CN111831275B - Method, server, medium and computer equipment for arranging micro-scene script - Google Patents


Info

Publication number
CN111831275B
Authority
CN
China
Prior art keywords
function block
function
action
micro
scene
Legal status
Active
Application number
CN202010675633.8A
Other languages
Chinese (zh)
Other versions
CN111831275A (en)
Inventor
浦明
阮博男
刘文懋
赵粤征
郭兰杰
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Events
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202010675633.8A
Publication of CN111831275A
Application granted
Publication of CN111831275B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/30 Creation or generation of source code
    • G06F 8/34 Graphical or visual programming
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F 3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F 3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F 3/0484 Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
    • G06F 3/0486 Drag-and-drop
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application provides a method, a server, a medium and computer equipment for arranging micro-scene scripts. The method comprises: receiving a start function block for any type of micro-scene, the start function block being associated with a start function body; receiving a corresponding filter function block, the filter function block being associated with a filter function body; receiving a corresponding action function block, the action function block being associated with an action function body; receiving an end function block, the end function block being associated with an end function body; and generating the script corresponding to the micro-scene from the start function block, the filter function block, the action function block and the end function block. Because each function block is associated with its corresponding function body, the micro-scene script can be arranged by dragging the corresponding function blocks. Generating the script by building function blocks on the programming interface requires no large amount of hand-written code, so the complicated coding process is separated out and the complexity and difficulty of programming the micro-scene script are reduced.

Description

Method, server, medium and computer equipment for arranging micro-scene script
Technical Field
The application belongs to the technical field of network security, and particularly relates to a method, a server, a medium and computer equipment for arranging micro-scene scripts.
Background
In the internet field, various security risks may arise in a running system; such a risk is generally called a security event, for example a network attack, virus intrusion or cryptomining, and each security event may be regarded as a micro-scene. To keep the system running securely, scripts based on the concept of Security Orchestration, Automation and Response (SOAR) are generally arranged in advance for security protection, so as to handle the various security risks.
The core idea of SOAR is to collect security threat and information data from different data sources, analyze and classify incidents, and, once a security event is confirmed, execute the processing logic of a script to form a response action, which is sent to security devices for a linked response; this realizes a standard reaction to the security event and forms a standardized response flow for it.
However, in the prior art the code of a micro-scene script is usually entered manually by the user. Arranging a micro-scene involves scheduling multiple scripts, the writing process is complex, and for users without strong programming skills the writing is difficult and error-prone, so writing efficiency and accuracy are hard to ensure.
Disclosure of Invention
To address the problems in the prior art, the embodiments of the application provide a method, a server, a medium and computer equipment for arranging micro-scene scripts, which solve the technical problem that, in the prior art, arrangement efficiency and accuracy cannot be ensured because script code is written manually when arranging micro-scene scripts.
In a first aspect of the present application, there is provided a method of arranging a micro-scene script, the method comprising:
for any type of micro-scene, receiving a start function block, the start function block being associated with a start function body in a function template library;
receiving a corresponding filter function block, comprising at least one filter function block, each associated with a filter function body in the function template library, wherein the filter function body is used to filter the data source information of the micro-scene to obtain the security log information corresponding to the micro-scene and to generate a security event based on that security log information;
receiving a corresponding action function block, comprising at least one action function block, each associated with an action function body in the function template library, wherein the action function body comprises an execution action for responding to the security event;
receiving an end function block, the end function block being associated with an end function body in the function template library;
generating the script corresponding to the micro-scene from the start function block, the filter function block, the action function block and the end function block; the filter function blocks and the action function blocks are draggable function blocks on a programming interface.
Optionally, before the receiving the start function block, the method further includes:
mapping the starting function body with an API of a preset first user interface, wherein the first user interface is a user interface corresponding to the starting function block;
mapping the filtering function body with an API of a preset second user interface, wherein the second user interface is a user interface corresponding to the filtering function block;
mapping the action function body with a preset API of a third user interface; the third user interface is a user interface corresponding to the action function block;
mapping the ending function body with a preset API of a fourth user interface; and the fourth user interface is a user interface corresponding to the ending function block.
Optionally, before mapping the action function body with the API of the preset third user interface, the method further includes:
receiving at least one preset plug-in;
calling an API of the at least one plug-in to obtain the action function body corresponding to a security device, together with the IP address and ID of that security device, wherein the security device is the device that executes the action function body.
Optionally, after receiving the filter function block, the method includes:
receiving a first configuration parameter for the filter function block;
displaying the first configuration parameters in a first configuration parameter page of the filter function block; the first configuration parameters include: scene type of the micro scene.
Optionally, after receiving the corresponding action function block, the method further includes:
popping up a second parameter configuration page according to the received parameter configuration instruction;
receiving a second configuration parameter for the corresponding action function block;
displaying the second configuration parameters in the second parameter configuration page; the second configuration parameters include an identification of the object to be executed in the action function block, wherein the object to be executed is determined according to the type of the action function body.
Optionally, after receiving the corresponding action function block, the method further includes:
capturing an event object whose event type is a move event, based on the monitored event corresponding to the current action function block;
obtaining the parent node ID attribute of the event object;
looking up the corresponding action function block name in a preset cache based on the parent node ID attribute, and setting the found action function block name as the value of the parent block attribute of the current action function block; the names of received action function blocks are stored in the cache.
Optionally, after generating the script corresponding to the micro-scene from the start function block, the filter function block, the action function block and the end function block, the method further includes:
when the security event corresponding to a micro-scene is received, searching for the script corresponding to the security event;
creating a corresponding subprocess for each script, and calling the corresponding script entry function from each subprocess so as to load the script corresponding to each micro-scene;
when executing the scripts in parallel, calling a preset toolkit to create at least one sub-thread for the subprocess of each script, and returning to the main thread of the toolkit;
executing each action function body in the corresponding script on the at least one sub-thread.
In a second aspect of the present application, there is provided a server for arranging a micro-scene script, the server comprising:
a first receiving unit, configured to receive a start function block for any type of micro-scene, where the start function block is associated with a start function body of a function template library;
a second receiving unit, configured to receive a corresponding filter function block, comprising at least one filter function block, each associated with a filter function body in the function template library, where the filter function body is used to filter the data source information of the micro-scene to obtain the security log information corresponding to the micro-scene and to generate a security event based on that security log information;
a third receiving unit, configured to receive a corresponding action function block, comprising at least one action function block, each associated with an action function body in the function template library, where the action function body comprises an execution action for responding to the security event; the filter function block and the action function block are draggable function blocks;
a fourth receiving unit, configured to receive an end function block, where the end function block is associated with an end function body in the function template library;
a generating unit, configured to generate the script corresponding to the micro-scene from the start function block, the filter function block, the action function block and the end function block.
In a third aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method according to any of the first aspects.
In a fourth aspect of the present application, there is provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of the first aspects when executing the program.
When the micro-scene is arranged, an association exists between each function block and its corresponding function body, so the micro-scene can be arranged by dragging the filter function blocks and the action function blocks (the start function block and the end function block are placed on the arrangement interface by default). With this way of generating the script by assembling function blocks on the programming interface, much like building blocks, the user only needs to consider the logical relations between the function blocks during assembly and does not need to enter a large amount of code, so the complicated coding process is eliminated, the complexity and difficulty of arranging the micro-scene script are reduced, and the accuracy and efficiency of the arrangement can be further improved.
Drawings
Fig. 1 is a schematic flow chart of a method for arranging a micro-scene script according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a script constructed when the micro-scene type is ransomware according to an embodiment of the present application;
Fig. 3 is an illustration of the toolbar on a micro-scene orchestration interface according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the first parameter configuration page of a filter function block according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of the filter function body in the Wannacry ransomware scene according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a killprocess action function block according to an embodiment of the present application;
Fig. 7 is a schematic diagram of the second parameter configuration page corresponding to a killprocess action function block according to an embodiment of the present application;
Fig. 8 is an interface schematic diagram of the script code generated from the assembled function blocks according to an embodiment of the present application;
Fig. 9 is a schematic flow chart of responding to a security event based on an arranged micro-scene according to an embodiment of the present application;
Fig. 10 is a schematic diagram of the structure of a server for arranging a micro-scene script according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a computer device for arranging a micro-scene script according to an embodiment of the present application;
Fig. 12 is a schematic diagram of the structure of a computer medium for arranging a micro-scene script according to an embodiment of the present application.
Detailed Description
The application addresses the technical problem that, in the prior art, micro-scene scripts are written by entering script code manually, so that writing efficiency and accuracy cannot be ensured. It provides a method, a server, a medium and computer equipment for arranging micro-scene scripts, wherein the method comprises: for any type of micro-scene, receiving a start function block, the start function block being associated with a start function body in a function template library; receiving a corresponding filter function block, comprising at least one filter function block, each associated with a filter function body in the function template library, where the filter function body is used to filter the data source information of the micro-scene to obtain the security log information corresponding to the micro-scene and to generate a security event based on that security log information; receiving a corresponding action function block, comprising at least one action function block, each associated with an action function body in the function template library, where the action function body comprises an execution action for responding to the security event; receiving an end function block, the end function block being associated with an end function body in the function template library; and generating the script corresponding to the micro-scene from the start function block, the filter function block, the action function block and the end function block; the filter function block and the action function block are draggable function blocks.
The technical scheme of the present application is further described in detail through the accompanying drawings and specific embodiments.
The micro-scene script arranged by this method is realized mainly on the basis of the SOAR concept: when a security event is handled automatically in a standardized way, the logic of the corresponding script is generally fixed in advance, and a SOAR-based execution engine executes that logic. A script typically contains all the Action functions that handle a security event in a micro-scene, combined in series or in parallel, so as to implement the automatic handling of the security event in that micro-scene.
It can be seen that arranging micro-scene scripts is an important factor in automatically responding to security events in the various types of micro-scenes; only when a suitable script has been arranged for each micro-scene can the security events in those micro-scenes be handled efficiently and automatically.
To reduce the difficulty and complexity of entering script code by hand when arranging a micro-scene script, and to improve arrangement efficiency and accuracy, a method for arranging micro-scene scripts is provided; the first embodiment is described in detail below.
Example 1
This embodiment provides a method for arranging a micro-scene script. It is a visual arranging method and mainly consists of building, by dragging, the various function blocks that the micro-scene script requires on an arrangement interface, so as to build the script; the orchestration interface is a Web interface. As shown in fig. 1, the method includes:
S110, receiving a start function block for any type of micro-scene, wherein the start function block is associated with a start function body in a function template library;
Generally, a script is an executable piece of python code whose content typically comprises four kinds of function: a start function on_start, an end function on_finish, a filter function Filter and an action function Action. Different types of micro-scene correspond to different scripts; across the different scripts the start function and the end function are the same and each appears once, whereas the filter functions and action functions may differ and may be several. For example, micro-scene types may include worm viruses, cryptomining viruses, network attacks, remote trojans, etc.
When the micro-scene script is arranged, the corresponding function blocks need to be built according to this content structure of the script.
Specifically, in order to implement setting up a scenario by dragging a function block, before receiving a start function block, the method further includes:
mapping the starting function body with a preset API of a first user interface so that the starting function body can be associated with the first user interface, wherein the first user interface is a user interface corresponding to a starting function block;
mapping the filtering function body with a preset API of a second user interface so that the filtering function body can be associated with the second user interface, wherein the second user interface is a user interface corresponding to the filtering function block;
mapping the action function body with a preset API of a third user interface so that the action function body can be associated with the third user interface; the third user interface is a user interface corresponding to the action function block;
mapping the ending function body with a preset API of the fourth user interface so that the ending function body can be associated with the fourth user interface; the fourth user interface is the user interface corresponding to the ending function block.
Thus, the filter function block and the action function block become draggable function blocks. The start function block, the filter function block, the action function block and the end function block are shown in fig. 2. In fig. 2, a symbol 21 represents a start function block, a symbol 22 represents a filter function block, a symbol 23 represents an action function block, and a symbol 24 represents an end function block.
When a user builds the micro-scene script, a corresponding function block can be selected from a toolbar on the visual arrangement interface for building; wherein a schematic diagram of the toolbar is shown in fig. 3.
As an alternative embodiment, before mapping the action function body with the API of the preset third user interface, the method further includes:
receiving at least one preset plug-in;
calling the API of the at least one plug-in to obtain the action function body corresponding to a security device, together with the IP address and identification ID of that security device.
A security device is a device that executes the action function body and finally realizes the linked response to the security event. Security devices may include terminal devices (computers, mobile phones, tablets, etc.) and network devices (hubs, routers, gateways, repeaters, etc.).
Specifically, before mapping the action function body to the preset API of the third user interface, all action function bodies contained in each security device need to be acquired first, so that the action function body and the API of the third user interface can be mapped.
Because SOAR supports action function bodies in the form of plug-ins, each plug-in predefines the security devices of the corresponding type of micro-scene and the action function bodies each of those devices has to execute; the application therefore obtains the corresponding action function bodies from the preset plug-ins, with one plug-in corresponding to one security device. The user can import at least one plug-in in advance; when the server receives the plug-in(s), it calls the API of each plug-in to obtain the action function bodies under the corresponding security device and that device's IP address and ID, so that the security device IP and ID corresponding to each action function body can finally be determined. For example, if the action function body is killprocess, the corresponding security devices include a big data analysis platform, a terminal laboratory, a firewall system and an intelligent security operation platform; the IP of the big data analysis platform is 192.168.19.38 (ID 88), the IP of the terminal laboratory is 10.65.150.52 (ID 86), the IP of the firewall system is 10.65.132.252 (ID 85), and the IP of the intelligent security operation platform is 10.65.133.17 (ID 83).
Referring to fig. 3, the plug-in is displayed as the first level of the toolbar, and the second level shows the action function bodies included in the security device corresponding to that plug-in. The following is the JSON data of a set of action function bodies obtained through one plug-in:
[JSON listing shown only as an image in the original patent]
here, the start function body may be understood as a function body corresponding to the start function, the filter function body may be understood as a function body corresponding to the filter function, the action function body may be understood as a function body corresponding to the action function, and the end function body may be understood as a function body corresponding to the end function.
When arranging the micro-scene script, the user can drag the start function block from the visual toolbar for any type of micro-scene; when the start function block is dragged onto the arrangement interface, the server receives it, and because the start function block is associated with the start function body in the function template library, the start function body can be obtained from the start function block. The function template library contains the start function body, the filter function bodies, the action function bodies and the end function body, each of which is pre-written.
It should be noted that, because the start function is the same for all types of micro-scene, the start function block can also be preset on the programming interface when the micro-scene script arrangement is initialized, so the user does not need to drag it.
S111, receiving a corresponding filter function block, comprising at least one filter function block, each associated with a filter function body of the function template library, wherein the filter function body is used to filter the data source information of the micro-scene to obtain the security log information corresponding to the micro-scene and to generate a security event based on that security log information;
Likewise, because the script structure also contains a filter function, the user also has to drag a filter function block from the toolbar, whereupon the server receives the filter function block; the filter function block is associated with a filter function body in the function template library, and the filter function body filters the data source information of the micro-scene to obtain the security log information under the corresponding micro-scene and generates a security event from it.
For example, if the micro-scene is a remote-trojan event, the data source information of the event is filtered to obtain the security log information related to the trojan event, that log information is matched against a preset event rule, and if the match succeeds a security event is generated.
Since there are multiple micro-scene types, in order to determine the filter function body that fits the corresponding micro-scene type, as an alternative embodiment, after receiving the corresponding filter function block the method further includes:
receiving a first configuration parameter for the filter function block;
displaying the first configuration parameter in a first parameter configuration page of the filter function block; the first configuration parameter includes the scene type of the micro-scene.
Referring to fig. 4, the server receives the first configuration parameter that the user enters in the first parameter configuration page 41 of fig. 4. For example, if the micro-scene type is ransomware, the first configuration parameter may be Wannacry.
After the first configuration parameter has been received, the filter function body suited to the micro-scene is matched in the filter function body database according to the first configuration parameter.
Here, referring to fig. 5, fig. 5 shows the filter function body required in the Wannacry ransomware scene; it can be seen that the structure of the filter function body in this scene has three parts: the filter body 51, a first filter condition (condition) and a second filter condition (subcondition). In practical use, the data source information in the micro-scene is filtered by setting the specific contents of the condition and the subcondition.
The structure of the filter function block has to correspond to the structure of the filter function body. Continuing with fig. 2, reference numeral 22 denotes the second user interface, which comprises three sub-interfaces: the data-source-satisfied interface 211, the condition rule interface 212 and the sub-condition logic relation interface 213. The data-source-satisfied interface 211 is associated with the function corresponding to the filter body 51 of the filter function body, the condition rule interface 212 with the function corresponding to the first filter condition (condition), and the sub-condition logic relation interface 213 with the function corresponding to the second filter condition (subcondition). Thus, when the micro-scene script is built by dragging the filter function block, the filter function body corresponding to that block is obtained accordingly.
Since a script may need to include several groups of filter functions, it may contain several filter bodies, several first filter conditions (conditions) and several second filter conditions (subconditions); when the user drags several filter function blocks, the server numbers them in order when it later generates and displays the corresponding filter function bodies. For example, if the user drags two filter function blocks, the filter function bodies are displayed as filter_1 and filter_2.
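The three-part filter structure just described (filter body bound to a data source, a condition, and a sub-condition joined by an and/or logic relation), evaluated over constructed sample logs to produce a security event. This is an added Python example, not the patent's code; the record field names, the operator set and the rule values are assumptions made up for the illustration:

```python
from dataclasses import dataclass
import operator

# Comparison operators a condition may use (assumed set; the patent does not list them).
OPS = {
    "eq": operator.eq,
    "gt": operator.gt,
    "contains": lambda value, needle: needle in str(value),
}


@dataclass
class FieldRule:
    """One rule of the form <log field> <op> <value>."""
    field: str
    op: str
    value: object

    def matches(self, record):
        # A record that lacks the field never matches.
        return self.field in record and OPS[self.op](record[self.field], self.value)


@dataclass
class SubCondition:
    """Second filter condition: several field rules joined by an and/or logic relation."""
    logic: str
    rules: list

    def matches(self, record):
        hits = [rule.matches(record) for rule in self.rules]
        return all(hits) if self.logic == "and" else any(hits)


@dataclass
class FilterBody:
    """Filter function body: filter body (data source) + condition + sub-condition."""
    scene_type: str        # first configuration parameter, e.g. "Wannacry"
    data_source: str       # the data source the filter body consumes
    condition: FieldRule
    subcondition: SubCondition

    def filter_logs(self, records):
        """Keep only records of this data source that satisfy both conditions."""
        return [
            r for r in records
            if r.get("source") == self.data_source
            and self.condition.matches(r)
            and self.subcondition.matches(r)
        ]

    def run(self, records):
        """Return a security event built from the matching security logs, or None."""
        logs = self.filter_logs(records)
        if not logs:
            return None
        return {
            "scene_type": self.scene_type,
            "log_count": len(logs),
            "hosts": sorted({r["host"] for r in logs}),
        }


# Constructed sample records; field names and values are invented for this example.
SAMPLE_LOGS = [
    {"source": "endpoint", "host": "pc-01", "event": "mass_file_rename", "count": 350, "ext": ".locked"},
    {"source": "endpoint", "host": "pc-01", "event": "process_start", "count": 1, "ext": ""},
    {"source": "endpoint", "host": "pc-07", "event": "mass_file_rename", "count": 12, "ext": ".bak"},
    {"source": "netflow", "host": "pc-02", "event": "mass_file_rename", "count": 900, "ext": ".locked"},
    {"source": "endpoint", "host": "pc-09", "event": "mass_file_rename", "count": 500, "ext": ".locked"},
]

# Filter body for a ransomware micro-scene: endpoint logs, a burst of renames, and a
# suspicious extension; the netflow record is dropped by the data-source check.
RANSOMWARE_FILTER = FilterBody(
    scene_type="Wannacry",
    data_source="endpoint",
    condition=FieldRule("event", "eq", "mass_file_rename"),
    subcondition=SubCondition("and", [
        FieldRule("count", "gt", 100),
        FieldRule("ext", "eq", ".locked"),
    ]),
)

if __name__ == "__main__":
    print(RANSOMWARE_FILTER.run(SAMPLE_LOGS))
```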
S112, receiving a corresponding action function block; the action function block comprises at least one action function block, the action function block is associated with an action function body of a function template library, and the action function body comprises an execution action for responding to the security event;
For the same reason, because the script structure further includes action functions, the user also needs to drag action function blocks onto the programming interface, so that the server receives the corresponding action function blocks. At least one action function block is received; each action function block is associated with an action function body of the function template library, and the action function body includes an execution action for automatically responding to the security event.
As an alternative embodiment, after receiving the corresponding action function block, the method further includes:
popping up a second parameter configuration page according to the received parameter configuration instruction;
receiving a second configuration parameter for the corresponding action function block;
displaying the second configuration parameters in the second parameter configuration page; the second configuration parameters include the identification of the object to be executed in the action function block. The object to be executed is determined by the type of the action function body: for example, if the action function body is killprocess, the object to be executed may include the process IP; if the action function body is delete_file, the object to be executed may include the file name.
Specifically, referring to fig. 6, fig. 6 is a killprocess action function block. When a parameter configuration instruction input by the user is received, a second parameter configuration page is popped up, shown in fig. 7. As can be seen from fig. 7, the second parameter configuration page includes an asset list configuration page and an object-to-be-executed configuration page; the second configuration parameters include the asset list and the object to be executed, where the asset list is the device IPs of all security devices corresponding to the action function body.
Here, since the plug-in can determine the IP and ID of all security devices corresponding to a given action function body, the asset list is acquired automatically from the plug-in and does not require user configuration; the object to be executed is the parameter that requires user configuration. As can be seen from fig. 7, the object to be executed is endpoint_ip.
To allow the asset list and the object to be executed to be configured at the same time, the variables corresponding to the asset list and the variables corresponding to the object to be executed are placed together in a preset component for processing, so that the second parameter configuration page comprises both the asset list configuration page and the object-to-be-executed configuration page. The component may be an ant-design component.
Because a scenario may include a plurality of action functions, and each action function has a logical association with the others, in order to preserve the association logic between the action function blocks dragged onto the orchestration interface, as an alternative embodiment, after receiving a corresponding action function block, the method further includes:
for any current action function block, capturing an event object whose event type is move, based on the monitoring event corresponding to the current action function block;
obtaining the parent node ID attribute of the event object;
searching a preset cache for the corresponding action function block name based on the parent node ID attribute, and setting the found action function block name as the value of the parent block attribute parentActionName of the current action function block; the name of each received action function block and its second configuration parameters are stored in the cache.
If the parameter information of the previous-stage action function block of the current action function block needs to be obtained, the previous-stage action function block is looked up in the cache according to the value of the parentActionName attribute of the current block, and its parameter information is obtained from there.
S113, receiving an ending function block, wherein the ending function block is associated with an ending function body of a function template library;
because the structure of the script comprises the ending function, the user also needs to drag the ending function block to the programming interface, and the ending function block is associated with the ending function of the function template library. The server may receive an end function block.
It should be noted that, because the end function is the same for different types of micro scenes, when the micro scene scenario is initialized, the end function block may be preset in the programming interface, and the user does not need to drag the end function block any more.
S114, generating a script corresponding to the micro scene according to the starting function block, the filtering function block, the action function block and the ending function block.
Dragging the start function block, the filter function block, the action function block and the end function block onto the programming interface completes the building of the script. When the micro scene type is ransomware, the finally built scenario is shown in fig. 2.
And receiving a generating instruction, and generating a script corresponding to the micro scene based on the starting function block, the filtering function block, the action function block and the ending function block according to the generating instruction.
Specifically, a start function body is obtained based on the mapping relation between the start function block and the start function body; obtaining a filtering function body based on the mapping relation between the filtering function block and the filtering function body; obtaining an action function body based on the mapping relation between the action function block and the action function body; obtaining an end function body based on the mapping relation between the end function block and the end function body; this converts the corresponding function block into the corresponding code. Wherein the converted code is shown in fig. 8.
With continued reference to fig. 8, the converted code is the script content shown in fig. 8, and the user may add a name, labels, status and owner information to the generated script and then submit it. After the server receives the name, labels, status and owner information of the script, it submits the script to the script micro scene library according to the received submit instruction.
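As an added example (not the patent's own code, and not the code of fig. 8), the following shows how the block-to-function-body mapping of S114 turns a list of dragged blocks into a Python script, checks that the generated source parses, and runs it on constructed records. The template strings, the block dictionary shape (`kind`, `params`) and the sample records are this example's own assumptions; the page only states that a script consists of on_start, on_finish, Filter and Action functions.

```python
import ast
from typing import List

# Function-body templates standing in for the function template library (constructed
# for this example; the page shows only that a script consists of on_start,
# on_finish, Filter and Action functions).
START_BODY = "def on_start(ctx):\n    ctx['events'] = []\n    return ctx\n"
END_BODY = "def on_finish(ctx):\n    return ctx.get('results', [])\n"

FILTER_TEMPLATE = (
    "def {name}(record):\n"
    "    # filter body: the data source must be {source!r}\n"
    "    if record.get('log_type') != {source!r}:\n"
    "        return False\n"
    "    condition = {condition}\n"
    "    subcondition = {subcondition}\n"
    "    return condition {logic} subcondition\n"
)

ACTION_TEMPLATE = (
    "def {name}(ctx, event, asset_list={assets!r}):\n"
    "    # execution action {action!r}; the object to be executed is read from the event\n"
    "    {param} = event.get({field!r})\n"
    "    result = {{'action': {action!r}, 'assets': asset_list, {param!r}: {param}}}\n"
    "    ctx.setdefault('results', []).append(result)\n"
    "    return result\n"
)


def generate_script(blocks: List[dict]) -> str:
    """Walk the dragged blocks in order, map each to its function body and emit the source."""
    parts: List[str] = []
    n_filter = n_action = 0
    for blk in blocks:
        kind = blk["kind"]
        if kind == "start":
            parts.append(START_BODY)
        elif kind == "filter":
            n_filter += 1  # filter bodies are numbered filter_1, filter_2, ... as the page says
            parts.append(FILTER_TEMPLATE.format(name=f"filter_{n_filter}", **blk["params"]))
        elif kind == "action":
            n_action += 1
            name = f"{blk['params']['action']}_{n_action}"
            parts.append(ACTION_TEMPLATE.format(name=name, **blk["params"]))
        elif kind == "end":
            parts.append(END_BODY)
        else:
            raise ValueError(f"unknown block kind {kind!r}")
    return "\n".join(parts)


def defined_functions(source: str) -> List[str]:
    """Parse the generated source and return the function names it defines (sanity check)."""
    return [n.name for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]


def run_generated(source: str, records: List[dict]) -> list:
    """Execute the generated script: on_start, every filter per record, actions on matches, on_finish."""
    ns: dict = {}
    exec(compile(source, "<generated>", "exec"), ns)
    names = defined_functions(source)
    filters = [ns[n] for n in names if n.startswith("filter_")]
    actions = [ns[n] for n in names
               if n not in ("on_start", "on_finish") and not n.startswith("filter_")]
    ctx = ns["on_start"]({})
    for rec in records:
        if any(f(rec) for f in filters):   # a security event is generated
            ctx["events"].append(rec)
            for act in actions:
                act(ctx, rec)
    return ns["on_finish"](ctx)


# Constructed blocks for a ransomware-style scenario; the device IP is one the page lists.
WANNACRY_BLOCKS = [
    {"kind": "start", "params": {}},
    {"kind": "filter", "params": {"source": "host",
                                  "condition": "record.get('process') == 'unknown.exe'",
                                  "subcondition": "record.get('cpu', 0) > 90",
                                  "logic": "and"}},
    {"kind": "action", "params": {"action": "killprocess", "assets": ("10.65.150.52",),
                                  "param": "endpoint_ip", "field": "host"}},
    {"kind": "action", "params": {"action": "delete_file", "assets": ("10.65.150.52",),
                                  "param": "file_name", "field": "file"}},
    {"kind": "end", "params": {}},
]

# Constructed data-source records.
SAMPLE_RECORDS = [
    {"log_type": "host", "host": "10.0.0.5", "process": "unknown.exe", "cpu": 97, "file": "/tmp/payload.bin"},
    {"log_type": "host", "host": "10.0.0.6", "process": "notepad.exe", "cpu": 3, "file": ""},
    {"log_type": "network", "host": "10.0.0.7", "src": "10.0.0.5"},
]
```

Because the generated source is produced by templates rather than typed by the user, the `ast.parse` check in `defined_functions` is the cheap place to catch a malformed condition string before the script is submitted to the library.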
For micro scenes of various types, the micro scene scripts can be arranged with the same method, and finally a script micro scene library is formed, so that large-scale security events can be handled with ease.
The method for arranging micro scenes provided by this embodiment provides an arranging interface, abstracts the functions included in a script into function blocks of different types, and, because of the association between each function block and its corresponding function body, arranges the micro scene script by dragging a start function block, a filter function block, an action function block and an end function block. With this method of generating a script by assembling function blocks (similar to building blocks) on the programming interface, the user only needs to consider the logic between the function blocks during assembly, does not need to enter a large amount of code, is freed from a complex coding process and can focus on implementing the logic; this reduces the complexity and difficulty of arranging the micro scene script, improves the accuracy and efficiency of the arrangement, and saves time. Moreover, the output at the end of the assembly flow is an understandable function block puzzle together with the code generated from it, so the user can operate on the function blocks at any time, the generated code changes in real time, and backtracking is convenient.
Here, in order to cope with a large-scale security event, as an alternative embodiment, after generating a scenario corresponding to the micro-scenario according to the start function block, the filter function block, the action function block, and the end function block, the method further includes:
When receiving the security event corresponding to each micro scene, storing the security event into a preset event queue;
sequentially extracting security events to be processed from an event queue based on a preset extraction strategy, and searching the scenario corresponding to each micro scene;
creating a corresponding subprocess for each scenario, and calling a corresponding scenario entry function based on each subprocess so as to load the scenario corresponding to each micro-scenario;
when executing each script in parallel, calling a preset toolkit to create at least one sub-thread for the sub-process of each script, and returning to the main thread of the toolkit; the toolkit may be an SDK;
and executing each action function body in the corresponding script based on the at least one sub-thread so as to request to call the external security equipment to respond to the corresponding security event by utilizing the action function body.
Here, a service based on the Remote Procedure Call (RPC) protocol receives the security event, and after receiving it does not process it immediately but stores it in a preset event queue. When security events are processed, they are extracted sequentially according to the extraction strategy so that none is missed.
For any type of micro-scene, after the scenario corresponding to the micro-scene is found, a corresponding sub-process is required to be created for each scenario, and a corresponding scenario entry function is called based on each sub-process so as to dynamically load the scenario corresponding to each micro-scene in the corresponding sub-process. Thus, if there are multiple scripts, the multiple scripts can be executed in parallel.
Meanwhile, considering that the storage capacity and the computing capacity of the hardware deployment environment are different, before creating a corresponding sub-process for each scenario in order to ensure the optimal processing capacity, the method further comprises:
judging whether the number of the obtained scripts reaches a preset script number threshold, if so, controlling the subsequent scripts to be in a blocking waiting state until the execution of the existing scripts is finished; the preset script quantity threshold value can be determined according to the maximum value of the script quantity which can be executed by the hardware system at the same time.
For any scenario, when an action function in the scenario is executed, an execution function in the toolkit is called to create at least one sub-thread for the sub-process of the scenario. For example, if a scenario includes n action functions Action1, Action2, ..., ActionN that need to be executed in parallel, then n sub-threads are created for the sub-process of the scenario.
It is noted that, after a sub-thread is created for the current action function (Action1), the main thread of the toolkit needs to be returned to immediately, so that the control flow for creating sub-threads is handed back to the sub-process of the script and a sub-thread is created immediately for Action2. The successful creation times of the sub-thread corresponding to Action1 and the sub-thread corresponding to Action2 then differ by only a few ms, and the several sub-threads corresponding to the script can be executed in parallel.
In this way, multiple scenarios may be executed in parallel, and the action functions in each scenario may also be executed in parallel, thus enabling automatic response to large-scale security events.
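The queue-and-parallel-execution design of the preceding steps, as an added example that is not part of the patent or the NSFOCUS product: events are queued and drained in FIFO order (the "extraction strategy"), a bounded semaphore plays the role of the preset script-number threshold so that scenarios beyond it block and wait, each scenario gets its own worker, and each action function in a scenario runs in its own sub-thread. Threads stand in for the sub-processes the page describes so that the example runs anywhere without a process pool; the scenario registry, the event shape and the action stubs are constructed for this example and only record what they would ask a security device to do.

```python
import queue
import threading
import time
from typing import Callable, Dict, List


def _act(name: str) -> Callable[[dict], dict]:
    """Constructed action function body: stands in for a call to an external security device."""
    def action(event: dict) -> dict:
        time.sleep(0.01)  # stand-in for the device round trip
        return {"action": name, "target": event["target"]}
    return action


# Scenario registry: micro-scene type -> action functions of its script (constructed).
SCENARIOS: Dict[str, List[Callable[[dict], dict]]] = {
    "mining_virus": [_act("block_ip"), _act("kill_process"), _act("delete_file")],
    "ransomware": [_act("isolate_host"), _act("kill_process")],
}


def run_scenario(scene: str, event: dict) -> List[dict]:
    """Scenario entry function: one sub-thread per action function, all run in parallel."""
    actions = SCENARIOS[scene]
    results: List[dict] = [{} for _ in actions]

    def worker(i: int, fn: Callable[[dict], dict]) -> None:
        results[i] = fn(event)

    threads = [threading.Thread(target=worker, args=(i, fn)) for i, fn in enumerate(actions)]
    for t in threads:
        t.start()      # control returns immediately after each creation
    for t in threads:
        t.join()
    return results


def respond(events: List[dict], max_scripts: int = 2) -> dict:
    """Queue the events, drain them in order and run at most max_scripts scenarios at once."""
    q: "queue.Queue[dict]" = queue.Queue()
    for ev in events:
        q.put(ev)                     # RPC service stores events instead of processing them
    slots = threading.BoundedSemaphore(max_scripts)   # preset script-number threshold
    lock = threading.Lock()
    outcomes: Dict[str, List[dict]] = {}
    state = {"active": 0, "peak": 0}

    def run_one(ev: dict) -> None:
        with slots:                   # blocks until a running scenario finishes
            with lock:
                state["active"] += 1
                state["peak"] = max(state["peak"], state["active"])
            try:
                res = run_scenario(ev["scene"], ev)
            finally:
                with lock:
                    state["active"] -= 1
        with lock:
            outcomes[ev["id"]] = res

    workers: List[threading.Thread] = []
    while not q.empty():              # sequential extraction: nothing is skipped
        ev = q.get()
        if ev["scene"] not in SCENARIOS:
            with lock:
                outcomes[ev["id"]] = []   # unknown type: no scenario, left for manual analysis
            continue
        t = threading.Thread(target=run_one, args=(ev,))
        t.start()
        workers.append(t)
    for t in workers:
        t.join()
    return {"outcomes": outcomes, "peak_concurrent": state["peak"]}


# Constructed security events from the queue.
SAMPLE_EVENTS = [
    {"id": "e1", "scene": "mining_virus", "target": "10.0.0.5"},
    {"id": "e2", "scene": "ransomware", "target": "10.0.0.6"},
    {"id": "e3", "scene": "mining_virus", "target": "10.0.0.7"},
    {"id": "e4", "scene": "unknown", "target": "10.0.0.8"},
]
```

`peak_concurrent` is returned so that the threshold can be verified rather than assumed; in a deployment it is the number to compare against the maximum the hardware can execute at the same time.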
For example, in practical application, when the micro-scene based arrangement is applied to a large-scale security event, the following is specifically implemented:
referring to fig. 9, fig. 9 is a flow of responding to a security event based on an orchestrated micro scene. Notably, the running log needs to be monitored, analyzed, and the micro-scene type determined before responding to the security event based on the scenario.
Specifically, after the operation log is analyzed, it is confirmed whether a compromise has occurred; if a compromise is confirmed, the compromise type is determined and the corresponding scenario is called according to the compromise type to respond to the security event automatically. The compromise type is the micro scene type, and includes: scanning, brute force cracking, distributed denial of service (DDoS) attacks, vulnerability exploitation, mining viruses, ransomware, remote trojans, malicious programs, weak passwords, unknown types, and so on.
Here, the operation log includes security logs, network traffic, running server logs, host logs, etc. During analysis, data characteristics of the running log (such as unknown URLs, unknown IPs, malicious data packets, malicious traffic, suspicious program processes, malicious files and very high CPU utilization) are extracted, and then analyzed according to the corresponding analysis strategy to determine whether a compromise has occurred. For example, an unknown IP may be checked against threat intelligence IP and domain data to confirm whether it is malicious; a suspicious file may be analyzed in the POMA sandbox to confirm whether it is a malicious file; and feature matching against the incident response system (IRS) knowledge base may be used for correlation analysis of suspicious program processes, suspicious services, suspicious startup items and CPU usage.
If a compromise is confirmed, it is determined whether it is a false positive; if so, a false positive work order is generated and the analysis strategy is optimized. If it is not a false positive, boundary blocking is performed, such as blocking suspicious URLs or suspicious IPs, and a blocking result report is generated.
If the compromise type is unknown, a manual team performs the analysis (such as sample analysis, attack analysis and a cleanup disposal script), the analysis result is added to the IRS knowledge base, a disposal script is regenerated based on the analysis result, and a disposal policy is generated based on the disposal script.
If the compromise type is a known type, it is determined whether a corresponding disposal policy exists, and if so, the scenario corresponding to the disposal policy is called to respond automatically to the security event corresponding to the compromise type. The compromise type determined in fig. 9 is a mining virus.
Calling the corresponding scenario according to the compromise type to respond to the security event automatically includes the following steps:
calling the corresponding scenario, based on the sub-process created in advance for it, to execute a global blocking policy, a policy for cleaning infected devices and a policy for hardening uninfected devices in parallel.
When the global blocking policy is executed, it is executed by action functions such as block IP, block URL and isolate host; when the cleaning policy for infected devices is executed, it is executed by action functions such as kill process, query registry, terminate service, delete folder, delete file and execute system command; when the hardening policy for uninfected devices is executed, it is executed by actions such as patching, firewall policy and service disabling.
After execution finishes, the execution result is obtained and verified; if verification succeeds, an execution result report is generated; if verification fails, the disposal script needs to be regenerated or updated according to the verification result.
Of course, if the compromise is determined to include multiple compromise types (for example, a mining virus, ransomware and a worm virus), the corresponding scenarios are called based on the sub-processes created in advance for each of them, so that the scenarios are processed in parallel.
For each script, the action functions in the script are processed in parallel based on at least one sub-thread in its sub-process. Thus, even in the face of massive security events, the arranged micro scenes can handle them with ease.
Based on the same inventive concept, the application also provides a server for arranging micro scenes, and the details are shown in the second embodiment.
Example two
This embodiment provides a server for arranging micro scenes. The server provides an arranging interface, which is a Web interface, so that the various function blocks required in a micro scene script can be assembled in the arranging interface by dragging, and the script is thereby built. As shown in fig. 10, the server includes a first receiving unit 101, a second receiving unit 102, a third receiving unit 103, a fourth receiving unit 104 and a generating unit 105, wherein:
a first receiving unit 101, configured to receive, for any type of micro scene, a start function block, where the start function block is associated with a start function of a function template library;
A second receiving unit 102, configured to receive a corresponding filter function block, where the filter function block includes at least one; the filtering function block is associated with a filtering function body in the function template library, and the filtering function is used for filtering data source information of the micro scene to obtain safety log information corresponding to the micro scene and generating a safety event based on the safety log information;
a third receiving unit 103, configured to receive a corresponding action function block; the action function block comprises at least one action function block, the action function block is associated with an action function body in the function template library, and the action function body comprises an execution action for responding to the security event; the filtering function block and the action function block are draggable function blocks;
a fourth receiving unit 104, configured to receive an end function block, where the end function block is associated with an end function body in the function template library;
and the generating unit 105 is used for generating the scenario corresponding to the micro scene according to the start function block, the filter function block, the action function block and the end function block.
Generally, a script is an executable piece of Python code whose content typically includes four kinds of function: a start function on_start, an end function on_finish, a filter function Filter and an action function Action. Different types of micro scenes correspond to different scripts; across these scripts the start function and the end function are the same and each appears exactly once, while the filter functions and action functions may differ and there may be several of each. For example, micro scene types may include worm viruses, mining viruses, network attacks, remote trojans, etc.
Since the script has this structure, when the micro scene scenario is arranged, the corresponding function blocks need to be assembled according to the content structure of the scenario.
Specifically, in order to implement setting up a scenario by dragging a function block, the server further includes: mapping unit 106, before receiving the start function block, mapping unit 106 is configured to:
mapping the starting function body with a preset API of a first user interface so that the starting function body can be associated with the first user interface, wherein the first user interface is a user interface corresponding to a starting function block;
mapping the filtering function body with a preset API of a second user interface so that the filtering function body can be associated with the second user interface, wherein the second user interface is a user interface corresponding to the filtering function block;
mapping the action function body with a preset API of a third user interface so that the action function body can be associated with the third user interface; the third user interface is a user interface corresponding to the action function block;
mapping the ending function body with a preset API of the fourth user interface so that the ending function body can be associated with the fourth user interface; the fourth user interface is the user interface corresponding to the ending function block.
Thus, the filter function block and the action function block become draggable function blocks. The start function block, the filter function block, the action function block and the end function block are shown in fig. 2. In fig. 2, a symbol 21 represents a start function block, a symbol 22 represents a filter function block, a symbol 23 represents an action function block, and a symbol 24 represents an end function block.
When a user builds the micro-scene script, a corresponding function block can be selected from a toolbar on the visual arrangement interface for building; wherein a schematic diagram of the toolbar is shown in fig. 3.
As an alternative embodiment, before mapping the action function body with the API of the preset third user interface, the third receiving unit 103 is further configured to:
receiving at least one preset plug-in;
calling an API of at least one plug-in to obtain an action function body corresponding to the safety equipment, an IP address of the safety equipment and an identification ID.
The safety equipment is equipment for executing the action function body, and finally linkage response to the safety event is realized. The security devices may include terminal devices (computers, cell phones, tablets, etc.) and may also include network devices (hubs, routers, gateways, repeaters, etc.).
Specifically, before mapping the action function body with the preset API of the third user interface, all action function bodies included in each security device need to be acquired first, so that the action function and the API of the third user interface can be mapped.
Because the SOAR supports action function bodies through plug-ins, each plug-in predefines the security device under the corresponding type of micro scene and the action function bodies that the security device needs to execute; therefore the action function bodies can be acquired from the preset plug-ins, with one plug-in corresponding to one security device. The user imports at least one plug-in in advance, and when the server receives the plug-in it calls the plug-in's API to acquire the action function bodies of the corresponding security device together with the IP address and ID of that device. The security device IP and security device ID corresponding to each action function body can then be determined. For example, if the action function body is kill process, the corresponding security devices include a big data analysis platform, a terminal laboratory, a firewall system and an intelligent security operation platform; the IP of the big data analysis platform is 192.168.19.38 (ID 88), the IP of the terminal laboratory is 10.65.150.52 (ID 86), the IP of the firewall system is 10.65.132.252 (ID 85), and the IP of the intelligent security operation platform is 10.65.133.17 (ID 83).
Referring to fig. 3, the plug-in is displayed as a first level on the toolbar, and the second level is displayed as an action function body included in the security device corresponding to the plug-in. The following is JSON data of a set of action function bodies obtained through a certain plug-in:
[JSON listing of the action function bodies returned by the plug-in; reproduced only as an image in the original publication]
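As an added example (not the patent's code and not the plug-in listing of the original, which survives only as an image), the following parses plug-in responses into the two-level toolbar of fig. 3 and into the per-action asset list that the second parameter configuration page fills in automatically. The JSON shape (`plugin`, `device`, `actions`) is this example's assumption; the device IPs and IDs are the four the page gives for kill process.

```python
import json
from typing import Dict, List

# Constructed plug-in responses. One plug-in corresponds to one security device, as the
# page states; the IP/ID pairs are the ones the page lists for the killprocess action.
PLUGIN_RESPONSES = [
    json.dumps({"plugin": "big_data_platform", "device": {"ip": "192.168.19.38", "id": 88},
                "actions": [{"name": "killprocess", "params": ["endpoint_ip"]},
                            {"name": "block_ip", "params": ["ip"]}]}),
    json.dumps({"plugin": "terminal_lab", "device": {"ip": "10.65.150.52", "id": 86},
                "actions": [{"name": "killprocess", "params": ["endpoint_ip"]},
                            {"name": "delete_file", "params": ["file_name"]}]}),
    json.dumps({"plugin": "firewall", "device": {"ip": "10.65.132.252", "id": 85},
                "actions": [{"name": "killprocess", "params": ["endpoint_ip"]}]}),
    json.dumps({"plugin": "security_ops", "device": {"ip": "10.65.133.17", "id": 83},
                "actions": [{"name": "killprocess", "params": ["endpoint_ip"]}]}),
]


def load_plugins(raw_responses: List[str]) -> List[dict]:
    """Parse each plug-in's JSON and reject entries missing the fields the toolbar needs."""
    plugins = []
    for raw in raw_responses:
        data = json.loads(raw)
        for key in ("plugin", "device", "actions"):
            if key not in data:
                raise ValueError(f"plug-in response missing {key!r}")
        if not {"ip", "id"} <= set(data["device"]):
            raise ValueError("device entry must carry both ip and id")
        plugins.append(data)
    return plugins


def toolbar(plugins: List[dict]) -> Dict[str, List[str]]:
    """First level: the plug-in; second level: the action function bodies its device supports."""
    return {p["plugin"]: [a["name"] for a in p["actions"]] for p in plugins}


def asset_list(plugins: List[dict], action_name: str) -> List[Dict[str, object]]:
    """All security devices (IP and ID) able to execute the given action function body."""
    return [
        {"ip": p["device"]["ip"], "id": p["device"]["id"]}
        for p in plugins
        if any(a["name"] == action_name for a in p["actions"])
    ]


def object_parameter(plugins: List[dict], action_name: str) -> List[str]:
    """The user-configured object-to-be-executed parameters declared for the action."""
    for p in plugins:
        for a in p["actions"]:
            if a["name"] == action_name:
                return list(a["params"])
    return []
```

Validating the device entry at load time matters because the asset list is filled in without user review; a plug-in that omits an ID would otherwise surface as a blank row on the configuration page.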
Here, the start function body may be understood as a function body corresponding to the start function, the filter function body may be understood as a function body corresponding to the filter function, the action function body may be understood as a function body corresponding to the action function, and the end function body may be understood as a function body corresponding to the end function.
When arranging the micro scene scenario, for any one micro scene, the user may drag the start function block in the visualization tool bar, and drag the start function block to the arranging interface, the first receiving unit 101 may receive the start function block, and since the start function block is associated with the start function of the function template library, the start function body may be obtained according to the start function block. The function template library comprises a starting function body, a filtering function body, an action function body and an ending function body, wherein each function body is pre-written.
It should be noted that, because the start function is the same for different types of micro scenes, when the micro scene scenario is programmed and initialized, the start function block may be preset in the programming interface, and the user does not need to drag the start function block any more.
In the same way, since the scenario structure further includes a filtering function, the user also needs to drag the filtering function block in the toolbar, and then the second receiving unit 102 receives the filtering function block, where the filtering function block is associated with a filtering function body of the function template library, and the filtering function body is used to filter the data source information of the micro scene, obtain the security log information corresponding to the micro scene, and generate a security event based on the security log information.
For example, if the micro scene is a remote Trojan event, filtering the data source information of the event to obtain safety log information related to the Trojan event, matching the safety log information with a preset event rule, and if the matching is successful, generating a safety event.
Since the micro scene types include multiple types, in order to determine the filtering function body required to fit the corresponding micro scene type, as an alternative embodiment, after receiving the corresponding filtering function block, the method further includes:
receiving a first configuration parameter for a filter function block;
displaying the first configuration parameters in a first configuration parameter page of the filter function block; the first configuration parameters include: scene type of micro scene.
Referring to fig. 4, the user only needs to input the first configuration parameter in the first parameter configuration page after the name in fig. 4, and the second receiving unit 102 may receive the first configuration parameter. Such as: if the micro scene type is the lux virus, the first configuration parameter may be Wannacry.
When the second receiving unit 102 receives the first configuration parameter, a filtering function body suitable for the micro scene is matched in the filtering function body database according to the first configuration parameter.
Here, referring to fig. 5, fig. 5 is the filter function body required in the Wannacry scenario of the ransomware micro scene; it can be seen that the structure of the filter function body in this scenario includes three parts: the filter body 51, a first filter condition (condition) and a second filter condition (subcondition). In practical application, the data source information of the micro scene is filtered by setting the specific contents of the condition and the subcondition.
The structure of the filter function block needs to correspond to the structure of the filter function body. With continued reference to fig. 2, reference numeral 22 represents the second user interface, which comprises three sub-interfaces: the data-source-satisfies interface 211, the condition rule interface 212 and the sub-condition logic relation interface 213. The data-source-satisfies interface 211 is associated with the function corresponding to the filter body 51 in the filter function body, the condition rule interface 212 is associated with the function corresponding to the first filter condition (condition), and the sub-condition logic relation interface 213 is associated with the function corresponding to the second filter condition (subcondition). Thus, when the micro scene script is built by dragging the filter function block, the filter function body corresponding to the filter function block is obtained accordingly.
Since a scenario may need to include multiple filter functions, multiple filter bodies, multiple first filter conditions (conditions) and multiple second filter conditions (subconditions) may be included; when the user drags a plurality of filter function blocks, the server numbers them sequentially when the corresponding filter function bodies are generated and displayed later. For example, if the user drags two filter function blocks, the filter function bodies are displayed as filter_1 and filter_2.
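The three-part filter function body described here and in the first embodiment, as an added example that is not the patent's own code: each filter has a filter body (does the record come from the right data source?), a first condition, a second sub-condition and the logic relation that joins them; matching records become security events, and the filters are numbered filter_1, filter_2 in the order they were dragged. The `FilterFunctionBody` class, its field names and the sample records are this example's own constructions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Record = Dict[str, object]


@dataclass
class FilterFunctionBody:
    """One filter function body: body selects the data source, condition and subcondition
    narrow it down. Field names are this example's own, not the page's."""
    scene: str
    body: Callable[[Record], bool]             # filter body 51: does the data source match?
    condition: Callable[[Record], bool]        # first filter condition
    subcondition: Callable[[Record], bool] = lambda r: True   # second filter condition
    subcondition_logic: str = "and"            # sub-condition logic relation: "and" / "or"

    def matches(self, record: Record) -> bool:
        if not self.body(record):
            return False
        first = self.condition(record)
        second = self.subcondition(record)
        if self.subcondition_logic == "and":
            return first and second
        if self.subcondition_logic == "or":
            return first or second
        raise ValueError(f"unknown logic relation {self.subcondition_logic!r}")


def number_filters(filters: List[FilterFunctionBody]) -> Dict[str, FilterFunctionBody]:
    """Sequential numbering filter_1, filter_2, ... in drag order, as the server does."""
    return {f"filter_{i}": f for i, f in enumerate(filters, start=1)}


def run_filters(filters: List[FilterFunctionBody], records: List[Record]) -> List[dict]:
    """Apply every numbered filter to the data source; each match generates a security event."""
    events = []
    for fname, flt in number_filters(filters).items():
        for rec in records:
            if flt.matches(rec):
                events.append({"filter": fname, "scene": flt.scene, "source": rec})
    return events


# Constructed filters for a Wannacry-type ransomware scene.
WANNACRY_FILTERS = [
    FilterFunctionBody(
        scene="Wannacry",
        body=lambda r: r.get("log_type") == "host",
        condition=lambda r: r.get("process") == "unknown.exe",
        subcondition=lambda r: r.get("cpu", 0) > 90,
        subcondition_logic="and",
    ),
    FilterFunctionBody(
        scene="Wannacry",
        body=lambda r: r.get("log_type") == "network",
        condition=lambda r: r.get("intel_hit") is True,
        subcondition=lambda r: str(r.get("dst", "")).startswith("203.0.113."),
        subcondition_logic="or",
    ),
]

# Constructed data-source records (host log and network traffic).
SAMPLE_RECORDS: List[Record] = [
    {"log_type": "host", "host": "10.0.0.5", "process": "unknown.exe", "cpu": 97},
    {"log_type": "host", "host": "10.0.0.6", "process": "notepad.exe", "cpu": 3},
    {"log_type": "network", "src": "10.0.0.5", "dst": "203.0.113.9", "intel_hit": False},
    {"log_type": "network", "src": "10.0.0.6", "dst": "10.0.0.1", "intel_hit": False},
]
```

The explicit error for an unknown logic relation is deliberate: the sub-condition logic is user-entered on interface 213, and silently defaulting it would turn a typo into a filter that never fires.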
For the same reason, since the structure of the scenario further includes an action function, the user also needs to drag the action function block on the editing interface, and then the third receiving unit 103 may receive the corresponding action function block, where the action function block includes at least one action function block, and the action function block is associated with an action function body of the function template library, and the action function body includes an execution action for automatically responding to the security event.
As an alternative embodiment, after receiving the corresponding action function block, the third receiving unit 103 is further configured to:
popping up a second parameter configuration page according to the received parameter configuration instruction;
receiving a second configuration parameter for the corresponding action function block;
Displaying a second configuration parameter in the second parameter configuration page; the second configuration parameters include: identification of the object to be executed in the action function block. The object to be executed is determined according to the type of the action function body, for example, the action function body is: killprocess, then the object to be executed may include process IP; if the action function body is delete_file, the object to be executed may include: file name.
Specifically, fig. 6 shows a killprocess action function block. When a parameter configuration instruction entered by the user is received, the second parameter configuration page pops up; it is shown in fig. 7. As can be seen from fig. 7, the second parameter configuration page includes an asset list configuration page and an object-to-be-executed configuration page, and the second configuration parameters include the asset list and the object to be executed, where the asset list is the device IPs of all security devices corresponding to the action function body.
Here, because the IPs and IDs of all security devices corresponding to a given action function can be determined from the plug-in, the asset list is acquired automatically by the plug-in and the user need not configure it; the object to be executed is the parameter that does require user configuration. As can be seen from fig. 7, the object to be executed is endpoint_ip.
To allow the asset list and the object to be executed to be configured together, the variable corresponding to the asset list and the variable corresponding to the object to be executed are placed in one preset component, so that the second parameter configuration page contains both the asset list configuration page and the object-to-be-executed configuration page. The component may be an ant-design component.
Since a scenario may include a plurality of action functions, and the action functions are logically related, in order to preserve the association logic between the action function blocks dragged onto the editing interface, as an alternative embodiment, the third receiving unit 103 is further configured, after receiving the corresponding action function blocks, to:
for any current action function block, capture an event object whose event type is move, based on the listener event corresponding to the current action function block;
obtain the parent node ID attribute of the event object;
look up the corresponding action function block name in a preset cache based on the parent node ID attribute, and set the found action function block name as the value of the parentActionName (parent block) attribute of the current action function block; the names of the received action function blocks and their second configuration parameters are stored in the cache.
If the parameter information of the previous-stage action function block of the current action function block is needed, the previous-stage block is looked up in the cache by the value of the current block's parentActionName attribute, and its parameter information is read from there.
Because the structure of the scenario includes an end function, the user also drags the end function block onto the programming interface; the end function block is associated with the end function body of the function template library. The fourth receiving unit 104 receives the end function block.
It should be noted that, because the end function is the same for different types of micro scene, the end function block may be preset in the programming interface when the micro scene scenario is initialised, so that the user need not drag it.
Once the start function block, filter function block, action function block and end function block have been dragged onto the programming interface, construction of the scenario is complete. When the micro scene type is ransomware, the finally built scenario is as shown in fig. 2.
The generating unit 105 is configured to receive a generating instruction and, according to that instruction, generate the scenario corresponding to the micro scene based on the start function block, the filter function block, the action function block and the end function block.
Specifically, the generating unit 105 obtains the start function body from the mapping between the start function block and the start function body; the filter function body from the mapping between the filter function block and the filter function body; the action function body from the mapping between the action function block and the action function body; and the end function body from the mapping between the end function block and the end function body. In this way each function block is converted into its corresponding code. The converted code is shown in fig. 8.
With continued reference to fig. 8, the user may add a name, tags, status and owner information to the generated scenario and then submit it. The server receives the name, tags, status and owner information of the scenario and, according to the received submit instruction, submits the scenario to the scenario micro scene library.
Micro scene scenarios for the various types of micro scene can be arranged by the same method, finally forming a scenario micro scene library, so that large-scale security events can be handled freely.
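The following is an added example, written for this page and not NSFOCUS's implementation, of how the pieces described above fit together: received blocks go into the preset cache, a move event resolves the parent node ID to a block name stored as parentActionName, the previous-stage block's parameters are read back through that attribute, and the generating unit maps each block to its function body and emits code. Every concrete name (the block kinds, the function-body names such as killprocess and delete_file, the event shape, the layout of the generated code) is an assumption; the page only describes these steps in prose and in fig. 8.

```python
# Added illustrative code for this page, not the patent holder's implementation.
# Block kinds, function-body names, the event shape and the emitted code layout
# are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Function template library: block kind -> function body it is associated with.
FUNCTION_TEMPLATE_LIBRARY: Dict[str, str] = {
    "Start": "start_playbook",
    "Filter": "filter_by_scene",
    "KillProcess": "killprocess",   # object to execute: endpoint_ip (fig. 7)
    "DeleteFile": "delete_file",    # object to execute: file name
    "End": "end_playbook",
}


@dataclass
class Block:
    name: str                                    # block name, the key in the cache
    kind: str                                    # key into FUNCTION_TEMPLATE_LIBRARY
    dom_id: str                                  # id of the block's node on the editing interface
    params: Dict[str, object] = field(default_factory=dict)   # second configuration parameters
    parentActionName: Optional[str] = None       # filled in by the move listener


class PlaybookCache:
    """The page's preset cache: names and configuration of the received blocks."""

    def __init__(self) -> None:
        self._by_name: Dict[str, Block] = {}
        self._by_dom_id: Dict[str, str] = {}

    def receive(self, block: Block) -> None:
        if block.kind not in FUNCTION_TEMPLATE_LIBRARY:
            raise KeyError(f"no function body mapped for block kind {block.kind!r}")
        self._by_name[block.name] = block
        self._by_dom_id[block.dom_id] = block.name

    def on_move(self, current: str, event: Dict[str, str]) -> None:
        """Listener for the captured event object: only 'move' events count; the
        parent node id is resolved to a block name and stored as parentActionName."""
        if event.get("type") != "move":
            return
        parent = self._by_dom_id.get(event.get("parentNodeId", ""))
        if parent is None or parent == current:
            raise ValueError(f"block {current!r} dropped onto an unknown node or onto itself")
        self._by_name[current].parentActionName = parent

    def upstream_params(self, current: str) -> Dict[str, object]:
        """Parameter information of the previous-stage block, via parentActionName."""
        parent = self._by_name[current].parentActionName
        return dict(self._by_name[parent].params) if parent else {}

    def ordered_chain(self) -> List[Block]:
        """Walk Start -> ... -> End; refuse to generate code from a broken jigsaw."""
        children: Dict[Optional[str], List[str]] = {}
        for b in self._by_name.values():
            children.setdefault(b.parentActionName, []).append(b.name)
        roots = children.get(None, [])
        if len(roots) != 1 or self._by_name[roots[0]].kind != "Start":
            raise ValueError("exactly one block may lack a parent, and it must be the Start block")
        chain: List[Block] = []
        cur: Optional[str] = roots[0]
        while cur is not None:
            chain.append(self._by_name[cur])
            nxt = children.get(cur, [])
            if len(nxt) > 1:
                raise ValueError(f"block {cur!r} has several successors; this example emits a linear chain")
            cur = nxt[0] if nxt else None
        if len(chain) != len(self._by_name):
            raise ValueError("some blocks are not connected to the chain (loop or orphan)")
        if chain[-1].kind != "End":
            raise ValueError("the chain must finish with the End block")
        return chain


def generate_playbook(cache: PlaybookCache, scene_type: str) -> str:
    """Generating unit: map every block to its function body and emit the code."""
    lines = [f"def playbook_{scene_type}(event):", "    ctx = event"]
    for block in cache.ordered_chain():
        body = FUNCTION_TEMPLATE_LIBRARY[block.kind]
        args = ", ".join(f"{k}={v!r}" for k, v in sorted(block.params.items()))
        lines.append(f"    ctx = {body}(ctx, {args})" if args else f"    ctx = {body}(ctx)")
    lines.append("    return ctx")
    return "\n".join(lines)


def build_ransomware_example():
    """Constructed input: the blocks of a ransomware scenario and the move events
    produced as each block is dropped onto its predecessor."""
    cache = PlaybookCache()
    cache.receive(Block("start", "Start", "node-1"))
    cache.receive(Block("filter", "Filter", "node-2", {"scene_type": "ransomware"}))
    cache.receive(Block("kill1", "KillProcess", "node-3",
                        {"assets": ["192.168.1.10", "192.168.1.11"],   # asset list from the plug-in
                         "endpoint_ip": "10.0.0.7"}))                   # object to execute
    cache.receive(Block("del1", "DeleteFile", "node-4", {"file_name": "/tmp/locker.bin"}))
    cache.receive(Block("end", "End", "node-5"))
    for current, parent_node in [("filter", "node-1"), ("kill1", "node-2"),
                                 ("del1", "node-3"), ("end", "node-4")]:
        cache.on_move(current, {"type": "move", "parentNodeId": parent_node})
    return cache, generate_playbook(cache, "ransomware")


if __name__ == "__main__":
    print(build_ransomware_example()[1])
```

The validation in ordered_chain is the check a practitioner wants before code is generated: an action block that was dragged onto the interface but never dropped onto a predecessor has no parentActionName, and a loop or fork produced by careless dragging would otherwise be silently turned into code.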
The server for arranging micro scenes provides an arranging interface and abstracts the functions contained in the scenario into function blocks of different types. Because each function block is associated with a corresponding function body, the micro scene scenario can be arranged simply by dragging the start function block, filter function block, action function block and end function block. With this method of generating the scenario by assembling function blocks on the programming interface, much like building blocks, the user only needs to consider the logic between the function blocks during construction, need not enter large amounts of code, is freed from a complex coding process and can concentrate on implementing the logic. This reduces the complexity and difficulty of arranging micro scene scenarios, improves the accuracy and efficiency of the arrangement, and saves time. Moreover, the output at the end of the construction flow is an understandable jigsaw of function blocks together with the code generated from it, so the user can manipulate the function blocks at any time, the generated code changes in real time, and backtracking is convenient.
Here, in order to cope with large-scale security events, as an alternative embodiment, after generating the scenario corresponding to the micro scene from the start function block, the filter function block, the action function block and the end function block, the method further includes:
when the security event corresponding to each micro scene is received, storing the security event in a preset event queue;
sequentially extracting the security events to be processed from the event queue according to a preset extraction strategy, and searching for the scenario corresponding to each micro scene;
creating a corresponding sub-process for each scenario, and calling the corresponding scenario entry function from each sub-process so as to load the scenario corresponding to each micro scene;
when executing the scenarios in parallel, calling a preset toolkit to create at least one sub-thread for the sub-process of each scenario and returning to the main thread of the toolkit, where the toolkit may be an SDK;
executing each action function body of the corresponding scenario on the at least one sub-thread, so as to request, by means of the action function body, that the external security device respond to the corresponding security event.
Here, a service based on the remote procedure call protocol (RPC) receives the security event; after receipt, the security event is not processed immediately but stored in the preset event queue. When security events are processed, they are extracted in the order given by the extraction strategy, so that none is missed.
For any type of micro scene, after the scenario corresponding to the micro scene is found, a corresponding sub-process is created for each scenario, and the corresponding scenario entry function is called from each sub-process so that the scenario corresponding to each micro scene is dynamically loaded in its own sub-process. Thus, if there are several scenarios, they can be executed in parallel.
Meanwhile, considering that the storage capacity and computing capacity of the hardware deployment environment differ, in order to ensure optimal processing capacity, before a corresponding sub-process is created for each scenario the method further includes:
judging whether the number of obtained scenarios has reached a preset scenario number threshold and, if so, holding subsequent scenarios in a blocking wait state until execution of the existing scenarios finishes; the preset scenario number threshold may be determined from the maximum number of scenarios the hardware system can execute simultaneously.
For any scenario, when an action function in the scenario is executed, an execution function of the toolkit is called to create at least one sub-thread for the sub-process of the scenario. For example, if a scenario includes n action functions Action1, Action2, ..., ActionN that need to be executed in parallel, then n sub-threads are created for the sub-process of the scenario.
It is noted that, after a sub-thread has been created for the current action function, the main thread of the toolkit must return immediately, so that control flow for creating sub-threads passes back to the sub-process of the scenario, which then immediately creates the sub-thread for Action2; the creation times of the sub-threads for Action1 and Action2 therefore differ by only a few ms, and the several sub-threads of a scenario run in parallel.
In this way multiple scenarios are executed in parallel, and the action functions within each scenario are also executed in parallel, which enables automatic response to large-scale security events.
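The following is an added example, written for this page and not NSFOCUS's toolkit, of the runtime described in this embodiment: an RPC-facing receive method that only stores events in a queue, FIFO extraction, a scenario-number threshold that blocks further scenarios until a running one finishes, and one sub-thread per action function whose start returns immediately so the threads overlap. Two deviations are made on purpose and should be noted: the page runs each scenario in its own sub-process, while this example runs each scenario on a thread of its own (a multiprocessing.Process would occupy the same place) so that it runs unchanged under an import-based test harness; and the action function bodies only record the request they would send to an external security device. The scene names, event fields and IP addresses are constructed.

```python
# Added illustrative code for this page, not the patent holder's toolkit.
# Deviations from the text: a thread (not a sub-process) per scenario, and
# stand-in action bodies that record instead of calling a security device.
import queue
import threading
import time
from typing import Callable, Dict, List

Event = Dict[str, str]
ActionBody = Callable[[Event], str]


# Stand-in action function bodies; the 20 ms sleep imitates a device round-trip.
def block_ip(event: Event) -> str:
    time.sleep(0.02)
    return f"block_ip {event['attacker_ip']}"


def isolate_host(event: Event) -> str:
    time.sleep(0.02)
    return f"isolate_host {event['endpoint_ip']}"


def kill_process(event: Event) -> str:
    time.sleep(0.02)
    return f"killprocess {event['endpoint_ip']}:{event['process']}"


# Scenario micro scene library: micro scene type -> action function bodies.
SCENARIOS: Dict[str, List[ActionBody]] = {
    "mining_virus": [block_ip, isolate_host, kill_process],
    "ransomware": [isolate_host, kill_process],
}


class PlaybookRuntime:
    def __init__(self, scenarios: Dict[str, List[ActionBody]], max_scripts: int) -> None:
        self._scenarios = scenarios
        self._events: "queue.Queue[Event]" = queue.Queue()       # preset event queue
        self._slots = threading.BoundedSemaphore(max_scripts)     # scenario-number threshold
        self._lock = threading.Lock()
        self._active = 0
        self.peak_active = 0            # most scenarios observed running at once
        self.results: List[str] = []
        self.unmatched: List[Event] = []

    def receive(self, event: Event) -> None:
        """Called by the RPC-facing service: store the event, do not process it yet."""
        self._events.put(event)

    def _run_action(self, body: ActionBody, event: Event) -> None:
        out = body(event)
        with self._lock:
            self.results.append(out)

    def _run_scenario(self, scene: str, event: Event) -> None:
        with self._lock:
            self._active += 1
            self.peak_active = max(self.peak_active, self._active)
        try:
            # One sub-thread per action function. start() returns at once, so the
            # n threads are created a few ms apart and execute in parallel.
            threads = [threading.Thread(target=self._run_action, args=(body, event))
                       for body in self._scenarios[scene]]
            for t in threads:
                t.start()
            for t in threads:
                t.join()
        finally:
            with self._lock:
                self._active -= 1
            self._slots.release()       # wake a scenario blocked on the threshold

    def drain(self) -> None:
        """Extraction strategy: FIFO. Events whose type has no scenario are kept
        aside; the others block here while the threshold is reached."""
        workers: List[threading.Thread] = []
        while True:
            try:
                event = self._events.get_nowait()
            except queue.Empty:
                break
            scene = event.get("scene", "")
            if scene not in self._scenarios:
                self.unmatched.append(event)    # nothing orchestrated for this type yet
                continue
            self._slots.acquire()
            w = threading.Thread(target=self._run_scenario, args=(scene, event))
            w.start()
            workers.append(w)
        for w in workers:
            w.join()


# Constructed security events, as the RPC service might deliver them.
TEST_EVENTS: List[Event] = [
    {"scene": "mining_virus", "attacker_ip": "203.0.113.5", "endpoint_ip": "10.0.0.7", "process": "xmrig"},
    {"scene": "ransomware", "attacker_ip": "198.51.100.9", "endpoint_ip": "10.0.0.8", "process": "locker"},
    {"scene": "worm", "attacker_ip": "192.0.2.4", "endpoint_ip": "10.0.0.9", "process": "w32.worm"},
]


def run_demo(max_scripts: int = 2) -> PlaybookRuntime:
    rt = PlaybookRuntime(SCENARIOS, max_scripts)
    for ev in TEST_EVENTS:
        rt.receive(ev)
    rt.drain()
    return rt
```

The unmatched list is the caveat the text glosses over: an event type with no orchestrated scenario must be retained and surfaced, not dropped, otherwise the "no event is missed" guarantee of the queue is lost at the dispatch step.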
For example, in practical application, when the micro scene based arrangement is applied to a large-scale security event, the specific implementation is as follows:
Fig. 9 shows the flow of responding to a security event based on an orchestrated micro scene. Notably, before a security event is responded to through a scenario, the running log must be monitored and analysed and the micro scene type determined.
Specifically, after the operation log is analysed, it is confirmed whether a compromise has occurred; if so, the compromise type is judged and the corresponding scenario is called according to the compromise type to respond automatically to the security event. The compromise type is the micro scene type and includes: scanning, brute-force cracking, DDoS attack, vulnerability exploitation, cryptomining malware, ransomware, remote-control trojan, malicious program, weak password, unknown type, and so on.
Here, the operation log includes the security log, network traffic, running server log, host log, etc. During analysis, the data features of the running log (such as an unknown URL, unknown IP, malicious packet, malicious traffic, suspicious program process, malicious file or very high CPU utilisation) are extracted and then analysed according to the corresponding analysis strategy to determine whether a compromise has occurred. For example, an unknown IP may be checked against the threat-intelligence IP domain to confirm whether it is malicious; a suspicious file may be analysed in the POMA sandbox to confirm whether it is malicious; and feature matching against the IRS knowledge base may be used for association analysis of suspicious program processes, suspicious services, suspicious start-up items, CPU usage and so on.
If a compromise is confirmed, it is judged whether it is a false positive; if so, a false-positive work order is generated and the analysis strategy is optimised. If it is not a false positive, boundary blocking is performed, such as blocking the suspicious URL or suspicious IP, and a blocking result report is generated.
If the compromise type is unknown, a manual team performs the analysis (such as sample analysis, attack analysis and a clean-up disposal script) and the analysis result is added to the IRS knowledge base; the disposal script is then regenerated (made or updated) on the basis of the analysis result, and the disposal strategy is generated from the disposal script.
If the compromise type is a known type, it is judged whether a corresponding disposal strategy exists, and if so, the scenario corresponding to the disposal strategy is called to respond automatically to the security event of that compromise type. The compromise type determined in fig. 9 is cryptomining malware.
Calling the corresponding scenario according to the compromise type to respond automatically to the security event includes:
calling the corresponding scenario on the sub-process created in advance for it, so as to execute in parallel a global blocking strategy, a clean-up strategy for infected devices and a hardening strategy for uninfected devices.
The global blocking strategy is executed with Action functions such as block IP, block URL and isolate host; the clean-up strategy for infected devices is executed with Action functions such as kill process, query registry, terminate service, delete folder, delete file and execute system command; the hardening strategy for uninfected devices is executed with actions such as patching, firewall policy and disabling services.
After execution finishes, the execution result is obtained and verified; if verification succeeds, an execution report is generated, and if it fails, the disposal script is re-made or updated according to the verification result.
Of course, if the compromise is determined to be of several types (for example cryptomining malware, ransomware and a worm), the corresponding scenarios are called on the sub-processes created in advance for each of them, so that the scenarios are processed in parallel.
For each scenario, the action functions of the scenario are processed in parallel on the at least one sub-thread in its sub-process. Thus, even in the face of massive numbers of security events, the arranged micro scenes can cope freely.
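The following is an added example, written for this page and not NSFOCUS's code, of the triage that fig. 9 places before any scenario is called: extracting data features from running-log lines, checking them against a threat-intelligence IP set and a knowledge base of signatures, deciding whether a host is compromised and of which micro scene type, screening false positives, and then selecting the boundary block and the disposal strategy (known type with a strategy, or hand-off to the manual team for an unknown type). The key=value log format, the intelligence set, the signatures, the allow-list and the scenario names are all constructed for the example; the page names these steps but not this logic.

```python
# Added illustrative code for this page, not the patent holder's analysis engine.
# Log format, intel set, signatures, allow-list and scenario names are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

THREAT_INTEL_IPS: Set[str] = {"203.0.113.5"}              # constructed threat-intel IP domain
KNOWLEDGE_BASE = {                                         # constructed IRS-style signatures
    "mining_virus": {"processes": {"xmrig", "kdevtmpfsi"}, "cpu_min": 90},
    "ransomware": {"processes": {"locker.exe"}},
    "scanning": {"min_distinct_ports": 50},
}
ALLOW_LIST: Set[str] = {"10.0.0.250"}                      # the in-house vulnerability scanner
DISPOSAL_STRATEGIES = {"mining_virus": "playbook_mining_virus", "ransomware": "playbook_ransomware"}
LOG_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Features:
    host: str
    unknown_ips: Set[str] = field(default_factory=set)
    processes: Set[str] = field(default_factory=set)
    cpu: int = 0
    distinct_ports: int = 0


def extract_features(lines: List[str]) -> Dict[str, Features]:
    """Data features per host from key=value running-log lines."""
    hosts: Dict[str, Features] = {}
    for line in lines:
        kv = dict(LOG_KV.findall(line))
        host = kv.get("host")
        if not host:
            continue                               # unparseable line: skip rather than guess
        f = hosts.setdefault(host, Features(host))
        if "proc" in kv:
            f.processes.add(kv["proc"])
        if "cpu" in kv:
            f.cpu = max(f.cpu, int(kv["cpu"]))
        if "dst" in kv:
            f.unknown_ips.add(kv["dst"].rsplit(":", 1)[0])
        if "ports" in kv:
            f.distinct_ports = max(f.distinct_ports, int(kv["ports"]))
    return hosts


def classify(f: Features) -> Optional[str]:
    """Compromise (micro scene) type; 'unknown' if compromised but unmatched; None if clean."""
    kb = KNOWLEDGE_BASE
    if f.processes & kb["mining_virus"]["processes"] and f.cpu >= kb["mining_virus"]["cpu_min"]:
        return "mining_virus"
    if f.processes & kb["ransomware"]["processes"]:
        return "ransomware"
    if f.distinct_ports >= kb["scanning"]["min_distinct_ports"]:
        return "scanning"
    if f.unknown_ips & THREAT_INTEL_IPS:
        return "unknown"       # talks to known-bad infrastructure but matches no signature
    return None


def route(f: Features) -> Dict[str, object]:
    """False-positive check, boundary block, then disposal strategy or manual analysis."""
    ctype = classify(f)
    if ctype is None:
        return {"host": f.host, "compromised": False}
    if f.host in ALLOW_LIST:
        # false positive: a work order to tune the analysis strategy, no blocking
        return {"host": f.host, "compromised": False, "false_positive_work_order": True}
    decision: Dict[str, object] = {
        "host": f.host, "compromised": True, "type": ctype,
        "boundary_block": sorted(f.unknown_ips & THREAT_INTEL_IPS),
    }
    if ctype == "unknown":
        decision["action"] = "manual_analysis"
    else:
        decision["action"] = DISPOSAL_STRATEGIES.get(ctype, "no_disposal_strategy")
    return decision


SAMPLE_LOG = [   # constructed running-log lines
    "host=10.0.0.7 proc=xmrig cpu=97 dst=203.0.113.5:3333",
    "host=10.0.0.7 proc=sshd cpu=3",
    "host=10.0.0.8 proc=locker.exe cpu=40 dst=198.51.100.9:443",
    "host=10.0.0.250 proc=nmap ports=1000",
    "host=10.0.0.9 proc=curl cpu=5 dst=203.0.113.5:80",
    "host=10.0.0.10 proc=nginx cpu=12",
]


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    return {host: route(f) for host, f in extract_features(lines).items()}
```

Two points are deliberate: the allow-list is consulted only after a compromise signal, so a misconfigured scanner still produces a work order rather than vanishing, and a host that only talks to a threat-intelligence address is classed as an unknown compromise and sent to the manual team, since no disposal strategy exists for it yet.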
The method, server, medium and computer device for arranging micro scene scenarios have the following beneficial effects:
The application provides a method, a server, a medium and a computer device for arranging micro scene scenarios, the method comprising: for any type of micro scene, receiving a start function block, the start function block being associated with a start function body of a function template library; receiving a corresponding filter function block, the filter function block being associated with a filter function body of the function template library, the filter function body being used for filtering the data source information of the micro scene; receiving a corresponding action function block, the action function block comprising at least one action function block, each associated with an action function body of the function template library, the action function body comprising the execution action that makes the security response for the micro scene; receiving an end function block, the end function block being associated with an end function body of the function template library; the start function block, filter function block, action function block and end function block being draggable function blocks; and generating the scenario corresponding to the micro scene from the start function block, the filter function block, the action function block and the end function block. In this way the functions contained in the scenario are abstracted into function blocks of different types and, because each function block is associated with a corresponding function body, the micro scene scenario can be arranged by dragging the filter function block and the action function block (the start function block and the end function block are placed on the arranging interface by default). With this method of generating the scenario by assembling function blocks on the programming interface, much like building blocks, the user only needs to consider the logic between the function blocks during construction, need not enter large amounts of code, is freed from a complex coding process and can concentrate on implementing the logic. This reduces the complexity and difficulty of arranging micro scene scenarios, improves the accuracy and efficiency of the arrangement, and saves time. Moreover, the output at the end of the construction flow is an understandable jigsaw of function blocks together with the code generated from it, so the user can manipulate the function blocks at any time, the generated code changes in real time, and backtracking is convenient.
Example III
The present embodiment provides a computer device, as shown in fig. 11, including a memory 110, a processor 111, and a computer program 112 stored on the memory 110 and executable on the processor 111, wherein the processor 111 implements the following steps when executing the computer program 112:
for any type of micro-scene, receiving a start function block, the start function block being associated with a start function in a function template library;
receiving a corresponding filter function block; the filter function block comprises at least one filter function block, the filter function block being associated with a filter function body in the function template library, and the filter function body being used for filtering the data source information of the micro scene to obtain the security log information corresponding to the micro scene and to generate a security event based on that security log information;
receiving a corresponding action function block; the action function block comprises at least one action function block, the action function block being associated with an action function body in the function template library, and the action function body comprising an execution action for responding to the security event;
receiving an ending function block, wherein the ending function block is associated with an ending function body in the function template library;
Generating a script corresponding to the micro scene according to the starting function block, the filtering function block, the action function block and the ending function block; the filtering function block and the action function block are draggable function blocks on a programming interface.
In a specific implementation, when the processor 111 executes the computer program 112, any implementation of the first embodiment may be realised.
Since the computer device described in this embodiment is the device used to arrange the micro scene scenario in the first embodiment of the present application, on the basis of the method described in the first embodiment those skilled in the art can understand the specific implementation of the computer device of this embodiment and its various modifications; how the server implements the method of the embodiments of the present application is therefore not described in detail here. Any apparatus used to implement the methods of the embodiments of the present application falls within the scope of protection intended by the present application.
Based on the same inventive concept, the application provides a storage medium corresponding to the first embodiment; the details are described in the fourth embodiment.
Example IV
The present embodiment provides a computer readable storage medium 120, as shown in fig. 12, on which a computer program 121 is stored; when executed by a processor, the computer program 121 performs the steps of:
For any type of micro-scene, receiving a start function block, the start function block being associated with a start function in a function template library;
receiving a corresponding filter function block; the filter function block comprises at least one filter function block, the filter function block being associated with a filter function body in the function template library, and the filter function body being used for filtering the data source information of the micro scene to obtain the security log information corresponding to the micro scene and to generate a security event based on that security log information;
receiving a corresponding action function block; the action function block comprises at least one action function block, the action function block being associated with an action function body in the function template library, and the action function body comprising an execution action for responding to the security event;
receiving an ending function block, wherein the ending function block is associated with an ending function body in the function template library;
generating a script corresponding to the micro scene according to the starting function block, the filtering function block, the action function block and the ending function block; the filtering function blocks and the action function blocks are draggable function blocks on a programming interface.
In a specific implementation, the computer program 121, when executed by a processor, may implement any of the embodiments described above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
The foregoing description of the preferred embodiments of the present application is not intended to limit the scope of the present application, but is intended to cover any modifications, equivalents, and alternatives falling within the spirit and principles of the present application.

Claims (10)

1. A method of composing a micro-scene script, the method comprising:
for any type of micro-scene, receiving a start function block, the start function block being associated with a start function in a function template library;
receiving a corresponding filter function block; the filter function block comprises at least one filter function block, the filter function block being associated with a filter function body in the function template library, and the filter function body being used for filtering the data source information of the micro scene to obtain the security log information corresponding to the micro scene and to generate a security event based on that security log information;
receiving a corresponding action function block; the action function block comprises at least one action function block, the action function block being associated with an action function body in the function template library, and the action function body comprising an execution action for responding to the security event;
Receiving an ending function block, wherein the ending function block is associated with an ending function body in the function template library;
generating a script corresponding to the micro scene according to the starting function block, the filtering function block, the action function block and the ending function block; the filtering function block and the action function block are draggable function blocks on a programming interface; the starting function block and the ending function block are function blocks which can be dragged on the programming interface or function blocks which are preset in the programming interface.
2. The method of claim 1, wherein prior to receiving the start function block, further comprising:
mapping the starting function body with an API of a preset first user interface, wherein the first user interface is a user interface corresponding to the starting function block;
mapping the filtering function body with an API of a preset second user interface, wherein the second user interface is a user interface corresponding to the filtering function block;
mapping the action function body with a preset API of a third user interface; the third user interface is a user interface corresponding to the action function block;
Mapping the ending function body with a preset API of a fourth user interface; and the fourth user interface is a user interface corresponding to the ending function block.
3. The method of claim 2, wherein before mapping the action function body with a preset API of a third user interface, further comprising:
receiving at least one preset plug-in;
calling an API of the at least one plug-in to obtain the action function body corresponding to a security device, together with the IP address and ID of the security device, wherein the security device is used for executing the action function body.
4. The method of claim 1, wherein said receiving the corresponding filter function block comprises:
receiving a first configuration parameter for the filter function block;
displaying the first configuration parameters in a first configuration parameter page of the filter function block; the first configuration parameters include: scene type of the micro scene.
5. The method of claim 1, wherein after receiving the corresponding action function block, further comprising:
popping up a second parameter configuration page according to the received parameter configuration instruction;
receiving a second configuration parameter for the corresponding action function block;
displaying the second configuration parameters in the second parameter configuration page; the second configuration parameters include the identification of an object to be executed in the action function block, the object to be executed being determined according to the type of the action function body.
6. The method of claim 1, wherein after receiving the corresponding action function block, further comprising:
for any current action function block, capturing an event object whose event type is move, based on the listener event corresponding to the current action function block;
obtaining the parent node ID attribute of the event object;
looking up the corresponding action function block name in a preset cache based on the parent node ID attribute, and setting the found action function block name as the value of the parent block attribute of the current action function block; the names of the received action function blocks being stored in the cache.
7. The method of claim 1, wherein after generating the scenario corresponding to the micro-scene according to the start function block, the filter function block, the action function block, and the end function block, further comprises:
when the security events corresponding to the micro scenes are received, searching the script corresponding to the security events;
Creating a corresponding subprocess for each scenario, and calling a corresponding scenario entry function based on each subprocess so as to load the scenario corresponding to each micro-scenario;
when executing each script in parallel, calling a preset toolkit to create at least one sub-thread for each sub-process of the script, and returning to a main thread of the toolkit;
and executing each action function body in the corresponding script based on the at least one sub-thread.
8. A server for composing a micro-scene script, the server comprising:
a first receiving unit, configured to receive a start function block for any type of micro scene, where the start function block is associated with a start function of a function template library;
a second receiving unit, configured to receive a corresponding filter function block; the filter function block comprises at least one filter function block, the filter function block being associated with a filter function body in the function template library, and the filter function body being used for filtering the data source information of the micro scene to obtain the security log information corresponding to the micro scene and to generate a security event based on that security log information;
a third receiving unit, configured to receive a corresponding action function block; the action function block comprises at least one action function block, the action function block being associated with an action function body in the function template library, and the action function body comprising an execution action for responding to the security event;
A fourth receiving unit, configured to receive an end function block, where the end function block is associated with an end function in the function template library;
the generating unit is used for generating a script corresponding to the micro scene according to the starting function block, the filtering function block, the action function block and the ending function block; wherein the filtering function block and the action function block are draggable function blocks; the starting function block and the ending function block are function blocks which can be dragged on the programming interface or function blocks which are preset in the programming interface.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method of any of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 7 when executing the program.
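The block model of claims 7 and 8 (start, filter, action and end blocks drawn from a function template library, a generating unit that assembles them into a script, and action bodies run on sub-threads while the main thread waits) as an added Python example; this is not the patent's own code, and the block names, the filter/action functions and the sample log records are assumptions constructed for illustration.

```python
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data source (not real logs): a few login records.
SAMPLE_LOGS = [
    {"src": "10.0.0.5", "event": "login_failed", "count": 12},
    {"src": "10.0.0.7", "event": "login_ok", "count": 1},
    {"src": "10.0.0.9", "event": "login_failed", "count": 30},
]

@dataclass
class Block:                                    # one dragged function block
    kind: str                                   # start | filter | action | end
    fn: Optional[Callable] = None               # entry in the function template library
    params: Dict = field(default_factory=dict)  # parameters set on the block

def filter_failed_logins(logs, threshold=10):
    """Hypothetical filter function: keep records that qualify as a security event."""
    return [r for r in logs if r["event"] == "login_failed" and r["count"] >= threshold]

def action_block_ip(event, results):
    """Hypothetical action function: stand-in for a firewall call answering the event."""
    results.append(f"block {event['src']}")

def is_valid_order(kinds: List[str]) -> bool:
    """Start first, end last, then only filters (>=1) followed by actions (>=1)."""
    body, n = kinds[1:-1], kinds[1:-1].count("filter")
    return (kinds[:1] == ["start"] and kinds[-1:] == ["end"] and 0 < n < len(body)
            and body == ["filter"] * n + ["action"] * (len(body) - n))

def compose_script(blocks: List[Block]) -> List[Block]:
    if not is_valid_order([b.kind for b in blocks]):   # generating unit refuses bad layouts
        raise ValueError("blocks must be: start, filter(s), action(s), end")
    return blocks

def run_script(blocks: List[Block], logs) -> List[str]:
    """Apply filters to raise events, then run every action in its own sub-thread."""
    events = logs
    for b in (b for b in blocks if b.kind == "filter"):
        events = b.fn(events, **b.params)
    results, threads = [], []
    for ev in events:
        for b in (b for b in blocks if b.kind == "action"):
            t = threading.Thread(target=b.fn, args=(ev, results))
            threads.append(t)
            t.start()
    for t in threads:
        t.join()                                # main thread waits for all sub-threads
    return sorted(results)
```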
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010675633.8A CN111831275B (en) 2020-07-14 2020-07-14 Method, server, medium and computer equipment for arranging micro-scene script

Publications (2)

Publication Number Publication Date
CN111831275A CN111831275A (en) 2020-10-27
CN111831275B true CN111831275B (en) 2023-06-30

Family

ID=72923203

Country Status (1)

Country Link
CN (1) CN111831275B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113220285B (en) * 2021-04-22 2023-08-22 上海雾帜智能科技有限公司 Security event response scenario generation method, system, device and storage medium
CN113259371B (en) * 2021-06-03 2022-04-19 上海雾帜智能科技有限公司 Network attack event blocking method and system based on SOAR system
CN114338178B (en) * 2021-12-30 2022-11-29 北京安博通科技股份有限公司 SOAR script model, script construction method, electronic device and storage medium
CN115202641B (en) * 2022-09-13 2023-02-03 深圳联友科技有限公司 Method for mixed task arrangement engine without limit of development language
CN116450305B (en) * 2023-06-16 2023-09-12 北京长亭科技有限公司 SOAR platform assembly execution method and device based on distributed task scheduling

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106909610A (en) * 2017-01-10 2017-06-30 中电科华云信息技术有限公司 Visualization based on browser pulls the method and system of inquiry data
CN108614688A (en) * 2016-12-30 2018-10-02 上海华讯网络系统有限公司 Visualization application layout applied to mixing cloud environment and method
CN109739492A (en) * 2019-01-09 2019-05-10 武汉瓯越网视有限公司 A kind of method, terminal, equipment and medium generating scripted code
CN110120957A (en) * 2019-06-03 2019-08-13 浙江鹏信信息科技股份有限公司 A kind of twin method and system of safe disposal number based on intelligent scoring mechanism
CN110389899A (en) * 2019-06-21 2019-10-29 北京字节跳动网络技术有限公司 Detect square law device, medium and the equipment of the API data type of JS program
CN110471745A (en) * 2019-08-22 2019-11-19 浪潮云信息技术有限公司 A kind of service orchestration method and device
CN110895503A (en) * 2018-09-12 2020-03-20 传线网络科技(上海)有限公司 Application performance monitoring method and client
CN111131253A (en) * 2019-12-24 2020-05-08 北京优特捷信息技术有限公司 Scene-based security event global response method, device, equipment and storage medium
CN111212035A (en) * 2019-12-19 2020-05-29 杭州安恒信息技术股份有限公司 Host computer defect confirming and automatic repairing method and system based on same
CN111367629A (en) * 2020-03-30 2020-07-03 绿盟科技集团股份有限公司 Delayed task processing method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A brief analysis of SOAR technology applications in the banking industry; 邢家鸣; 王贵智; China Financial Computer (No. 07); 68-71 *
Ontology-based manufacturing knowledge modeling method and its application; 施昭; 曾鹏; 于海斌; Computer Integrated Manufacturing Systems (No. 11); 5-16 *

Also Published As

Publication number Publication date
CN111831275A (en) 2020-10-27

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant