CN111786981A - Public cloud network service management method and system - Google Patents


Info

Publication number
CN111786981A
Authority
CN
China
Prior art keywords
component
action
data
service
attack
Prior art date
Legal status (Google's assumption, not a legal conclusion)
Granted
Application number
CN202010591313.4A
Other languages
Chinese (zh)
Other versions
CN111786981B (en)
Inventor
金锴
Current Assignee (listing may be inaccurate; Google has not performed a legal analysis)
Beijing Fuyun'an Operation Technology Co ltd
Original Assignee
Beijing Fuyun'an Operation Technology Co ltd
Priority date (Google's assumption, not a legal conclusion)
Filing date
Publication date
Application filed by Beijing Fuyun'an Operation Technology Co ltd
Priority to CN202010591313.4A
Publication of CN111786981A
Application granted
Publication of CN111786981B
Legal status: Active
Anticipated expiration

Classifications

    • Section H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication); Section G (Physics) > G06 (Computing; calculating or counting)
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching (under H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services)
    • G06N20/00 Machine learning (under G06N Computing arrangements based on specific computational models)
    • G06Q10/0635 Risk analysis of enterprise or organisation activities (under G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063 Operations research, analysis or management)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (under H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (under H04L67/00 > H04L67/01 Protocols)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/00 > H04L67/01 Protocols)


Abstract

The invention provides a public cloud network service management method and system that address the low resource utilization and the large number of repeated actions of existing public cloud multi-tenant systems.

Description

Public cloud network service management method and system
Technical Field
The present application relates to the technical field of network security, and in particular to a public cloud network service management method and system.
Background
Existing cloud resources usually host several client systems at the same time, and each client system in turn comprises several different services. Common practice is to isolate the different client systems from one another, which leads to low utilization of the cloud resources and a large number of repeated actions. If instead the services of different client systems were opened to one another, the data of the different systems would be exposed to security problems.
A targeted public cloud network service management method and system are therefore urgently needed.
Disclosure of Invention
The aim of the invention is to provide a public cloud network service management method and system that address the low resource utilization and the large number of repeated actions of existing public cloud multi-tenant systems.
In a first aspect, the present application provides a method for managing a public cloud network service, the method comprising:
receiving service information submitted by one or more user sources (tenants), where the service information of each user source comprises the related data of a plurality of services, and the related data comprises one or a combination of a request action, a processing action, a tabulation (form-generation) action, an approval action, an invocation action, an expiry-stop action and an encryption action;
clustering the related data of each service by action type and virtualizing each cluster into a single component stored on the public cloud, where each component carries one or a combination of the following component identifiers: a user identifier, a supported-service identifier, a usage-scope identifier and a usage-period identifier, and a component can be invoked only when every requirement expressed by its component identifiers is satisfied;
one component can serve multiple services, one service needs to invoke multiple components, and one user source comprises multiple services;
receiving a service request sent by a client, parsing the service request to obtain a service identifier, obtaining a geolocation from the client, looking up the corresponding user identifier and the permitted request-action component according to the service identifier and the geolocation, extracting the data carried in the service request, storing that data in a temporary storage (staging) area partitioned by user identifier, invoking the encryption component permitted for that user identifier to encrypt the data, and blocking all other request-action components from accessing the data;
after the request action completes, the permitted request-action component passes the encrypted data to the corresponding permitted processing-action component, which the request-action component selects according to the service identifier, the user identifier and the geolocation;
the processing-action component invokes the corresponding encryption component to decrypt the data, invokes one or more of the corresponding tabulation-action, approval-action and expiry-stop-action components as the business requires, sends a response message to the client on completion, invokes the corresponding encryption component to encrypt the intermediate data generated during processing, stores the ciphertext in the staging area partitioned by user identifier, and blocks every component other than the current processing-action component from accessing that data;
receiving a response-confirmation message returned by the client and parsing it to obtain the service identifier and the user identifier; if the response-confirmation message indicates that the service has been received in full, the current processing-action component deletes the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier; if it indicates that the service has not been received in full, the current processing-action component retrieves the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier and processes it a second time;
if the staging area holds no data, releasing the resources of the staging area;
dynamically determining detection parameters and detection rules according to the service identifier or the user identifier, the detection parameters and detection rules determining the types and weights of the feature vectors to be extracted; extracting the feature vectors of the data in the staging area, assembling the extracted feature vectors into a multi-dimensional detection sample, feeding the multi-dimensional detection sample into a machine learning model, and detecting whether the sample contains an attack vector;
when the multi-dimensional detection sample is found to contain an attack vector, splitting the corresponding data into a plurality of data fragments, feeding the data fragments into the machine learning model again, and detecting whether each data fragment contains an attack vector; if a data fragment is found to contain an attack vector, marking that data fragment as abnormal, marking the component to which the abnormal data fragment belongs as an anomaly point, and analyzing whether a logical association exists among the several abnormal data fragments; if the abnormal data fragments are logically associated, establishing a predecessor-successor relationship between the corresponding anomaly points and marking each such anomaly point as a path point on an attack trajectory;
obtaining, from the predecessor-successor relationships and the path points, the attack trajectories corresponding to different services or different users; forming a network attack surface from the path points and the attack-trajectory lines, and thereby an attack-tracing graph; and stopping the components on the attack trajectories, suspending the services corresponding to those components or re-virtualizing the components for the specified services, and notifying the users.
With reference to the first aspect, in a first possible implementation of the first aspect, the split length used when splitting the corresponding data into a plurality of data fragments may be determined according to the service type and the access action.
With reference to the first aspect, in a second possible implementation of the first aspect, notifying the user comprises one or a combination of instant messaging, e-mail, short message (SMS) and telephone.
With reference to the first aspect, in a third possible implementation of the first aspect, after the attack-tracing graph is formed the method further comprises obtaining a risk assessment and a defense strategy for different services or different users, and guiding an administrator to carry out targeted risk remediation for those services or users.
In a second aspect, the present application provides a public cloud network service management system comprising a component generation unit, a service processing unit, a detection unit and a defense unit;
the component generation unit is configured to receive service information submitted by one or more user sources (tenants), where the service information of each user source comprises the related data of a plurality of services, and the related data comprises one or a combination of a request action, a processing action, a tabulation (form-generation) action, an approval action, an invocation action, an expiry-stop action and an encryption action;
and to cluster the related data of each service by action type and virtualize each cluster into a single component stored on the public cloud, where each component carries one or a combination of the following component identifiers: a user identifier, a supported-service identifier, a usage-scope identifier and a usage-period identifier, and a component can be invoked only when every requirement expressed by its component identifiers is satisfied;
one component can serve multiple services, one service needs to invoke multiple components, and one user source comprises multiple services;
the service processing unit is configured to receive a service request sent by a client, parse the service request to obtain a service identifier, obtain a geolocation from the client, look up the corresponding user identifier and the permitted request-action component according to the service identifier and the geolocation, extract the data carried in the service request, store that data in a temporary storage (staging) area partitioned by user identifier, invoke the encryption component permitted for that user identifier to encrypt the data, and block all other request-action components from accessing the data;
after the request action completes, the permitted request-action component passes the encrypted data to the corresponding permitted processing-action component, which the request-action component selects according to the service identifier, the user identifier and the geolocation;
the processing-action component invokes the corresponding encryption component to decrypt the data, invokes one or more of the corresponding tabulation-action, approval-action and expiry-stop-action components as the business requires, sends a response message to the client on completion, invokes the corresponding encryption component to encrypt the intermediate data generated during processing, stores the ciphertext in the staging area partitioned by user identifier, and blocks every component other than the current processing-action component from accessing that data;
the service processing unit is further configured to receive a response-confirmation message returned by the client and parse it to obtain the service identifier and the user identifier; if the response-confirmation message indicates that the service has been received in full, the current processing-action component deletes the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier; if it indicates that the service has not been received in full, the current processing-action component retrieves the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier and processes it a second time;
if the staging area holds no data, the resources of the staging area are released;
the detection unit is configured to dynamically determine detection parameters and detection rules according to the service identifier or the user identifier, the detection parameters and detection rules determining the types and weights of the feature vectors to be extracted; to extract the feature vectors of the data in the staging area, assemble the extracted feature vectors into a multi-dimensional detection sample, feed the multi-dimensional detection sample into a machine learning model, and detect whether the sample contains an attack vector;
when the multi-dimensional detection sample is found to contain an attack vector, to split the corresponding data into a plurality of data fragments, feed the data fragments into the machine learning model again, and detect whether each data fragment contains an attack vector; if a data fragment is found to contain an attack vector, to mark that data fragment as abnormal, mark the component to which the abnormal data fragment belongs as an anomaly point, and analyze whether a logical association exists among the several abnormal data fragments; if the abnormal data fragments are logically associated, to establish a predecessor-successor relationship between the corresponding anomaly points and mark each such anomaly point as a path point on an attack trajectory;
and the defense unit is configured to obtain, from the predecessor-successor relationships and the path points, the attack trajectories corresponding to different services or different users; to display the network attack surface formed by the path points and the attack-trajectory lines, thereby forming an attack-tracing graph; to stop the components on the attack trajectories, suspend the services corresponding to those components or re-virtualize the components for the specified services; and to notify the users.
With reference to the second aspect, in a first possible implementation of the second aspect, the split length used when splitting the corresponding data into a plurality of data fragments may be determined according to the service type and the access action.
With reference to the second aspect, in a second possible implementation of the second aspect, notifying the user comprises one or a combination of instant messaging, e-mail, short message (SMS) and telephone.
With reference to the second aspect, in a third possible implementation of the second aspect, after the attack-tracing graph is formed the system further obtains a risk assessment and a defense strategy for different services or different users, and guides an administrator to carry out targeted risk remediation for those services or users.
The invention thus provides a public cloud network service management method and system that address the low resource utilization and the large number of repeated actions of existing public cloud multi-tenant systems.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a general flow chart of the public cloud network service management method of the present invention;
FIG. 2 is an architecture diagram of the public cloud network service management system of the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the present invention can be more easily understood by those skilled in the art and the scope of the present invention is defined more clearly.
Fig. 1 is a general flow chart of the public cloud network service management method provided in the present application; the method comprises:
receiving service information submitted by one or more user sources (tenants), where the service information of each user source comprises the related data of a plurality of services, and the related data comprises one or a combination of a request action, a processing action, a tabulation (form-generation) action, an approval action, an invocation action, an expiry-stop action and an encryption action;
clustering the related data of each service by action type and virtualizing each cluster into a single component stored on the public cloud, where each component carries one or a combination of the following component identifiers: a user identifier, a supported-service identifier, a usage-scope identifier and a usage-period identifier, and a component can be invoked only when every requirement expressed by its component identifiers is satisfied;
one component can serve multiple services, one service needs to invoke multiple components, and one user source comprises multiple services;
receiving a service request sent by a client, parsing the service request to obtain a service identifier, obtaining a geolocation from the client, looking up the corresponding user identifier and the permitted request-action component according to the service identifier and the geolocation, extracting the data carried in the service request, storing that data in a temporary storage (staging) area partitioned by user identifier, invoking the encryption component permitted for that user identifier to encrypt the data, and blocking all other request-action components from accessing the data;
after the request action completes, the permitted request-action component passes the encrypted data to the corresponding permitted processing-action component, which the request-action component selects according to the service identifier, the user identifier and the geolocation;
the processing-action component invokes the corresponding encryption component to decrypt the data, invokes one or more of the corresponding tabulation-action, approval-action and expiry-stop-action components as the business requires, sends a response message to the client on completion, invokes the corresponding encryption component to encrypt the intermediate data generated during processing, stores the ciphertext in the staging area partitioned by user identifier, and blocks every component other than the current processing-action component from accessing that data;
receiving a response-confirmation message returned by the client and parsing it to obtain the service identifier and the user identifier; if the response-confirmation message indicates that the service has been received in full, the current processing-action component deletes the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier; if it indicates that the service has not been received in full, the current processing-action component retrieves the intermediate-data ciphertext from the staging area according to the service identifier and the user identifier and processes it a second time;
if the staging area holds no data, releasing the resources of the staging area;
dynamically determining detection parameters and detection rules according to the service identifier or the user identifier, the detection parameters and detection rules determining the types and weights of the feature vectors to be extracted; extracting the feature vectors of the data in the staging area, assembling the extracted feature vectors into a multi-dimensional detection sample, feeding the multi-dimensional detection sample into a machine learning model, and detecting whether the sample contains an attack vector;
when the multi-dimensional detection sample is found to contain an attack vector, splitting the corresponding data into a plurality of data fragments, feeding the data fragments into the machine learning model again, and detecting whether each data fragment contains an attack vector; if a data fragment is found to contain an attack vector, marking that data fragment as abnormal, marking the component to which the abnormal data fragment belongs as an anomaly point, and analyzing whether a logical association exists among the several abnormal data fragments; if the abnormal data fragments are logically associated, establishing a predecessor-successor relationship between the corresponding anomaly points and marking each such anomaly point as a path point on an attack trajectory;
obtaining, from the predecessor-successor relationships and the path points, the attack trajectories corresponding to different services or different users; forming a network attack surface from the path points and the attack-trajectory lines, and thereby an attack-tracing graph; and stopping the components on the attack trajectories, suspending the services corresponding to those components or re-virtualizing the components for the specified services, and notifying the users.
In some preferred embodiments, the split length used when splitting the corresponding data into several data fragments may be determined according to the service type and the access action.
In some preferred embodiments, notifying the user comprises one or several of instant messaging, e-mail, short message (SMS) and telephone.
In some preferred embodiments, forming the attack-tracing graph further comprises obtaining a risk assessment and a defense strategy for different services or different users, and guiding the administrator to carry out targeted risk remediation for those services or users.
Virtualizing a cluster into a single component includes virtualizing actions of the same type into one component, and also includes virtualizing actions of the same type but with different usage rights or different usage scopes into several distinct components, so that the scope a caller is entitled to selects which component it may invoke.
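The component gating and the per-tenant staging lifecycle described in the steps above (identifier-gated invocation, a staging area partitioned by user identifier in which only the current component can read the data, encryption on every hand-over, and delete-or-reprocess on the client's confirmation) can be modelled compactly. The Python below is an added illustration written for this page, not code from the patent or its assignee: the names (`ComponentId`, `select`, `StagingArea`, `handle_request`, `confirm`), the tenant keys, the toy HMAC-based cipher standing in for the encryption component, the refusal of ambiguous matches in `select`, and the sample payloads are all assumptions made here.

```python
from collections import namedtuple
from datetime import date
import hashlib
import hmac

# Identifiers a component carries; None means the identifier is not required. user_id: user
# identifier; services: supported-service identifiers; scope: usage-scope identifier (e.g. a
# region); period: (start, end) usage-period identifier.
ComponentId = namedtuple("ComponentId", "user_id services scope period", defaults=(None,) * 4)
Component = namedtuple("Component", "name action cid")      # action: "request", "process", ...
Call = namedtuple("Call", "user_id service_id scope when")  # scope derived from client geolocation
TENANT_KEYS = {"tenantA": b"key-A", "tenantB": b"key-B"}    # constructed key material

def permitted(c: Component, call: Call) -> bool:
    """A component is callable only when every identifier it carries is satisfied."""
    cid = c.cid
    return ((cid.user_id is None or cid.user_id == call.user_id)
            and (cid.services is None or call.service_id in cid.services)
            and (cid.scope is None or cid.scope == call.scope)
            and (cid.period is None or cid.period[0] <= call.when <= cid.period[1]))

def select(components: list, action: str, call: Call) -> Component:
    """Resolve the single component permitted for this action and call."""
    hits = [c for c in components if c.action == action and permitted(c, call)]
    if len(hits) != 1:  # 0 = nothing permitted, >1 = ambiguous policy; both are refused
        raise PermissionError(f"{action}: {len(hits)} permitted components for {call}")
    return hits[0]

def tenant_cipher(key: bytes, data: bytes) -> bytes:
    """Toy per-tenant stream cipher (HMAC-SHA256 counter keystream XOR; one call both encrypts
    and decrypts). Stand-in for the encryption component: a deployment would use AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class StagingArea:
    """Temporary storage partitioned by user_id; only an entry's owner component may read it."""
    def __init__(self):
        self._parts = {}  # user_id -> service_id -> (owner component, ciphertext)

    def put(self, user_id, service_id, owner, ciphertext):
        self._parts.setdefault(user_id, {})[service_id] = (owner, ciphertext)

    def get(self, user_id, service_id, caller) -> bytes:
        owner, ct = self._parts[user_id][service_id]
        if caller != owner:  # every component other than the owner is blocked ("shielded")
            raise PermissionError(f"{caller} blocked from {user_id}/{service_id}")
        return ct

    def delete(self, user_id, service_id) -> bool:  # True once the tenant partition is released
        self._parts[user_id].pop(service_id, None)
        if not self._parts[user_id]:
            del self._parts[user_id]
        return user_id not in self._parts

def handle_request(components, staging, call, payload, processor):
    """Request component stages the encrypted payload and hands over to the processing component."""
    key, u, s = TENANT_KEYS[call.user_id], call.user_id, call.service_id
    req, proc = select(components, "request", call), select(components, "process", call)
    staging.put(u, s, req.name, tenant_cipher(key, payload))
    staging.put(u, s, proc.name, staging.get(u, s, req.name))  # hand-over: the owner changes
    response, intermediate = processor(tenant_cipher(key, staging.get(u, s, proc.name)))
    staging.put(u, s, proc.name, tenant_cipher(key, intermediate))  # encrypted intermediate data
    return response

def confirm(components, staging, call, complete, processor):
    """Response confirmation: received -> delete the staged ciphertext (True once the partition
    is released); not received -> process the staged ciphertext a second time."""
    u, s = call.user_id, call.service_id
    proc = select(components, "process", call)
    if complete:
        return staging.delete(u, s)
    return processor(tenant_cipher(TENANT_KEYS[u], staging.get(u, s, proc.name)))[0]

def raises(fn, exc=PermissionError) -> bool:
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    components = [
        Component("req-A", "request", ComponentId("tenantA", frozenset({"svc1"}), "cn-north",
                                                  (date(2020, 1, 1), date(2030, 12, 31)))),
        Component("proc-A", "process", ComponentId("tenantA", frozenset({"svc1"}))),
        Component("req-B", "request", ComponentId("tenantB")),
        Component("proc-B", "process", ComponentId("tenantB"))]
    staging, call = StagingArea(), Call("tenantA", "svc1", "cn-north", date(2024, 6, 1))
    processor = lambda plain: (b"ok:" + plain.upper(), b"partial:" + plain)  # constructed
    first = handle_request(components, staging, call, b"hello", processor)
    shielded = raises(lambda: staging.get("tenantA", "svc1", "req-A"))  # request comp. blocked
    retry = confirm(components, staging, call, False, processor)  # not received: second processing
    released = confirm(components, staging, call, True, processor)  # received: delete and release
    expired = raises(lambda: select(components, "request", call._replace(when=date(2031, 1, 1))))
    return first, shielded, retry, released, expired
```

`demo()` walks one request through the lifecycle: the request component can no longer read the entry once ownership has passed to the processing component, a "not received" confirmation re-processes the staged ciphertext, a "received" confirmation deletes it and releases the tenant partition, and a call outside the component's usage period resolves to no component at all. Note that `select` also refuses when more than one component is permitted; the text only requires that the identifiers be satisfied, but treating an ambiguous match as a policy error is the safe reading. The HMAC counter-mode XOR is only a placeholder for the encryption component; a real deployment would use an AEAD such as AES-GCM with per-tenant keys from a key management service.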
In some preferred embodiments, after the attack-tracing graph is formed the method may further comprise reconstructing the context in which an attack event occurred and its attack path, specifically:
performing in-depth correlation analysis and data mining on the collected log information across the time and space dimensions, and building a rule base;
comparing the tracing information of the suspected attack against the rule base, constructing a tracing graph by means of forward (propagation) queries and backward (trace-back) queries, and obtaining the context and attack path of the attack event from the tracing graph.
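The detection, localization, association and tracing steps above (the detection steps of the method, and the forward and backward tracing queries of the preceding paragraph) as an added illustration written for this page, not the patent's code: the feature types, the per-service weights and the threshold rule that stand in for the machine learning model, the split-length rule, the session-and-sequence notion of logical association, and the sample staging records are all constructed here.

```python
import re
from collections import defaultdict

# Detection parameters and rules selected by service identifier: feature types to
# extract, their weights and the decision threshold (values constructed for this example).
PROFILES = {
    "svc1": {"sqli": 3.0, "traversal": 3.0, "shell": 2.0, "binary": 1.0, "threshold": 2.5},
    "svc2": {"sqli": 1.0, "traversal": 1.0, "shell": 3.0, "binary": 2.0, "threshold": 2.5},
}
PATTERNS = {
    "sqli": re.compile(rb"(?i)('\s*or\s+1\s*=\s*1|union\s+select|--\s*$)"),
    "traversal": re.compile(rb"\.\./"),
    "shell": re.compile(rb"[;|`$]\s*\w"),
}

def features(data: bytes, profile: dict) -> dict:
    """Weighted multi-dimensional feature vector for one byte string."""
    vec = {name: float(bool(pat.search(data))) for name, pat in PATTERNS.items()}
    vec["binary"] = sum(b < 32 or b > 126 for b in data) / max(len(data), 1)
    return {k: v * profile[k] for k, v in vec.items()}

def model_predict(vec: dict, profile: dict) -> bool:
    """Stand-in for the machine learning model: linear score against a threshold."""
    return sum(vec.values()) >= profile["threshold"]

def split_length(service_type: str, access_action: str) -> int:
    """Assumed rule: request-action data is split finer than other actions' data."""
    return 16 if access_action == "request" else 32

def fragments(data: bytes, n: int) -> list:
    """Overlapping fragments (stride n/2) so a pattern cut by one boundary is still seen."""
    return [data[i:i + n] for i in range(0, len(data), max(n // 2, 1))]

def detect(records: list, service_id: str) -> list:
    """Whole-sample detection first, then per-fragment localization of the attack vector."""
    profile = PROFILES[service_id]
    if not model_predict(features(b"".join(r["data"] for r in records), profile), profile):
        return []  # the multi-dimensional sample contains no attack vector
    abnormal = []
    for r in records:
        for idx, frag in enumerate(fragments(r["data"], split_length(service_id, r["action"]))):
            if model_predict(features(frag, profile), profile):
                abnormal.append({**r, "frag": idx, "data": frag})  # fragment marked abnormal
    return abnormal

def link(abnormal: list) -> set:
    """Assumed logical association: same session, ascending sequence number. Returns
    predecessor -> successor edges between anomaly points (the fragments' components)."""
    by_session = defaultdict(list)
    for a in abnormal:
        by_session[a["session"]].append(a)
    edges = set()
    for items in by_session.values():
        items.sort(key=lambda a: (a["seq"], a["frag"]))
        edges |= {(p["component"], q["component"]) for p, q in zip(items, items[1:])
                  if p["component"] != q["component"]}
    return edges

def trace(edges: set, node: str) -> tuple:
    """Backward (trace-back) and forward (propagation) queries over the tracing graph."""
    pred, succ = defaultdict(set), defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
        pred[b].add(a)
    def walk(start, nbrs):
        seen, stack = set(), [start]
        while stack:
            for n in nbrs[stack.pop()]:
                if n not in seen:
                    seen.add(n)
                    stack.append(n)
        return seen
    return walk(node, pred), walk(node, succ)

def analyze(records: list, service_id: str, user_id: str) -> dict:
    """Detect, localize, link, build the attack trajectory and derive the response."""
    abnormal = detect(records, service_id)
    edges = link(abnormal)
    anomaly_points = sorted({a["component"] for a in abnormal})
    path_points = sorted({c for e in edges for c in e})  # anomaly points with an association
    roots = [p for p in path_points if not trace(edges, p)[0]]  # where each trajectory starts
    actions = [f"stop:{c}" for c in path_points]
    if path_points:
        actions += [f"suspend:{service_id}", f"notify:{user_id}"]
    return {"anomaly_points": anomaly_points, "path_points": path_points,
            "edges": sorted(edges), "roots": roots, "actions": actions}

RECORDS = [  # constructed staging-area contents for tenantA / svc1
    {"component": "req-A", "action": "request", "session": "s1", "seq": 1, "data": b"GET /items?id=1"},
    {"component": "req-A", "action": "request", "session": "s1", "seq": 2,
     "data": b"GET /items?id=1' OR 1=1 --"},
    {"component": "proc-A", "action": "process", "session": "s1", "seq": 3, "data": b"file=../../etc/passwd"},
    {"component": "form-A", "action": "tabulate", "session": "s2", "seq": 4, "data": b"report=monthly"},
]
```

On the constructed records, `analyze(RECORDS, "svc1", "tenantA")` flags the injection in the request component and the traversal in the processing component, links them through session `s1` into the edge `req-A -> proc-A`, reports `req-A` as the root of the trajectory, and returns the response actions (stop both components, suspend `svc1`, notify `tenantA`); `trace(edges, "proc-A")` answers the backward query with `{"req-A"}`. Two details worth noting: a fixed split can cut a pattern in two (here `' OR 1=1` straddles a 16-byte boundary), which is why `fragments` overlaps by half a fragment; and the same payload scores differently under different profiles (`ls; cat /etc/passwd` exceeds the threshold under `svc2` but not under `svc1`), which is what the per-service selection of detection rules buys.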
Fig. 2 is an architecture diagram of a public cloud network service management system provided in the present application, where the system includes: the system comprises a component generating unit, a service processing unit, a detecting unit and a defense unit;
the component generation unit is used for receiving service information submitted by one or more user sources, wherein the service information of each user source comprises related data of a plurality of services, and the related data comprises one or a combination of a request action, a handling action, a tabulation action, an approval action, a calling action, an expiration stopping action and an encryption action;
clustering and virtualizing related data of each service into a single component according to the type of the action, and storing the single component on a public cloud, wherein the component carries one or a plurality of combined component identifications of a user identification, a supportable service identification, a use range identification and a use period identification, and the corresponding component can be called only when the requirement of the component identification is met;
one component can support multiple services, one service needs to call the multiple components, and one user source comprises the multiple services;
the service processing unit is used for receiving a service request sent by a client, parsing the service request to obtain a service identifier, obtaining a positioning location from the client, looking up the corresponding user identifier and supportable request action component according to the service identifier and the positioning location, extracting the data in the service request, storing the data in a temporary storage area partitioned according to the user identifier, calling the encryption component supportable by that user identifier to encrypt the data, and shielding the other supportable request action components from calling the data;
after the request action is completed, the supportable request action component transmits the encrypted data to the corresponding supportable handling action component, which the request action component determines according to the service identifier, the user identifier and the positioning location;
the handling action component calls the corresponding encryption component to decrypt the data, calls one or more of the corresponding tabulation action component, approval action component and expiration stopping action component according to business needs, sends a response message to the client after completion, calls the corresponding encryption component to encrypt the intermediate data generated during handling, stores the encrypted data in the temporary storage area partitioned according to the user identifier, and shields all components other than the current handling action component from calling the data;
receiving a response confirmation message returned by the client, and parsing the response confirmation message to obtain the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is completed, the current handling action component deletes the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is not completed, the current handling action component recalls the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier for a second handling;
if the data in the temporary storage area is empty, releasing the resources of the temporary storage area;
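As an added illustration, not code from the patent or its applicant, the following Python sketches the service processing unit's data path: a component is callable only when every identification it carries (user, supportable service, use range, use period) is satisfied; request data is encrypted by the user's encryption component and kept in a temporary storage area partitioned by user identifier, where exactly one component may call each entry; and the client's response confirmation either deletes the intermediate ciphertext or recalls it for a second handling, with the area released once it is empty. The component names, location codes, timestamps and the HMAC-based encryption stand-in are all constructed assumptions.

```python
# Added example, not code from the patent: component identification gating, a temporary
# storage area partitioned by user identifier with one permitted caller per entry, and
# the delete / recall / release lifecycle driven by the client's response confirmation.
# The encryption stand-in and all identifiers are constructed for this illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str              # "request" or "handling" action component
    user_id: str           # user identification
    services: frozenset    # supportable service identifications
    use_range: frozenset   # use range identification (assumed: positioning location codes)
    use_period: tuple      # use period identification (assumed: inclusive (start, end) timestamps)

    def callable_for(self, user_id, service_id, location, now) -> bool:
        """The component may be called only when every carried identification is met."""
        return (self.user_id == user_id and service_id in self.services
                and location in self.use_range
                and self.use_period[0] <= now <= self.use_period[1])


def find_component(components, kind, user_id, service_id, location, now) -> Component:
    for c in components:
        if c.kind == kind and c.callable_for(user_id, service_id, location, now):
            return c
    raise PermissionError(f"no callable {kind} component for {user_id}/{service_id} at {location}")


class EncryptionComponent:
    """Stand-in for the per-user encryption component: HMAC-SHA256 counter-mode keystream
    with an encrypt-then-MAC tag. Illustrative only, not a vetted cipher."""
    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks = [hmac.new(self.key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(n // 32 + 1)]
        return b"".join(blocks)[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.key, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext tag mismatch")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class TempStorage:
    """Temporary storage area partitioned by user identifier. Each entry records the single
    component permitted to call it, so every other component is shielded from the data."""
    def __init__(self):
        self.areas = {}   # user_id -> {key: (ciphertext, owner component name)}

    def put(self, user_id, key, ciphertext, owner):
        self.areas.setdefault(user_id, {})[key] = (ciphertext, owner)

    def get(self, user_id, key, caller) -> bytes:
        ciphertext, owner = self.areas[user_id][key]
        if caller != owner:
            raise PermissionError(f"{caller} is shielded from data owned by {owner}")
        return ciphertext

    def delete(self, user_id, key):
        self.areas[user_id].pop(key, None)
        if not self.areas[user_id]:      # release the area's resources once it is empty
            del self.areas[user_id]


def process_request(components, enc, storage, user_id, service_id, location, payload, now):
    """Request action, then hand-off of the ciphertext to the handling action component."""
    req = find_component(components, "request", user_id, service_id, location, now)
    hdl = find_component(components, "handling", user_id, service_id, location, now)
    key = f"{service_id}:intermediate"
    storage.put(user_id, key, enc[user_id].encrypt(payload), owner=req.name)
    # Request action complete: the ciphertext passes to the handling component, which
    # becomes the only component allowed to call it from now on.
    blob = storage.get(user_id, key, caller=req.name)
    storage.put(user_id, key, blob, owner=hdl.name)
    plaintext = enc[user_id].decrypt(storage.get(user_id, key, caller=hdl.name))
    return hdl.name, plaintext


def confirm(enc, storage, user_id, service_id, completed, handler):
    """Response confirmation: delete the intermediate ciphertext, or recall it for a second handling."""
    key = f"{service_id}:intermediate"
    if completed:
        storage.delete(user_id, key)
        return None
    return enc[user_id].decrypt(storage.get(user_id, key, caller=handler))


# Constructed sample: one user with a request and a handling component for one service.
SAMPLE_COMPONENTS = [
    Component("request-A", "request", "user-1", frozenset({"svc-pay"}), frozenset({"cn-north"}), (0, 100)),
    Component("handling-A", "handling", "user-1", frozenset({"svc-pay"}), frozenset({"cn-north"}), (0, 100)),
]
SAMPLE_ENC = {"user-1": EncryptionComponent(b"\x01" * 32)}
```

The point worth checking in practice is the ownership hand-off: once the ciphertext has been passed to the handling component, a call from the request component (or any third component) against the same entry must be refused, and a request from outside a component's use range or use period must never reach the storage area at all.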
the detection unit is used for dynamically determining the corresponding detection parameters and detection rules according to the service identifier or the user identifier, determining the types and weights of the feature vectors to be extracted according to the detection parameters and detection rules, extracting the feature vectors of the data in the temporary storage area, forming a multi-dimensional detection sample from the obtained feature vectors, sending the multi-dimensional detection sample to a machine learning model, and detecting whether the multi-dimensional detection sample comprises an attack vector;
when the multi-dimensional detection sample is detected to comprise an attack vector, splitting the corresponding data into a plurality of data fragments, sending the data fragments to the machine learning model again, and detecting whether the data fragments comprise an attack vector; if a data fragment is detected to comprise an attack vector, marking the data fragment as abnormal, marking the component to which the abnormal data fragment belongs as an abnormal point, and analyzing whether a logical association exists among the plurality of abnormal data fragments; if the plurality of abnormal data fragments have a logical association, establishing a front-back association relation between the corresponding abnormal points, and marking the abnormal points as path points in an attack track;
and the defense unit is used for obtaining the attack tracks corresponding to different services or different users according to the front-back association relation and the path points, displaying the network attack surface formed by the path points and the attack track lines to form an attack tracing graph, stopping the components on the attack tracks, suspending the services corresponding to those components or re-virtualizing the components for the specified services, and notifying the users.
In some preferred embodiments, when the corresponding data is split into a plurality of data fragments, the split length may be determined according to the service type and the access action.
In some preferred embodiments, notifying the user includes one or a combination of several of instant messaging, e-mail, short message (SMS) and telephone.
In some preferred embodiments, forming the attack tracing graph further includes obtaining risk assessments and defense strategies for different services or different users, and guiding the administrator to carry out targeted risk elimination for those services or users.
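As an added illustration, not code from the patent or its applicant, the following Python walks the detection and defense path described above, including the split length chosen per service type from the preferred embodiments: per-service detection parameters select feature weights and a threshold, a flagged sample is split into fragments, fragments that still carry an attack vector mark their owning component as an abnormal point, abnormal points that follow each other in call order are linked front-to-back into an attack track, and the defense unit produces the tracing graph, stops the track's components, suspends the service and composes the user notice. The rules, split lengths, regular expressions, the weighted-sum stand-in for the machine learning model, the call-order association rule and the sample records are all constructed assumptions.

```python
# Added example, not code from the patent: feature extraction under per-service detection
# rules, fragment-level re-detection, abnormal-point linking into an attack track, and the
# defense unit's response. Rules, features, split lengths and the threshold "model" are
# constructed stand-ins for the patent's detection parameters and machine learning model.
import re

# Detection parameters chosen by service identifier: feature weights plus a threshold.
# A service missing from the table falls back to the "default" rule (assumption).
RULES = {
    "svc-pay": {"sql_tokens": 0.5, "shell_meta": 0.4, "nonprint_ratio": 0.1, "threshold": 0.4},
    "default": {"sql_tokens": 0.4, "shell_meta": 0.4, "nonprint_ratio": 0.2, "threshold": 0.6},
}
# Split length per service type when flagged data is broken into fragments (constructed).
SPLIT_LEN = {"svc-pay": 16, "default": 32}

SQL_RE = re.compile(r"(?i)\b(union|select|drop|or\s+1=1)\b")
SHELL_RE = re.compile(r"[;|`$]")


def extract_features(data: bytes) -> dict:
    """Feature vector of one piece of data: two indicator features and one ratio feature."""
    text = data.decode("latin-1")
    return {
        "sql_tokens": 1.0 if SQL_RE.search(text) else 0.0,
        "shell_meta": 1.0 if SHELL_RE.search(text) else 0.0,
        "nonprint_ratio": sum(not c.isprintable() for c in text) / max(len(text), 1),
    }


def rule_for(service_id: str) -> dict:
    return RULES.get(service_id, RULES["default"])


def has_attack_vector(data: bytes, service_id: str) -> bool:
    """Stand-in for the ML model: weighted sum of the selected features against a threshold."""
    rule = rule_for(service_id)
    sample = extract_features(data)
    score = sum(rule[name] * value for name, value in sample.items())
    return score >= rule["threshold"]


def split_fragments(data: bytes, service_id: str) -> list:
    n = SPLIT_LEN.get(service_id, SPLIT_LEN["default"])
    return [data[i:i + n] for i in range(0, len(data), n)]


def detect(records: list, service_id: str) -> dict:
    """records: (component_name, data) pairs in call order for one service.
    Returns the abnormal fragments, the abnormal points (components) and the front-back
    association edges that make up the attack track."""
    abnormal = []          # (component, fragment_index, fragment)
    for component, data in records:
        if not has_attack_vector(data, service_id):
            continue
        for idx, frag in enumerate(split_fragments(data, service_id)):
            if has_attack_vector(frag, service_id):
                abnormal.append((component, idx, frag))
    # Abnormal points: components owning at least one abnormal fragment, in call order.
    points = []
    for component, _, _ in abnormal:
        if component not in points:
            points.append(component)
    # Logical association (constructed rule): abnormal points that follow each other in
    # call order are linked front-to-back; the linked points are the path of the track.
    edges = list(zip(points, points[1:]))
    return {"abnormal_fragments": abnormal, "path_points": points, "edges": edges}


def defend(detection: dict, service_id: str, user_id: str) -> dict:
    """Defense unit: tracing graph plus the stop/suspend actions and the user notice."""
    points, edges = detection["path_points"], detection["edges"]
    graph = {"nodes": points, "edges": edges}
    notice = None
    if points:
        notice = (f"user {user_id}: service {service_id} suspended, attack track "
                  + " -> ".join(points))
    return {
        "tracing_graph": graph,
        "stopped_components": points,
        "suspended_services": [service_id] if points else [],
        "notification": notice,
    }


# Constructed sample: one service's call chain, with SQL keywords and shell metacharacters
# appearing in the data handled by two consecutive components.
SAMPLE_RECORDS = [
    ("request-A", b"amount=10&memo=hello"),
    ("handling-A", b"note=' OR 1=1 UNION SELECT 1--"),
    ("approval-A", b"cmd=ok; curl $X | sh"),
]

if __name__ == "__main__":
    print(defend(detect(SAMPLE_RECORDS, "svc-pay"), "svc-pay", "user-1"))
```

Running the same records under a service that falls back to the looser default rule produces no abnormal points, which is the effect of the "dynamically determined detection parameters": the same data is an attack vector for one service identifier and noise for another, and the defense unit acts only where the track is non-empty.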
In a specific implementation, the present invention further provides a computer storage medium, which may store a program that, when executed, may include some or all of the steps of the embodiments of the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus the required general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk and includes several instructions for enabling a computer device (which may be a personal computer, a server or a network device) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, since the system embodiments are substantially similar to the method embodiments, their description is brief, and for the relevant points reference may be made to the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. A public cloud network service management method, characterized by comprising the following steps:
receiving service information submitted by one or more user sources, wherein the service information of each user source comprises the related data of a plurality of services, and the related data comprises one or a combination of several of a request action, a handling action, a tabulation action, an approval action, a calling action, an expiration stopping action and an encryption action;
clustering and virtualizing the related data of each service into a single component according to the type of the action, and storing the component on the public cloud, wherein the component carries one or a combination of several component identifications, namely a user identification, a supportable service identification, a use range identification and a use period identification, and the corresponding component can be called only when the requirements of its component identifications are met;
one component can support multiple services, one service needs to call multiple components, and one user source comprises multiple services;
receiving a service request sent by a client, parsing the service request to obtain a service identifier, obtaining a positioning location from the client, looking up the corresponding user identifier and supportable request action component according to the service identifier and the positioning location, extracting the data in the service request, storing the data in a temporary storage area partitioned according to the user identifier, calling an encryption component supportable by the user identifier to encrypt the data, and shielding other unsupported request action components from calling the data;
after the request action is completed, the supportable request action component transmits the encrypted data to the corresponding supportable handling action component, which the request action component determines according to the service identifier, the user identifier and the positioning location;
the handling action component calls the corresponding encryption component to decrypt the data, calls one or more of the corresponding tabulation action component, approval action component and expiration stopping action component according to business needs, sends a response message to the client after completion, calls the corresponding encryption component to encrypt the intermediate data generated during handling, stores the encrypted data in the temporary storage area partitioned according to the user identifier, and shields all components other than the current handling action component from calling the data;
receiving a response confirmation message returned by the client, and parsing the response confirmation message to obtain the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is completed, the current handling action component deletes the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is not completed, the current handling action component recalls the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier for a second handling;
if the data in the temporary storage area is empty, releasing the resources of the temporary storage area;
dynamically determining the corresponding detection parameters and detection rules according to the service identifier or the user identifier, determining the types and weights of the feature vectors to be extracted according to the detection parameters and detection rules, extracting the feature vectors of the data in the temporary storage area, forming a multi-dimensional detection sample from the obtained feature vectors, sending the multi-dimensional detection sample to a machine learning model, and detecting whether the multi-dimensional detection sample comprises an attack vector;
when the multi-dimensional detection sample is detected to comprise an attack vector, splitting the corresponding data into a plurality of data fragments, sending the data fragments to the machine learning model again, and detecting whether the data fragments comprise an attack vector; if a data fragment is detected to comprise an attack vector, marking the data fragment as abnormal, marking the component to which the abnormal data fragment belongs as an abnormal point, and analyzing whether a logical association exists among the plurality of abnormal data fragments; if the plurality of abnormal data fragments have a logical association, establishing a front-back association relation between the corresponding abnormal points, and marking the abnormal points as path points in an attack track;
obtaining, according to the front-back association relation and the path points, the attack tracks corresponding to different services or different users; forming the network attack surface from the path points and the attack track lines to form an attack tracing graph; stopping the components on the attack tracks, suspending the services corresponding to those components or re-virtualizing the components for the specified services; and notifying the users.
2. The method of claim 1, wherein when the corresponding data is split into a plurality of data fragments, the split length is determined according to the service type and the access action.
3. The method according to any one of claims 1-2, wherein notifying the user comprises one or a combination of several of instant messaging, e-mail, short message and telephone.
4. The method according to any one of claims 1-3, characterized in that after the attack tracing graph is formed, the method further comprises: obtaining risk assessments and defense strategies for different services or different users, and guiding the administrator to carry out targeted risk elimination for those services or users.
5. A public cloud network service management system, characterized in that the system comprises: a component generation unit, a service processing unit, a detection unit and a defense unit;
the component generation unit is used for receiving service information submitted by one or more user sources, wherein the service information of each user source comprises the related data of a plurality of services, and the related data comprises one or a combination of several of a request action, a handling action, a tabulation action, an approval action, a calling action, an expiration stopping action and an encryption action;
clustering and virtualizing the related data of each service into a single component according to the type of the action, and storing the component on the public cloud, wherein the component carries one or a combination of several component identifications, namely a user identification, a supportable service identification, a use range identification and a use period identification, and the corresponding component can be called only when the requirements of its component identifications are met;
one component can support multiple services, one service needs to call multiple components, and one user source comprises multiple services;
the service processing unit is used for receiving a service request sent by a client, parsing the service request to obtain a service identifier, obtaining a positioning location from the client, looking up the corresponding user identifier and supportable request action component according to the service identifier and the positioning location, extracting the data in the service request, storing the data in a temporary storage area partitioned according to the user identifier, calling the encryption component supportable by that user identifier to encrypt the data, and shielding the other supportable request action components from calling the data;
after the request action is completed, the supportable request action component transmits the encrypted data to the corresponding supportable handling action component, which the request action component determines according to the service identifier, the user identifier and the positioning location;
the handling action component calls the corresponding encryption component to decrypt the data, calls one or more of the corresponding tabulation action component, approval action component and expiration stopping action component according to business needs, sends a response message to the client after completion, calls the corresponding encryption component to encrypt the intermediate data generated during handling, stores the encrypted data in the temporary storage area partitioned according to the user identifier, and shields all components other than the current handling action component from calling the data;
receiving a response confirmation message returned by the client, and parsing the response confirmation message to obtain the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is completed, the current handling action component deletes the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier; if the response confirmation message indicates that receipt of the service is not completed, the current handling action component recalls the intermediate data ciphertext from the temporary storage area according to the service identifier and the user identifier for a second handling;
if the data in the temporary storage area is empty, releasing the resources of the temporary storage area;
the detection unit is used for dynamically determining the corresponding detection parameters and detection rules according to the service identifier or the user identifier, determining the types and weights of the feature vectors to be extracted according to the detection parameters and detection rules, extracting the feature vectors of the data in the temporary storage area, forming a multi-dimensional detection sample from the obtained feature vectors, sending the multi-dimensional detection sample to a machine learning model, and detecting whether the multi-dimensional detection sample comprises an attack vector;
when the multi-dimensional detection sample is detected to comprise an attack vector, splitting the corresponding data into a plurality of data fragments, sending the data fragments to the machine learning model again, and detecting whether the data fragments comprise an attack vector; if a data fragment is detected to comprise an attack vector, marking the data fragment as abnormal, marking the component to which the abnormal data fragment belongs as an abnormal point, and analyzing whether a logical association exists among the plurality of abnormal data fragments; if the plurality of abnormal data fragments have a logical association, establishing a front-back association relation between the corresponding abnormal points, and marking the abnormal points as path points in an attack track;
and the defense unit is used for obtaining the attack tracks corresponding to different services or different users according to the front-back association relation and the path points, displaying the network attack surface formed by the path points and the attack track lines to form an attack tracing graph, stopping the components on the attack tracks, suspending the services corresponding to those components or re-virtualizing the components for the specified services, and notifying the users.
6. The system of claim 5, wherein when the corresponding data is split into a plurality of data fragments, the split length is determined according to the service type and the access action.
7. The system according to any one of claims 5-6, wherein notifying the user comprises one or a combination of several of instant messaging, e-mail, short message and telephone.
8. The system according to any one of claims 5-7, wherein forming the attack tracing graph further comprises: obtaining risk assessments and defense strategies for different services or different users, and guiding the administrator to carry out targeted risk elimination for those services or users.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010591313.4A CN111786981B (en) 2020-06-24 2020-06-24 Public cloud network service management method and system

Publications (2)

Publication Number Publication Date
CN111786981A true CN111786981A (en) 2020-10-16
CN111786981B CN111786981B (en) 2022-03-25

Family

ID=72759743

Country Status (1)

Country Link
CN (1) CN111786981B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102222005A (en) * 2011-07-12 2011-10-19 铜陵玉成软件科技有限责任公司 Service model-oriented software running platform and running mode thereof
CN103096030A (en) * 2011-11-03 2013-05-08 中国移动通信集团江苏有限公司 Video monitoring multi-service convergence platform and solution
CN107766205A (en) * 2017-10-10 2018-03-06 武汉大学 A kind of monitoring system and method towards the tracking of micro services invoked procedure
US20190370477A1 (en) * 2017-05-17 2019-12-05 Threatmodeler Software Inc. Systems & Methods for Automated Threat Model Generation from Third Party Diagram Files
CN111176795A (en) * 2020-01-09 2020-05-19 武汉思普崚技术有限公司 Dynamic migration method and system of distributed virtual network
CN111212079A (en) * 2020-01-09 2020-05-29 武汉思普崚技术有限公司 Service-based micro-isolation flow traction method and system
CN111224989A (en) * 2020-01-09 2020-06-02 武汉思普崚技术有限公司 Attack surface protection method and system for virtual micro-isolation network
CN111262840A (en) * 2020-01-09 2020-06-09 武汉思普崚技术有限公司 Attack plane transfer method and system of virtual network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 100053 Room 303, 3 / F, 315 guanganmennei street, Xicheng District, Beijing
Applicant after: Safety capability ecological aggregation (Beijing) Operation Technology Co.,Ltd.
Address before: 100053 Room 303, 3 / F, 315 guanganmennei street, Xicheng District, Beijing
Applicant before: Beijing fuyun'an Operation Technology Co.,Ltd.
GR01 Patent grant