CN112039871A - Method and device for determining called network protection equipment - Google Patents

Method and device for determining called network protection equipment

Info

Publication number: CN112039871A
Authority: CN (China)
Prior art keywords: network, protection, network protection, equipment, target
Legal status: Granted (active)
Application number: CN202010882622.7A
Other languages: Chinese (zh)
Other versions: CN112039871B (en)
Inventors: 郭兰杰, 赵粤征
Current Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd
Priority to CN202010882622.7A
Publication of CN112039871A; application granted; publication of CN112039871B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227: Filtering policies
    • H04L 63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic

Abstract

The disclosure relates to the field of network security, in particular to a method and a device for determining called network protection equipment, which solve the problems that a protection response action has strong relevance with equipment executing the protection response action, and a formulated protection response action strategy cannot be universal, and the method comprises the following steps: screening network protection equipment associated with an object to be protected, generating a candidate network protection equipment set and an explicit control network segment set, generating a controllable network segment set based on an implicit control network segment associated with each network protection equipment when the object to be protected is determined not to be included in a network segment range corresponding to the explicit control network segment set, and screening and determining target network protection equipment called to execute the protection response action when the controllable network segment set is determined to include the object to be protected. Therefore, the binding relation between the protection response action and the target network protection device is decoupled, and the protection response action determined aiming at the same network threat type is universal for different targets to be protected.

Description

Method and device for determining called network protection equipment
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and an apparatus for determining a called network protection device.
Background
Security Orchestration, Automation and Response (SOAR) offers a new approach to security operations: SOAR supports flexible orchestration of existing network security processes and access to a variety of data sources. Playbooks (rendered as "scenario" or "script" elsewhere in this translation) are written to build the orchestration, and network threats are handled by calling network protection devices; a playbook is a series of action instructions that contains the complete analysis and disposal flow required for security operations. How to bind the actions in the playbook orchestration flow to the specific network protection devices that execute them has become a technical problem that security operations urgently need to solve.
The solution proposed in the prior art is that, when creating a playbook, the user is required to bind each action to the corresponding network protection devices. For a given user, the actions in the playbook are therefore strongly coupled to that user's network protection devices that execute them, and a playbook written for the same network threat cannot be shared across different users.
Consequently, when an operator writes a playbook, the network protection devices differ from user to user, and an action in the playbook cannot be bound to the devices of every user at once: the playbook has to be edited again to meet each user's protection requirements, binding the action to the device that executes it, which greatly degrades the user experience. Whenever the playbook version is updated or a user's network protection devices change, the playbook has to be edited yet again, which easily leads to omissions and editing errors, so the network security protection function cannot be realized effectively.
In view of the above, a method for determining the called network protection device is needed to solve the above problems.
Disclosure of Invention
The embodiments of the invention provide a method and a device for determining the called network protection equipment, which solve the problems in the prior art that a protection response action is strongly coupled to the equipment executing it, and that a formulated protection response action strategy therefore cannot be used universally.
The embodiments of the invention provide the following specific technical scheme:
in a first aspect, a method for determining a called network protection device is provided, which is applied to a playbook execution scenario under a Security Orchestration, Automation and Response (SOAR) architecture, and includes:
receiving a protection request containing a target to be protected and a network threat type, determining the protection response action indicated by the playbook, screening out, from the network protection devices associated with the target to be protected, those network protection devices that support execution of the protection response action, and generating a candidate network protection device set;
acquiring the explicit control network segment associated with each network protection device in the pre-configured candidate network protection device set, and generating an explicit control network segment set including each explicit control network segment;
when it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, acquiring the implicit control network segments associated with each network protection device and generating a controllable network segment set, where the controllable network segment set comprises each explicit control network segment and each implicit control network segment, and the implicit control network segments are those network segments, other than the associated explicit control network segment, that are recorded in the operation log of the network protection device as having had protection response action processing executed on them;
and when it is determined that the target to be protected is included in the network segment range corresponding to the controllable network segment set, determining the network protection device corresponding to the screened controllable network segment that includes the target to be protected as the target network protection device called to execute the protection response action.
Optionally, screening out, from the network protection devices associated with the target to be protected, the network protection devices that support execution of the protection response action and generating a candidate network protection device set includes:
determining the equipment type of the network protection equipment associated with the protection response action and the deployment mode of the network protection equipment, and screening out the network protection equipment matched with the equipment type of the network protection equipment from the network protection equipment associated with the target to be protected to obtain an initial network protection equipment set containing the network protection equipment with the same equipment type;
screening out network protection equipment with the same deployment mode as the network protection equipment in the initial network protection equipment set, and generating an intermediate network protection equipment set containing the network protection equipment with the same deployment mode;
and acquiring the respectively associated explicit control network segments of each network protection device in the preset intermediate network protection device set, screening the explicit control network segments which have intersection with the target to be protected, and generating a candidate network protection device set comprising the network protection devices corresponding to the screened explicit control network segments.
Optionally, when receiving a registration request for a network protection device to be registered associated with a protection target, the method further includes:
when the interactive interface with the network protection equipment to be registered is determined not to be installed, acquiring and installing an equipment plug-in of the network protection equipment to be registered, wherein the equipment plug-in is packaged with the equipment type and the supported response action of the network protection equipment;
acquiring explicit management and control information configured for the to-be-registered network protection device, and completing registration of the to-be-registered network protection device based on the explicit management and control information and attribute information of the to-be-registered network protection device, wherein the attribute information comprises address information and a deployment mode of the to-be-registered network protection device.
Optionally, the obtaining of the implicit control network segment associated with each network protection device includes:
for each network protection device, the following operations are respectively executed:
acquiring an operation log of a network protection device, determining an operation record recorded in the operation log for executing a protection response action, and determining a processing network segment covered by the operation record;
and determining the explicit control network segment associated with the network protection device, and determining other network segments except the explicit control network segment in the processing network segment as implicit control network segments.
Optionally, when it is determined that the target to be protected is included in the network segment range corresponding to the explicit control network segment set, the method further includes:
screening the explicit control network segments containing the target to be protected in the explicit control network segment set, and using the network protection equipment corresponding to the screened explicit control network segments as the target network protection equipment called to execute the protection response action.
Optionally, when it is determined that the target to be protected is not included in the network segment range corresponding to the controllable network segment set, the method further includes:
and determining each network protection device in the candidate network protection device set as a target network protection device called to execute the protection response action.
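The screening and explicit/implicit selection steps of the first aspect above, including the derivation of implicit control segments from operation-log records, as an added worked example in Python; this is not code from the patent or from NSFOCUS. The device records, the action-to-device-type table and the operation-log line layout are constructed assumptions, and inclusion in a segment set is checked per device over the union of that device's segments with adjacent blocks merged, which goes slightly beyond the single-segment check the text describes.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Device:
    """One registered network protection device (constructed sample record)."""
    name: str
    dev_type: str        # device type carried by the plug-in, e.g. "NF", "WAF", "ADS"
    deploy_mode: str     # assumed values: "inline" or "bypass"
    actions: frozenset   # protection response actions the plug-in supports
    explicit_segments: list                             # configured explicit control segments
    operation_log: list = field(default_factory=list)   # constructed operation-log lines


# Assumed action -> (device type, deployment mode) table, in the spirit of FIG. 2.
ACTION_REQUIREMENTS = {
    "ip_block": ("NF", "inline"),
    "session_block": ("NF", "inline"),
    "traffic_diversion": ("ADS", "bypass"),
}

# Assumed operation-log line layout: "<time> action=<name> target=<cidr> src=<ip>"
LOG_RE = re.compile(r"\baction=(\w+)\s+target=(\S+)")


def to_net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def processing_segments(device, action):
    """Segments on which the operation log records the device executing `action`."""
    segs = set()
    for line in device.operation_log:
        m = LOG_RE.search(line)
        if m and m.group(1) == action:
            segs.add(to_net(m.group(2)))
    return segs


def implicit_segments(device, action):
    """Processing segments minus the device's configured explicit control segments."""
    explicit = {to_net(s) for s in device.explicit_segments}
    return processing_segments(device, action) - explicit


def range_includes(segments, target):
    """True if the union of `segments` contains `target` (adjacent blocks are merged)."""
    return any(target.subnet_of(s) for s in ipaddress.collapse_addresses(segments))


def candidate_set(devices, action, target):
    """Device-type match, then deployment-mode match, then an explicit segment intersecting target."""
    dev_type, mode = ACTION_REQUIREMENTS[action]
    initial = [d for d in devices if d.dev_type == dev_type and action in d.actions]
    intermediate = [d for d in initial if d.deploy_mode == mode]
    return [d for d in intermediate
            if any(target.overlaps(to_net(s)) for s in d.explicit_segments)]


def select_devices(devices, action, target_cidr):
    """Return (decision path, names of target devices) for a protection request."""
    target = to_net(target_cidr)
    candidates = candidate_set(devices, action, target)
    # First try the explicit control segment set.
    by_explicit = [d for d in candidates
                   if range_includes({to_net(s) for s in d.explicit_segments}, target)]
    if by_explicit:
        return "explicit", [d.name for d in by_explicit]
    # Otherwise widen to the controllable set: explicit plus implicit segments from the logs.
    by_controllable = [d for d in candidates
                       if range_includes({to_net(s) for s in d.explicit_segments}
                                         | implicit_segments(d, action), target)]
    if by_controllable:
        return "implicit", [d.name for d in by_controllable]
    # Neither set covers the target: every candidate device is called.
    return "fallback", [d.name for d in candidates]


# Constructed sample registry; addresses are private/documentation ranges.
SAMPLE_DEVICES = [
    Device("fw-a", "NF", "inline", frozenset({"ip_block", "session_block"}),
           ["192.168.1.0/24", "192.168.2.0/24"],
           ["2020-08-28T10:00:01 action=ip_block target=192.168.3.0/24 src=203.0.113.5",
            "2020-08-28T10:05:12 action=ip_block target=192.168.2.0/24 src=203.0.113.9",
            "2020-08-28T10:07:40 action=session_block target=10.0.0.0/8 src=203.0.113.5"]),
    Device("fw-b", "NF", "inline", frozenset({"ip_block"}), ["192.168.2.0/24"]),
    Device("fw-c", "NF", "bypass", frozenset({"ip_block"}), ["192.168.0.0/16"]),
    Device("waf-1", "WAF", "inline", frozenset({"ip_block"}), ["192.168.0.0/16"]),
]

if __name__ == "__main__":
    for target in ("192.168.2.3/32", "192.168.2.0/23", "192.168.0.0/22"):
        print(target, "->", select_devices(SAMPLE_DEVICES, "ip_block", target))
```

The three sample targets exercise the three outcomes in turn: a /32 covered by explicit segments, a /23 covered only once fw-a's logged 192.168.3.0/24 is added, and a /22 that no device covers, so all candidates are called.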
In a second aspect, an apparatus for determining a called network protection device is provided, which is applied to a playbook execution scenario under a Security Orchestration, Automation and Response (SOAR) architecture and includes:
a receiving unit, configured to receive a protection request containing a target to be protected and a network threat type, determine the protection response action indicated by the playbook, screen out, from the network protection devices associated with the target to be protected, the network protection devices that support execution of the protection response action, and generate a candidate network protection device set;
an acquisition unit, configured to acquire the explicit control network segment associated with each network protection device in the pre-configured candidate network protection device set, and generate an explicit control network segment set including each explicit control network segment;
a generating unit, configured to, when it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, acquire the implicit control network segments of each network protection device and generate a controllable network segment set, where the controllable network segment set includes each explicit control network segment and each implicit control network segment, and the implicit control network segments are those network segments, other than the associated explicit control network segment, that are recorded in the operation log of the network protection device as having had protection response action processing executed on them;
and a determining unit, configured to, when it is determined that the target to be protected is included in the network segment range corresponding to the controllable network segment set, determine the network protection device corresponding to the screened controllable network segment that includes the target to be protected as the target network protection device called to execute the protection response action.
Optionally, when screening out, from the network protection devices associated with the target to be protected, the network protection devices that support execution of the protection response action and generating a candidate network protection device set, the receiving unit is configured to:
determining the equipment type of the network protection equipment associated with the protection response action and the deployment mode of the network protection equipment, and screening out the network protection equipment matched with the equipment type of the network protection equipment from the network protection equipment associated with the target to be protected to obtain an initial network protection equipment set containing the network protection equipment with the same equipment type;
screening out network protection equipment with the same deployment mode as the network protection equipment in the initial network protection equipment set, and generating an intermediate network protection equipment set containing the network protection equipment with the same deployment mode;
and acquiring the respectively associated explicit control network segments of each network protection device in the preset intermediate network protection device set, screening the explicit control network segments which have intersection with the target to be protected, and generating a candidate network protection device set comprising the network protection devices corresponding to the screened explicit control network segments.
Optionally, when receiving a registration request for a network defense device to be registered associated with a defense target, the receiving unit is further configured to:
when the interactive interface with the network protection equipment to be registered is determined not to be installed, acquiring and installing an equipment plug-in of the network protection equipment to be registered, wherein the equipment plug-in is packaged with the equipment type and the supported response action of the network protection equipment;
acquiring explicit management and control information configured for the to-be-registered network protection device, and completing registration of the to-be-registered network protection device based on the explicit management and control information and attribute information of the to-be-registered network protection device, wherein the attribute information comprises address information and a deployment mode of the to-be-registered network protection device.
Optionally, when obtaining the implicit control network segments associated with the network protection devices, the generating unit is configured to:
for each network protection device, the following operations are respectively executed:
acquiring an operation log of a network protection device, determining an operation record recorded in the operation log for executing a protection response action, and determining a processing network segment covered by the operation record;
and determining the explicit control network segment associated with the network protection device, and determining other network segments except the explicit control network segment in the processing network segment as implicit control network segments.
Optionally, when it is determined that the target to be protected is included in the network segment range corresponding to the explicit control network segment set, the generating unit is further configured to:
screening the explicit control network segments containing the target to be protected in the explicit control network segment set, and using the network protection equipment corresponding to the screened explicit control network segments as the target network protection equipment called to execute the protection response action.
Optionally, when it is determined that the target to be protected is not included in the network segment range corresponding to the controllable network segment set, the determining unit is further configured to:
and determining each network protection device in the candidate network protection device set as a target network protection device called to execute the protection response action.
In a third aspect, an electronic device is provided, comprising:
a memory for storing executable instructions;
a processor configured to read and execute the executable instructions stored in the memory so as to implement the method of any embodiment of the first aspect.
In a fourth aspect, a storage medium is provided that stores instructions which, when executed by an electronic device, enable the electronic device to perform the method of any embodiment of the first aspect.
The invention has the following beneficial effects:
In the embodiment of the disclosure, a protection request including a target to be protected and a network threat type is received, the protection response action indicated by the playbook is determined, the network protection devices that support execution of the protection response action are screened out from the network protection devices associated with the target to be protected, and a candidate network protection device set is generated. Next, the explicit control network segment associated with each network protection device in the pre-configured candidate network protection device set is obtained and an explicit control network segment set including each explicit control network segment is generated. When it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, the implicit control network segment associated with each network protection device is obtained and a controllable network segment set is generated; the controllable network segment set includes each explicit control network segment and each implicit control network segment, and the implicit control network segments are those network segments, other than the associated explicit control network segment, that are recorded in the operation log of the network protection device as having had protection response action processing executed on them. When it is determined that the target to be protected is included in the network segment range corresponding to the controllable network segment set, the network protection device corresponding to the screened controllable network segment containing the target to be protected is determined as the target network protection device called to execute the protection response action.
Therefore, by means of the explicit control network segment and the implicit control network segment, the binding relationship between the protection response actions and the target network protection devices is decoupled, and the protection response actions determined aiming at the same network threat type can be universal to different targets to be protected, so that the updating of the protection response actions is not limited to specific network protection devices any more.
Drawings
FIG. 1 is a schematic flow chart of a method for determining a called network protection device according to an embodiment of the present disclosure;
FIG. 2 is a data table of protection response actions and corresponding device types in an embodiment of the present disclosure;
FIG. 3 is a data table of network protection devices and corresponding explicit control network segments in an embodiment of the present disclosure;
FIG. 4a is a schematic diagram of the implicit control network segment data of a network protection device in an embodiment of the present disclosure;
FIG. 4b is a data table of network protection devices and corresponding implicit control network segments in an embodiment of the present disclosure;
FIG. 5 is a data table of the information related to network protection devices that is maintained by the network protection platform in an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a virtual apparatus for determining a called network protection device in an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a physical apparatus for determining a called network protection device in an embodiment of the present disclosure.
Detailed Description
The method and device for determining the called network protection equipment provided here work as follows: after a protection request containing a target to be protected and a network threat type is received, the protection response action indicated by the playbook is determined, the network protection devices that support execution of that action are screened out from the network protection devices associated with the target to be protected to generate a candidate network protection device set, and the target network protection device that executes the protection response action is then determined on the basis of the explicit control network segment and the implicit control network segment of each network protection device in the candidate set.
In the embodiment of the disclosure, the network protection platform receives the protection request, runs the analysis and decision flow according to the established playbook, and determines the protection response action to be executed. The network protection platform is built on a Security Orchestration, Automation and Response (SOAR) architecture and maintains a data table of each registered network protection device and its associated information, which includes, but is not limited to, the device type of the network protection device, the protection response actions it supports, its device address, the explicit control network segment configured for it, its deployment mode, and its implicit control network segment determined from its operation log extracted in real time.
It should be noted that the embodiment of the present disclosure applies to playbook execution scenarios under a SOAR architecture: no correspondence is established in advance between the protection response action indicated by a playbook and the network protection device that executes it. After the network protection platform receives a protection request containing a target to be protected and a network threat type and determines the protection response action indicated by the playbook, the flow constraint of the playbook is temporarily lifted and the called network protection device is determined adaptively according to the determined protection response action.
In the embodiment of the disclosure, the network protection platform provides network protection assistance services for each user network organization. A user device with interaction authority in each user network organization reports and registers the network protection devices associated with it to the network protection platform; the association relationship specifically means that the network protection device is installed in the user network organization where the user device is located and protects that user network organization. The network protection platform then determines, from the information reported by the user device when registering the network protection device, the protection response actions the network protection device can execute and the corresponding protection targets, and when it determines that an internal network segment of the user network organization is under network threat, it screens out target network protection devices from the network protection devices associated with the user device to execute the corresponding protection response action.
In the embodiment of the present disclosure, the device types of the network protection device include, but are not limited to, an Anti-DDoS System (ADS) type, a Next Generation Firewall (NF) type, a Unified Threat Sensor (UTS) type, a Web Application Firewall (WAF) type, an Endpoint Detection and Response (EDR) type, and the like.
Preferred embodiments of the present disclosure are described in further detail below with reference to the accompanying drawings:
Referring to FIG. 1, the process by which the network protection platform determines the called network protection device is described below.
Step 101: the network protection platform receives a protection request containing the target to be protected and the network threat type, and determines the protection response action indicated by the playbook.
The protection request received by the network protection platform is reported by a network protection device that is able to detect whether a network threat or abnormal condition exists in the user network organization. When a network protection device with a detection function detects that an internal network segment of its associated user network organization is under network threat, the specific network segment under threat is taken as the target to be protected and the initiator of the network threat as the network threat source; the target to be protected comprises at least one Internet Protocol (IP) address.
Further, the network protection platform determines the protection response action indicated by the playbook. Specifically, the network protection platform resolves the protection response action for the network threat type according to the playbook's indication, where the playbook does not include the network protection device that executes the protection response action, and the flow that determines the called network protection device lies outside the flow defined by the playbook.
It should be noted that, in the embodiment of the present disclosure, after receiving the protection request, the network protection platform collates the obtained information on the basis of the determined target to be protected, the network threat type, the network threat source and the corresponding protection response action, so as to facilitate the subsequent selection of the target network protection device.
For example, assume the protection response action is IP blocking; the collated information then comprises: the target to be protected is a network segment (e.g., 192.168.2.3/32) and the network threat source is an IP address (e.g., 230.36.23.3). This indicates that further attack behaviour from 230.36.23.3 against 192.168.2.3 in the user network organization is to be blocked.
Assume again that the protection response action is domain name blocking; the collated information comprises: the target to be protected is a network segment (e.g., 192.168.2.3/32) and the network threat source is a domain name (e.g., www.xx.com). This indicates that responses from, or further attacks by, www.xx.com against 192.168.2.3 in the user network organization are to be blocked.
Assume again that the protection response action is session blocking; the collated information comprises: the target to be protected is an IP address (e.g., 192.168.2.3/32), the protected port is an integer (e.g., port 8081) and the network threat source is an IP address (e.g., 230.36.23.3). This indicates that requests from 230.36.23.3 to port 8081 of 192.168.2.3 in the user network organization are to be blocked.
Assume again that the protection response action is host isolation; the collated information comprises: the target to be protected is a network segment (e.g., 192.168.2.3/32) and the network threat source is an IP address (e.g., 192.168.1.3). This indicates that host 192.168.1.3 in the user network organization is to be prevented from spreading infection laterally to 192.168.2.3/32 in the user network organization.
For another example, assume the protection response action is traffic diversion; the collated information comprises: the target to be protected is a network segment (e.g., 192.168.2.3/32) and the network threat source is an IP address (e.g., 230.36.23.3). This indicates that traffic from 230.36.23.3 to 192.168.2.3 in the user network organization is to be intercepted and diverted to a black-hole route, so that attack traffic cannot reach 192.168.2.3 in the user network organization.
It should be noted that, in the embodiment of the present disclosure, before determining the network protection device that executes the protection response action, the range of network protection devices to be screened must first be determined, that is, the network protection devices that can provide network protection for the user network organization. Specifically, the network protection platform determines the network protection devices that can execute the protection response action according to the information associated with each network protection device when its registration was completed.
The following describes the registration process on the network protection platform, taking a newly added network protection device X to be registered as an example:
S1: The network protection platform acquires and installs the device plug-in corresponding to the network protection device X to be registered, based on the received device information of the network protection device X to be registered.
Specifically, after receiving the device information of the to-be-registered network protection device X, reported by a user device with an interaction function in the user network organization, the network protection platform first judges, based on the device information, whether an interaction interface capable of driving the to-be-registered network protection device X has previously been installed. The device information at least includes the vendor information of the to-be-registered network protection device X. When it determines that no interaction interface with the to-be-registered network protection device X is installed, the platform acquires and installs the device plug-in of the to-be-registered network protection device; the device plug-in is packaged with the device type and the supported protection response actions of the network protection device.
It should be noted that, for network protection devices of the same device type developed by different manufacturers, the corresponding device plug-ins may differ, so the device plug-in must be installed according to the device information of the network protection device actually being driven.
For example, referring to FIG. 2, the network protection platform maintains a data table as shown in FIG. 2 for the device plug-ins of the different network protection devices, identifying the device type of each network protection device and the protection response actions it supports.
S2: The network protection platform completes the registration of the network protection device X to be registered based on the received configuration information of the network protection device X to be registered.
After the network protection platform determines that the device plug-in of the network protection device X to be registered is installed, it further acquires the explicit management and control information configured by the user device for the network protection device X to be registered, and completes the registration of network protection device X based on the explicit management and control information, the address information of the network protection device X to be registered and its deployment mode. The explicit control network segment represents the network segment for which the network protection device X to be registered is configured to provide targeted protection operations.
For example, referring to FIG. 3, the network protection platform maintains the data table shown in FIG. 3 based on the explicit control network segment of each network protection device reported by a certain user network organization.
It should be noted that, when the network protection platform does not receive an explicit control network segment configured for the to-be-registered network protection device X, the explicit control network segment corresponding to the to-be-registered network protection device X defaults to ALL, indicating full-segment protection. After the network protection device X to be registered finishes registration, the network protection platform acquires the operation log of network protection device X in real time, and takes the network segments, other than the associated explicit control network segment, that the operation log records network protection device X as having processed with a protection response action, as implicit control network segments. The operation log records both operations in which the network protection device executes a protection response action sent by the network protection platform and operations invoked and executed in response to network threats in the user network organization.
For example, referring to FIG. 4a-4b: FIG. 4a is a flowchart illustrating that, by obtaining the operation logs of the network protection device with IP 192.167.1.2 and the network protection device with IP 192.166.1.2, the network protection platform determines that the network protection device was instructed to execute a protection response action, and when the corresponding protected network segment is a network segment other than the associated explicit control network segment, that network segment is used as an implicit control network segment, such as the source IP and the destination IP of the threat events occurring in the user network organization listed in FIG. 4a. FIG. 4b is the sorted result obtained after information extraction is performed on the content of FIG. 4a. Further, since the source IP and destination IP in the network protection device logs obtained by the network protection platform from the network protection device at different points in time may differ, the network protection platform updates the data table shown in FIG. 4b after obtaining a new destination IP or source IP.
Further, the network protection platform collates the obtained device types, device addresses and deployment modes of the network protection devices, together with the associated explicit control network segments and implicit control network segments, to obtain the table data shown in FIG. 5.
It should be noted that, for implicit control network segments, specifically, when a network protection device is manually invoked to process a network threat, the processing result is obtained from the handling result of the network threat after manual judgement. The network threat usually involves an intranet IP with the network threat and the attacked extranet IP or domain name, and these processing data can be reused in the automated handling of the network protection device, so as to refine the network protection devices for which no control network segment has been explicitly configured. In the embodiment of the disclosure, for a network protection device explicitly configured with an explicit control network segment, the implicit control network segment is invalid; an implicit control network segment is initially a single IP, and the network protection platform subsequently merges consecutive IPs into network segments to compress the data.
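As an added illustration of the log-driven derivation described above (this is not NSFOCUS code or code from the patent), the following Python derives implicit control network segments from a device operation log and merges runs of consecutive IPs into CIDR blocks. The log line format, the field names `src`/`dst`, the action names and all IPs are constructed assumptions.

```python
"""Derive implicit control network segments from a network protection
device's operation log (added example, not the patent's own code).

Assumptions (not from the patent): the log is line-oriented text with the
fields `time device action [src=IP] [dst=IP]`, and explicit control
segments are CIDR strings, with "ALL" meaning nothing was configured.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample log for two devices; every address is illustrative.
SAMPLE_LOG = """\
2020-08-28T10:00:01 192.167.1.2 ip_block src=230.36.23.3 dst=192.168.2.3
2020-08-28T10:00:05 192.167.1.2 ip_block src=230.36.23.3 dst=192.168.2.4
2020-08-28T10:00:09 192.167.1.2 ip_block src=230.36.23.9 dst=192.168.2.5
2020-08-28T10:01:00 192.166.1.2 host_isolate src=192.168.1.3 dst=192.168.2.3
2020-08-28T10:01:30 192.166.1.2 host_isolate src=192.168.1.3 dst=10.0.0.7
2020-08-28T10:02:00 192.167.1.2 heartbeat
"""

# Explicit control segments reported at registration; "ALL" is the default.
EXPLICIT_SEGMENTS = {
    "192.167.1.2": "ALL",
    "192.166.1.2": "192.168.2.0/24",
}

# Protection response actions named in the description (assumed spellings).
RESPONSE_ACTIONS = {"ip_block", "domain_block", "session_block",
                    "host_isolate", "traffic_divert"}


def parse_log(text: str) -> Dict[str, List[ipaddress.IPv4Address]]:
    """Return, per device, the source and destination IPs of every logged
    protection response action; records that are not actions are skipped."""
    hits: Dict[str, List[ipaddress.IPv4Address]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] not in RESPONSE_ACTIONS:
            continue
        device = parts[1]
        for token in parts[3:]:
            key, _, value = token.partition("=")
            if key not in ("src", "dst"):
                continue
            try:
                hits.setdefault(device, []).append(ipaddress.IPv4Address(value))
            except ValueError:
                pass  # a domain name source is not a network segment
    return hits


def merge_consecutive(ips: Iterable[ipaddress.IPv4Address]) -> List[ipaddress.IPv4Network]:
    """Compress runs of consecutive single IPs into the fewest CIDR blocks,
    mirroring the platform's merging of continuous IPs into segments."""
    ordered = sorted(set(ips))
    segments: List[ipaddress.IPv4Network] = []
    run_start = run_end = None
    for ip in ordered:
        if run_end is not None and int(ip) == int(run_end) + 1:
            run_end = ip          # extend the current run
            continue
        if run_start is not None:
            segments.extend(ipaddress.summarize_address_range(run_start, run_end))
        run_start = run_end = ip  # start a new run
    if run_start is not None:
        segments.extend(ipaddress.summarize_address_range(run_start, run_end))
    return segments


def derive_implicit_segments(log_text: str, explicit: Dict[str, str]) -> Dict[str, List[str]]:
    """Implicit control segments per device.  A device with an explicitly
    configured control segment gets none (the description treats implicit
    segments as invalid for such devices); a device left at ALL gets the
    merged set of IPs its log shows it handled."""
    result: Dict[str, List[str]] = {}
    for device, ips in parse_log(log_text).items():
        if explicit.get(device, "ALL") != "ALL":
            result[device] = []
            continue
        result[device] = [str(net) for net in merge_consecutive(ips)]
    return result
```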
Step 102: The network protection platform screens out, from the network protection devices associated with the target to be protected, the network protection devices that support execution of the protection response action, and generates a candidate network protection device set.
Specifically, after the network protection platform determines the target to be protected, the network threat type and the corresponding protection response action, it screens out, from the network protection devices associated with the target to be protected, those network protection devices that support execution of the protection response action, and generates a candidate network protection device set. The network protection devices associated with the target to be protected are specifically all the network protection devices reported and registered by the user device in the user network organization where the target to be protected is located.
The specific process of determining the candidate network protection device set is as follows:
A1: Screen the network protection devices associated with the target to be protected according to the device type of the network protection device associated with the protection response action, obtaining an initial network protection device set containing the network protection devices of that device type.
Specifically, the network protection platform determines the device type and the deployment mode of the network protection device associated with the protection response action, and screens out, from the network protection devices associated with the target to be protected, the network protection devices matching that device type, so as to obtain an initial network protection device set containing network protection devices of the same device type.
It should be noted that, since one protection response action may be implemented by network protection devices of multiple device types, in the embodiment of the present disclosure an initial network protection device set is established for each device type, where all network protection devices in one initial network protection device set have the same device type; the following description takes the case of a single initial network protection device set as an example.
A2: Screen the initial network protection device set according to the deployment mode of the network protection device associated with the protection response action, generating an intermediate network protection device set containing the network protection devices with the same deployment mode.
Specifically, the network protection platform screens out, from the initial network protection device set, the network protection devices whose deployment mode matches that of the network protection device associated with the protection response action, and generates from them an intermediate network protection device set containing the network protection devices with the same deployment mode.
In some embodiments of the present disclosure, the obtained intermediate network protection device set may be used directly as the candidate network protection device set, and the further operation of determining the invoked network protection device may then be performed.
A3: Screen out, in the intermediate network protection device set, the network protection devices whose explicit control network segments intersect with the target to be protected.
Optionally, after the network protection platform determines the intermediate network protection device set, it obtains the explicit control network segment associated with each network protection device in the intermediate network protection device set, screens out the explicit control network segments that intersect with the target to be protected, and generates a candidate network protection device set containing the network protection devices corresponding to the screened explicit control network segments.
It should be noted that an explicit control network segment determined in step A3 to intersect with the target to be protected is a specifically configured network segment; a network protection device whose explicit control network segment defaults to ALL does not participate in determining whether its associated explicit control network segment intersects with the target to be protected.
Step 103: The network protection platform acquires the pre-recorded explicit control network segment associated with each network protection device in the candidate network protection device set, and generates an explicit control network segment set comprising these explicit control network segments.
Specifically, after the network protection platform determines the candidate network protection device set, it further determines, according to the pre-established explicit control network segment data table of the network protection devices shown in FIG. 3, the explicit control network segment associated with each network protection device in the candidate network protection device set, and generates the explicit control network segment set corresponding to the candidate network protection device set.
Step 104: Judge whether the target to be protected is included in the network segment range corresponding to the explicit control network segment set; if so, execute step 105, otherwise execute step 106.
Step 105: The network protection platform screens out the explicit control network segment containing the target to be protected from the explicit control network segment set, and takes the network protection device corresponding to the screened explicit control network segment as the target network protection device called to execute the protection response action.
Specifically, when the network protection platform determines that the target to be protected is contained in the network segment range corresponding to the explicit control network segment set, it screens out the explicit control network segment containing the target to be protected from the explicit control network segment set, and uses the network protection device corresponding to the screened explicit control network segment as the target network protection device called to execute the protection response action.
Step 106: The network protection platform acquires the implicit control network segments associated with each network protection device, and generates a controllable network segment set, wherein the controllable network segment set comprises all the explicit control network segments and all the implicit control network segments.
Specifically, when the network protection platform determines that the network segment range corresponding to the current explicit control network segment set does not contain the target to be protected, then, in order to expand the search range, it obtains the implicit control network segments of all network protection devices in the candidate network protection device set and generates a controllable network segment set based on them. The controllable network segment set comprises all the explicit control network segments and all the implicit control network segments, where the implicit control network segments comprise the network segments, other than the associated explicit control network segment, that are recorded in the operation logs of the network protection devices as having been processed with a protection response action.
It should be noted that the implicit control network segments are determined by obtaining the operation log of each network protection device. The log records the various network protection operations executed by the network protection device, including network protection operations executed under automatic instructions and network protection operations executed according to manual instructions. The obtaining of the implicit control network segments is specifically described in step 101 and is not repeated here.
Step 107: Judge whether the target to be protected is included in the network segment range corresponding to the controllable network segment set; if so, execute step 108, otherwise execute step 109.
Step 108: The network protection platform screens out the controllable network segment containing the target to be protected, and determines the network protection device corresponding to that controllable network segment as the target network protection device called to execute the protection response action.
Specifically, when the network protection platform determines that the target to be protected is included in the network segment range corresponding to the controllable network segment set, it screens out the controllable network segment covering the target to be protected, and uses the network protection device corresponding to that controllable network segment as the target network protection device called to execute the protection response action.
Step 109: The network protection platform determines each network protection device in the candidate network protection device set as a target network protection device called to execute the protection response action.
Optionally, when the network protection platform determines that the network segment range corresponding to the current controllable network segment set does not contain the target to be protected, the widest range of network protection devices obtained by the screening, that is, every network protection device in the candidate network protection device set, is used as the target network protection devices called to execute the protection response action.
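The selection procedure of steps 102 to 109, written out as an added Python example (not code from the patent or from NSFOCUS). The device records, the deployment mode names, the action-to-device-type catalogue standing in for the FIG. 2 plug-in table, and the rule that a default of ALL never counts as a configured explicit control network segment are all assumptions.

```python
"""Pick the network protection device(s) to invoke for a protection
response action, following steps 102..109 of the described method.
Added example; the device table and action catalogue are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProtectionDevice:
    address: str
    device_type: str
    deployment: str               # assumed values: "inline" or "bypass"
    explicit_segment: str         # CIDR, or "ALL" (the registration default)
    implicit_segments: List[str] = field(default_factory=list)


# Constructed registration table for one user network organization
# (stands in for the FIG. 5 table; every address is illustrative).
DEVICES = [
    ProtectionDevice("192.167.1.2", "firewall", "inline", "ALL",
                     ["172.16.5.3/32", "172.16.5.4/31"]),
    ProtectionDevice("192.166.1.2", "firewall", "inline", "192.168.2.0/24"),
    ProtectionDevice("192.165.1.2", "firewall", "bypass", "10.0.0.0/8"),
    ProtectionDevice("192.164.1.2", "ids", "bypass", "ALL"),
]

# Device type and deployment mode required by each response action
# (assumed catalogue standing in for the FIG. 2 device plug-in table).
ACTION_REQUIREMENTS: Dict[str, Tuple[str, str]] = {
    "ip_block": ("firewall", "inline"),
    "session_block": ("firewall", "inline"),
    "traffic_divert": ("router", "bypass"),
}


def _configured(segment: str) -> bool:
    """ALL is the default and is never treated as a configured segment."""
    return segment != "ALL"


def _contains(segment: str, target: str) -> bool:
    """True when the target (host or CIDR) lies inside the segment."""
    return ipaddress.ip_network(target, strict=False).subnet_of(
        ipaddress.ip_network(segment, strict=False))


def candidate_devices(devices: List[ProtectionDevice], action: str) -> List[ProtectionDevice]:
    """Step 102, A1 then A2: same device type, then same deployment mode."""
    dev_type, deployment = ACTION_REQUIREMENTS[action]
    initial = [d for d in devices if d.device_type == dev_type]
    return [d for d in initial if d.deployment == deployment]


def select_devices(devices: List[ProtectionDevice], action: str,
                   target: str) -> Tuple[List[str], str]:
    """Steps 103..109.  Returns the device addresses to invoke and the stage
    that decided: 'explicit', 'controllable' or 'all_candidates'."""
    candidates = candidate_devices(devices, action)
    # Steps 103-105: only configured explicit control segments are consulted.
    hits = [d for d in candidates
            if _configured(d.explicit_segment) and _contains(d.explicit_segment, target)]
    if hits:
        return [d.address for d in hits], "explicit"
    # Steps 106-108: widen to the controllable set (explicit + implicit).
    hits = []
    for d in candidates:
        controllable = d.implicit_segments + (
            [d.explicit_segment] if _configured(d.explicit_segment) else [])
        if any(_contains(seg, target) for seg in controllable):
            hits.append(d)
    if hits:
        return [d.address for d in hits], "controllable"
    # Step 109: no segment covers the target, fall back to every candidate.
    return [d.address for d in candidates], "all_candidates"


if __name__ == "__main__":
    for tgt in ("192.168.2.3/32", "172.16.5.5/32", "10.1.2.3"):
        print(tgt, select_devices(DEVICES, "ip_block", tgt))
```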
Therefore, the target network protection device called to execute the protection response action is determined by the network protection platform through adaptive configuration while the script containing the edited action is executed, rather than being bound at the editing stage of the script. As a result, the processing flow corresponding to the same network threat is universal across different user network organizations; when a network threat outbreak occurs, the formulated network protection script can be rapidly put into use, improving the availability and timeliness of the network protection script, and the addition or removal of network protection devices in a user network organization can be responded to in time without manual configuration by the user.
Based on the same inventive concept, referring to fig. 6, an embodiment of the present disclosure provides an apparatus for determining a called network defense device, including: a receiving unit 601, an obtaining unit 602, a generating unit 603, and a determining unit 604, wherein,
a receiving unit 601, configured to receive a protection request including a target to be protected and a network threat type, determine a protection response action indicated by a scenario, screen out, from network protection devices associated with the target to be protected, a part of network protection devices that support execution of the protection response action, and generate a candidate network protection device set;
an obtaining unit 602, configured to obtain the pre-configured explicit control network segment associated with each network protection device in the candidate network protection device set, and generate an explicit control network segment set including each explicit control network segment;
a generating unit 603, configured to, when it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, obtain the implicit control network segments associated with the respective network protection devices and generate a controllable network segment set, where the controllable network segment set includes the explicit control network segments and the implicit control network segments, and the implicit control network segments include the network segments, other than the associated explicit control network segment, recorded in the operation log of the network protection device as having been processed with a protection response action;
a determining unit 604, configured to, when it is determined that the target to be protected is included in the network segment range corresponding to the controllable network segment set, determine the network protection device corresponding to the screened controllable network segment containing the target to be protected as the target network protection device invoked to execute the protection response action.
Optionally, when the partial network defense devices that support execution of the defense response action are screened from the network defense devices associated with the target to be protected, and a candidate network defense device set is generated, the receiving unit 601 is configured to:
determining the equipment type of the network protection equipment associated with the protection response action and the deployment mode of the network protection equipment, and screening out the network protection equipment matched with the equipment type of the network protection equipment from the network protection equipment associated with the target to be protected to obtain an initial network protection equipment set containing the network protection equipment with the same equipment type;
screening out network protection equipment with the same deployment mode as the network protection equipment in the initial network protection equipment set, and generating an intermediate network protection equipment set containing the network protection equipment with the same deployment mode;
and acquiring the respectively associated explicit control network segments of each network protection device in the preset intermediate network protection device set, screening the explicit control network segments which have intersection with the target to be protected, and generating a candidate network protection device set comprising the network protection devices corresponding to the screened explicit control network segments.
Optionally, when receiving a registration request for a network defense device to be registered associated with a defense target, the receiving unit 601 is further configured to:
when the interactive interface with the network protection equipment to be registered is determined not to be installed, acquiring and installing an equipment plug-in of the network protection equipment to be registered, wherein the equipment plug-in is packaged with the equipment type and the supported response action of the network protection equipment;
acquiring explicit management and control information configured for the to-be-registered network protection device, and completing registration of the to-be-registered network protection device based on the explicit management and control information and attribute information of the to-be-registered network protection device, wherein the attribute information comprises address information and a deployment mode of the to-be-registered network protection device.
Optionally, when obtaining the implicit control network segments associated with the network protection devices, the generating unit 603 is configured to:
for each network protection device, the following operations are respectively executed:
acquiring an operation log of a network protection device, determining an operation record recorded in the operation log for executing a protection response action, and determining a processing network segment covered by the operation record;
and determining the explicit control network segment associated with the network protection device, and determining other network segments except the explicit control network segment in the processing network segment as implicit control network segments.
Optionally, when it is determined that the target to be guarded is included in the segment range corresponding to the explicit control segment set, the generating unit 603 is further configured to:
screening the explicit control network segments containing the target to be protected in the explicit control network segment set, and using the network protection equipment corresponding to the screened explicit control network segments as the target network protection equipment called to execute the protection response action.
Optionally, when it is determined that the target to be protected is not included in the network segment range corresponding to the controllable network segment set, the determining unit 604 is further configured to:
and determining each network protection device in the candidate network protection device set as a target network protection device called to execute the protection response action.
Based on the same inventive concept, referring to fig. 7, an electronic device according to an embodiment of the present disclosure includes a memory 701 and a processor 702, where the processor is configured to read computer instructions stored in the memory and perform the above operations.
Based on the same inventive concept, in the embodiments of the present disclosure, a computer-readable storage medium is provided, where instructions of the storage medium, when executed by an electronic device, enable the electronic device to perform the method for determining a called network defense device.
In the embodiment of the disclosure, a protection request including a target to be protected and a network threat type is received, the protection response action indicated by a script is determined, the network protection devices supporting execution of the protection response action are screened out from the network protection devices associated with the target to be protected, and a candidate network protection device set is generated. Then, the pre-configured explicit control network segment associated with each network protection device in the candidate network protection device set is obtained, and an explicit control network segment set including each explicit control network segment is generated. When it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, the implicit control network segment associated with each network protection device is obtained and a controllable network segment set is generated; the controllable network segment set includes each explicit control network segment and each implicit control network segment, and the implicit control network segments comprise the network segments, other than the associated explicit control network segment, recorded in the operation log of the network protection device as having been processed with a protection response action. When the target to be protected is determined to be contained in the network segment range corresponding to the controllable network segment set, the network protection device corresponding to the screened controllable network segment containing the target to be protected is determined as the target network protection device called to execute the protection response action.
Therefore, by means of the explicit control network segment and the implicit control network segment, the binding relationship between the protection response actions and the target network protection devices is decoupled, and the protection response actions determined aiming at the same network threat type can be universal to different targets to be protected, so that the updating of the protection response actions is not limited to specific network protection devices any more.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (10)

1. A method for determining a called network protection device, applied to script running scenarios under a Security Orchestration, Automation and Response (SOAR) architecture, comprising the following steps:
receiving a protection request containing a target to be protected and a network threat type, determining a protection response action indicated by a script, screening partial network protection equipment supporting execution of the protection response action from the network protection equipment associated with the target to be protected, and generating a candidate network protection equipment set;
acquiring an explicit control network segment associated with each network protection device in the pre-configured candidate network protection device set, and generating an explicit control network segment set including each explicit control network segment;
when the target to be protected is determined not to be included in the network segment range corresponding to the explicit control network segment set, acquiring implicit control network segments associated with the network protection devices respectively, and generating a controllable network segment set, wherein the controllable network segment set comprises the explicit control network segments and the implicit control network segments, and the implicit control network segments comprise other network segments except the associated explicit control network segments, recorded in running logs of the network protection devices, and used for executing protection response action processing;
and when the protection target is determined to be included in the network segment range corresponding to the controllable network segment set, determining the screened controllable network segment including the target to be protected as the target network protection device called to execute the protection response action.
2. The method of claim 1, wherein screening out, from the network protection equipment associated with the target to be protected, the network protection equipment that supports executing the protection response action and generating the candidate network protection equipment set comprises:
determining the device type and the deployment mode of the network protection equipment associated with the protection response action, and screening out, from the network protection equipment associated with the target to be protected, the network protection equipment matching that device type, to obtain an initial network protection equipment set containing network protection equipment of the same device type;
screening out, from the initial network protection equipment set, the network protection equipment having the same deployment mode, and generating an intermediate network protection equipment set containing network protection equipment of the same deployment mode;
and acquiring the pre-configured explicit control network segment associated with each network protection device in the intermediate network protection equipment set, screening out the explicit control network segments that intersect the target to be protected, and generating a candidate network protection equipment set comprising the network protection devices corresponding to the screened explicit control network segments.
3. The method of claim 1, further comprising, upon receiving a registration request for a network protection device to be registered that is associated with a protection target:
when it is determined that an interaction interface to the network protection device to be registered is not installed, acquiring and installing the device plug-in of the network protection device to be registered, wherein the device plug-in encapsulates the device type and the supported response actions of the network protection device;
and acquiring the explicit control information configured for the network protection device to be registered, and completing registration of the network protection device to be registered based on the explicit control information and the attribute information of the network protection device to be registered, wherein the attribute information comprises the address information and the deployment mode of the network protection device to be registered.
4. The method according to any one of claims 1 to 3, wherein acquiring the implicit control network segment associated with each network protection device comprises:
for each network protection device, performing the following operations:
acquiring the running log of the network protection device, determining the operation records in the running log that record execution of the protection response action, and determining the processed network segments covered by those operation records;
and determining the explicit control network segment associated with the network protection device, and determining the processed network segments other than the explicit control network segment as implicit control network segments.
5. The method of claim 1, further comprising, when it is determined that the target to be protected is included in the network segment range corresponding to the explicit control network segment set:
screening out the explicit control network segments in the explicit control network segment set that contain the target to be protected, and using the network protection equipment corresponding to the screened explicit control network segments as the target network protection equipment called to execute the protection response action.
6. The method of claim 1, further comprising, when it is determined that the target to be protected is not included in the network segment range corresponding to the controllable network segment set:
determining each network protection device in the candidate network protection equipment set as a target network protection device called to execute the protection response action.
7. An apparatus for determining called network protection equipment, applied to playbook execution scenarios under a Security Orchestration and Automated Response (SOAR) architecture, comprising:
a receiving unit, configured to receive a protection request containing a target to be protected and a network threat type, determine the protection response action indicated by the playbook, screen out, from the network protection equipment associated with the target to be protected, the network protection equipment that supports executing the protection response action, and generate a candidate network protection equipment set;
an acquisition unit, configured to acquire the pre-configured explicit control network segment associated with each network protection device in the candidate network protection equipment set and generate an explicit control network segment set including each explicit control network segment;
a generating unit, configured to, when it is determined that the target to be protected is not included in the network segment range corresponding to the explicit control network segment set, acquire the implicit control network segment of each network protection device and generate a controllable network segment set, wherein the controllable network segment set comprises each explicit control network segment and each implicit control network segment, and an implicit control network segment comprises the network segments, other than the associated explicit control network segment, that the running log of the network protection device records as having been processed when executing the protection response action;
and a determining unit, configured to, when it is determined that the target to be protected is included in the network segment range corresponding to the controllable network segment set, determine the network protection device corresponding to the screened controllable network segment that contains the target to be protected as the target network protection device called to execute the protection response action.
8. The apparatus of claim 7, wherein the receiving unit, when screening out, from the network protection equipment associated with the target to be protected, the network protection equipment that supports executing the protection response action to generate the candidate network protection equipment set, is configured to:
determine the device type and the deployment mode of the network protection equipment associated with the protection response action, and screen out, from the network protection equipment associated with the target to be protected, the network protection equipment matching that device type, to obtain an initial network protection equipment set containing network protection equipment of the same device type;
screen out, from the initial network protection equipment set, the network protection equipment having the same deployment mode, and generate an intermediate network protection equipment set containing network protection equipment of the same deployment mode;
and acquire the pre-configured explicit control network segment associated with each network protection device in the intermediate network protection equipment set, screen out the explicit control network segments that intersect the target to be protected, and generate a candidate network protection equipment set comprising the network protection devices corresponding to the screened explicit control network segments.
9. A computer-readable electronic device, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 1 to 6.
10. A storage medium, wherein instructions in the storage medium, when executed by an electronic device, enable the electronic device to perform the method of any of claims 1-6.
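As an added worked example (not code from the patent or from the applicant), the following Python implements the selection procedure of claims 1, 2, 4, 5 and 6 over constructed data: the `PLAYBOOK` table mapping a threat type to a response action, device type and deployment mode, the device records, and the run-log line format `<timestamp> action=<name> segment=<cidr>` are all assumptions, as is reading "included in the network segment range corresponding to the set" as coverage by the merged union of a device's segments, which lets a target that straddles an explicit segment and a logged (implicit) segment be matched.

```python
# Added example of the claimed device-selection procedure; the playbook table,
# device records and log format are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class ProtectionDevice:
    """A registered network protection device (attributes as in claim 3)."""
    name: str
    device_type: str                      # e.g. "firewall", "waf"
    deployment_mode: str                  # e.g. "inline", "bypass"
    supported_actions: Set[str]           # actions exposed by the device plug-in
    explicit_segments: List[IPv4Network]  # configured (explicit) control segments
    run_log: List[str] = field(default_factory=list)


# Constructed playbook: threat type -> (response action, device type, deployment mode)
PLAYBOOK: Dict[str, Tuple[str, str, str]] = {
    "brute_force": ("block_ip", "firewall", "inline"),
    "sql_injection": ("block_ip", "waf", "inline"),
}


def logged_segments(run_log: List[str], action: str) -> Set[IPv4Network]:
    """Claim 4: segments the run log shows the device processed for `action`.
    Constructed log format: '<timestamp> action=<name> segment=<cidr>'."""
    found: Set[IPv4Network] = set()
    for line in run_log:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("action") == action and "segment" in fields:
            found.add(ip_network(fields["segment"], strict=False))
    return found


def implicit_segments(dev: ProtectionDevice, action: str) -> Set[IPv4Network]:
    """Claim 4: logged segments that are not already explicit control segments."""
    return logged_segments(dev.run_log, action) - set(dev.explicit_segments)


def covered(target: IPv4Network, segments) -> bool:
    """True when the merged range of `segments` contains the whole target
    (assumed reading of 'included in the network segment range')."""
    return any(target.subnet_of(s) for s in collapse_addresses(segments))


def candidate_set(target, action, dev_type, mode, associated):
    """Claims 1-2: devices able to run the action, of the playbook's device type
    and deployment mode, whose explicit segments intersect the target."""
    return [d for d in associated
            if action in d.supported_actions
            and d.device_type == dev_type
            and d.deployment_mode == mode
            and any(target.overlaps(s) for s in d.explicit_segments)]


def select_devices(target_cidr: str, threat_type: str, associated):
    """Return (action, stage, [device names]) for one protection request."""
    target = ip_network(target_cidr, strict=False)   # a host is a /32
    action, dev_type, mode = PLAYBOOK[threat_type]
    candidates = candidate_set(target, action, dev_type, mode, associated)
    # Claim 5: an explicit control segment already contains the target.
    hits = [d for d in candidates if covered(target, d.explicit_segments)]
    if hits:
        return action, "explicit", [d.name for d in hits]
    # Claim 1: widen to the controllable set (explicit + implicit from logs).
    hits = [d for d in candidates
            if covered(target, set(d.explicit_segments) | implicit_segments(d, action))]
    if hits:
        return action, "implicit", [d.name for d in hits]
    # Claim 6: nothing contains the target, so every candidate is called.
    return action, "all_candidates", [d.name for d in candidates]


# Constructed device registry associated with the protected asset.
DEVICES = [
    ProtectionDevice("fw-core", "firewall", "inline", {"block_ip", "rate_limit"},
                     [ip_network("10.0.1.0/24")],
                     ["2020-08-28T09:15:02 action=block_ip segment=10.0.0.0/24",
                      "2020-08-28T09:20:11 action=rate_limit segment=10.0.5.0/24",
                      "2020-08-28T09:31:40 action=block_ip segment=10.0.1.0/24"]),
    ProtectionDevice("fw-branch", "firewall", "inline", {"block_ip"},
                     [ip_network("10.0.3.0/24")]),
    ProtectionDevice("fw-bypass", "firewall", "bypass", {"block_ip"},
                     [ip_network("10.0.0.0/16")]),
    ProtectionDevice("waf-1", "waf", "inline", {"block_ip"},
                     [ip_network("10.0.0.0/16")]),
]

if __name__ == "__main__":
    for target, threat in [("10.0.1.25", "brute_force"),
                           ("10.0.0.0/23", "brute_force"),
                           ("10.0.0.0/22", "brute_force")]:
        print(target, threat, "->", select_devices(target, threat, DEVICES))
```

Running the three requests shows the three outcomes the claims distinguish: a single host inside fw-core's explicit segment is matched at the explicit stage; the /23 that straddles fw-core's explicit segment and a segment its log shows it blocked before is matched only after the implicit segments are merged in; and the /22 that no controllable segment covers falls back to calling every candidate (fw-core and fw-branch), while fw-bypass and waf-1 never become candidates because their deployment mode or device type does not match the playbook entry.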

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010882622.7A CN112039871B (en) 2020-08-28 2020-08-28 Method and device for determining called network protection equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010882622.7A CN112039871B (en) 2020-08-28 2020-08-28 Method and device for determining called network protection equipment

Publications (2)

Publication Number Publication Date
CN112039871A true CN112039871A (en) 2020-12-04
CN112039871B CN112039871B (en) 2022-04-19

Family

ID=73586755

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010882622.7A Active CN112039871B (en) 2020-08-28 2020-08-28 Method and device for determining called network protection equipment

Country Status (1)

Country Link
CN (1) CN112039871B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030056652A (en) * 2001-12-28 2003-07-04 한국전자통신연구원 Blacklist management apparatus in a policy-based network security management system and its proceeding method
US20150365438A1 (en) * 2014-06-11 2015-12-17 Accenture Global Services Limited Method and System for Automated Incident Response
US20160014081A1 (en) * 2014-07-14 2016-01-14 Cautela Labs, Inc. System, apparatus, and method for protecting a network using internet protocol reputation information
CN106465100A (en) * 2014-06-30 2017-02-22 迈克菲股份有限公司 Premises-aware security and policy orchestration
CN106605397A (en) * 2014-10-26 2017-04-26 迈克菲股份有限公司 Security orchestration framework
WO2018136941A1 (en) * 2017-01-23 2018-07-26 ShieldX Networks, Inc. Generating efficient computer security threat signature libraries
WO2018236688A1 (en) * 2017-06-22 2018-12-27 Mark Cummings Security orchestration and network immune system deployment framework
CN111131335A (en) * 2020-03-30 2020-05-08 腾讯科技(深圳)有限公司 Network security protection method and device based on artificial intelligence and electronic equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030056652A (en) * 2001-12-28 2003-07-04 한국전자통신연구원 Blacklist management apparatus in a policy-based network security management system and its proceeding method
US20150365438A1 (en) * 2014-06-11 2015-12-17 Accenture Global Services Limited Method and System for Automated Incident Response
US20180097847A1 (en) * 2014-06-11 2018-04-05 Accenture Global Services Limited Method and system for automated incident response
CN106465100A (en) * 2014-06-30 2017-02-22 迈克菲股份有限公司 Premises-aware security and policy orchestration
US20160014081A1 (en) * 2014-07-14 2016-01-14 Cautela Labs, Inc. System, apparatus, and method for protecting a network using internet protocol reputation information
CN106605397A (en) * 2014-10-26 2017-04-26 迈克菲股份有限公司 Security orchestration framework
WO2018136941A1 (en) * 2017-01-23 2018-07-26 ShieldX Networks, Inc. Generating efficient computer security threat signature libraries
WO2018236688A1 (en) * 2017-06-22 2018-12-27 Mark Cummings Security orchestration and network immune system deployment framework
CN111131335A (en) * 2020-03-30 2020-05-08 腾讯科技(深圳)有限公司 Network security protection method and device based on artificial intelligence and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邢家鸣 et al.: "A brief analysis of the application of SOAR technology in the banking industry", 《中国金融电脑》 (China Financial Computer) *

Also Published As

Publication number Publication date
CN112039871B (en) 2022-04-19

Similar Documents

Publication Publication Date Title
US20230281311A1 (en) Method of malware detection and system thereof
CN109033828B (en) Trojan horse detection method based on computer memory analysis technology
CN105593870B (en) Complexity scoring for malware detection
CN106991324B (en) Malicious code tracking and identifying method based on memory protection type monitoring
US20080178290A1 (en) Method of secure data processing on a computer system
US7730530B2 (en) System and method for gathering exhibited behaviors on a .NET executable module in a secure manner
EP3958088A1 (en) Methods and apparatus for dealing with malware
CN107851155A (en) For the system and method across multiple software entitys tracking malicious act
CN110826067B (en) Virus detection method and device, electronic equipment and storage medium
WO2009142668A1 (en) Detection and prevention of malicious code execution using risk scoring
CN105760787B (en) System and method for the malicious code in detection of random access memory
CN111541686B (en) Method and device for calling scanner
CN107330328A (en) Defend method, device and the server of virus attack
CN109995727A (en) Penetration attack behavior active protection method, device, equipment and medium
CN106775981B (en) Process processing method and device and computer readable medium
CN109783316B (en) Method and device for identifying tampering behavior of system security log, storage medium and computer equipment
CN107818028A (en) A kind of computer data backup and restoring method
CN106778246A (en) The detection method and detection means of sandbox virtualization
CN104252594A (en) Virus detection method and device
CN114417335A (en) Malicious file detection method and device, electronic equipment and storage medium
CN112039871B (en) Method and device for determining called network protection equipment
US7337327B1 (en) Using mobility tokens to observe malicious mobile code
CN109981573B (en) Security event response method and device
CN115086081B (en) Escape prevention method and system for honeypots
CN111428240A (en) Method and device for detecting illegal access of memory of software

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant