CN111510428B - Security resource operation and maintenance platform system and control method - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The invention discloses a security resource operation and maintenance platform system and a control method. The system comprises a platform service module, a security operation engine and a security function pool. The control method comprises the following steps: acquiring a security service requirement and environment information; performing intent analysis according to the security service requirement and the environment information; generating a security service scheme according to the intent analysis result; acquiring security resource change information and updating the security resources according to it; and scheduling the updated security resources according to the security service scheme to complete the security capability orchestration. The system can intelligently orchestrate security services and provide security service capability according to the user's requirements and the user's operating environment, and can update or supplement security resources according to the security resource change information. It replaces manual design, is more systematic and efficient, and saves operation and maintenance or operating costs. The invention can be widely applied in the technical field of information security.
Description
Technical Field
The invention relates to the technical field of information security, and in particular to a security resource operation and maintenance platform system and a control method.
Background
As information security threats and attack events increase, the number of security defense tools that enterprises or organizations must adopt grows accordingly; at the same time, security protection has evolved from simply integrating standalone security products and managing them manually into a multi-dimensional, linked, automated operation and maintenance mode of protection.
However, there are currently many security product and service vendors on the market, each with different types of security products, in both hardware and software form, and multiple versions of the same product are often distributed on the market at the same time. Users therefore strongly need a system or platform that can uniformly manage different versions and different types of security products from various manufacturers. In addition, prior-art security service schemes typically have the organization procure the security devices itself and then deploy and maintain them; this approach requires a large initial investment and strong in-house technical expertise, and the user cannot easily expand the related services or update the requirements frequently.
Disclosure of Invention
To solve at least one of the above problems, the present invention provides a centralized and intelligent security resource operation and maintenance control method, and a security resource operation and maintenance platform system capable of intelligent orchestration of security services and automated operation and maintenance. To achieve this technical purpose, the technical scheme adopted by the embodiments of the invention is as follows:
On one hand, an embodiment of the invention provides a security resource operation and maintenance platform system comprising a platform service module, a security operation engine and a security function pool;
the platform service module of the system comprises:
an intent analysis module for performing intent analysis according to the security service requirement and the environment information;
a user interaction module for acquiring the security service requirement and the environment information;
the security operation engine of the system comprises:
a service orchestration module for generating a security service scheme according to the intent analysis result and completing the security capability orchestration;
an automated operation and maintenance module for acquiring security resource change information and updating the security resources according to the security resource change information;
a security resource pooling module for pooling security resources and providing security capability;
and the security function pool stores the pooled security resources.
Further, in an embodiment of the invention, the platform service module of the security resource operation and maintenance platform system further comprises:
a situation awareness module for sensing security threats and raising alarms;
a risk defense module for performing security hardening inspections;
a detection and certification module for completing detection and certification and generating a detection report;
and a security protection module for completing communication encryption and secure transmission.
Further, in an embodiment of the invention, the intent analysis module of the security resource operation and maintenance platform system comprises:
a translation module for acquiring the natural language description of the security service requirement, translating it and generating an intent model;
a feedback module for correcting the intent model according to the security service requirement;
and a correction module for optimizing the intent model through machine learning.
On the other hand, an embodiment of the invention provides a method for controlling the operation and maintenance of security resources, comprising the following steps:
acquiring a security service requirement and environment information;
performing intent analysis according to the security service requirement and the environment information;
generating a security service scheme according to the intent analysis result;
acquiring security resource change information, and updating the security resources according to the security resource change information;
scheduling the updated security resources according to the security service scheme to complete the security capability orchestration;
wherein the security service requirement includes the security protection target, computing performance, storage performance, network performance and user parameters;
the security resources comprise virtual security resources and hardware security resources;
and the user environment information includes network elements and network topology.
Further, the above embodiment may have the following additional technical features; that is, the security resource operation and maintenance control method according to the embodiment further comprises the following steps:
acquiring the usage of security resources by the security capability orchestration;
predicting the change trend of security resource demand according to that usage;
and supplementing security resources according to the change trend and the environment information.
Further, in an embodiment of the invention, the step of updating the security resources according to the security resource change information specifically comprises:
acquiring the manufacturer, version number and security product characteristics of a virtual security resource and generating a hash value;
when the security resource change information is a newly added resource, completing the registration and storage of the virtual security resource according to the hash value, and storing the pool-entry information of the virtual security resource;
when the security resource change information is an off-shelf (decommissioned) resource, deleting the corresponding virtual security resource according to the hash value and changing the pool-entry information;
when the security resource change information is resource maintenance, stopping the service of the virtual security resource according to the hash value and completing the maintenance operation;
wherein the pool-entry information comprises: product form, product parameters, licensing, deployment requirements, technical support, cost and product storage location.
Further, in an embodiment of the invention, the step of updating the security resources according to the security resource change information may further comprise:
acquiring the manufacturer, version number, security product characteristics and hardware characteristics of a hardware security resource and generating a hash value;
when the security resource change information is a newly added resource, completing the registration and storage of the hardware security resource according to the hash value, and storing the pool-entry information of the hardware security resource;
when the security resource change information is an off-shelf resource, deleting the corresponding hardware security resource according to the hash value and changing the pool-entry information;
when the security resource change information is resource maintenance, stopping the service of the hardware security resource according to the hash value and completing the maintenance operation;
wherein the pool-entry information comprises: product form, product parameters, licensing, deployment requirements, technical support, cost and product storage location.
Further, in an embodiment of the invention, the step of scheduling the updated security resources according to the security service scheme to complete the security capability orchestration may specifically comprise: deploying the security resources according to the security service scheme; and adding the deployed security resources into the slice network to complete the traffic orchestration.
Further, in an embodiment of the invention, the step of performing intent analysis according to the security service requirement and the environment information may specifically comprise: acquiring the natural language description of the security service requirement; translating the natural language description and generating an intent model; optimizing the intent model through machine learning; and generating and outputting the intent analysis result according to the intent model.
Further, in an embodiment of the invention, the step of deploying the security resources according to the security service scheme specifically comprises: generating an available resource cluster from the updated security resources; generating a service analysis chain according to the environment information and the security service scheme; and completing the security resource deployment according to the service analysis chain and the available resource cluster.
The advantages and beneficial effects of the invention are as follows:
On one hand, the security resource operation and maintenance platform system of the embodiment achieves unified management and control of security resources through the platform service module, the security operation engine and the security function pool; it can intelligently orchestrate security services and provide security service capability according to the user's requirements and operating environment, and can update or supplement the security resources according to the security resource change information. It replaces manual design, is more systematic and efficient, and saves operation and maintenance or operating costs.
On the other hand, the security resource operation and maintenance control method of the embodiment can quickly perform intent analysis based on the user's security service requirement combined with the environment information, and provide a security service scheme according to that analysis, thereby completing the security capability deployment; at the same time, the security resource change information can be acquired automatically to complete the update of the security resources. The method is not limited by the complexity of the security resources or by the user's technical expertise, can fully integrate and use the various existing security resources, has better scalability, and achieves intelligent formulation, orchestration, deployment, operation and maintenance of security services.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings of the embodiments or of the related prior-art solutions are described below. It should be understood that the drawings in the following description serve only to describe some embodiments of the technical solutions of the present invention conveniently and clearly, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is an overall framework diagram of a security resource operation and maintenance platform system according to an embodiment of the present invention;
FIG. 2 is a flow chart of security capability provisioning in the security resource operation and maintenance control method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a virtual security resource change in the security resource operation and maintenance control method according to an embodiment of the present invention;
FIG. 4 is a flow chart of a hardware security resource change in the security resource operation and maintenance control method according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. The step numbers in the following embodiments are provided only for convenience of illustration, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adapted according to the understanding of those skilled in the art.
Referring to fig. 1, the security resource operation and maintenance platform system of the embodiment includes a platform service module, a security operation engine and a security function pool;
the platform service module provides basic platform services and platform support services for the security resource operation and maintenance platform system of the embodiment, and comprises the following sub-modules:
The intent analysis module acquires the security service requirement and performs intent analysis according to the security service requirement and the environment information. It further comprises: a translation module, which acquires the natural language description of the security service requirement, translates it and generates an intent model; a feedback module, which corrects the intent model according to the security service requirement, that is, re-confirms it under the administrator's control and/or the user's requirement and corrects the translation result through manual intervention; and a correction module, which refines the intent analysis model through machine learning. For example, the user submits a requirement to the system in natural language: "The company has 3 platforms; it is enough for one platform to pass Classified Protection (MLPS) level 3; deploy products that meet the minimum MLPS requirement, reuse the existing security equipment (firewall, IPS, website cloud monitoring, website cloud vulnerability scanning, website cloud protection, data encryption, sensitive data processing/data masking) as far as possible, and the budget is X yuan." After the translation module performs semantic translation, the user intent is set as follows: a first-level security service target (MLPS level 3, with the protection scope being the company's smallest platform) and second-level service contents (anti-DDoS product and performance parameters, data backup and performance parameters, database audit and performance parameters, log audit and performance parameters, bastion host and performance parameters, situation awareness and performance parameters, vulnerability scanning and performance parameters), which are transmitted to the security operation engine, and the security operation engine outputs a security service scheme. If the user does not accept the scheme, the feedback module passes the user's negative feedback to the correction module, which changes the second-level service contents through machine learning (for example, by removing the vulnerability scanning item) and updates the security service scheme.
The user interaction module acquires the security service requirement and the environment information; it is responsible for human-computer interaction with users and mainly comprises a display module and a requirement collection module. The display module provides log records, service display and reporting functions. The requirement collection module comprises: a primary collection module, which receives the user's manually entered service requirement (mainly comprising the security protection target, computing/storage/network performance and user parameters), budget information and user environment information (network elements and network topology); and a secondary confirmation module, which receives the user's corrections to the security service scheme generated by the intent analysis module in order to reconfirm the final requirement.
The security operation engine pools the security resources, orchestrates and designs security services according to the requirement, finally provides suitable security services, and also implements the automated operation and maintenance function; it comprises the following sub-modules:
The service orchestration module generates the security service scheme according to the intent analysis result and completes the security capability orchestration; that is, it designs and generates a slice network, adds the security devices and the corresponding network elements to be served (including switches, routers, etc.) into the slice network, and at the same time orchestrates the traffic. This can be further subdivided into a service orchestration design module (service chain design and security resource allocation) and a traffic orchestration module (slice network provisioning and traffic orchestration services).
The automated operation and maintenance module acquires the security resource change information and updates the security resources accordingly; it can be further subdivided into: a security device monitoring module, which monitors the state of the security resources in real time and records it in the database of the security capability pooling module; a configuration and policy management module, which provides permission management and unified security resource policy configuration; an upgrade and maintenance module, responsible for upgrade management of the system and the security resources; a performance monitoring module, which monitors resource performance and application performance; a risk defense module, which performs security hardening and inspection of the platform; and a log analysis module, which centrally analyzes the platform logs.
The security resource pooling module pools security resources and provides security capability; that is, hardware security resources and virtual security resources are managed uniformly, and the security capability is pooled so that security services can be provided to users. The module further comprises: a resource management module, which acquires the existing resource conditions, including the capacity of computing/network/storage resources, the usage state and location of the security devices, and other constraints; a security device change management module, which manages the addition, removal and deletion of security resources; a security device deployment module, which deploys the selected security resources; a unified security device interface, which provides usable interfaces for the unified deployment and configuration of the various security devices of various manufacturers; and a security function pool database, which stores the pooling information of each type of security resource, the registration/addition, start, stop, deletion or restart events of the security resources, and the current condition of the security devices;
The security function pool stores the pooled security resources.
As an optional implementation of this embodiment, the platform service module further comprises:
a situation awareness module, which senses security threats and raises alarms: it analyzes the various logs of the system, senses possible security threats, raises the corresponding alarms, and can provide situation awareness services to tenants; a risk defense module, which performs security hardening and inspection of the user's environment; a detection and certification module, which detects and certifies the user's environment and generates a detection report; and a security protection module, which completes communication encryption and secure transmission.
Still further, it may also include: a tenant management module, which manages tenants to achieve secure isolation between tenants and effective use of resources; and a service subscription/billing module, which manages and bills the services used by tenants.
Referring to fig. 2, the invention further provides a security resource operation and maintenance control method based on an embodiment of the security resource operation and maintenance platform system, comprising steps S01-S05:
S01: acquiring a security service requirement and environment information. Specifically, the user's ordering record is obtained first; from it, the security service requirement submitted by the user (mainly comprising the security protection target, computing performance, storage performance, network performance and user parameters), the user's environment information (mainly comprising network elements and network topology) and the budget cost information are obtained. The security service requirement mainly includes security protection targets such as the MLPS level, network protection category, mobile security category and the like, and the security function requirement can be detailed down to designating required or excluded manufacturers.
S02: performing intent analysis according to the security service requirement and the environment information. In other embodiments, step S02 can be subdivided into steps S021-S024:
S021: acquiring the natural language description of the security service requirement. Specifically, the user interaction module of the platform service module calls the requirement collection module to record the information entered by the user, and then passes it to the intent analysis module.
S022: translating the natural language description and generating an intent model. Specifically, the intent analysis module performs semantic translation of the submitted requirement, analyzes the intent of the requirement described in natural language according to the environment and the security service requirement, and constructs an intent model.
S023: optimizing the intent model through machine learning. Specifically, the security service scheme confirmed and selected by the user is obtained, the final confirmation item is recorded, and the intent analysis model is refined by machine learning so that the success rate of intent analysis improves.
S024: generating and outputting the intent analysis result according to the intent model. Specifically, the output analysis result includes a first-level security service target (such as the MLPS level and protection scope) and second-level specific service contents (the required security device types and performance parameters); the analysis result is transmitted to the security operation engine.
S03: generating a security service scheme according to the intent analysis result. Specifically, the service orchestration module of the security operation engine calls its service orchestration design sub-module to design the security service scheme and outputs it (1 main recommended scheme and 2 alternative schemes); the security operation engine then transmits the security service scheme (combined with its cost as needed) back to the intent analysis module of the platform service module. The intent analysis module passes the security service scheme to the requirement collection module of the user interaction module, where the user corrects the scheme generated by the intent analysis module, confirms the final requirement and selects a security service scheme. If the user is not satisfied, the security service scheme of the analysis module and the modification information for the related requirements are transmitted to the security operation engine, and the security service scheme is optimized and modified; if the user confirms the business scheme and selects the security service scheme, the final confirmation item is recorded and the intent analysis model is refined by machine learning, so that the success rate of intent analysis improves.
S04: acquiring security resource change information, and updating the security resources according to the security resource change information. In some embodiments the security resources include virtual security resources and hardware security resources, and step S04 can then be divided into steps S041 and S042;
S041: when the security resource is a virtual security resource. Referring to fig. 3, the resource management sub-module of the security capability pooling module first generates a hash value of the security device from the vendor, version number and security product characteristics of the virtual security device. If the security resource change information is a newly added resource, that is, the administrator adds a device (security resource), the security capability pooling module detects the new virtual security device and calls the security device change management sub-module to determine whether the virtual security device is already registered, i.e. recorded in the database; if it is registered, the resource management module adds the number of new virtual security devices to the license count of that virtual security device in the database, and the flow ends. If it is not registered, the security device change management module receives the pool-entry information of the security device except the storage location, namely product form, product parameters, license count, deployment requirements, technical support and cost; the resource management module stores the virtualized product at the distributed storage location designated by default by the system within the security function pool and records that location in the product storage location field of the pool-entry information; finally, the resource management module records the hash value of the virtualized security device and its pool-entry information in the database, and the flow ends.
If the security resource change information is an off-shelf resource, that is, the administrator takes a device off-shelf, the resource management sub-module of the security capability pooling module queries the database to confirm whether the resource to be taken off-shelf is currently providing security service; if it is, the service orchestration module of the security operation engine is called to smoothly transfer the security service to other security resources, and the security resource state (current state and change event) in the database is updated. The resource management module then changes the pool-entry information of the security device (the license count is reduced by the number taken off-shelf, and the product storage location information is updated); the security device change management module of the security capability pooling module deletes the virtual security resource from the user environment and updates the security resource state (current state and change event) in the database; if the slice network of the user environment no longer contains any security network element, the slice network is deleted after deregistration; the flow ends.
If the security resource change information is resource maintenance, that is, the administrator performs maintenance on a device, the security capability pooling module calls the service orchestration module of the security operation engine to smoothly transfer the service provided by that device to other security devices, and at the same time updates the security resource state (current state and change event) in the database; the security device change management module of the security capability pooling module disconnects the virtualized security device from the user environment; the automated operation and maintenance module then completes the maintenance work on the device; the security capability pooling module starts the security device, reconnects it to its original environment, migrates the original service load back to it, updates the security resource state (current state and change event) in the database and finishes the work; the flow ends.
S042: when the security resource is a hardware security resource, referring to fig. 4, similarly, the resource management submodule of the security capability pooling module generates a hash value of the security device according to the manufacturer, the version number, the security product feature and the hardware feature of the hardware security device; if the security resource change information is the new added resource, namely, the administrator newly adds equipment (security resource), the security capability pooling module finds the new added hardware security resource, and calls the security equipment change management submodule to judge whether the hardware security equipment is registered, namely whether the hardware security equipment is recorded in the database: if the hardware security resource is registered, the resource management module of the security capability pooling module extracts the security device pooling information of the hardware security resource from the database, and updates the product storage position of the security resource pooling information stored in the database, wherein the updated content is the number and the stored position information of the newly added machine of the equipment; if not, the security device change management module acquires pool entry information except the product storage location, namely: the resource management module records the position information to the product storage position of the safety equipment pool entering information, then records the hash value of the equipment and the safety resource pool entering information to the database, and after the registration is completed, the resource management module of the safety capacity pooling module is linked with the automatic operation and maintenance module of the safety operation engine to calculate and estimate the position where the safety equipment resources are the most scarce in the system; the deployment condition of the position must meet the 
deployment requirement in the safety equipment pool information; the safety equipment change management module of the safety capacity pooling module deploys the hardware safety resource to a safety equipment pool, and then a flow arrangement submodule of a service arrangement module of a safety operation engine is called for configuration and the pool entering work of the hardware safety resource is completed; the flow ends.
If the safety resource change information is the off-shelf resource, namely, the administrator off-shelf equipment, the resource management submodule of the safety capacity pooling module inquires the database to confirm whether the resource to be off-shelf is in a state of providing safety service, if the resource to be off-shelf is in the state of providing the safety service, the service arranging module of the safety operation engine is called to transfer the service to other safety equipment stably, and meanwhile, the safety resource state (current state and change event) in the database is updated; the resource management module changes the information of the entering pool (the license number minus the license number of the next shelf, and the information of the storage position of the product is updated); the safety equipment change management module of the safety capacity pooling module deletes the hardware safety resource from the user environment and updates the safety resource state (current state and change event) in the database; if the slice network of the user environment does not contain any security network element, deleting the slice network after logout; the safety equipment change management module informs an administrator to move the equipment away from the machine room; the flow ends.
If the safety resource change information is resource maintenance, namely, an administrator maintains the equipment, the safety capacity pooling module calls a service arranging module of the safety operation engine, the service provided by the equipment or the resource is stably transferred to other safety equipment and safety resources, and the safety resource state (the current situation and the change event) in the database is updated; the safety equipment change management module of the safety capacity pooling module disconnects the hardware safety resource from the user environment; then the automatic operation and maintenance module cooperates with an administrator (such as hardware replacement) to complete the maintenance work of the equipment; the safety capacity pooling module starts the safety equipment, reconnects the safety equipment to the original environment, migrates the safety equipment to the original service load, updates the safety resource state (the current situation and the change event) in the database and ends the process.
In the application of the present invention, a hash value that uniquely identifies a security resource is generated by a hash function:
a. Virtual security device hash value = Hash(manufacturer number, product version number, security product features)
b. Hardware security device hash value = Hash(manufacturer number, product version number, security product features, hardware characteristics)
where the security product feature is a hash value of the core code of the security product.
In addition, in this embodiment the pool entry information includes: product form, product parameters, license number, deployment requirements, technical support, cost, and product storage location.
The product form describes the form of the security resource: if the device is a virtual security resource, the field value is virtualization or mirror image/template (either); if the device is a hardware security resource, the field value is hardware.
The product parameters describe the product form of the security device: if the device is a virtual security resource, the field value is one of virtualization, mirror image or template; if the device is a hardware security resource, the field value is hardware.
The license number describes the number of licenses associated with the security device, including the license of the product itself and the number of licenses for the objects the product protects.
The deployment requirement describes the deployment requirements of the security device: if the device is a virtual security resource, the field value is the network requirements (e.g. bandwidth, ports, network settings) and the order of association with other security products; if the device is a hardware security resource, the field value is the network requirements (e.g. bandwidth, ports, network settings), power requirements, device space volume and the order of association with other security products.
Technical support describes the technical-support-related information of the security device; if the device is a third-party product, it also includes the contact details of the manufacturer's technical support.
The cost records the charging mode and cost of the security device, including the cost of the security device itself and the technical support cost: for a self-developed product this is the development cost and the operation and maintenance cost, and for a third-party product it is the cost agreement signed with the manufacturer.
The product storage location describes where the security device is stored: if the device is a virtualized security device, the field value is the serial number of the virtualized security device's image/template and its storage location information; if the device is a hardware security device, the field value is the hardware device number and the information of its storage location.
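The identity hash and the pool entry bookkeeping of steps S041/S042 can be made concrete in a few dozen lines. The following is an added example, not the patent's own code: it assumes SHA-256 as the hash function, length-prefixes each input field so that field boundaries cannot be confused, keeps the pool entry fields listed above in a record, and implements the "registered, so add licenses" versus "not registered, so record hash plus pool entry" branch and the "migrate live service before removing licenses" rule for taking a device off shelf. Class, function and field names (`PoolEntry`, `SecurityFunctionPool`, `device_hash`) are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not the patent's code: one concrete encoding of
# Hash(manufacturer number, product version number, security product features
# [, hardware characteristics]) plus the license bookkeeping of steps S041/S042.


def product_feature(core_code: bytes) -> str:
    """Security product feature = hash of the product's core code (SHA-256 assumed)."""
    return hashlib.sha256(core_code).hexdigest()


def device_hash(manufacturer: str, version: str, feature: str,
                hardware: Optional[str] = None) -> str:
    """Identity hash of a security device.

    Every field is length-prefixed before hashing so the boundary between fields
    is unambiguous ("ab"+"c" and "a"+"bc" must not collide).  The hardware
    characteristics field is present only for hardware devices.
    """
    fields = [manufacturer, version, feature]
    if hardware is not None:
        fields.append(hardware)
    h = hashlib.sha256()
    for f in fields:
        data = f.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


@dataclass
class PoolEntry:
    """Pool entry information as listed on the page (field names assumed)."""
    product_form: str                 # virtualization / mirror image / template / hardware
    product_params: str
    licenses: int
    deployment_req: Dict[str, str]
    tech_support: str
    cost: str
    storage_location: str
    serving: bool = False             # True while the device provides a security service
    events: List[Tuple[str, int]] = field(default_factory=list)   # change events


class SecurityFunctionPool:
    """Minimal stand-in for the database kept by the security capability pooling module."""

    def __init__(self) -> None:
        self.db: Dict[str, PoolEntry] = {}

    def add(self, key: str, entry: PoolEntry, count: int = 1) -> str:
        """Newly added resource: registered -> add licenses, else record hash + pool entry."""
        if key in self.db:
            self.db[key].licenses += count
            self.db[key].events.append(("license_added", count))
            return "license_added"
        entry.events.append(("registered", count))
        self.db[key] = entry
        return "registered"

    def off_shelf(self, key: str, count: int,
                  migrate: Callable[[str], None]) -> int:
        """Off-shelf resource: migrate a live service first, then reduce the license count."""
        entry = self.db[key]
        if count > entry.licenses:
            raise ValueError("cannot remove more licenses than are pooled")
        if entry.serving:
            migrate(key)              # service orchestration moves the load elsewhere
            entry.serving = False
        entry.licenses -= count
        entry.events.append(("off_shelf", count))
        return entry.licenses


def demo() -> Tuple[str, int]:
    """Register a virtual device, add licenses to it, then take one license off shelf."""
    feat = product_feature(b"constructed core code bytes")
    key = device_hash("vendor-01", "2.3.1", feat)           # constructed identifiers
    pool = SecurityFunctionPool()
    entry = PoolEntry("virtualization", "4 vCPU/8 GiB", 3, {"bandwidth": "1 Gbps"},
                      "vendor hotline (constructed)", "per-license", "/pool/img/v01")
    pool.add(key, entry, 3)                                   # "registered", 3 licenses
    second = pool.add(key, entry, 2)                          # "license_added", now 5
    pool.db[key].serving = True
    migrated: List[str] = []
    left = pool.off_shelf(key, 1, migrated.append)            # migrates, 4 licenses left
    return second, left
```

The length prefix matters in practice: concatenating the fields directly would let two different (manufacturer, version) pairs produce the same identity, and the pool would then silently add licenses to the wrong device instead of registering a new one.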
S05: scheduling the updated security resources according to the security service scheme to complete the security capability orchestration. In some embodiments step S05 may be further subdivided into steps S051 and S052:
S051: deploying security resources according to the security service scheme. Specifically, the service orchestration module invokes the security device deployment submodule of the security capability pooling module to deploy security devices from the security function pool according to the determined security service scheme so as to provide security capabilities (the security resource state in the database is updated after orchestration).
S052: adding the deployed security resources to the slice network to complete flow orchestration. Specifically, the service orchestration module calls the flow orchestration submodule to generate and register a slice network, adds the security devices and the corresponding network elements (such as switches and routers) to the slice network, and completes the flow orchestration. After the environment is built and debugged successfully, the automatic operation and maintenance submodule of the security operation engine is notified; the automatic operation and maintenance module notifies the service ordering/charging module of the platform service module to record and charge for the service used by the user; and the automatic operation and maintenance module uses the security device monitoring submodule to monitor in real time the state of the security resources used by the user.
If a new security service requirement arises, the flow returns to step S01 and starts again. If there is no new requirement, the automatic operation and maintenance module of the security operation engine continues to monitor the user's security resources; when a change is needed, the orchestration is adjusted for the user according to the service scheme the user has confirmed and recorded accordingly; meanwhile the service ordering/charging module of the platform service module continues to record and charge for the service used by the user. If the security service order is to be stopped, the service ordering/charging module of the platform service module settles the order for the user; the automatic operation and maintenance module of the security operation engine calls the service orchestration submodule to disable the related security functions, removes the network elements from the slice network and then logs out and deletes the slice network; the automatic operation and maintenance module calls the security capability pooling module to recycle the security capability resources; finally a log is recorded and the whole process of providing the security service scheme and security capability ends.
As an optional implementation manner of the present invention, the method for managing and controlling operation and maintenance of secure resources further includes steps S06-S08:
s06: acquiring the use condition of safety capacity arrangement on safety resources;
s07: predicting the change trend of the safety resource demand according to the use condition;
s08: and performing safety resource supplement according to the change trend and the environmental information.
Specifically, the automatic operation and maintenance module of the security operation engine monitors the environmental information and the security resources in real time and, through big-data analysis based on historical data, predicts the change trend of the security resource demand; when a shortage of security resources is predicted, security resources are supplemented in advance based on a comprehensive analysis of the user's historical order records, product cost, deployment cost and other parameters.
First, the automatic operation and maintenance module of the security operation engine monitors the platform's security resources in real time and records, for each security product $i$, its product resource information in hardware form, $Res\_PH_i$, and its product resource information in software form, $Res\_PV_i$, where
$Res\_PH_i = \{(\text{remaining license count of security product } i \text{ of manufacturer } j,\ \text{deployment location information of security product } i \text{ of manufacturer } j,\ \text{remaining security capability information of security product } i \text{ of manufacturer } j)\}$ and
$Res\_PV_i = \{(\text{remaining license count of security product } i \text{ of manufacturer } j,\ \text{remaining security capability information of security product } i \text{ of manufacturer } j)\}$.
Second, big-data analysis is performed on the historical order list $List\_H$ of security product $i$ of manufacturer $j$, and the time $T_{ji}$ at which security product $i$ of manufacturer $j$ should be purchased, relative to the current time, is estimated. The data items of a historical order are as follows: if the security resource is a hardware security resource, the data item is (time from placing the order with the manufacturer to receiving the hardware and the license, hardware deployment time, order placing time); if the security resource is a virtual security resource, the data item is (time from placing the order with the manufacturer to obtaining the license, virtual-form deployment time, order placing time), where the order placing time is recorded as year, month, day, hour and minute.
The historical usage $Used\_H$ of the user's security resources: the data item of a historical usage record is (resource information used by security product $i$, resource use time), where the time record comprises year, month and day.
The user environment $EnvC$ is: $EnvC = \{(\text{percentage of security resource usage of user } k,\ \text{percentage of traffic resource growth of user } k)\}$.
The formula $F_{\text{security resource alert}}(Res\_PH_i, Res\_PV_i, List\_H, Used\_H, EnvC)$ senses the change trend of the security resource demand from these parameters; when a shortage of security resources is predicted, security resources are supplemented in advance.
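The page names the inputs of $F_{\text{security resource alert}}$ but not its form. The following is an added example, not the patent's formula: one concrete reading in which the procurement lead time is estimated from $List\_H$ (mean days from order to deployment), the consumption rate from $Used\_H$ over a trailing window, scaled by a usage-weighted growth factor from $EnvC$, and an alert is raised when the remaining licenses in $Res\_PH_i$ and $Res\_PV_i$ would be exhausted before a new order could be deployed. The row layouts (`(order_time, receive_time, deploy_time)`, `(licenses_used, use_time)`, `(usage_pct, growth_pct)`), the 30-day window and the sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Tuple

# Added example, not the patent's formula: one concrete reading of
# F_security_resource_alert(Res_PH_i, Res_PV_i, List_H, Used_H, EnvC).
# Assumptions: licenses are the scarce quantity; List_H rows are
# (order_time, receive_time, deploy_time); Used_H rows are (licenses_used, use_time);
# EnvC rows are (usage_pct, growth_pct) per user; Res_* rows start with the license count.


def lead_time_days(list_h: List[Tuple[datetime, datetime, datetime]]) -> float:
    """Estimated procurement lead time: mean days from placing the order to deployment."""
    return mean((deploy - order).total_seconds() / 86400.0
                for order, _received, deploy in list_h)


def daily_consumption(used_h: List[Tuple[int, datetime]], now: datetime,
                      window_days: int = 30) -> float:
    """Licenses consumed per day over the trailing window ending at `now`."""
    start = now - timedelta(days=window_days)
    used = sum(qty for qty, t in used_h if start < t <= now)
    return used / window_days


def env_growth_factor(envc: List[Tuple[float, float]]) -> float:
    """Weight each user's traffic growth percentage by its share of resource usage."""
    total = sum(usage for usage, _ in envc)
    if total == 0:
        return 1.0
    weighted_growth_pct = sum(usage * growth for usage, growth in envc) / total
    return 1.0 + weighted_growth_pct / 100.0


def security_resource_alert(res_ph, res_pv, list_h, used_h, envc, now: datetime) -> Dict:
    """Alert when remaining licenses run out before a new order could be deployed."""
    remaining = sum(r[0] for r in res_ph) + sum(r[0] for r in res_pv)
    rate = daily_consumption(used_h, now) * env_growth_factor(envc)
    lead = lead_time_days(list_h)
    if rate <= 0:
        return {"alert": False, "days_left": float("inf"),
                "lead_time_days": lead, "order_by": None}
    days_left = remaining / rate
    return {"alert": days_left <= lead, "days_left": days_left, "lead_time_days": lead,
            "order_by": now + timedelta(days=max(0.0, days_left - lead))}


# Constructed sample data for security product i of manufacturer j.
NOW = datetime(2020, 3, 9)
LIST_H = [                                                    # lead times: 10 and 14 days
    (datetime(2020, 1, 1), datetime(2020, 1, 8), datetime(2020, 1, 11)),
    (datetime(2020, 2, 1), datetime(2020, 2, 10), datetime(2020, 2, 15)),
]
USED_H = [(100, datetime(2020, 1, 20))] + [                  # old row falls outside window
    (5, datetime(2020, 2, 10) + timedelta(days=5 * k)) for k in range(6)   # 30 in 30 days
]
ENVC = [(60.0, 10.0), (40.0, 0.0)]                            # growth factor 1.06
RES_PH = [(5, "rack A (constructed)", "2 Gbps remaining")]    # 5 hardware licenses left
RES_PV = [(5, "3 tenants remaining")]                         # 5 virtual licenses left


def example() -> Dict:
    """10 licenses left, ~1.06/day consumption, 12-day lead time -> alert."""
    return security_resource_alert(RES_PH, RES_PV, LIST_H, USED_H, ENVC, NOW)
```

The design choice worth noting is that the alert compares time-to-exhaustion against the measured lead time rather than against a fixed threshold: a product whose vendor historically takes two weeks to deliver needs a larger buffer than one that can be deployed the same day, which is exactly the information the historical order list carries.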
As an optional implementation manner of the present invention, the step S051 of deploying security resources according to a security service scheme specifically includes steps S0511 to S0513:
S0511: generating an available resource cluster from the updated security resources. Specifically, the currently available security resources of the platform are selected by class and their information is put into the cluster $SecPro$ (the union of the clusters $VirSecPro$ and $HarSecPro$), where virtual resources are put into $VirSecPro$ and hardware resources into $HarSecPro$; if the user specifies a preferred manufacturer, $SecPro$ contains only that manufacturer's products, and if the user specifies an excluded manufacturer, $SecPro$ must not contain that manufacturer's products.
S0512: generating a business analysis chain from the environment information and the security service scheme. Specifically, analysis and calculation are first carried out on the business scheme passed in from the client environment and the intention analysis module, and a level-1 analysis business chain is output, where $F_{level1}$ is the level-1 service chain analysis function:
$F_{level1}(\text{type and performance parameters of the security equipment required by the client},\ \text{client environment}) = \{\text{security equipment deployment sequence requirement};\ \text{set of logical deployment point ranges for each type of security equipment};\ \text{form requirement for each type of device (local hardware / local software / public cloud / private cloud)};\ \text{performance requirements (computing, network, storage) of each type of security equipment}\}$
S0513: completing security resource deployment according to the service analysis chain and the available resource cluster. Specifically, all product combinations in the cluster $SecPro$ corresponding to all classes of security resources are calculated, and
$F_{level2}(F_{level1}, C_p, C_{om}, C_d, P_{max}, P_{min}, [p,q], P_o) = \{(\text{specific business scheme}, P_x)\}$
outputs the optimal solution (product combination) together with 2 additional security service solutions and their corresponding costs, where $F_{level2}$ is the level-2 service chain analysis function, $C_p$ the security resource cost, $C_{om}$ the operation and maintenance cost, $C_d$ the deployment cost, $P_x$ the final fee of the solution, $P_{max}$ the maximum fee, $P_{min}$ the minimum fee, $[p,q]$ the profit requirement (profit range), and $P_o$ the fee the user expects.
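Steps S0511 to S0513 describe a filter-then-enumerate procedure whose selection rule is left open. The following is an added example, not the patent's $F_{level1}$/$F_{level2}$: it builds $SecPro$ by class with the preferred/excluded-manufacturer filters, derives a level-1 chain of (class, allowed forms, minimum performance) steps from the requirements and the client environment, enumerates one product per step, and prices each combination so that the fee $P_x$ lies within $[P_{min}, P_{max}]$, yields a profit within $[p,q]$ (taken here as fractions of cost) and is as close as possible to $P_o$, returning the optimal combination and two alternatives. The catalog, the "an on-premises site cannot host public-cloud forms" rule, the pricing rule and all names are constructed assumptions.

```python
from itertools import product as cartesian
from typing import Dict, List, Optional, Set

# Added example, not the patent's F_level1/F_level2: an assumed concrete instance
# of steps S0511-S0513.  Catalog rows, field names and the pricing rule are constructed.


def build_secpro(catalog: List[Dict], optional_vendors: Optional[Set[str]] = None,
                 excluded_vendors: Optional[Set[str]] = None) -> Dict[str, List[Dict]]:
    """S0511: SecPro = VirSecPro ∪ HarSecPro, grouped by security-resource class."""
    secpro: Dict[str, List[Dict]] = {}
    for item in catalog:
        if item["available"] <= 0:                      # nothing left in the pool
            continue
        if optional_vendors and item["vendor"] not in optional_vendors:
            continue                                    # user named preferred vendors
        if excluded_vendors and item["vendor"] in excluded_vendors:
            continue                                    # user excluded this vendor
        secpro.setdefault(item["class"], []).append(item)
    return secpro


def f_level1(requirements: List[Dict], env: Dict) -> List[Dict]:
    """S0512: level-1 chain = ordered steps with allowed forms and minimum performance.

    Constructed rule: an on-premises client environment cannot host public-cloud forms.
    """
    chain = []
    for req in requirements:
        forms = set(req["forms"])
        if env.get("site") == "on_prem":
            forms.discard("public_cloud")
        chain.append({"class": req["class"], "forms": forms, "min_perf": req["min_perf"]})
    return chain


def f_level2(chain: List[Dict], secpro: Dict[str, List[Dict]], p_max: float,
             p_min: float, profit_range, p_o: float) -> List[Dict]:
    """S0513: enumerate one product per chain step, price each combination, rank."""
    p, q = profit_range
    options = []
    for step in chain:
        fits = [it for it in secpro.get(step["class"], [])
                if it["form"] in step["forms"] and it["perf"] >= step["min_perf"]]
        if not fits:
            return []                                   # no feasible product for a class
        options.append(fits)
    solutions = []
    for combo in cartesian(*options):
        cost = sum(it["c_p"] + it["c_om"] + it["c_d"] for it in combo)   # C_p + C_om + C_d
        lo = max(p_min, cost * (1 + p))                 # lowest fee meeting P_min and profit p
        hi = min(p_max, cost * (1 + q))                 # highest fee within P_max and profit q
        if lo > hi:
            continue                                    # no fee satisfies every constraint
        p_x = min(max(p_o, lo), hi)                     # feasible fee closest to P_o
        solutions.append({"scheme": [it["name"] for it in combo], "cost": cost,
                          "fee": p_x, "profit": p_x - cost})
    solutions.sort(key=lambda s: (abs(s["fee"] - p_o), -s["profit"]))
    return solutions[:3]                                # optimal + 2 alternatives


# Constructed catalog: costs are C_p, C_om, C_d per product.
CATALOG = [
    {"name": "FW-A", "class": "firewall", "vendor": "V1", "form": "virtual", "perf": 10,
     "available": 4, "c_p": 100, "c_om": 20, "c_d": 10},
    {"name": "FW-B", "class": "firewall", "vendor": "V2", "form": "hardware", "perf": 20,
     "available": 1, "c_p": 200, "c_om": 30, "c_d": 50},
    {"name": "WAF-C", "class": "waf", "vendor": "V1", "form": "virtual", "perf": 5,
     "available": 2, "c_p": 50, "c_om": 10, "c_d": 5},
    {"name": "WAF-D", "class": "waf", "vendor": "V3", "form": "virtual", "perf": 8,
     "available": 2, "c_p": 80, "c_om": 10, "c_d": 5},
    {"name": "IDS-E", "class": "ids", "vendor": "V1", "form": "virtual", "perf": 8,
     "available": 0, "c_p": 60, "c_om": 10, "c_d": 5},      # exhausted, filtered out
]
REQS = [{"class": "firewall", "forms": ["virtual", "hardware"], "min_perf": 5},
        {"class": "waf", "forms": ["virtual", "public_cloud"], "min_perf": 5}]


def plan(optional: Optional[Set[str]] = None,
         excluded: Optional[Set[str]] = None) -> List[Dict]:
    """Run S0511-S0513 on the constructed catalog with P_o = 250, [p,q] = [10%, 50%]."""
    secpro = build_secpro(CATALOG, optional, excluded)
    chain = f_level1(REQS, {"site": "on_prem"})
    return f_level2(chain, secpro, p_max=500, p_min=100, profit_range=(0.10, 0.50), p_o=250)
```

Ranking first by distance from the user's expected fee and only then by profit reproduces the trade-off the description asks for: both FW-A combinations can be offered at exactly $P_o$, so the cheaper one wins on profit, while the hardware firewall combinations cannot reach $P_o$ without dropping below the minimum profit and are offered at their lowest admissible fee instead.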
From the above specific implementation process it can be concluded that the technical solution provided by the present invention has the following advantages compared with the prior art:
1. The system and method of the embodiment perform intelligent automatic analysis of the security requirements described by the user, whether simply or in natural language, and quickly provide a security service design scheme based on the user requirements, the current environment situation and the budget range. In the prior art, manual scheme design usually has a long cycle and is limited by the complexity of the client environment and of the platform's security capability, so an optimal business design scheme balancing cost and profit cannot be obtained. The scheme of the invention greatly saves scheme design time, makes better use of the platform's existing security resources, takes larger profits into account and adopts the optimal security product deployment scheme;
2. The invention manages security products of different manufacturers, versions and forms in a unified way and pools them into a security resource pool with a unified interface; the user only needs to purchase the service rather than the software/hardware product, which saves initial investment, reduces business risk and makes the operation and maintenance processes of upgrading and expanding security products transparent to the user, giving a good user experience;
3. The invention monitors the environment and the security resources in real time and, through big-data analysis based on historical data, can sense the change trend of the security resource demand in advance; when a shortage of security resources is predicted, security resources are supplemented in advance based on a comprehensive analysis of the user's historical order records, product cost, deployment cost and profit amount; automatic security resource supplementation is thereby realized, greatly saving operation and maintenance/operating cost;
4. The system of the invention provides a third-party interface on top of the security resource pool, and third-party manufacturers can develop applications on that interface to provide services to users of the platform.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (9)
1. The safe resource operation and maintenance platform system is characterized by comprising a platform service module, a safe operation engine and a safe function pool;
the platform service module comprises:
the intention analysis module is used for carrying out intention analysis according to the safety service requirement and the environment information;
the user interaction module is used for acquiring the safety service requirement and the environmental information;
the secure operations engine comprises:
the service arrangement module is used for generating a safety service scheme according to the intention analysis result and finishing safety capacity arrangement;
the automatic operation and maintenance module is used for acquiring security resource change information and updating security resources according to the security resource change information;
the safety resource pooling module is used for pooling safety resources and providing safety capability;
the safety function pool is used for storing the pooled safety resources;
the intention analysis is carried out according to the safety service requirement and the environmental information, and the intention analysis specifically comprises the following steps:
acquiring a natural language description of the security service requirement;
translating the natural language description and generating an intent model;
optimizing the intent model by machine learning;
and generating and outputting an intention analysis result according to the intention model.
2. The secure resource operation and maintenance platform system according to claim 1, wherein: the platform service module further comprises:
the situation perception module is used for perceiving the security threat and giving an alarm;
the risk defense module is used for carrying out security reinforcement inspection;
the detection authentication module is used for finishing detection authentication and generating a detection report;
and the safety protection module is used for finishing communication encryption and safety transmission.
3. The secure resource operation platform system according to claim 1, wherein the intent analysis module comprises:
the translation module is used for acquiring the natural language description of the safety service requirement, translating the natural language description and generating an intention model;
the feedback module is used for correcting the intention model according to the safety service requirement;
a correction module to optimize the intent model by machine learning.
4. The method for managing and controlling the operation and maintenance of security resources is characterized by comprising the following steps:
acquiring a security service requirement and environmental information;
performing intention analysis according to the safety service requirement and the environmental information;
generating a security service scheme according to the intention analysis result;
acquiring security resource change information, and updating security resources according to the security resource change information;
scheduling the updated security resources according to the security service scheme to complete security capability arrangement;
the security service requirements include security protection objectives, computational performance, storage performance, network performance, and user parameters;
the security resources comprise virtual security resources and hardware security resources;
the user environment information comprises network elements and network topology;
wherein, the step of performing intent analysis according to the security service requirement and the environment information specifically comprises:
acquiring a natural language description of the security service requirement;
translating the natural language description and generating an intent model;
optimizing the intent model by machine learning;
and generating and outputting an intention analysis result according to the intention model.
5. The method for managing and controlling the operation and maintenance of the secure resources according to claim 4, further comprising the following steps:
acquiring the use condition of the security capacity arrangement on the security resources;
predicting the change trend of the safety resource demand according to the use condition;
and performing security resource supplement according to the change trend and the environment information.
6. The method for managing and controlling operation and maintenance of secure resources according to claim 4, wherein the step of updating the secure resources according to the change information of the secure resources specifically includes:
acquiring manufacturers, version numbers and safety product characteristics of the virtual safety resources and generating hash values;
the safety resource change information is a newly added resource, registration and storage of the virtual safety resource are completed according to the hash value, and the virtual safety resource is stored in pool information;
the safety resource change information is a resource which is off-shelf, a corresponding virtual safety resource is deleted according to the hash value, and the information of entering the pool is changed;
the safety resource change information is resource maintenance, the virtual safety resource service is stopped according to the hash value, and the maintenance operation is completed;
the pool entry information includes: product morphology, product parameters, license, deployment requirements, technical support, cost fees, and product storage locations.
7. The method for managing and controlling operation and maintenance of secure resources according to claim 4, wherein the step of updating the secure resources according to the change information of the secure resources further includes:
acquiring manufacturers, version numbers, safety product characteristics and hardware characteristics of hardware safety resources and generating a hash value;
the security resource change information is a newly added resource, registration and storage of hardware security resources are completed according to the hash value, and the hardware security resources are stored in pool information;
the safety resource change information is an off-shelf resource, a corresponding hardware safety resource is deleted according to the hash value, and the pool entering information is changed;
the safety resource change information is resource maintenance, the hardware safety resource service is stopped according to the Hash value, and the maintenance operation is completed;
the pool entry information includes: product morphology, product parameters, license, deployment requirements, technical support, cost fees, and product storage locations.
8. The method for managing and controlling operation and maintenance of security resources according to claim 4, wherein the step of scheduling updated security resources according to the security service scheme to complete security capability arrangement specifically comprises:
deploying security resources according to the security service scheme;
and adding the safety resource deployment to a slice network to complete flow arrangement.
9. The method for managing and controlling operation and maintenance of secure resources according to claim 8, wherein the step of deploying the secure resources according to the security service scheme specifically includes:
generating an available resource cluster according to the updated security resource;
generating a business analysis chain according to the environment information and the safety service scheme;
and completing the safe resource deployment according to the service analysis chain and the available resource cluster.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010156584.7A CN111510428B (en) | 2020-03-09 | 2020-03-09 | Security resource operation and maintenance platform system and control method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111510428A CN111510428A (en) | 2020-08-07 |
CN111510428B true CN111510428B (en) | 2022-08-05 |
Family
ID=71863924
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010156584.7A Active CN111510428B (en) | 2020-03-09 | 2020-03-09 | Security resource operation and maintenance platform system and control method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111510428B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114490006A (en) * | 2020-10-23 | 2022-05-13 | 华为技术有限公司 | Task determination method, device, equipment and storage medium |
CN113052501A (en) * | 2021-04-25 | 2021-06-29 | 深圳市位元领航科技有限公司 | Automatic safe operation and maintenance method and terminal based on assets |
CN114143065B (en) * | 2021-11-26 | 2024-07-05 | 杭州安恒信息安全技术有限公司 | Security event processing method, device, equipment and medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109302380A (en) * | 2018-08-15 | 2019-02-01 | 全球能源互联网研究院有限公司 | A kind of safety protection equipment linkage defense strategy Intelligent Decision-making Method and system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105284094B (en) * | 2014-05-15 | 2019-05-28 | 华为技术有限公司 | A kind of network function virtualization network system, data processing method and device |
CN105391687A (en) * | 2015-10-13 | 2016-03-09 | 南京联成科技发展有限公司 | System and method for supplying information security operation service to medium-sized and small enterprises |
CN108900551A (en) * | 2018-08-16 | 2018-11-27 | 中国联合网络通信集团有限公司 | SDN/NFV network safety protection method and device |
CN110740141A (en) * | 2019-11-15 | 2020-01-31 | 国网山东省电力公司信息通信公司 | integration network security situation perception method, device and computer equipment |
Non-Patent Citations (1)
Title |
---|
Research on network security foresight paths based on deep learning; Zhang Wang; National Defense Science and Technology (《国防科技》); 2018-02-20 (No. 01); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN111510428A (en) | 2020-08-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111510428B (en) | Security resource operation and maintenance platform system and control method | |
JP5623271B2 (en) | Information processing apparatus, authority management method, program, and recording medium | |
US8978032B2 (en) | Host naming application programming interface | |
EP3176697B1 (en) | Type-to-type analysis for cloud computing technical components | |
US8307404B2 (en) | Policy-management infrastructure | |
US9038086B2 (en) | End to end modular information technology system | |
US8862542B2 (en) | Replicating data objects within a storage network | |
EP2675127B1 (en) | Method and device for automatically migrating system configuration item | |
CN102684903B (en) | Management platform, system and method for accessing multiple cloud storage resource nodes | |
EP1978672B1 (en) | Method for implementing management software, hardware with pre-configured software and implementing method thereof | |
CN109670297B (en) | Method and device for opening service permission, storage medium and electronic equipment | |
CN110990150A (en) | Tenant management method and system of container cloud platform, electronic device and storage medium | |
CN106469068B (en) | Application program deployment method and system | |
CN108574593B (en) | License management system and method in an NFV network | |
CN104317610A (en) | Method and device for automatic installation and deployment of hadoop platform | |
KR20140068963A (en) | Coordination engine for cloud selection | |
US10261771B1 (en) | Environment mapping and patching synthesis | |
CN101657793A (en) | Method, system and computer program for configuring firewalls | |
CN116471320A (en) | Intelligent cloud management based on portrait information | |
Yan et al. | Infrastructure management of hybrid cloud for enterprise users | |
US20190354395A1 (en) | Limiting folder and link sharing | |
CN113297031B (en) | Container group protection method and device in container cluster | |
WO2019207156A1 (en) | Method and arrangement for licence management in nfv network environment | |
US20020161615A1 (en) | Workflow system | |
US20240223618A1 (en) | Auto-tuning permissions using a learning mode |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||