CN113792292A - Response method and device of security script, storage medium and processor - Google Patents


Info

Publication number: CN113792292A
Authority: CN (China)
Prior art keywords: security, target, determining, script, target task
Legal status: Pending
Application number: CN202111076876.0A
Other languages: Chinese (zh)
Inventors: 罗高庭, 苏建学, 王邦欣
Current assignee: Hillstone Networks Co Ltd
Original assignee: Hillstone Networks Co Ltd
Application filed by Hillstone Networks Co Ltd
Priority to CN202111076876.0A
Publication of CN113792292A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application discloses a response method and device for a security script (a playbook), a storage medium, and a processor. The method comprises the following steps: registering a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface through which the security system provides a response service when a security threat event occurs; determining a target task of the security script according to the mapping information; determining a trigger rule matched with the target task, where the trigger rule is a rule under which the target task is triggered when a security threat event occurs; and triggering the script execution engine to execute the target task according to the trigger rule. The method and device solve the problem in the related art that scripted responses to security threat events are inefficient.

Description

Response method and device of security script, storage medium and processor
Technical Field
The application relates to the technical field of network security processing, and in particular to a response method and device for a security script, a storage medium, and a processor.
Background
Conventional approaches to handling a security threat event include manual handling by security operations and maintenance personnel, or simply invoking an interface provided by a third-party security system to handle the event. A core problem for a security orchestration and automated response (SOAR) system remains how to integrate existing security capabilities so that they respond to security threats automatically. The security script provides such an integrated approach: it orchestrates the existing security capabilities, i.e., it defines a workflow together with the rules that trigger an automatic response. When a security threat event occurs that satisfies the trigger rules of a security script, the workflow defined in the script is executed automatically and the security capabilities orchestrated by the script are invoked to complete the response to the event.
In the prior art, the workflow of a script is expressed as program code, and the first problem with this is that the script is complex to construct. Because the user faces the underlying program code directly when creating the script, and unless the system provides an effective syntax-checking tool, filling in the script by hand is error-prone and greatly increases the difficulty for the user.
No effective solution has yet been proposed for the problem in the related art of inefficient script responses to security threat events.
Disclosure of Invention
The present application provides a method, an apparatus, a storage medium, and a processor for responding with a security script, so as to solve the problem in the related art of inefficient script responses to security threat events.
In order to achieve the above object, according to one aspect of the present application, there is provided a response method of a security script. The method comprises the following steps: registering a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface through which the security system provides a response service when a security threat event occurs; determining a target task of the security script according to the mapping information; determining a trigger rule matched with the target task, where the trigger rule is a rule under which the target task is triggered when a security threat event occurs; and triggering the script execution engine to execute the target task according to the trigger rule.
Further, registering the security interface in the security system includes: acquiring system attributes of the security system, where the system attributes are used to configure the security interface; instantiating the system attributes to obtain a target object, where the target object is the description of the system attributes; and completing the registration of the security interface through the target object.
Further, instantiating the system attributes to obtain the target object includes: mapping the system attributes to obtain attribute values of the system instance; and determining the target object from the attributes of the instance and the attribute values of the instance.
Further, determining the target task of the security script according to the mapping information includes: determining the mapping relation of a target node in the directed acyclic graph from the mapping information of the security interface; determining, based on the mapping relation, the target nodes in the directed acyclic graph that correspond to the security interfaces, where the edges between target nodes are the directed edges of the directed acyclic graph; and determining the target task of the security script from the target nodes.
Further, after determining the target task of the security script according to the mapping information, the method further includes: arranging the target nodes in the security script; determining the directed edges of the directed acyclic graph from the arranged target nodes; and determining the execution sequence of the subtasks in the target task from the directed edges.
Further, triggering the script execution engine to execute the target task according to the trigger rule includes: calculating the in-degree of the target node to obtain its in-degree value; determining, from the in-degree value of the target node, a first subtask to be executed by the script execution engine, where the first subtask is a subtask of the target task; and, after the script execution engine has executed the first subtask, executing the remaining subtasks of the target task in the execution sequence of the subtasks.
Further, before triggering the script execution engine to execute the target task according to the trigger rule, the method further includes: converting the format of the script into a directed acyclic graph format; and performing static verification on the security script in directed acyclic graph format.
Further, after triggering the script execution engine to execute the target task according to the trigger rule, the method further includes: deleting the target node from the directed acyclic graph to obtain a processed directed acyclic graph; calculating the in-degree of the non-target nodes in the processed directed acyclic graph to obtain their in-degree values; and determining, from the in-degree values of the non-target nodes, a second subtask to be executed by the script execution engine.
In order to achieve the above object, according to another aspect of the present application, there is provided a response device of a security script. The device includes: a first registration unit for registering a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface through which the security system provides a response service when a security threat event occurs; a first determining unit for determining a target task of the security script according to the mapping information; a second determining unit for determining a trigger rule matched with the target task, where the trigger rule is a rule under which the target task is triggered when a security threat event occurs; and a first trigger unit for triggering the script execution engine to execute the target task according to the trigger rule.
Further, the first registration unit includes: a first acquisition module for acquiring system attributes of the security system, where the system attributes are used to configure the security interface; a first processing module for instantiating the system attributes to obtain a target object, where the target object is the description of the system attributes; and a first registration module for completing the registration of the security interface through the target object.
Further, the first processing module includes: a first processing submodule for mapping the system attributes to obtain attribute values of the system instance; and a first determining submodule for determining the target object from the attributes of the instance and the attribute values of the instance.
Further, the first determining unit includes: a first determining module for determining the mapping relation of a target node in the directed acyclic graph from the mapping information of the security interface; a second determining module for determining, based on the mapping relation, the target nodes in the directed acyclic graph that correspond to the security interfaces, where the edges between target nodes are the directed edges of the directed acyclic graph; and a third determining module for determining the target task of the security script from the target nodes.
Further, the apparatus further includes: a first processing unit for arranging the target nodes in the security script after the target task of the security script has been determined according to the mapping information; a third determining unit for determining the directed edges of the directed acyclic graph from the arranged target nodes; and a fourth determining unit for determining the execution sequence of the subtasks in the target task from the directed edges.
Further, the first trigger unit includes: a first calculation module for calculating the in-degree of the target node to obtain its in-degree value; a fourth determining module for determining, from the in-degree value of the target node, a first subtask to be executed by the script execution engine, where the first subtask is a subtask of the target task; and a first execution module for executing, after the script execution engine has completed the first subtask, the remaining subtasks of the target task in the execution sequence of the subtasks.
Further, the apparatus further includes: a first conversion unit for converting the format of the script into a directed acyclic graph format before the script execution engine is triggered to execute the target task according to the trigger rule; and a first checking unit for performing static verification on the security script in directed acyclic graph format.
Further, the apparatus further includes: a first deleting unit for deleting the target node from the directed acyclic graph after the script execution engine has been triggered to execute the target task according to the trigger rule, so as to obtain a processed directed acyclic graph; a first calculation unit for calculating the in-degree of the non-target nodes in the processed directed acyclic graph to obtain their in-degree values; and a fifth determining unit for determining, from the in-degree values of the non-target nodes, a second subtask to be executed by the script execution engine.
According to another aspect of the embodiments of the present application, there is also provided a processor configured to execute a program, where the program, when executed, performs the method of any one of the above.
According to another aspect of the embodiments of the present application, there is also provided a computer-readable storage medium having stored thereon a computer program or instructions that, when executed by a processor, perform the method of any one of the above.
Through the application, the following steps are adopted: registering a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface through which the security system provides a response service when a security threat event occurs; determining a target task of the security script according to the mapping information; determining a trigger rule matched with the target task, where the trigger rule is a rule under which the target task is triggered when a security threat event occurs; and triggering the script execution engine to execute the target task according to the trigger rule. The problem in the related art of inefficient script responses to security threat events is thereby solved. Because the target task of the security script is determined from the mapping information of the security interface, and the script execution engine is triggered to execute the target task according to the trigger rule, the efficiency of the script response to security threat events is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
fig. 1 is a flow chart of a response method of a security script provided according to an embodiment of the present application;
fig. 2 is a schematic diagram of the registration process of a security interface in the response method of a security script provided according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a security script in the response method of a security script provided according to an embodiment of the present application;
fig. 4 is a schematic UML-like diagram of the directed acyclic graph in the response method of a security script provided according to an embodiment of the present application;
fig. 5 is a schematic diagram of task execution by the script execution engine in the response method of a security script provided according to an embodiment of the present application; and
fig. 6 is a schematic diagram of a response device of a security script provided according to an embodiment of the application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present application, there is provided a response method of a security script.
Fig. 1 is a flow chart of a response method of a security script according to an embodiment of the application. As shown in fig. 1, the method comprises the following steps:
Step S101: registering a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface through which the security system provides a response service when a security threat event occurs.
For example, the security interface may be a policy configuration interface provided by a firewall, or a threat-intelligence query interface provided by a threat intelligence platform. The application defines the security system abstractly, instantiates the attributes of that abstract definition, thereby completes the registration of the security interface, and obtains the mapping information of the security interface, where the mapping information comprises the attributes of an instance of the security system and the attribute values of that instance.
In particular, a security system may generally be abstracted into a collection of attributes that uniquely represent the system. As shown in table 1 below, the set of attributes in the table may define a security system.
TABLE 1
[Table 1 (the attribute set of a security system) is an image in the original and is not reproduced here.]
The attribute set of the security system represented by table 1 is composed of three parts: (1) attributes representing the meta information of the security system; (2) attributes representing the abstract definition of security system instances; (3) attributes representing the abstract definition of the security interfaces provided by the security system.
Specifically, the attributes in table 1 representing the meta information of the security system are: id, logo, name, description, vendor, category, visual, updated, description, order. The meta information is the information about the security system that other modules need; for example, the visualization module displays a security system from its meta information.
Specifically, the configkeys attribute in table 1 is an array of objects that abstractly defines an instance of the security system. Each object in the configkeys array describes one attribute of the instance, so the set of these descriptions is a complete abstract definition of the instance; for example, a firewall instance can be expressed as the attribute set name, protocol, address, port, username, password, version. The fields contained in an object of the configkeys array are shown in table 2 below:
TABLE 2
Field      Type      Description
name       string    Chinese name of the attribute
field      string    English name of the attribute
type       string    data type of the attribute
required   boolean   whether the attribute is mandatory
min        string    minimum value constraint of the attribute
max        string    maximum value constraint of the attribute
default    string    default value of the attribute
Specifically, a security system typically provides several security interfaces. The actions attribute in table 1 defines the security interfaces of the security system; it is an array of objects, each of which defines one security interface. For example, a firewall system may provide the security interfaces: test, login, add policy, block IP, delete policy, delete IP block, query security zone, and query virtual router. The fields contained in an object of the actions array are shown in table 3 below:
TABLE 3
[Table 3 (the fields of an object in the actions array) is an image in the original and is not reproduced here.]
Specifically, the abstract definition of the security system is stored in a database in JSON format; the database may be a document database or a relational database. Instantiating the abstract definition of the security system is the process of registering a security capability (corresponding to the security interface in this application), where a security capability is a network-security-related function that the system can make use of, i.e., a security interface.
Optionally, in the response method of a security script provided in the embodiment of the present application, registering the security interface in the security system includes: acquiring system attributes of the security system, where the system attributes are used to configure the security interface; instantiating the system attributes to obtain a target object, where the target object is the description of the system attributes; and completing the registration of the security interface through the target object.
Specifically, the system attributes in the present application correspond to the configkeys attribute in table 1. The abstract definition of the security system is usually loaded as a predefined configuration at system startup, and the configkeys attribute is instantiated to obtain the target object; for example, the target object obtained by instantiating the configkeys attribute may be used to configure the interfaces provided by a firewall.
Optionally, in the response method of a security script provided in the embodiment of the present application, instantiating the system attributes to obtain the target object includes: mapping the system attributes to obtain attribute values of the system instance; and determining the target object from the attributes of the instance and the attribute values of the instance.
Fig. 2 is a schematic diagram of the registration process of a security interface in the response method of a security script provided according to an embodiment of the present application. As shown in fig. 2, once the abstract definition of the security system has produced the attribute set, the system reads that abstract definition from the database and presents the security system to the user through a visualization technique (such as a web UI over HTTP). It also provides a UI for security system registration, through which the user fills in the attribute values of each security system instance; the result is a mapping that represents the security system instance, and storing this mapping in the database completes the registration of the security interface. The abstract definition of the security system is thus an attribute set, and instantiation is the process of mapping each attribute to a value; registering interfaces in the security system in this way improves the efficiency of responding to security threat events.
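The registration step above (instantiating a configkeys definition against the values a user enters in the registration UI), as an added example that is not the patent's code: the firewall definition, the submitted values and the registry are constructed sample data, and the field names follow table 2.

```python
"""Instantiate the abstract definition of a security system (tables 1 and 2).

Added example, not the patent's code. The 'configkeys' objects use the
Table 2 fields; the firewall definition, the registry and the submitted
values are constructed sample data.
"""
import json

# Abstract definition of a security system as it could be stored in JSON.
# Only a few meta attributes and the configkeys array are shown.
FIREWALL_DEFINITION = json.loads("""
{
  "id": "fw-generic",
  "name": "Generic Firewall",
  "category": "firewall",
  "configkeys": [
    {"name": "名称",   "field": "name",     "type": "string", "required": true},
    {"name": "协议",   "field": "protocol", "type": "string", "required": false, "default": "https"},
    {"name": "地址",   "field": "address",  "type": "string", "required": true},
    {"name": "端口",   "field": "port",     "type": "int",    "required": false,
     "min": "1", "max": "65535", "default": "443"},
    {"name": "用户名", "field": "username", "type": "string", "required": true},
    {"name": "密码",   "field": "password", "type": "string", "required": true}
  ]
}
""")


class RegistrationError(ValueError):
    """The submitted values do not satisfy the configkeys constraints."""


def _coerce(key, raw):
    # Table 2 stores min/max/default as strings, so convert by declared type.
    if key["type"] == "int":
        try:
            return int(raw)
        except (TypeError, ValueError):
            raise RegistrationError(f"{key['field']}: expected an integer, got {raw!r}") from None
    return str(raw)


def instantiate(definition, submitted):
    """Map every configkey to a value; the result is the instance's target object.

    Missing optional attributes take their default; a missing required
    attribute, a non-integer where 'int' is declared, or a value outside
    [min, max] raises RegistrationError.
    """
    instance = {}
    for key in definition["configkeys"]:
        field = key["field"]
        raw = submitted.get(field)
        if raw not in (None, ""):
            value = _coerce(key, raw)
        elif "default" in key:
            value = _coerce(key, key["default"])
        elif key.get("required"):
            raise RegistrationError(f"{field}: required attribute missing")
        else:
            continue
        if key["type"] == "int":
            lo, hi = key.get("min"), key.get("max")
            if (lo is not None and value < int(lo)) or (hi is not None and value > int(hi)):
                raise RegistrationError(f"{field}: {value} outside [{lo}, {hi}]")
        instance[field] = value
    return instance


def registration_error(definition, submitted):
    """Return the validation message for a submission, or None when it is valid."""
    try:
        instantiate(definition, submitted)
    except RegistrationError as exc:
        return str(exc)
    return None


def register(registry, definition, submitted):
    """Complete registration: store the instance under '<system id>/<instance name>'.

    Returns the key; script nodes later cite this key as the instance that
    provides a security interface.
    """
    instance = instantiate(definition, submitted)
    key = f"{definition['id']}/{instance['name']}"
    if key in registry:
        raise RegistrationError(f"instance {key!r} already registered")
    registry[key] = instance
    return key
```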
Step S102: determining a target task of the security script according to the mapping information.
Fig. 3 is a schematic structural diagram of a security script in the response method of a security script provided in an embodiment of the present application. As shown in fig. 3, in the security script the precedence relationship between security capabilities can be represented by a directed acyclic graph, where each node of the graph represents one execution of a security capability and each directed edge represents the precedence relationship between two such executions.
Optionally, in the response method of a security script provided in the embodiment of the present application, determining the target task of the security script according to the mapping information includes: determining the mapping relation of a target node in the directed acyclic graph from the mapping information of the security interface; determining, based on the mapping relation, the target nodes in the directed acyclic graph that correspond to the security interfaces, where the edges between target nodes are the directed edges of the directed acyclic graph; and determining the target task of the security script from the target nodes.
For example, when the IP-intelligence query interface provided by a threat intelligence platform is arranged into the script of fig. 3, the attributes of the mapping information of that security interface include: the descriptive name of the node, the ID identifying the IP-intelligence query interface, the ID of the security system instance providing the interface, the names of the input parameters, and a key listing all subsequent nodes. This subsequent-nodes key must appear in the mapping of every node that has successors; a node whose mapping lacks it has no subsequent node. The values of these attributes are specified when the user creates the script and arranges the security capability through the UI; a value may be an explicit value or a reference to another value. Based on the mapping relation of the IP-intelligence query interface, the node in the directed acyclic graph corresponding to this security capability (the target node in the present application) is determined, and the node of the security capability is added to the script task. Because the nodes of the security script are kept in the form of a directed acyclic graph, defining a script is simple and flexible, the script is highly extensible, and security threat events can be responded to more effectively.
Optionally, in the response method of a security script provided in an embodiment of the present application, after determining the target task of the security script according to the mapping information, the method further includes: arranging the target nodes in the security script; determining the directed edges of the directed acyclic graph from the arranged target nodes; and determining the execution sequence of the subtasks in the target task from the directed edges.
For example, after the IP-intelligence query interface provided by a threat intelligence platform has been arranged as a script node in fig. 3, a directed edge between two nodes represents the sequential relationship between the executions of two security capabilities, so the target task is executed in that sequence and the security threat event can be dealt with more effectively.
Step S103: determining a trigger rule matched with the target task, where the trigger rule is a rule under which the target task is triggered when a security threat event occurs.
Specifically, when a security threat event occurs, it is matched against the trigger rules of the script and, together with the context environment of the security script, the orchestration and automated response of the security script is carried out. The global context is typically the security threat event itself, and the local context may be the output of each security capability after it executes. The global context of script execution may be specified explicitly by the rule that triggers the script; in the directed acyclic graph this rule can be represented as a node alongside the other nodes that represent security capabilities.
Step S104: triggering the script execution engine to execute the target task according to the trigger rule.
Specifically, before a target task in the security script is executed, the security script needs to be checked. Fig. 4 is a schematic UML-like diagram of the directed acyclic graph in the response method of a security script provided by the embodiment of the present application. As shown in fig. 4, checking the script first requires converting the script from JSON format into a directed graph, and the directed graph can be represented by an adjacency matrix.
Optionally, in the response method of a security script provided in the embodiment of the present application, before triggering the script execution engine to execute the target task according to the trigger rule, the method further includes: converting the format of the script into a directed acyclic graph format; and performing static verification on the security script in directed acyclic graph format.
For example, static verification of the security script includes: checking whether the script cites a nonexistent security system instance or interface, which would cause a node of the script to fail at execution time; and checking whether the script contains a loop, since a script with a loop cannot be executed normally. Static checking for a loop is done by depth-first traversal of the graph: if, during one depth-first traversal, a node already on the traversal is reached again, the script contains a loop; if depth-first traversal started from every node of the graph finds no loop, the topology of the script is a directed acyclic graph. Performing static verification on the security script in this way further ensures that the subsequent target task is executed efficiently and correctly.
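The two static checks described above (references to nonexistent instances or interfaces, and loop detection by depth-first traversal over an adjacency matrix), as an added example that is not the patent's code. The JSON node layout (name, instance, action, params, next) is an assumption modelled on the mapping attributes of step S102; REGISTRY and SAMPLE_SCRIPT are constructed sample data.

```python
"""Static verification of a security script before it reaches the execution engine.

Added example, not the patent's code. The node layout (name, instance,
action, params, next) is an assumption based on the mapping attributes
described for step S102; REGISTRY and SAMPLE_SCRIPT are constructed.
"""
import json

# Constructed registry: registered security system instances and the
# security interfaces (capabilities) each one provides.
REGISTRY = {
    "ti-platform-1": {"query_ip_intel"},
    "edge-fw-1": {"login", "block_ip", "unblock_ip", "query_zone"},
}

# Constructed script: the trigger rule is itself a node of the graph and each
# node lists its subsequent nodes under "next" (absent or empty = no successor).
SAMPLE_SCRIPT = json.loads("""
{
  "trigger": {"name": "malicious-ip-alert", "next": ["n1"]},
  "nodes": {
    "n1": {"name": "query IP intelligence", "instance": "ti-platform-1",
           "action": "query_ip_intel", "params": {"ip": "$event.src_ip"},
           "next": ["n2"]},
    "n2": {"name": "block on firewall", "instance": "edge-fw-1",
           "action": "block_ip", "params": {"ip": "$n1.ip"}, "next": []}
  }
}
""")


def check_references(script, registry):
    """Messages for nodes that cite a nonexistent instance or interface."""
    problems = []
    for nid, node in script["nodes"].items():
        inst = node.get("instance")
        if inst not in registry:
            problems.append(f"{nid}: unknown security system instance {inst!r}")
        elif node.get("action") not in registry[inst]:
            problems.append(f"{nid}: instance {inst!r} has no interface {node.get('action')!r}")
    return problems


def to_adjacency(script):
    """Convert the JSON script into (node ids, adjacency matrix)."""
    nodes = {"trigger": script["trigger"], **script["nodes"]}
    ids = list(nodes)
    index = {nid: i for i, nid in enumerate(ids)}
    matrix = [[0] * len(ids) for _ in ids]
    for nid, node in nodes.items():
        for nxt in node.get("next", []):
            if nxt not in index:
                raise ValueError(f"{nid}: 'next' refers to unknown node {nxt!r}")
            matrix[index[nid]][index[nxt]] = 1
    return ids, matrix


def has_cycle(matrix):
    """Depth-first traversal over the adjacency matrix.

    A node met again while it is still on the current DFS path closes a loop.
    Nodes finished earlier (state 2) may legitimately be reached again where
    two branches join, so they are not counted as a loop.
    """
    n = len(matrix)
    state = [0] * n  # 0 = unvisited, 1 = on current path, 2 = finished

    def dfs(u):
        state[u] = 1
        for v in range(n):
            if matrix[u][v] and (state[v] == 1 or (state[v] == 0 and dfs(v))):
                return True
        state[u] = 2
        return False

    return any(state[u] == 0 and dfs(u) for u in range(n))


def verify(script, registry):
    """Run both static checks; an empty list means the script may be executed."""
    problems = check_references(script, registry)
    try:
        _, matrix = to_adjacency(script)
    except ValueError as exc:
        return problems + [str(exc)]
    if has_cycle(matrix):
        problems.append("script contains a loop; it is not a directed acyclic graph")
    return problems


def with_edge(script, src, dst):
    """Copy of the script with an extra src -> dst edge (used to show the loop check)."""
    copy = json.loads(json.dumps(script))
    node = copy["trigger"] if src == "trigger" else copy["nodes"][src]
    node.setdefault("next", []).append(dst)
    return copy
```

The traversal tracks only the nodes on the current path: a node reached a second time through a different branch (two branches joining) is not a loop, so a visited-set alone would reject valid scripts.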
Optionally, in the response method of the security scenario provided in the embodiment of the present application, triggering the scenario execution engine to execute the target task according to the trigger rule includes: calculating the in-degree of the target node to obtain the in-degree value of the target node; determining a first subtask to be executed by the script execution engine according to the in-degree value of the target node, wherein the first subtask is a subtask in the target task; after the script execution engine executes the first subtask, the script execution engine executes the remaining subtasks in the target task according to the execution sequence of the subtasks in the target task.
Specifically, the scenario execution engine first determines a first task (corresponding to a first sub-task to be executed in the present application) in a scenario of the target task stream, where the scenario is converted into a form of a directed acyclic graph in the scenario execution engine, so a node with an in-degree of 0 may be regarded as the first sub-task of the scenario. If there are multiple nodes with an in-degree of 0, any one of the nodes with an in-degree of 0 can be regarded as the first executed task.
Optionally, in the response method of the security scenario provided in the embodiment of the present application, after the scenario execution engine is triggered to execute the target task according to the trigger rule, the method further includes: deleting the target node in the directed acyclic graph to obtain a processed directed acyclic graph; calculating the in-degree of the non-target nodes in the processed directed acyclic graph to obtain the in-degree values of the non-target nodes; and determining a second subtask to be executed by the script execution engine according to the in-degree values of the non-target nodes.
Fig. 5 is a schematic diagram of task execution by the script execution engine in the response method of the security script according to an embodiment of the present application. As shown in fig. 5, it describes the program execution logic of the run method of the playbook engine class in fig. 4: when a security threat event occurs, the script execution engine searches for nodes with an in-degree of 0 in the directed acyclic graph, takes one of them as the task to be executed (corresponding to the first subtask to be executed in the present application), parses the task in json format, completes the task according to its declared semantics, deletes the executed node and its associated edges, calculates the in-degrees of the remaining nodes in the processed directed acyclic graph (corresponding to the in-degrees of the non-target nodes in the present application), and determines the second subtask to be executed by the script execution engine according to those in-degrees. When no node remains in the directed acyclic graph, the script representing the workflow has been executed completely.
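As an added example (not code from the patent or from Hillstone Networks), the following Python sketch implements both the static verification described above (unresolved instance/interface references and depth-first loop detection over a json script converted to an adjacency list) and the in-degree-driven execution loop of the playbook engine's run method. The json schema, the registry structure and all sample values are assumptions constructed for illustration.

```python
import json
from collections import deque

# Constructed sample script in a json form of the kind the patent describes (assumed schema):
# each node cites a registered security system instance and one of its interfaces.
PLAYBOOK_JSON = """
{
  "nodes": [
    {"id": "n1", "instance": "ids-1",  "interface": "get_alert"},
    {"id": "n2", "instance": "fw-1",   "interface": "block_ip"},
    {"id": "n3", "instance": "mail-1", "interface": "notify"}
  ],
  "edges": [["n1", "n2"], ["n2", "n3"]]
}
"""

# Constructed mapping information: registered instances -> the interfaces they expose.
REGISTRY = {
    "ids-1": {"get_alert"},
    "fw-1": {"block_ip"},
    "mail-1": {"notify"},
}


def load_playbook(text):
    """Convert the json script into (node table, adjacency list: node id -> successor ids)."""
    data = json.loads(text)
    nodes = {n["id"]: n for n in data["nodes"]}
    adj = {nid: [] for nid in nodes}
    for src, dst in data["edges"]:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge cites unknown node: {src} -> {dst}")
        adj[src].append(dst)
    return nodes, adj


def unresolved_references(nodes, registry):
    """Static check 1: node ids whose instance or interface was never registered."""
    bad = []
    for nid, n in nodes.items():
        if n["instance"] not in registry or n["interface"] not in registry[n["instance"]]:
            bad.append(nid)
    return bad


def has_cycle(adj):
    """Static check 2: depth-first traversal. Reaching a node that is still on the
    current DFS path (GREY) means a loop; a fully finished node (BLACK) reached again
    through another branch is not a loop, which matters for diamond-shaped scripts."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in adj}

    def dfs(u):
        colour[u] = GREY
        for v in adj[u]:
            if colour[v] == GREY:
                return True
            if colour[v] == WHITE and dfs(v):
                return True
        colour[u] = BLACK
        return False

    # Start a traversal from every node not yet visited, as the text describes.
    return any(colour[n] == WHITE and dfs(n) for n in adj)


def run_playbook(nodes, adj, executor):
    """Execution engine: pick a node with in-degree 0, execute it, delete it and its
    outgoing edges, recompute in-degrees, repeat until no node remains."""
    indeg = {n: 0 for n in adj}
    for u in adj:
        for v in adj[u]:
            indeg[v] += 1
    # Any in-degree-0 node may go first; sorting only makes the order deterministic.
    ready = deque(sorted(n for n in adj if indeg[n] == 0))
    order = []
    while ready:
        u = ready.popleft()
        executor(nodes[u])          # complete the task according to its declared semantics
        order.append(u)
        for v in adj[u]:            # deleting u removes its associated edges
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    if len(order) != len(adj):
        raise RuntimeError("script did not drain: a loop escaped static verification")
    return order


def respond(text, registry, executor=lambda task: None):
    """Full flow: convert, statically verify, then execute; returns the execution order."""
    nodes, adj = load_playbook(text)
    missing = unresolved_references(nodes, registry)
    if missing:
        raise ValueError(f"nodes cite unregistered instance/interface: {missing}")
    if has_cycle(adj):
        raise ValueError("script contains a loop")
    return run_playbook(nodes, adj, executor)
```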
In summary, in the response method for the security scenario provided in the embodiment of the present application, mapping information of a security interface is obtained by registering the security interface in a security system, where the security interface is an interface that provides a response service for the security system when a security threat event occurs; a target task of the security script is determined according to the mapping information; a trigger rule matched with the target task is determined, wherein the trigger rule is a rule that the target task is triggered when a security threat event occurs; and the script execution engine is triggered to execute the target task according to the trigger rule. This solves the problem in the related art of low script response efficiency to security threat events. Because the target task of the security script is determined according to the mapping information of the security interface, and the script execution engine is triggered to execute the target task according to the trigger rule, the effect of improving the script response efficiency to security threat events is achieved.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the present application further provides a response device for a security scenario, and it should be noted that the response device for a security scenario of the embodiment of the present application may be used to execute the response method for a security scenario provided by the embodiment of the present application. The following describes a response device of a security scenario provided in an embodiment of the present application.
Fig. 6 is a schematic diagram of a response device for a security scenario according to an embodiment of the application. As shown in fig. 6, the device includes: a first registering unit 601, a first determining unit 602, a second determining unit 603, and a first triggering unit 604.
Specifically, the first registration unit 601 is configured to register a security interface in a security system to obtain mapping information of the security interface, where the security interface is an interface that provides a response service for the security system when a security threat event occurs;
a first determination unit 602, configured to determine a target task of the security scenario according to the mapping information;
a second determining unit 603, configured to determine a trigger rule that matches the target task, where the trigger rule is a rule that the target task is triggered when the security threat event occurs;
the first triggering unit 604 is configured to trigger the scenario execution engine to execute the target task according to the triggering rule.
To sum up, in the response apparatus for a security scenario provided in the embodiment of the present application, the first registration unit 601 registers the security interface in the security system to obtain mapping information of the security interface, where the security interface is an interface that provides a response service for the security system when a security threat event occurs; the first determination unit 602 determines a target task of the security scenario according to the mapping information; the second determining unit 603 determines a trigger rule matched with the target task, wherein the trigger rule is a rule that the target task is triggered when a security threat event occurs; and the first triggering unit 604 triggers the scenario execution engine to execute the target task according to the trigger rule, so that the problem in the related art of low scenario response efficiency to security threat events is solved. Because the target task of the security script is determined according to the mapping information of the security interface, and the script execution engine is triggered to execute the target task according to the trigger rule, the effect of improving the script response efficiency to security threat events is achieved.
Optionally, in the response apparatus for a security scenario provided in an embodiment of the present application, the first registration unit 601 includes: a first acquisition module, configured to acquire system attributes of the security system, where the system attributes are used for configuring the security interface; a first processing module, configured to instantiate the system attributes to obtain a target object, where the target object is a description of the system attributes; and a first registration module, configured to complete the registration of the security interface through the target object.
Optionally, in the response apparatus for a security scenario provided in an embodiment of the present application, the first processing module includes: the first processing submodule is used for mapping the system attribute to obtain an attribute value of the system instance; and the first determining submodule is used for determining the target object according to the attribute of the instance and the attribute value of the instance.
Optionally, in the response apparatus for a security scenario provided in an embodiment of the present application, the first determining unit 602 includes: the first determining module is used for determining the mapping relation of the target node in the directed acyclic graph through the mapping information of the security interface; the second determining module is used for determining target nodes in the directed acyclic graph corresponding to the security interface based on the mapping relation, wherein edges between the target nodes are determined as directed edges of the directed acyclic graph; and the third determining module is used for determining the target task of the security script through the target node.
Optionally, in the response device for a security scenario provided in an embodiment of the present application, the device further includes: the first processing unit is used for arranging the target nodes in the safety scenario after determining the target tasks of the safety scenario according to the mapping information; a third determining unit, configured to determine a directed edge in the directed acyclic graph according to the processed target node; and the fourth determining unit is used for determining the execution sequence of the subtasks in the target task according to the directed edge.
Optionally, in the response apparatus for a security scenario provided in an embodiment of the present application, the first triggering unit 604 includes: a first calculation module, configured to calculate the in-degree of the target node to obtain the in-degree value of the target node; a fourth determining module, configured to determine a first subtask to be executed by the script execution engine according to the in-degree value of the target node, where the first subtask is a subtask in the target task; and a first execution module, configured to have the script execution engine execute the remaining subtasks in the target task according to the execution sequence of the subtasks in the target task after the script execution engine completes the execution of the first subtask.
Optionally, in the response device for a security scenario provided in an embodiment of the present application, the device further includes: the first conversion unit is used for converting the format of the script into a directed acyclic graph format before triggering the script execution engine to execute the target task according to the triggering rule; and the first checking unit is used for carrying out static checking on the security script in the directed acyclic graph format.
Optionally, in the response device for a security scenario provided in an embodiment of the present application, the device further includes: a first deleting unit, configured to delete the target node in the directed acyclic graph after the script execution engine is triggered to execute the target task according to the trigger rule, so as to obtain the processed directed acyclic graph; a first calculation unit, configured to calculate the in-degree of the non-target nodes in the processed directed acyclic graph to obtain the in-degree values of the non-target nodes; and a fifth determining unit, configured to determine a second subtask to be executed by the script execution engine according to the in-degree values of the non-target nodes.
The response device of the security scenario includes a processor and a memory, the first registration unit 601, the first determination unit 602, the second determination unit 603, the first trigger unit 604, and the like are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. One or more kernels may be provided, and the response of the security script is carried out by adjusting the kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium having a program stored thereon, the program implementing a response method of a security scenario when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein a response method for executing a security script is executed when the program runs.
The embodiment of the invention provides a device, which comprises a processor, a memory, and a program that is stored in the memory and can run on the processor, wherein the processor, when executing the program, implements the following steps: registering a security interface in a security system to obtain mapping information of the security interface, wherein the security interface is an interface that provides a response service for the security system when a security threat event occurs; determining a target task of the security script according to the mapping information; determining a trigger rule matched with the target task, wherein the trigger rule is a rule that the target task is triggered when a security threat event occurs; and triggering the script execution engine to execute the target task according to the trigger rule.
The processor executes the program and further realizes the following steps: acquiring system attributes of a security system, wherein the system attributes are used for configuring a security interface; instantiation processing is carried out on the system attribute to obtain a target object, wherein the target object is the description of the system attribute; the secure interface registration is made complete by the target object.
The processor executes the program and further realizes the following steps: mapping the system attribute to obtain an attribute value of the system instance; and determining the target object according to the attribute of the instance and the attribute value of the instance.
The processor executes the program and further realizes the following steps: determining the mapping relation of a target node in the directed acyclic graph through the mapping information of the security interface; determining target nodes in the directed acyclic graph corresponding to the security interfaces based on the mapping relation, wherein edges between the target nodes are determined as directed edges of the directed acyclic graph; and determining a target task of the security script through the target node.
The processor executes the program and further realizes the following steps: after determining a target task of the security scenario according to the mapping information, arranging target nodes in the security scenario; determining directed edges in the directed acyclic graph according to the processed target nodes; and determining the execution sequence of the subtasks in the target task according to the directed edges.
The processor executes the program and further implements the following steps: calculating the in-degree of the target node to obtain the in-degree value of the target node; determining a first subtask to be executed by the script execution engine according to the in-degree value of the target node, wherein the first subtask is a subtask in the target task; after the script execution engine executes the first subtask, the script execution engine executes the remaining subtasks in the target task according to the execution sequence of the subtasks in the target task.
The processor executes the program and further realizes the following steps: converting the format of the script into a directed acyclic graph format before triggering the script execution engine to execute the target task according to the triggering rule; and carrying out static verification on the security script in the directed acyclic graph format.
The processor executes the program and further implements the following steps: after the script execution engine is triggered to execute the target task according to the trigger rule, deleting the target node in the directed acyclic graph to obtain the processed directed acyclic graph; calculating the in-degree of the non-target nodes in the processed directed acyclic graph to obtain the in-degree values of the non-target nodes; and determining a second subtask to be executed by the script execution engine according to the in-degree values of the non-target nodes.
The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted, when executed on a data processing device, to perform a program that initializes the following method steps: registering a security interface in a security system to obtain mapping information of the security interface, wherein the security interface is an interface that provides a response service for the security system when a security threat event occurs; determining a target task of the security script according to the mapping information; determining a trigger rule matched with the target task, wherein the trigger rule is a rule that the target task is triggered when a security threat event occurs; and triggering the script execution engine to execute the target task according to the trigger rule.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: acquiring system attributes of the security system, wherein the system attributes are used for configuring the security interface; instantiating the system attributes to obtain a target object, wherein the target object is a description of the system attributes; and completing the registration of the security interface through the target object.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: mapping the system attributes to obtain attribute values of the system instance; and determining the target object according to the attributes of the instance and the attribute values of the instance.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: determining the mapping relation of the target node in the directed acyclic graph through the mapping information of the security interface; determining the target nodes in the directed acyclic graph corresponding to the security interfaces based on the mapping relation, wherein the edges between the target nodes are determined as the directed edges of the directed acyclic graph; and determining the target task of the security script through the target nodes.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: after determining the target task of the security scenario according to the mapping information, arranging the target nodes in the security scenario; determining the directed edges in the directed acyclic graph according to the processed target nodes; and determining the execution sequence of the subtasks in the target task according to the directed edges.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: calculating the in-degree of the target node to obtain the in-degree value of the target node; determining a first subtask to be executed by the script execution engine according to the in-degree value of the target node, wherein the first subtask is a subtask in the target task; after the script execution engine executes the first subtask, the script execution engine executes the remaining subtasks in the target task according to the execution sequence of the subtasks in the target task.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: converting the format of the script into a directed acyclic graph format before triggering the script execution engine to execute the target task according to the trigger rule; and carrying out static verification on the security script in the directed acyclic graph format.
The computer program product, when executed on a data processing device, is further adapted to perform a program that initializes the following method steps: after the script execution engine is triggered to execute the target task according to the trigger rule, deleting the target node in the directed acyclic graph to obtain the processed directed acyclic graph; calculating the in-degree of the non-target nodes in the processed directed acyclic graph to obtain the in-degree values of the non-target nodes; and determining a second subtask to be executed by the script execution engine according to the in-degree values of the non-target nodes.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. A method of responding to a security script, comprising:
registering a security interface in a security system to obtain mapping information of the security interface, wherein the security interface is used for providing an interface of response service for the security system when a security threat event occurs;
determining a target task of the security script according to the mapping information;
determining a trigger rule matched with the target task, wherein the trigger rule is a rule that the target task is triggered when a security threat event occurs;
and triggering the script execution engine to execute the target task according to the triggering rule.
2. The method of claim 1, wherein registering the security interface in the security system comprises:
obtaining system attributes of the security system, wherein the system attributes are used for configuring the security interface;
instantiating the system attribute to obtain a target object, wherein the target object is the description of the system attribute;
and finishing the registration of the safety interface through the target object.
3. The method of claim 2, wherein instantiating the system attributes to obtain the target object comprises:
mapping the system attribute to obtain an attribute value of a system instance;
and determining the target object according to the attribute of the instance and the attribute value of the instance.
4. The method of claim 1, wherein determining a target task for a security scenario from the mapping information comprises:
determining the mapping relation of a target node in the directed acyclic graph through the mapping information of the safety interface;
determining target nodes in the directed acyclic graph corresponding to the security interfaces based on the mapping relation, wherein edges between the target nodes are determined as directed edges of the directed acyclic graph;
and determining a target task of the security scenario through the target node.
5. The method of claim 4, wherein after determining a target task for a security scenario from the mapping information, the method further comprises:
arranging the target nodes in the safety script;
determining directed edges in the directed acyclic graph according to the processed target nodes;
and determining the execution sequence of the subtasks in the target task according to the directed edges.
6. The method of claim 5, wherein triggering a script execution engine to perform the target task according to the triggering rules comprises:
calculating the in-degree of the target node to obtain the in-degree value of the target node;
determining a first subtask to be executed by the script execution engine according to the in-degree value of the target node, wherein the first subtask is a subtask in the target task;
and after the script execution engine completes the execution of the first subtask, the script execution engine performs execution operation on the rest subtasks in the target task according to the execution sequence of the subtasks in the target task.
7. The method of claim 1, wherein prior to triggering a script execution engine to perform the target task in accordance with the triggering rules, the method further comprises:
converting the format of the script into a directed acyclic graph format;
and carrying out static verification on the security script in the directed acyclic graph format.
8. The method of claim 6, wherein after triggering a script execution engine to perform the target task according to the triggering rule, the method further comprises:
deleting the target node in the directed acyclic graph to obtain a processed directed acyclic graph;
calculating the in-degree of a non-target node in the processed directed acyclic graph to obtain the in-degree value of the non-target node;
and determining a second subtask to be executed by the script execution engine according to the in-degree value of the non-target node.
9. A response device for a security scenario, comprising:
a first registration unit, configured to register a security interface in a security system to obtain mapping information of the security interface, wherein the security interface is used for providing an interface of response service for the security system when a security threat event occurs;
the first determining unit is used for determining a target task of the security scenario according to the mapping information;
the second determining unit is used for determining a triggering rule matched with the target task, wherein the triggering rule is a rule that the target task is triggered when a security threat event occurs;
and the first trigger unit is used for triggering the script execution engine to execute the target task according to the trigger rule.
10. A processor, characterized in that the processor is configured to run a program, wherein the program when running performs the method of any of claims 1 to 8.
11. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program performs the method of any one of claims 1 to 8.
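The directed-acyclic-graph scheduling of claims 6 to 8 (first subtask is a node with in-degree zero, delete it once it completes, recompute in-degrees, pick the next) together with the static verification of claim 7, as an added Python example that is not the patent's own code. Kahn's algorithm is used for the acyclicity check, name order is assumed as the tie-break between ready subtasks, and the playbook step names are constructed for illustration.

```python
from collections import deque
class PlaybookError(ValueError):
    """Raised when the security script fails static verification."""

def build_dag(steps):
    """steps: subtask -> dependencies. Returns successor lists and in-degrees."""
    indeg = {s: 0 for s in steps}
    succ = {s: [] for s in steps}
    for s, deps in steps.items():
        for d in deps:
            if d not in steps:
                raise PlaybookError(f"{s!r} depends on unknown subtask {d!r}")
            succ[d].append(s)
            indeg[s] += 1
    return succ, indeg

def verify_dag(steps):
    """Static verification (claim 7): dependencies exist and the graph is acyclic."""
    succ, indeg = build_dag(steps)
    ready = deque(n for n, d in indeg.items() if d == 0)
    drained = 0
    while ready:                   # Kahn's algorithm drains every node iff acyclic
        n = ready.popleft()
        drained += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if drained != len(steps):
        cycle = sorted(n for n, d in indeg.items() if d > 0)
        raise PlaybookError(f"cycle among subtasks {cycle}")
    return True

def execution_order(steps):
    """Claims 6-8: run an in-degree-0 node, delete it, recompute in-degrees, repeat."""
    verify_dag(steps)
    succ, indeg = build_dag(steps)
    order = []
    while indeg:
        target = min(n for n, d in indeg.items() if d == 0)  # name order breaks ties (assumption)
        order.append(target)
        del indeg[target]          # delete the target node from the graph
        for m in succ[target]:
            indeg[m] -= 1          # its dependents lose one incoming edge
    return order

# Constructed sample playbook: subtask -> subtasks that must complete first.
PLAYBOOK = {"fetch_alert": [], "enrich_src_ip": ["fetch_alert"],
            "query_ti_feed": ["fetch_alert"], "score_threat": ["enrich_src_ip", "query_ti_feed"],
            "block_on_firewall": ["score_threat"], "notify_analyst": ["score_threat"]}
```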
CN202111076876.0A 2021-09-14 2021-09-14 Response method and device of security script, storage medium and processor Pending CN113792292A (en)


Publications (1)

Publication Number: CN113792292A (en); Publication Date: 2021-12-14




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination