CN110505186A - Method, device and storage medium for identifying security rule conflicts - Google Patents


Info

Publication number: CN110505186A
Authority: CN (China)
Legal status: Pending
Application number: CN201810485801.XA
Other languages: Chinese (zh)
Inventors: 陈晓帆, 古亮
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a method, device and storage medium for identifying security rule conflicts. The identification device of the invention first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from those rules; it then receives the rule under test sent by a terminal security agent in the target network; finally it matches the rule under test against each original security rule in the security rule model. When the rule under test matches one original security rule in the model, the rule under test is judged to conflict with that original security rule. In this way the device can efficiently identify whether a newly added rule conflicts with the existing security rules of any terminal in the target network, and even when the target network is large it can promptly identify the original security rules that conflict with the newly added rule, which helps keep the target network stable.

Description

Method, device and storage medium for identifying security rule conflicts
Technical field
The present invention relates to the field of network security, and in particular to a method, device and storage medium for identifying security rule conflicts.
Background art
A security agent (Agent) is usually installed on a terminal device. Terminal devices may include physical servers, virtual machines and containers (a virtualization technology more lightweight than virtual machines). The security agent usually runs on the terminal device as software and is mainly responsible for enforcing the terminal device's security policy; for example, the security policy may consist of ACL (access control list) rules, in which case the ACL rules are deployed on the terminal device.
A target network may contain many terminal devices, and a security agent is deployed on each of them. Administrators may also divide the target network into regions, each region containing many terminal devices, every one of which has a security agent. If a terminal device equipped with a security agent in the target network issues a security policy to a region, the policy is automatically synchronized to every security agent in that region. This provides security protection both between individual terminal devices and between regions. There is generally a central control terminal that serves as the user interface: a user issues security policies to the security agents through its operation interface, thereby protecting hosts, virtual machines or regions.
However, two problems currently exist: (1) when the target network is large, the issued rules tend to conflict with one another, including rule conflicts within a single machine, rule conflicts between hosts or virtual machines within a domain, and even rule conflicts between domains; (2) it is impossible to predict what effect a security policy will have on client traffic once it has been issued.
The above content is provided only to aid understanding of the technical solution and is not an admission that it constitutes prior art.
Summary of the invention
The main object of the present invention is to provide a method, device and storage medium for identifying security rule conflicts, aiming to solve the technical problem in the prior art that, when the target network is large, conflicts between a newly added security policy and the existing security rules cannot be identified efficiently.
To achieve the above object, the present invention provides a method for identifying security rule conflicts, the method comprising the following steps:
an identification device obtains the original security rules of each terminal security agent in the target network and generates a security rule model from the original security rules of each terminal security agent;
receives the rule under test sent by a terminal security agent in the target network;
matches the rule under test against each original security rule in the security rule model, and when the rule under test matches one original security rule in the security rule model, judges that the rule under test conflicts with that original security rule.
Preferably, the step in which the identification device obtains the original security rules of each terminal security agent in the target network and generates the security rule model specifically comprises:
the identification device sends a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent returns its original security rules in response to the request;
receiving the original security rules returned by each terminal security agent;
building the security rule model from the original security rules returned by each terminal security agent according to a preset data structure.
Preferably, the preset data structure is a preset tree structure;
correspondingly, building the security rule model from the original security rules of each terminal security agent according to the preset data structure specifically comprises:
obtaining from the original security rule the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting the leaf node corresponding to that parameter information in the preset tree structure;
saving the original security rule to the selected leaf node, thereby building the security rule model.
Preferably, receiving the original security rules returned by each terminal security agent specifically comprises:
receiving the original security rules and the terminal device identifier returned by each terminal security agent;
correspondingly, saving the original security rule to the selected leaf node to build the security rule model specifically comprises:
saving the original security rule and the terminal device identifier to the selected leaf node, thereby building the security rule model.
Preferably, matching the rule under test against each original security rule in the security rule model and, when the rule under test matches one original security rule in the model, judging that the rule under test conflicts with that original security rule specifically comprises:
matching the rule under test against each original security rule in the security rule model;
when the rule under test is identical to a target original security rule in the security rule model, judging that the rule under test conflicts with the target original security rule, the target original security rule being the original security rule that the rule under test matched;
correspondingly, after judging that the rule under test conflicts with an original security rule when the rule under test matches one original security rule in the model, the method further comprises:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Preferably, matching the rule under test against each original security rule in the security rule model and, when the rule under test matches one original security rule in the model, judging that the rule under test conflicts with that original security rule specifically comprises:
reading the access control rule from the rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule to determine whether the access control rule is a block rule;
when the access control rule is a block rule, judging that the rule under test conflicts with the target original security rule corresponding to that block rule;
correspondingly, after judging that the rule under test conflicts with an original security rule when the rule under test matches one original security rule in the model, the method further comprises:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Preferably, after judging that the rule under test conflicts with an original security rule when the rule under test matches one original security rule in the model, the method further comprises:
intercepting the rule under test.
Preferably, after saving the original security rule and the device identifier to the selected leaf node to build the security rule model, the method further comprises:
obtaining the original security rules of each terminal security agent in the target network at a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
In addition, to achieve the above object, the present invention also proposes an identification device comprising a memory, a processor, and a security rule conflict identification program stored in the memory and executable on the processor; when the security rule conflict identification program is executed by the processor, the steps of the security rule conflict identification method of any one of claims 1 to 8 are implemented.
In addition, to achieve the above object, the present invention also proposes a storage medium on which a security rule conflict identification program is stored; when the security rule conflict identification program is executed by a processor, the steps of the security rule conflict identification method of any one of claims 1 to 8 are implemented.
The identification device of the invention first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the rule under test sent by a terminal security agent in the target network; finally it matches the rule under test against each original security rule in the security rule model, and so can efficiently identify whether the newly added rule under test conflicts with the existing security rules of any terminal in the target network. When the rule under test matches one original security rule in the model, the rule under test is judged to conflict with that original security rule. Even when the target network is large, the original security rules that conflict with the newly added rule under test can be identified promptly, which helps keep the target network stable.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the identification device in the hardware operating environment involved in embodiments of the present invention;
Fig. 2 is a flow diagram of a first embodiment of the security rule conflict identification method of the present invention;
Fig. 3 is a flow diagram of a second embodiment of the security rule conflict identification method of the present invention;
Fig. 4 is a schematic diagram of the preset tree structure in one embodiment of the security rule conflict identification method of the present invention;
Fig. 5 is a schematic diagram of the preset tree structure of one dimension in one embodiment of the security rule conflict identification method of the present invention;
Fig. 6 is a flow diagram of a third embodiment of the security rule conflict identification method of the present invention.
The realization of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic structural diagram of the identification device in the hardware operating environment involved in embodiments of the present invention.
As shown in Fig. 1, the identification device may include a processor 1001 such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include standard wired and wireless interfaces. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM, or stable non-volatile memory such as disk storage.
The identification device may be a server or another network device.
Those skilled in the art will understand that the structure shown in Fig. 1 does not limit the identification device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a security rule conflict identification program.
In the identification device shown in Fig. 1, the network interface 1004 is mainly used for data communication with an external network; the user interface 1003 is mainly used for receiving input instructions from the user; and the processor 1001 calls the security rule conflict identification program stored in the memory 1005 and performs the following operations:
obtaining the original security rules of each terminal security agent in the target network and generating a security rule model from the original security rules of each terminal security agent;
receiving the rule under test sent by a terminal security agent in the target network;
matching the rule under test against each original security rule in the security rule model, and when the rule under test matches one original security rule in the security rule model, judging that the rule under test conflicts with that original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
sending a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent returns its original security rules in response to the request;
receiving the original security rules returned by each terminal security agent;
building the security rule model from the original security rules returned by each terminal security agent according to a preset data structure.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
obtaining from the original security rule the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting the leaf node corresponding to that parameter information in the preset tree structure;
saving the original security rule to the selected leaf node, thereby building the security rule model.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
receiving the original security rules and the terminal device identifier returned by each terminal security agent;
saving the original security rule and the terminal device identifier to the selected leaf node, thereby building the security rule model.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
matching the rule under test against each original security rule in the security rule model;
when the rule under test is identical to a target original security rule in the security rule model, judging that the rule under test conflicts with the target original security rule, the target original security rule being the original security rule that the rule under test matched;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
reading the access control rule from the rule under test;
determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule to determine whether the access control rule is a block rule;
when the access control rule is a block rule, judging that the rule under test conflicts with the target original security rule corresponding to that block rule;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier together with the target original security rule.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operation:
intercepting the rule under test.
Further, the processor 1001 may call the security rule conflict identification program stored in the memory 1005 and also perform the following operations:
obtaining the original security rules of each terminal security agent in the target network at a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the rule under test sent by a terminal security agent in the target network; finally it matches the rule under test against each original security rule in the security rule model, and so can efficiently identify whether the newly added rule under test conflicts with the existing security rules of any terminal in the target network. When the rule under test matches one original security rule in the model, the rule under test is judged to conflict with that original security rule. Even when the target network is large, the original security rules that conflict with the newly added rule under test can be identified promptly, which helps keep the target network stable.
Based on the above hardware configuration, embodiments of the security rule conflict identification method of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the security rule conflict identification method of the present invention.
In the first embodiment, the security rule conflict identification method comprises the following steps:
Step S10: the identification device obtains the original security rules of each terminal security agent in the target network and generates a security rule model from the original security rules of each terminal security agent;
It should be noted that the executing entity of this embodiment is the identification device, which may be a server or another network device. The target network contains multiple terminal devices, connected to one another either directly by physical links or indirectly through the network; these terminal devices may include physical servers, virtual machines and containers (such as the Docker application container engine). A security agent (Agent) is installed on each terminal device; it runs on the terminal device as software and is responsible for deploying security policies/rules (hereinafter security rules), such as access control list (ACL) rules, on the terminal device. Administrators may also divide the target network into regions, each region containing many terminal devices, every one of which has a security agent. If a terminal device equipped with a security agent in the target network issues a security rule to a region, the rule is automatically synchronized to every security agent in that region.
It will be appreciated that the original security rules can also be understood as the current security rules of each terminal security agent;
In a specific implementation, the identification device obtains the original security rules of each terminal security agent in the target network, profiles the target network based on the rules obtained, forms or corrects a network model (that is, the security rule model), and stores the security rule model in a database. The security rule model is the core of the whole system. To ensure that the system's security rule model does not deviate from the real state of the virtual or physical network, the system periodically and actively fetches the current security rules from each terminal to correct any deviation between the network model and the live network; the period length is adjustable.
Step S20: receiving the rule under test sent by a terminal security agent in the target network;
It can be understood that a user may newly issue a security rule to a region or to the whole network through a terminal device equipped with a security agent in the target network; this newly added security rule is referred to here as the rule under test.
Step S30: matching the rule under test against each original security rule in the security rule model, and when the rule under test matches one original security rule in the security rule model, judging that the rule under test conflicts with that original security rule.
It will be appreciated that after the identification device obtains the newly added security rule (the rule under test), it needs to verify or identify whether the new rule conflicts with the original security rules of the terminal security agents in the target network. Specifically, the identification device places the new rule into the security rule model for matching; if the new rule matches some original security rule in the model, the new rule has a conflicting effect on that original security rule.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model from them; it then receives the rule under test sent by a terminal security agent in the target network; finally it matches the rule under test against each original security rule in the security rule model, and so can efficiently identify whether the newly added rule under test conflicts with the existing security rules of any terminal in the target network. When the rule under test matches one original security rule in the model, the rule under test is judged to conflict with that original security rule. Even when the target network is large, the original security rules that conflict with the newly added rule under test can be identified promptly, which helps keep the target network stable.
It is the flow diagram of the recognition methods second embodiment of safety regulation conflict of the present invention referring to Fig. 3, Fig. 3.It is based on The recognition methods first embodiment of safety regulation conflict of the present invention proposes that the recognition methods second of safety regulation conflict of the present invention is real Apply example.
In the present embodiment, the step S10 is specifically included:
Step S101: each terminal security agency of the identification equipment into target network sends rule acquisition request, so that Each terminal security agency is according to the rule acquisition request feedback raw security rule;
Step S102: the raw security rule of each terminal security agency feedback is received;
It will be appreciated that identification equipment can be acted on behalf of to each terminal security in real time sends rule acquisition request, so that respectively Terminal security agency is according to the rule acquisition request feedback traffic statistics;Identification equipment is receiving terminal security agency When feeding back traffic statistics, the terminal security is converted by traffic statistics and acts on behalf of current safety regulation (i.e. original peace Full rule), then carry out duplicate removal processing to identical raw security rule (can certainly be converted by traffic statistics Before safety regulation, duplicate removal processing first is carried out to traffic statistics);
Further, after step S102, the identification device can establish a security rule model from the original security rules fed back by each terminal security agent according to a preset data structure. In this embodiment the preset data structure is a preset tree structure; correspondingly, establishing the security rule model from the original security rules of each terminal security agent according to the preset data structure specifically includes:
Step S103: obtaining from the original security rule, respectively, the parameter information corresponding to each preset parameter type in the preset tree structure;
It will be appreciated that a security rule includes a five-tuple (source IP address, source port, destination IP address, destination port and transport-layer protocol); this embodiment refers to the five-tuple fields as preset parameter types.
In a concrete implementation, in order to match the security rule to be checked against each original security rule in the security rule model more conveniently, a data structure can be established, and all original security rules from the terminal security agents of the target network are stored in that data structure, which simplifies searching and shortens matching time.
The data structure in this embodiment can be a preset tree structure; see Fig. 4, which is a schematic diagram of the preset tree structure. The preset tree structure is a multi-level tree, and each level of tree is one dimension, for example dimension 1, dimension 2, dimension 3, dimension 4 and dimension 5. Each dimension corresponds to one preset parameter type. It is to be understood that the preset parameter types should correspond to the characteristic information of a security rule (including the five-tuple) and may include the source IP address, destination IP address, source MAC (Media Access Control) address, destination MAC address and port number; this embodiment does not restrict the specific correspondence between dimensions and preset parameter types.
It should be understood that when a security rule is obtained, its source IP address, destination IP address, source MAC address, destination MAC address and port number can be extracted. For example, the extracted parameter information may be: source IP address 1.0.0.1, destination IP address 1.0.0.25, source MAC address X1.X2.X3.X4, destination MAC address X5.X6.X7.X8 and port number X9.
Step S104: selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
In a concrete implementation, after the parameter information for each of the above parameter types has been extracted, the corresponding leaf node is found in the preset tree structure shown in Fig. 4, and the current security rule is saved into that leaf node.
Referring to Fig. 5, Fig. 5 is a schematic diagram of the preset tree structure for one dimension. It should be noted that in the preset tree structure every level of tree is one dimension, every dimension corresponds to one preset parameter type, and the height of each level of tree is the length in bits of the field of that preset parameter type.
It can be seen from Fig. 5 that, for example, dimension X shown in Fig. 5 is dimension 1, which characterizes the source IP address; since a source IP address is 32 bits, the height of the corresponding tree structure is also 32, i.e. each layer of the tree structure of dimension 1 represents one bit.
In this embodiment each layer has three branches: 1, 0 and the wildcard *, where "*" indicates that either 0 or 1 is acceptable. For example, if the source IP address is 1.0.0.1, the value of the tree structure corresponding to dimension 1 should be 00000001 00000000 00000000 00000001. As can be seen from Fig. 4, the branch taken at the first layer of the tree structure corresponding to dimension 1 is 0, at the second layer 0, ..., at the 8th layer 1, ..., and at the 32nd layer 1, the 32nd layer being the last layer of the tree structure corresponding to dimension 1. After the last layer of the tree structure of dimension 1 is reached, the next step enters the first layer of the tree structure corresponding to dimension 2, and so on until the last layer of the tree structure of dimension 5 shown in Fig. 4 is finally reached. By designing this kind of preset tree structure, security rules can be stored in classified form according to a variety of different parameter types. This embodiment does not limit the specific number of dimensions.
Step S105: saving the original security rule to the selected leaf node, so as to establish the security rule model.
In a concrete implementation, the node corresponding to a security rule is determined by walking the whole path. If the security rule contains parameter information for all of the above 5 parameter types, the walk ultimately arrives at one leaf node in the last layer of the tree structure corresponding to dimension 5, and the current security rule is saved into that leaf node of the last layer of dimension 5. The tree structure obtained after the original security rules of every terminal security agent have been processed in this way according to the preset tree structure is the security rule model.
Further, after the security rule model has been established, the identification device can put a newly added security rule into the security rule model for matching. If the newly added security rule matches some original security rule in the security rule model, this indicates that the newly added security rule conflicts with it and would affect the traffic statistics corresponding to that original security rule. Finally, the security rule to be checked can be intercepted.
The advantage of the preset tree structure in this embodiment is that it occupies little space and search time is short: for ten thousand rules the memory consumption is about 50MB and the verification time overhead is at the millisecond level. By storing the original security rules of every terminal security agent in the target network uniformly in the preset tree structure, the storage space for security rules is reduced, and the time to match the security rule to be checked against each original security rule in the security rule model is shortened.
Referring to Fig. 6, Fig. 6 is a flow diagram of the third embodiment of the recognition method for security rule conflicts of the present invention. The third embodiment of the recognition method for security rule conflicts of the present invention is proposed on the basis of the second embodiment.
In this embodiment, step S102 specifically includes:
Step S1021: receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
It will be appreciated that in this embodiment the terminal device identifier is the MAC address of the terminal; anything that can serve as identity information distinguishing the terminal can serve as the terminal device identifier, which this embodiment does not repeat.
Correspondingly, step S105 specifically includes:
Step S1051: saving the original security rule and the terminal device identifier to the selected leaf node, so as to establish the security rule model.
It will be appreciated that after the security rules of the terminal security agents in the target network have been stored centrally, the device identifier of each terminal in the target network can also be saved into the selected leaf node. When the security rule to be checked successfully matches an original security rule in the security rule model, the original security rule that matched the newly added security rule to be checked can be determined, and the terminal in the target network where the original security rule conflicting with the newly added security rule to be checked is located can also be found quickly through the device identifier.
Correspondingly, step S30 specifically includes:
Step S301: matching the security rule to be checked against each original security rule in the security rule model;
Step S302: when the security rule to be checked is identical to a target original security rule in the security rule model, deciding that the security rule to be checked conflicts with the target original security rule, the target original security rule being the original security rule successfully matched by the security rule to be checked;
Step S302`: reading the access control rule from the security rule to be checked; respectively determining the block rule of each original security rule in the security rule model; matching the access control rule against the block rule of each original security rule so as to judge whether the access control rule is a block rule; and, when the access control rule is a block rule, deciding that the security rule to be checked conflicts with the target original security rule corresponding to that block rule;
In a concrete implementation, this embodiment is illustrated with ACL access control rules as security rules. When the identification device verifies whether a newly added security rule to be checked produces a conflict, it can first read the ACL access control rule in the security rule to be checked, while determining the permit rules and block rules of each original security rule in the security rule model. This embodiment decides whether the newly added security rule to be checked conflicts in two situations: the first is when the security rule to be checked is identical to a target original security rule in the security rule model (corresponding to step S302); the second is when the newly added security rule to be checked is a block rule (corresponding to step S302`).
It will be appreciated that when checking, according to the above steps of this embodiment, whether a newly added security rule conflicts with the original security rules, one can verify whether the security rules of the terminal to be checked itself conflict, verify whether the security rules between the individual terminals within some domain of the target network conflict, and also verify whether the security rules between domains of the target network conflict. For example, if the newly added security rule is a security rule issued to some region, the newly added security rule may simultaneously affect the security policies of multiple individual terminal agents; if the security rules of the terminals in the region are identical, what is affected is the security rules of one IP segment.
Further, after step S30, the method further includes:
Step S40: determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
It will be appreciated that the identification device of this embodiment quickly finds, through the target terminal device identifier, the target terminal in the target network where the original security rule conflicting with the newly added security rule to be checked is located, and displays the corresponding target terminal and original security rule, which helps the user predict, in a targeted way, the influence of the security rule on business.
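The tree of steps S103 to S105 and S1051, the two-situation check of steps S302 and S302`, and the terminal lookup of step S40 are shown together in the following Python example. It is an added illustration, not code from the patent or from the applicant's product. It assumes a fixed dimension order (source IP, destination IP, source MAC, destination MAC, port) with field widths of 32, 32, 48, 48 and 16 bits, colon-separated hexadecimal MAC notation, an action field of "block" or "permit" on each rule, and that a wildcard bit on either side may take the value 0 or 1 when deciding whether two rules overlap; the sample rules and terminal identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Dimension order and bit widths. The patent leaves the mapping from dimension to
# parameter type open; this fixed order and these widths are assumptions.
FIELDS = (("src_ip", 32), ("dst_ip", 32), ("src_mac", 48), ("dst_mac", 48), ("port", 16))


@dataclass(frozen=True)
class SecurityRule:
    """One ACL-style rule. A field value of "*" means every bit of that field is a wildcard."""
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    port: str
    action: str  # "block" or "permit" (assumed vocabulary)


def field_bits(name: str, value: str, width: int) -> str:
    """Step S103: one parameter as a fixed-width string of '0', '1' or '*' characters."""
    if value == "*":
        return "*" * width
    if name.endswith("_ip"):
        return "".join(format(int(octet), "08b") for octet in value.split("."))
    if name.endswith("_mac"):
        return "".join(format(int(byte, 16), "08b") for byte in value.split(":"))
    return format(int(value), f"0{width}b")


def rule_path(rule: SecurityRule) -> str:
    """The walk from the root of dimension 1 to a leaf of dimension 5: one character per layer."""
    return "".join(field_bits(name, getattr(rule, name), width) for name, width in FIELDS)


class Node:
    __slots__ = ("children", "entries")

    def __init__(self) -> None:
        self.children: Dict[str, "Node"] = {}  # '0', '1' or '*' -> child node
        self.entries: List[Tuple[str, SecurityRule]] = []  # (terminal id, rule) at a leaf


class RuleModel:
    """The multi-dimension tree of the patent: every layer represents one bit of one parameter."""

    def __init__(self) -> None:
        self.root = Node()

    def add(self, terminal_id: str, rule: SecurityRule) -> None:
        """Steps S104/S105/S1051: select the leaf for the rule's bits, store the rule and terminal id."""
        node = self.root
        for bit in rule_path(rule):
            node = node.children.setdefault(bit, Node())
        node.entries.append((terminal_id, rule))

    def identical(self, rule: SecurityRule) -> List[Tuple[str, SecurityRule]]:
        """Step S302: stored rules whose path is exactly the candidate's path (wildcards included)."""
        node = self.root
        for bit in rule_path(rule):
            node = node.children.get(bit)
            if node is None:
                return []
        return list(node.entries)

    def overlapping(self, rule: SecurityRule) -> List[Tuple[str, SecurityRule]]:
        """All leaves the candidate can reach when '*' on either side stands for 0 or 1 (assumed semantics)."""
        frontier = [self.root]
        for bit in rule_path(rule):
            wanted = ("0", "1", "*") if bit == "*" else (bit, "*")
            frontier = [child for node in frontier for key, child in node.children.items() if key in wanted]
            if not frontier:
                return []
        return [entry for node in frontier for entry in node.entries]


def check_conflicts(model: RuleModel, candidate: SecurityRule) -> List[Tuple[str, SecurityRule]]:
    """Steps S30/S40: (terminal id, original rule) pairs the candidate conflicts with."""
    hits = model.identical(candidate)  # situation one: an identical original rule exists
    if candidate.action == "block":  # situation two (S302`): the candidate is itself a block rule
        hits += [e for e in model.overlapping(candidate) if e[1].action == "block" and e not in hits]
    return hits


if __name__ == "__main__":
    model = RuleModel()  # constructed sample data; terminal ids are MAC addresses as in step S1021
    model.add("aa:aa:aa:aa:aa:01", SecurityRule("1.0.0.1", "1.0.0.25", "*", "*", "443", "block"))
    model.add("aa:aa:aa:aa:aa:02", SecurityRule("1.0.0.1", "*", "*", "*", "*", "block"))
    new_rule = SecurityRule("1.0.0.1", "1.0.0.25", "*", "*", "443", "block")
    for terminal, original in check_conflicts(model, new_rule):
        print(f"conflicts with rule of terminal {terminal}: {original}")
```

The source address 1.0.0.1 from the description maps to the 32-character prefix 00000001000000000000000000000001 of the path, and a rule whose remaining dimensions are wildcards is reached through the `*` branch of every later layer, which is what lets a block rule issued for a whole region be found by a more specific candidate.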
In addition, an embodiment of the present invention also proposes a storage medium on which a recognition program for security rule conflicts is stored; when the recognition program for security rule conflicts is executed by a processor, the following operations are realized:
obtaining the original security rules of each terminal security agent in a target network, and generating a security rule model according to the original security rules of each terminal security agent;
receiving a security rule to be checked sent by a terminal security agent to be checked in the target network;
matching the security rule to be checked against each original security rule in the security rule model, and, when the security rule to be checked successfully matches an original security rule in the security rule model, deciding that the security rule to be checked conflicts with that original security rule.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
sending a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent feeds back its original security rules according to the rule acquisition request;
receiving the original security rules fed back by each terminal security agent;
establishing the security rule model from the original security rules fed back by each terminal security agent according to a preset data structure.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
obtaining from the original security rule, respectively, the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
saving the original security rule to the selected leaf node, so as to establish the security rule model.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
saving the original security rule and the terminal device identifier to the selected leaf node, so as to establish the security rule model.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
matching the security rule to be checked against each original security rule in the security rule model;
when the security rule to be checked is identical to a target original security rule in the security rule model, deciding that the security rule to be checked conflicts with the target original security rule, the target original security rule being the original security rule successfully matched by the security rule to be checked;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
reading the access control rule from the security rule to be checked;
respectively determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, so as to judge whether the access control rule is a block rule;
when the access control rule is a block rule, deciding that the security rule to be checked conflicts with the target original security rule corresponding to the block rule;
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operation is also realized:
intercepting the security rule to be checked.
Further, when the recognition program for security rule conflicts is executed by the processor, the following operations are also realized:
obtaining the original security rules of each terminal security agent in the target network according to a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
The identification device of this embodiment first obtains the original security rules of each terminal security agent in the target network and generates a security rule model according to those original security rules; it then receives the security rule to be checked sent by the terminal security agent to be checked in the target network; finally it matches the security rule to be checked against each original security rule in the security rule model. It can thereby efficiently identify whether a newly added security rule to be checked conflicts with the original security rules of the terminals in the target network: when the security rule to be checked successfully matches an original security rule in the security rule model, the security rule to be checked is decided to conflict with that original security rule. Even when the target network is a large network, the original security rule that conflicts with the newly added security rule to be checked can be identified in a timely manner, which safeguards the stability of the target network.
It should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restrictions, an element defined by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or system that includes the element.
The serial numbers of the above embodiments of the invention are only for description and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by means of software plus the necessary general hardware platform, and naturally also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disk), including a number of instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention; all equivalent structures or equivalent process transformations made using the contents of the description and drawings of the present invention, whether applied directly or indirectly in other related technical fields, are included within the scope of the present invention.

Claims (10)

1. A recognition method for security rule conflicts, characterized in that the method comprises the following steps:
an identification device obtains the original security rules of each terminal security agent in a target network, and generates a security rule model according to the original security rules of each terminal security agent;
receives a security rule to be checked sent by a terminal security agent to be checked in the target network;
matches the security rule to be checked against each original security rule in the security rule model, and, when the security rule to be checked successfully matches an original security rule in the security rule model, decides that the security rule to be checked conflicts with that original security rule.
2. The method according to claim 1, characterized in that the identification device obtaining the original security rules of each terminal security agent in the target network and generating the security rule model according to the original security rules of each terminal security agent specifically includes:
the identification device sends a rule acquisition request to each terminal security agent in the target network, so that each terminal security agent feeds back its original security rules according to the rule acquisition request;
receiving the original security rules fed back by each terminal security agent;
establishing the security rule model from the original security rules fed back by each terminal security agent according to a preset data structure.
3. The method according to claim 2, characterized in that the preset data structure is a preset tree structure;
correspondingly, establishing the security rule model from the original security rules of each terminal security agent according to the preset data structure specifically includes:
obtaining from the original security rule, respectively, the parameter information corresponding to each preset parameter type in the preset tree structure;
selecting, in the preset tree structure, the leaf node corresponding to the parameter information;
saving the original security rule to the selected leaf node, so as to establish the security rule model.
4. The method according to claim 3, characterized in that receiving the original security rules fed back by each terminal security agent specifically includes:
receiving the original security rule and the terminal device identifier fed back by each terminal security agent;
correspondingly, saving the original security rule to the selected leaf node so as to establish the security rule model specifically includes:
saving the original security rule and the terminal device identifier to the selected leaf node, so as to establish the security rule model.
5. The method according to claim 4, characterized in that matching the security rule to be checked against each original security rule in the security rule model and, when the security rule to be checked successfully matches an original security rule in the security rule model, deciding that the security rule to be checked conflicts with the original security rule, specifically includes:
matching the security rule to be checked against each original security rule in the security rule model;
when the security rule to be checked is identical to a target original security rule in the security rule model, deciding that the security rule to be checked conflicts with the target original security rule, the target original security rule being the original security rule successfully matched by the security rule to be checked;
correspondingly, after the security rule to be checked has successfully matched an original security rule in the security rule model and the security rule to be checked has been decided to conflict with the original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
6. The method according to claim 4, characterized in that matching the security rule to be checked against each original security rule of the security rule model and, when the security rule to be checked successfully matches an original security rule of the security rule model, deciding that the security rule to be checked conflicts with the original security rule, specifically includes:
reading the access control rule from the security rule to be checked;
respectively determining the block rule of each original security rule in the security rule model;
matching the access control rule against the block rule of each original security rule, so as to judge whether the access control rule is a block rule;
when the access control rule is a block rule, deciding that the security rule to be checked conflicts with the target original security rule corresponding to the block rule;
correspondingly, after the security rule to be checked has successfully matched an original security rule in the security rule model and the security rule to be checked has been decided to conflict with the original security rule, the method further includes:
determining the target terminal device identifier corresponding to the target original security rule, and displaying the target terminal device identifier and the target original security rule.
7. The method according to any one of claims 1 to 6, characterized in that after the security rule to be checked has successfully matched an original security rule in the security rule model and the security rule to be checked has been decided to conflict with the original security rule, the method further includes:
intercepting the security rule to be checked.
8. The method according to any one of claims 1 to 6, characterized in that after saving the original security rule and the terminal device identifier to the selected leaf node so as to establish the security rule model, the method further includes:
obtaining the original security rules of each terminal security agent in the target network according to a predetermined period;
updating the security rule model according to the original security rules of each terminal security agent.
9. An identification device, characterized in that the identification device includes a memory, a processor, and a recognition program for security rule conflicts that is stored on the memory and executable on the processor, the recognition program for security rule conflicts implementing, when executed by the processor, the steps of the recognition method for security rule conflicts according to any one of claims 1 to 8.
10. A storage medium, characterized in that a recognition program for security rule conflicts is stored on the storage medium, the recognition program for security rule conflicts implementing, when executed by a processor, the steps of the recognition method for security rule conflicts according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810485801.XA CN110505186A (en) 2018-05-18 2018-05-18 A kind of recognition methods of safety regulation conflict, identification equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110505186A true CN110505186A (en) 2019-11-26

Family

ID=68584179

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810485801.XA Pending CN110505186A (en) 2018-05-18 2018-05-18 A kind of recognition methods of safety regulation conflict, identification equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110505186A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472756A (en) * 2021-06-18 2021-10-01 深信服科技股份有限公司 Policy conflict detection method and device and storage medium
CN114285657A (en) * 2021-12-28 2022-04-05 中国工商银行股份有限公司 Firewall security policy change verification method and device
CN114285657B (en) * 2021-12-28 2024-05-17 中国工商银行股份有限公司 Firewall security policy change verification method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008009990A1 (en) * 2006-07-19 2008-01-24 Chronicle Solutions (Uk) Limited System
CN107508836A (en) * 2017-09-27 2017-12-22 杭州迪普科技股份有限公司 The method and device that a kind of acl rule issues
CN107800640A (en) * 2017-09-19 2018-03-13 北京邮电大学 A kind of method for detection and the processing for flowing rule

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191126