current security rule is saved into that leaf node.
Referring to Fig. 5, Fig. 5 is a schematic diagram of one dimension of the preset tree structure. It should be noted that in the preset tree structure every level is a dimension, every dimension corresponds to one preset parameter type, and the height of the tree at each level equals the field length of that preset parameter type.
As can be seen from Fig. 5, suppose that dimension X in Fig. 5 is dimension 1, which characterises the source IP address. Because a source IP address is 32 bits long, the height of the corresponding tree is also 32, i.e. each layer of the dimension 1 tree represents one bit.
In this embodiment each layer has three possible branches: 1, 0 and the wildcard *, where "*" means that either 0 or 1 is acceptable. For example, if the source IP address is 1.0.0.1, the value in the tree for dimension 1 should be 00000001 00000000 00000000 00000001. As can be seen from Fig. 4, the branch taken at the first layer of the dimension 1 tree is 0, at the second layer 0, ..., at the 8th layer 1, ..., and at the 32nd layer 1; the 32nd layer is also the last layer of the dimension 1 tree. After the last layer of the dimension 1 tree has been reached, the next step enters the first layer of the dimension 2 tree, and so on until the last layer of the dimension 5 tree shown in Fig. 4 is reached. By designing this kind of preset tree structure, security rules can be stored in classified form according to several different parameter types. This embodiment does not limit the specific number of dimensions.
Step S105: saving the original security rule into the selected leaf node, so as to establish the security rule model.
In a concrete implementation, the node a security rule finally reaches is determined by following the branches all the way down. If the security rule carries parameter information for all five of the above parameter types, it is finally placed in a leaf node in the last layer of the dimension 5 tree, and the current security rule is saved into that leaf node in the last layer of the dimension 5 tree. The tree structure obtained after the original security rules of every terminal security agent have been processed in this way, based on the preset tree structure, is the security rule model.
Further, after the security rule model has been established, the identification device can feed a newly added security rule into the security rule model for matching. If the newly added security rule matches some original security rule in the security rule model, this indicates that the newly added security rule conflicts with that original security rule and will influence the traffic statistics corresponding to it. The security rule under test can finally be intercepted.
The advantage of the preset tree structure in this embodiment is that it occupies little space and lookup time is short. For on the order of ten thousand rules the memory consumption is about 50MB and the verification time overhead is at the millisecond level. By storing the original security rules of every terminal security agent in the target network together in the preset tree structure, the storage space for security rules is reduced and the time to match the security rule under test against each original security rule in the security rule model is shortened.
Referring to Fig. 6, Fig. 6 is a flow diagram of the third embodiment of the method for identifying security rule conflicts of the present invention. The third embodiment of the method for identifying security rule conflicts of the present invention is proposed on the basis of the second embodiment.
In this embodiment, step S102 specifically includes:
Step S1021: receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
It will be appreciated that in this embodiment the terminal device identifier is the MAC address of the terminal; anything that can serve as identity information distinguishing the terminal can serve as its terminal device identifier, and this embodiment does not enumerate the alternatives.
Correspondingly, step S105 specifically includes:
Step S1051: saving the original security rule and the terminal device identifier into the selected leaf node, so as to establish the security rule model.
It will be appreciated that after the security rules of the terminal security agents in the target network have been stored centrally, the device identifier of each terminal in the target network can also be saved into the selected leaf node. When the security rule under test matches an original security rule in the security rule model successfully, the original security rule matched by the newly added security rule under test can be determined, and the device identifier makes it possible to quickly locate the terminal in the target network on which the original security rule that conflicts with the newly added security rule under test resides.
Correspondingly, step S30 specifically includes:
Step S301: matching the security rule under test against each original security rule in the security rule model;
Step S302: when the security rule under test is identical to a target original security rule in the security rule model, determining that the security rule under test conflicts with the target original security rule, the target original security rule being the original security rule that the security rule under test matched successfully;
Step S302`: reading the access control rule from the security rule under test, determining the block rule of each original security rule in the security rule model, and matching the access control rule against the block rule of each original security rule in order to judge whether the access control rule is a block rule; when the access control rule is a block rule, determining that the security rule under test conflicts with the target original security rule corresponding to that block rule;
In a concrete implementation, taking ACL access control rules as the security rules for illustration, when the identification device verifies whether a newly added security rule under test causes a conflict, it can first read the ACL access control rule in the security rule under test and at the same time determine the permit rule and block rule of each original security rule in the security rule model. This embodiment then judges whether the newly added security rule under test conflicts in two situations: the first is when the security rule under test is identical to the target original security rule in the security rule model, in which case it is determined whether the newly added security rule under test conflicts (corresponding to step S302); the second is when the newly added security rule under test is a block rule, in which case it is determined whether the newly added security rule under test conflicts (corresponding to step S302`).
It will be appreciated that when examining, according to the above steps of this implementation, whether a newly added security rule conflicts with the original security rules, one can verify whether the security rules of the terminal under test itself conflict, whether the security rules of the individual terminals within some domain of the target network conflict with one another, and whether the security rules of different domains in the target network conflict with one another. For example, if the newly added security rule is a security rule issued to some region, it may influence the security policies of several terminal agents at once; if the security rules of the terminals in that region are identical, what is influenced is the security rule of one IP segment.
Further, after step S30, the method also includes:
Step S40: determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
It will be appreciated that the identification device of this embodiment uses the target terminal device identifier to quickly locate the target terminal in the target network on which the original security rule that conflicts with the newly added security rule under test resides, and displays the corresponding target terminal together with the original security rule, which helps the user predict, in a targeted way, the influence of the security rule on the business.
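The following is an added worked example, not code from the patent: a Python model of the preset tree structure of Figs. 4 and 5 (one layer per bit, with 0/1/* branches), storing each original rule with its terminal identifier at the leaf (steps S103 to S105 and S1051), and the conflict checks of steps S302 and S302` with the terminal identifier reported as in step S40. The dimension order, the field widths, the CIDR and MAC encodings, the wildcard-aware overlap walk used for the block-rule check and the sample rules are assumptions of this example and are not taken from the patent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Dimension order and field widths in bits (assumed; the patent leaves the order open).
DIMENSIONS = (("src_ip", 32), ("dst_ip", 32), ("src_mac", 48), ("dst_mac", 48), ("port", 16))


def ip_bits(value: str) -> str:
    """'1.0.0.1' -> 32 bit symbols; 'a.b.c.d/n' keeps n prefix bits and wildcards the rest."""
    if value == "*":
        return "*" * 32
    addr, _, prefix = value.partition("/")
    n = int(prefix) if prefix else 32
    num = 0
    for octet in addr.split("."):
        num = (num << 8) | int(octet)
    return format(num, "032b")[:n] + "*" * (32 - n)


def mac_bits(value: str) -> str:
    """'aa:bb:cc:dd:ee:ff' -> 48 bit symbols; '*' -> all wildcards."""
    if value == "*":
        return "*" * 48
    return "".join(format(int(part, 16), "08b") for part in value.split(":"))


def port_bits(value: str) -> str:
    """'22' -> 16 bit symbols; '*' -> all wildcards."""
    return "*" * 16 if value == "*" else format(int(value), "016b")


ENCODERS = {"src_ip": ip_bits, "dst_ip": ip_bits, "src_mac": mac_bits, "dst_mac": mac_bits, "port": port_bits}


@dataclass
class Rule:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    port: str
    action: str  # "permit" or "block"

    def path(self) -> str:
        # Step S103: one symbol ('0', '1' or '*') per layer, dimension after dimension (Fig. 4).
        return "".join(ENCODERS[name](getattr(self, name)) for name, _ in DIMENSIONS)


@dataclass
class Node:
    children: Dict[str, "Node"] = field(default_factory=dict)
    rules: List[Tuple[Rule, str]] = field(default_factory=list)  # leaf only: (rule, terminal id)


class RuleModel:
    def __init__(self) -> None:
        self.root = Node()

    def add(self, rule: Rule, terminal_id: str) -> None:
        # Steps S104/S1051: follow the branches to the leaf and store the rule with its terminal MAC.
        node = self.root
        for symbol in rule.path():
            node = node.children.setdefault(symbol, Node())
        node.rules.append((rule, terminal_id))

    def identical(self, rule: Rule) -> List[Tuple[Rule, str]]:
        # Step S302: the same branch at every layer, i.e. an identical rule.
        node = self.root
        for symbol in rule.path():
            node = node.children.get(symbol)
            if node is None:
                return []
        return list(node.rules)

    def overlapping(self, rule: Rule) -> List[Tuple[Rule, str]]:
        # Assumed generalisation: a '*' on either side matches, so rules whose 5-tuple spaces intersect are found.
        frontier = [self.root]
        for symbol in rule.path():
            wanted = ("0", "1", "*") if symbol == "*" else (symbol, "*")
            frontier = [n.children[w] for n in frontier for w in wanted if w in n.children]
            if not frontier:
                return []
        return [entry for n in frontier for entry in n.rules]

    def check(self, rule: Rule) -> List[dict]:
        # Step S302 (identical rule) plus step S302` (a block rule hitting a stored block rule);
        # each conflict reports the terminal identifier (step S40) and marks the rule for interception.
        hits = self.identical(rule)
        if rule.action == "block":
            hits += [(r, t) for r, t in self.overlapping(rule) if r.action == "block" and (r, t) not in hits]
        return [{"terminal": t, "original": r, "intercept": True} for r, t in hits]


def check_new_rule() -> List[dict]:
    """Constructed sample: two terminals' original rules, then a newly added block rule under test."""
    model = RuleModel()
    model.add(Rule("1.0.0.1", "1.0.0.25", "*", "*", "22", "block"), "aa:bb:cc:00:00:01")
    model.add(Rule("10.0.0.0/8", "1.0.0.25", "*", "*", "443", "permit"), "aa:bb:cc:00:00:02")
    return model.check(Rule("1.0.0.0/24", "1.0.0.25", "*", "*", "22", "block"))
```

The sample rule under test is not identical to any stored rule, so step S302 finds nothing, but as a block rule covering the first terminal's block rule it is reported as conflicting with terminal aa:bb:cc:00:00:01.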
In addition, an embodiment of the present invention also proposes a storage medium on which a program for identifying security rule conflicts is stored. When the program for identifying security rule conflicts is executed by a processor, the following operations are implemented:
obtaining the original security rules of each terminal security agent in a target network, and generating a security rule model according to the original security rules of each terminal security agent;
receiving the security rule under test sent by the terminal security agent under test in the target network;
matching the security rule under test against each original security rule in the security rule model, and, when the security rule under test matches an original security rule in the security rule model successfully, determining that the security rule under test conflicts with the original security rule.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
sending a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent feeds back its original security rules according to the rule acquisition request;
receiving the original security rules fed back by each terminal security agent;
establishing the security rule model according to a preset data structure, based on the original security rules fed back by each terminal security agent.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
obtaining, from the original security rule, the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
saving the original security rule into the selected leaf node, so as to establish the security rule model.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
saving the original security rule and the terminal device identifier into the selected leaf node, so as to establish the security rule model.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
matching the security rule under test against each original security rule in the security rule model;
when the security rule under test is identical to a target original security rule in the security rule model, determining that the security rule under test conflicts with the target original security rule, the target original security rule being the original security rule that the security rule under test matched successfully;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
reading the access control rule from the security rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, in order to judge whether the access control rule is a block rule;
when the access control rule is a block rule, determining that the security rule under test conflicts with the target original security rule corresponding to that block rule;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operation is also implemented:
intercepting the security rule under test.
Further, when the program for identifying security rule conflicts is executed by a processor, the following operations are also implemented:
obtaining the original security rules of each terminal security agent in the target network according to a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model according to them; it then receives the security rule under test sent by the terminal security agent under test in the target network; finally it matches the security rule under test against each original security rule in the security rule model, and can thus efficiently identify whether a newly added security rule under test will conflict with the original security rules of the terminals in the target network. When the security rule under test matches an original security rule in the security rule model successfully, it is determined that the security rule under test conflicts with that original security rule. Even when the target network is a large network, the original security rule that conflicts with the newly added security rule under test can be identified in time, providing a guarantee for the stability of the target network.
It should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general hardware platform, and naturally also by hardware, but in many cases the former is the preferable embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disc) and including instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner or network device, etc.) to execute the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, applied directly or indirectly in other related technical fields, is likewise included within the scope of the present invention.
Claims (10)
1. A method for identifying security rule conflicts, characterised in that the method comprises the following steps:
an identification device obtaining the original security rules of each terminal security agent in a target network, and generating a security rule model according to the original security rules of each terminal security agent;
receiving a security rule under test sent by a terminal security agent under test in the target network;
matching the security rule under test against each original security rule in the security rule model, and, when the security rule under test matches an original security rule in the security rule model successfully, determining that the security rule under test conflicts with the original security rule.
2. The method according to claim 1, characterised in that the identification device obtaining the original security rules of each terminal security agent in the target network, and generating the security rule model according to the original security rules of each terminal security agent, specifically includes:
the identification device sending a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent feeds back its original security rules according to the rule acquisition request;
receiving the original security rules fed back by each terminal security agent;
establishing the security rule model according to a preset data structure, based on the original security rules fed back by each terminal security agent.
3. The method according to claim 2, characterised in that the preset data structure is a preset tree structure;
correspondingly, establishing the security rule model according to the preset data structure based on the original security rules of each terminal security agent specifically includes:
obtaining, from the original security rule, the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
saving the original security rule into the selected leaf node, so as to establish the security rule model.
4. The method according to claim 3, characterised in that receiving the original security rules fed back by each terminal security agent specifically includes:
receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
correspondingly, saving the original security rule into the selected leaf node so as to establish the security rule model specifically includes:
saving the original security rule and the terminal device identifier into the selected leaf node, so as to establish the security rule model.
5. The method according to claim 4, characterised in that matching the security rule under test against each original security rule in the security rule model and, when the security rule under test matches an original security rule in the security rule model successfully, determining that the security rule under test conflicts with the original security rule, specifically includes:
matching the security rule under test against each original security rule in the security rule model;
when the security rule under test is identical to a target original security rule in the security rule model, determining that the security rule under test conflicts with the target original security rule, the target original security rule being the original security rule that the security rule under test matched successfully;
correspondingly, after determining, when the security rule under test matches an original security rule in the security rule model successfully, that the security rule under test conflicts with the original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
6. The method according to claim 4, characterised in that matching the security rule under test against each original security rule in the security rule model and, when the security rule under test matches an original security rule in the security rule model successfully, determining that the security rule under test conflicts with the original security rule, specifically includes:
reading the access control rule from the security rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, in order to judge whether the access control rule is a block rule;
when the access control rule is a block rule, determining that the security rule under test conflicts with the target original security rule corresponding to that block rule;
correspondingly, after determining, when the security rule under test matches an original security rule in the security rule model successfully, that the security rule under test conflicts with the original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
7. The method according to any one of claims 1 to 6, characterised in that after determining, when the security rule under test matches an original security rule in the security rule model successfully, that the security rule under test conflicts with the original security rule, the method further includes:
intercepting the security rule under test.
8. The method according to any one of claims 1 to 6, characterised in that after saving the original security rule and the device identifier into the selected leaf node so as to establish the security rule model, the method further includes:
obtaining the original security rules of each terminal security agent in the target network according to a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
9. An identification device, characterised in that the identification device comprises a memory, a processor, and a program for identifying security rule conflicts that is stored in the memory and executable on the processor, wherein the program for identifying security rule conflicts, when executed by the processor, implements the steps of the method for identifying security rule conflicts according to any one of claims 1 to 8.
10. A storage medium, characterised in that a program for identifying security rule conflicts is stored on the storage medium, and the program for identifying security rule conflicts, when executed by a processor, implements the steps of the method for identifying security rule conflicts according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201810485801.XA (CN110505186A) | 2018-05-18 | 2018-05-18 | A kind of recognition methods of safety regulation conflict, identification equipment and storage medium
Publications (1)
Publication Number | Publication Date
---|---
CN110505186A | 2019-11-26
Family ID: 68584179
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN113472756A | 2021-06-18 | 2021-10-01 | 深信服科技股份有限公司 | Policy conflict detection method and device and storage medium
CN114285657A | 2021-12-28 | 2022-04-05 | 中国工商银行股份有限公司 | Firewall security policy change verification method and device
CN114285657B | 2021-12-28 | 2024-05-17 | 中国工商银行股份有限公司 | Firewall security policy change verification method and device
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
WO2008009990A1 | 2006-07-19 | 2008-01-24 | Chronicle Solutions (Uk) Limited | System
CN107508836A | 2017-09-27 | 2017-12-22 | 杭州迪普科技股份有限公司 | A method and device for issuing ACL rules
CN107800640A | 2017-09-19 | 2018-03-13 | 北京邮电大学 | A method for detecting and processing flow rules
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191126