CN113794717A - Safety scheduling method, device and related equipment - Google Patents


Info

Publication number
CN113794717A
Authority
CN
China
Prior art keywords
strategy
log information
client
issuing
host
Prior art date
Legal status
Pending
Application number
CN202111074911.5A
Other languages
Chinese (zh)
Inventor
王金松
Current Assignee
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Jingdong Technology Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present disclosure provides a security scheduling method, apparatus and related equipment. The method comprises: acquiring log information collected by a plurality of clients; preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical group, where a logical group is at least one preset group; receiving a policy to be issued, formulated on the basis of the preprocessed log information; resolving the policy to be issued on the basis of the logical group to generate a host-readable policy; and issuing the host-readable policy to the client. The method overcomes the defects of the prior art, in which the overall protection policy is difficult to maintain and manage and hard to adapt to a changing network environment: here the policy is maintained and managed on the basis of logical groups so that it adapts to the changing network environment.

Description

Safety scheduling method, device and related equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, and a related device for secure scheduling.
Background
Currently, access control is mainly performed by a border firewall or a host firewall, but policy management takes place on the device itself. These policies are typically configured when the firewall is deployed and are then hardly adjusted for the rest of the firewall's lifecycle. In the cloud computing era, such scattered control points working independently become very difficult to maintain and too rigid; the overall policy is difficult to maintain and manage and hard to adapt to a changing network environment.
Disclosure of Invention
The present disclosure provides a security scheduling method, apparatus and related equipment, which address the defects of the prior art, in which the overall security protection policy is difficult to maintain and manage and difficult to adapt to a changing network environment, by maintaining and managing the policy on the basis of logical groups so that it adapts to a changing network environment.
In a first aspect, the present disclosure provides a security scheduling method, including: acquiring log information collected by a plurality of clients; preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical group, where a logical group is at least one preset group; receiving a policy to be issued, formulated on the basis of the preprocessed log information; resolving the policy to be issued on the basis of the logical group to generate a host-readable policy; and issuing the host-readable policy to the client.
According to the security scheduling method provided by the present disclosure, preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical group further includes: performing parsing, deduplication, aggregation, correlation and asset completion on the log information to obtain the characteristic information of the log information; matching and associating the characteristic information with the preset configuration characteristics of at least one logical group; and visually displaying the log information and the logical groups that have been matched and associated.
According to the security scheduling method provided by the present disclosure, the characteristic information of the log information is stored in a graph database, and the preset configuration characteristics of the at least one logical group are stored in a relational database.
The security scheduling method provided by the present disclosure further includes: judging whether the number of hosts in each preset logical group has changed and, if so, updating the policy to be issued on the basis of the logical group whose host count changed; resolving the updated policy for the logical group whose host count changed to generate a host-readable policy; and issuing the host-readable policy to the client.
According to the security scheduling method provided by the present disclosure, the logical groups are workgroups or roles; a workgroup is identified by three labels, region, environment and service; a role characterizes a functional class.
According to the security scheduling method provided by the present disclosure, the client comprises an internet data center and/or a cloud environment.
According to the security scheduling method provided by the present disclosure, the log information includes at least one of: process information, traffic information, access interception information, client state information and heartbeat information.
In a second aspect, the present disclosure further provides a security scheduling apparatus, including an acquisition module, an association module, a receiving module, an analysis module and an issuing module. The acquisition module acquires log information collected by a plurality of clients; the association module preprocesses the log information collected by each client and associates the preprocessed log information with the corresponding logical group, where a logical group is at least one preset group; the receiving module receives a policy to be issued, formulated on the basis of the preprocessed log information; the analysis module resolves the policy to be issued on the basis of the logical group to generate a host-readable policy; and the issuing module issues the host-readable policy to the client.
In a third aspect, the present disclosure also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to implement the steps of the secure scheduling method according to any one of the above-mentioned embodiments.
In a fourth aspect, the present disclosure also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the secure scheduling method as described in any of the above.
In a fifth aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the secure scheduling method as described in any of the above.
According to the security scheduling method, apparatus and related equipment, the log information collected by each client is preprocessed and the preprocessed log information is associated with the corresponding logical group; a policy to be issued, formulated on the basis of the preprocessed log information, is received; the policy is resolved on the basis of the logical group to generate a host-readable policy; and the host-readable policy is issued to the client. Because the preprocessed log information is associated with logical groups, operation and maintenance personnel can see the complex service access relationships among the hosts of a logical group as a whole, and because the policy is resolved on the basis of logical groups, when the hosts of a logical group need a policy change the policy center can resolve the policy per logical group instead of issuing it host by host. The policy is therefore convenient to maintain and manage and suits a changing network environment.
Drawings
In order to more clearly illustrate the technical solutions of the present disclosure or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is one of the flow diagrams of the security scheduling method provided by the present disclosure;
fig. 2 is a schematic flow chart of the step, in the security scheduling method provided by the present disclosure, of preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups;
fig. 3 is a schematic diagram of a specific embodiment of preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups in the security scheduling method provided by the present disclosure;
fig. 4 is one of the schematic structural diagrams of the security scheduling apparatus provided by the present disclosure;
fig. 5 is a schematic structural diagram of the association module in the security scheduling apparatus provided by the present disclosure;
fig. 6 is a second schematic structural diagram of the security scheduling apparatus provided by the present disclosure;
fig. 7 is a schematic structural diagram of the security scheduling system provided by the present disclosure;
fig. 8 is a schematic structural diagram of the policy center module in the security scheduling system provided by the present disclosure;
fig. 9 is a schematic diagram of the underlying support structure of the security scheduling system provided by the present disclosure;
fig. 10 is a schematic diagram of a specific implementation of the security scheduling system provided by the present disclosure;
fig. 11 is a schematic structural diagram of an electronic device provided by the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present disclosure, belong to the protection scope of the embodiments of the present disclosure.
Access control is currently performed primarily through a border firewall or a host firewall, but in either case policy management and isolation actions occur on the device itself. These policies are typically configured when the firewall is deployed and are then hardly adjusted for the rest of the firewall's lifecycle.
In the cloud computing era, such scattered, independently working control points have become very difficult to maintain and overly rigid. Users cannot see the complex service access relationships between hosts as a whole, the overall policy is difficult to maintain and manage, and it is difficult to adapt to a diverse network environment.
To solve the above problem, the present disclosure provides a security scheduling method. Referring to fig. 1, a schematic flow diagram of the security scheduling method provided by the present disclosure, the method in the embodiment of the present disclosure includes:
step S101, acquiring log information collected by a plurality of clients;
step S103, preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups;
step S105, receiving a policy to be issued, formulated on the basis of the preprocessed log information;
step S107, resolving the policy to be issued on the basis of the logical groups to generate a host-readable policy;
and step S109, issuing the host-readable policy to the client.
According to the security scheduling method provided by the embodiment of the disclosure, the log information collected by each client is preprocessed and the preprocessed log information is associated with the corresponding logical group; a policy to be issued, formulated on the basis of the preprocessed log information, is received; the policy is resolved on the basis of the logical group to generate a host-readable policy; and the host-readable policy is issued to the client. Because the preprocessed log information is associated with logical groups, operation and maintenance personnel can see the complex service access relationships among the hosts of a logical group as a whole, and because the policy is resolved on the basis of logical groups, when the hosts of a logical group need a policy change the policy center can resolve the policy per logical group instead of issuing it host by host. The policy is therefore convenient to maintain and manage and suits a changing network environment.
The various steps of embodiments of the present disclosure are described below in conjunction with fig. 1.
Step S101, acquiring log information collected by a plurality of clients.
Specifically, the client supports multi-cloud deployment: it may be deployed on servers in an IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts. The log information may include process information, traffic information, access interception information, client state information and heartbeat information.
Step S103, preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups.
In particular, a logical group can be a workgroup or a role. A workgroup is uniquely identified by three labels: region, environment and service. The environment label restricts the environment, for example test, pre-release (staging) and production; the region label restricts the specific deployment location, for example a certain Beijing, Shanghai or Qingdao machine room; the service label gives the specific service name. Roles represent the functional categories of cloud hosts; for example, a host security product includes database storage, portal pages, servers and so on, and the roles each play their part and together complete the host security function. The correspondence between roles and workgroups may be many-to-many. Logical groups are created by the user through a console and are generally stored in a relational database; they are matched and associated with the preprocessed log information stored in the graph database. It should be emphasized that the corresponding logical group is at least one preset group, that is, the preprocessed log information can be matched and associated by workgroup and by role respectively.
Step S105, receiving a policy to be issued, formulated on the basis of the preprocessed log information.
Specifically, the policy to be issued is a concrete rule stating which traffic is allowed or denied. The policy may be issued by role and workgroup together, or by role or workgroup alone; this is not limited here. By analysing the preprocessed log information, operation and maintenance personnel can discover the specific communication relationships, and a policy can be specified on the basis of those relationships to raise the protection level. The operation and maintenance personnel upload the policy formulated on the basis of the preprocessed log information to the cloud host, and the cloud host receives it. It should be noted that the present application also supports issuing host by host, in which case the host-readable policy is generated directly, but resolving the policy on the basis of logical groups makes management more convenient.
Step S107, resolving the policy to be issued on the basis of the logical groups to generate a host-readable policy.
Specifically, logical groups are created by the user through the console and are generally stored in the relational database. Because a user can issue a policy for a workgroup and a role, the policy analysis module needs to resolve the policy written for roles and workgroups into a policy readable by the host. It should be noted that the present application also supports issuing host by host, in which case the host-readable policy is generated directly, but resolving the policy on the basis of logical groups makes management more convenient.
Step S109, issuing the host-readable policy to the client.
Specifically, the client supports multi-cloud deployment: it may be deployed on servers in an IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts.
Referring to fig. 2, a schematic flow chart of the step of preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups in the security scheduling method provided by the present disclosure, step S103 further includes:
step S201, performing parsing, deduplication, aggregation, correlation and asset completion on the log information to obtain the characteristic information of the log information;
specifically, parsing analyses the raw data format to obtain the source IP, destination IP, source port, destination port and protocol. Deduplication extracts the distinct access flows from the mass of logs along the dimensions source IP, destination IP, destination port and protocol. Aggregation counts the number of accesses for each distinct access relationship. Correlation matches traffic information to host process information by host ID, so that a traffic access relationship is located to a host process. Asset completion fills in the other attribute information of the host by host ID, such as IP, host name and operating system. The characteristic information of the log information can be understood as the preprocessed traffic access relationships.
Step S203, matching and associating the characteristic information with the preset configuration characteristics of at least one logical group;
specifically, the characteristic information is stored in a graph database, while the logical groups are created by the user through a console and are typically stored in a relational database. The configuration characteristics of a logical group are used to match the associated characteristic information.
Step S205, visually displaying the log information and the logical groups that have been matched and associated.
In this embodiment, the characteristic information of the log information is stored in the database and the traffic is then visualised. Operation and maintenance personnel can issue policies according to the service access relationships, and the client deployed on the host receives and enforces the policy.
Referring to fig. 3, the visual display of the embodiment of the present disclosure may draw, from the traffic information collected by the clients and with hosts as the dimension, the access relationships between hosts, including the access direction, the access state (success or blocked), the access port and so on. It is emphasised that the traffic information can be analysed specifically from the perspective of a workgroup or a role rather than only as one overall traffic map, which makes analysis easier.
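The five preprocessing operations of step S201, followed by the per-workgroup matching of step S203 and the per-group view of fig. 3, as an added example in Python. This is not code from the patent: the raw log line format, the process table, the asset table and the workgroup labels are constructed assumptions; the deduplication key follows the dimensions the text names (source IP, destination IP, destination port, protocol), so the ephemeral source port does not split one relationship into many.

```python
"""Log preprocessing (S201) and per-group matching (S203/S205) over constructed traffic logs.
Added example; log format, process table, asset table and group labels are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Constructed raw traffic log lines in an assumed "host_id src:port -> dst:port proto" format.
RAW_TRAFFIC_LOGS = [
    "h-web-01 10.0.1.10:51234 -> 10.0.2.20:3306 tcp",
    "h-web-01 10.0.1.10:51235 -> 10.0.2.20:3306 tcp",  # same flow, new ephemeral source port
    "h-web-02 10.0.1.11:40001 -> 10.0.2.20:3306 tcp",
    "h-web-01 10.0.1.10:51236 -> 10.0.2.21:6379 tcp",
    "h-web-01 10.0.1.10:51234 -> 10.0.2.20:3306 tcp",  # exact duplicate line
    "h-web-02 bad line",                                # malformed, must be skipped
]
# Constructed host process information keyed by (host ID, listening port).
PROCESS_INFO = {("h-db-01", 3306): "mysqld", ("h-cache-01", 6379): "redis-server"}
# Constructed asset table keyed by host ID, used for asset completion.
ASSETS = {
    "h-web-01": {"ip": "10.0.1.10", "hostname": "web-01", "os": "Linux"},
    "h-web-02": {"ip": "10.0.1.11", "hostname": "web-02", "os": "Linux"},
    "h-db-01": {"ip": "10.0.2.20", "hostname": "db-01", "os": "Linux"},
    "h-cache-01": {"ip": "10.0.2.21", "hostname": "cache-01", "os": "Linux"},
}
IP_TO_HOST = {a["ip"]: host_id for host_id, a in ASSETS.items()}
# Constructed logical-group configuration (S203): host ID -> workgroup label.
HOST_WORKGROUP = {
    "h-web-01": "bj-prod-shop-web", "h-web-02": "bj-prod-shop-web",
    "h-db-01": "bj-prod-shop-db", "h-cache-01": "bj-prod-shop-cache",
}


@dataclass
class Flow:
    src_host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse(lines):
    """Parsing: pull source/destination IP, ports and protocol out of each line; skip malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        try:
            src_ip, src_port = parts[1].rsplit(":", 1)
            dst_ip, dst_port = parts[3].rsplit(":", 1)
            flows.append(Flow(parts[0], src_ip, int(src_port), dst_ip, int(dst_port), parts[4]))
        except ValueError:
            continue
    return flows


def dedup_key(flow):
    # Deduplication dimensions named in the text: source IP, destination IP, destination port,
    # protocol. The ephemeral source port is deliberately left out of the key.
    return (flow.src_ip, flow.dst_ip, flow.dst_port, flow.proto)


def aggregate(flows):
    """Deduplicate into distinct access relationships and count how often each was seen."""
    counts = Counter(dedup_key(f) for f in flows)
    representative = {}
    for f in flows:
        representative.setdefault(dedup_key(f), f)
    return [(representative[k], n) for k, n in counts.items()]


def preprocess(lines):
    """Full S201 pipeline; returns one record per access relationship (the characteristic information)."""
    relations = []
    for flow, count in aggregate(parse(lines)):
        dst_host = IP_TO_HOST.get(flow.dst_ip)
        relations.append({
            "src_host": flow.src_host, "dst_host": dst_host,
            "dst_port": flow.dst_port, "proto": flow.proto, "count": count,
            # Correlation: locate the destination process by host ID and port.
            "dst_process": PROCESS_INFO.get((dst_host, flow.dst_port), "unknown"),
            # Asset completion: attach host attributes (ip, hostname, os) by host ID.
            "src_asset": ASSETS.get(flow.src_host, {}),
            "dst_asset": ASSETS.get(dst_host, {}),
        })
    return relations


def group_view(relations, workgroup):
    """S203/S205: only the access relationships touching one workgroup, as (src, dst, port, count)
    edges for a per-group traffic map instead of a single overall map."""
    return [(r["src_host"], r["dst_host"], r["dst_port"], r["count"]) for r in relations
            if workgroup in (HOST_WORKGROUP.get(r["src_host"]), HOST_WORKGROUP.get(r["dst_host"]))]
```

Running `preprocess(RAW_TRAFFIC_LOGS)` collapses the six lines into three relationships (the two web-01 to db-01 connections on different source ports plus the exact duplicate count as one relationship seen three times), and `group_view(..., "bj-prod-shop-db")` is the subset an operator would look at before writing a policy for that workgroup.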
In an alternative embodiment, the characteristic information of the log information is stored in a database; the preset configuration characteristics of at least one logic group are stored in a relational database.
In an optional embodiment, the security scheduling method includes:
step S301, judging whether the number of hosts in each preset logical group has changed and, if so, updating the policy to be issued on the basis of the logical group whose host count changed;
specifically, operation and maintenance personnel may add hosts to or remove hosts from a workgroup or a role according to actual needs. After they do so, the cloud host senses that the hosts in the logical group have changed, and updating and issuing the policy on the basis of that logical group can be triggered automatically, so that a host newly added to the logical group receives the policy for that group. It should be noted that a host that has been moved out of a logical group still retains its previous policy until it obtains a new policy by being added to a new logical group.
Step S303, resolving the updated policy for the logical groups whose host count changed to generate a host-readable policy;
specifically, logical groups are created by the user through the console and are generally stored in the relational database. Because a user can issue a policy for a workgroup and a role, the policy analysis module needs to resolve the policy written for roles and workgroups into a policy readable by the host. It should be noted that the present application also supports issuing host by host, in which case the host-readable policy is generated directly, but resolving the policy on the basis of logical groups makes management more convenient.
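Resolving a workgroup/role policy into host-readable rules (steps S107 and S303) and re-issuing only for the groups whose host count changed (step S301), as an added example in Python that is not part of the patent. The Workgroup/Host/GroupPolicy types, the rule tuple shape and the sample hosts are assumptions; the re-issue logic keeps the behaviour stated above, namely that a host moved out of a group retains its previous rules until it joins a group that gives it new ones.

```python
"""Group-level policy resolution and change-triggered re-issue.
Added example; the data model, rule format and sample hosts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str, int, str]  # (action, source_ip, dst_port, proto) as the host reads it


@dataclass(frozen=True)
class Workgroup:
    region: str       # e.g. a specific machine room
    environment: str  # test, staging or production
    service: str      # concrete service name


@dataclass
class Host:
    host_id: str
    ip: str
    workgroup: Workgroup
    roles: Set[str]   # a host may carry several roles; role/workgroup is many-to-many


@dataclass(frozen=True)
class GroupPolicy:
    """A rule as written by operations staff, addressed to workgroups and/or roles."""
    action: str       # "allow" or "deny"
    src_workgroup: Optional[Workgroup]
    src_role: Optional[str]
    dst_workgroup: Optional[Workgroup]
    dst_role: Optional[str]
    dst_port: int
    proto: str


def members(hosts: Dict[str, Host], workgroup: Optional[Workgroup], role: Optional[str]) -> List[Host]:
    """Hosts selected by a workgroup, a role, or both (intersection)."""
    if workgroup is None and role is None:
        raise ValueError("a selector must name a workgroup, a role, or both")
    return [h for h in hosts.values()
            if (workgroup is None or h.workgroup == workgroup) and (role is None or role in h.roles)]


def resolve(policy: GroupPolicy, hosts: Dict[str, Host]) -> Dict[str, List[Rule]]:
    """Expand one group policy: for each target host, concrete rules naming each source IP."""
    sources = members(hosts, policy.src_workgroup, policy.src_role)
    targets = members(hosts, policy.dst_workgroup, policy.dst_role)
    return {t.host_id: [(policy.action, s.ip, policy.dst_port, policy.proto) for s in sources]
            for t in targets}


class PolicyCenter:
    """Holds the host-readable policy per host and re-resolves per group when membership changes."""

    def __init__(self, hosts: Dict[str, Host], policies: List[GroupPolicy]):
        self.hosts = hosts            # shared inventory; the console mutates it
        self.policies = policies
        self.group_sizes = self._group_sizes()
        self.host_policy: Dict[str, List[Rule]] = {h: self.compile_host(h) for h in hosts}

    def _group_sizes(self) -> Dict[tuple, int]:
        sizes: Dict[tuple, int] = {}
        for h in self.hosts.values():
            sizes[("wg", h.workgroup)] = sizes.get(("wg", h.workgroup), 0) + 1
            for r in h.roles:
                sizes[("role", r)] = sizes.get(("role", r), 0) + 1
        return sizes

    def compile_host(self, host_id: str) -> List[Rule]:
        """Host-readable policy: every group rule targeting this host, sources expanded to IPs."""
        rules: List[Rule] = []
        for p in self.policies:
            rules.extend(resolve(p, self.hosts).get(host_id, []))
        return rules

    @staticmethod
    def _touches(policy: GroupPolicy, group: tuple) -> bool:
        kind, key = group
        if kind == "wg":
            return key in (policy.src_workgroup, policy.dst_workgroup)
        return key in (policy.src_role, policy.dst_role)

    def reissue_if_changed(self) -> List[str]:
        """S301/S303: find groups whose host count changed, re-resolve only the policies that
        reference them, and return the host IDs whose policy was regenerated."""
        new_sizes = self._group_sizes()
        changed = {g for g in set(new_sizes) | set(self.group_sizes)
                   if new_sizes.get(g, 0) != self.group_sizes.get(g, 0)}
        self.group_sizes = new_sizes
        if not changed:
            return []
        touched = [p for p in self.policies if any(self._touches(p, g) for g in changed)]
        affected: Set[str] = set()
        for p in touched:
            affected.update(resolve(p, self.hosts))
        for host_id in affected:
            self.host_policy[host_id] = self.compile_host(host_id)
        # A host moved out of a group is no longer a target here, so it keeps its previous
        # policy until it joins a group that yields new rules (the behaviour the text states).
        return sorted(affected)


# Constructed sample inventory and one allow rule: portal hosts of the web workgroup may reach
# database hosts of the db workgroup on 3306/tcp.
WEB = Workgroup("beijing-dc1", "prod", "shop-web")
DB = Workgroup("beijing-dc1", "prod", "shop-db")
SAMPLE_HOSTS = {
    "web-01": Host("web-01", "10.0.1.10", WEB, {"portal"}),
    "web-02": Host("web-02", "10.0.1.11", WEB, {"portal"}),
    "db-01": Host("db-01", "10.0.2.20", DB, {"database"}),
}
SAMPLE_POLICIES = [GroupPolicy("allow", WEB, "portal", DB, "database", 3306, "tcp")]
```

Adding a third portal host to the web workgroup changes the size of both the workgroup and the role, which touches the sample policy, so only db-01 is re-resolved and receives a third source IP; removing the database role from db-01 afterwards changes a group size but leaves no target, so db-01 keeps the rules it already has.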
Step S305, issuing the host-readable policy to the client.
Specifically, the client supports multi-cloud deployment: it may be deployed on servers in an IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts.
In an alternative embodiment, the logical groups are workgroups or roles; a workgroup is identified by three labels, region, environment and service; a role characterizes a functional class.
In particular, a logical group may be a workgroup, a role, or both a workgroup and a role. A workgroup is uniquely identified by three labels: region, environment and service. The environment label restricts the environment, for example test, pre-release (staging) and production; the region label restricts the specific deployment location, for example a certain Beijing, Shanghai or Qingdao machine room; the service label gives the specific service name. Roles represent the specific functional categories of a service; for example, a host security product includes database storage, portal pages, servers and so on, and the roles each play their part and together complete the host security function. The correspondence between roles and workgroups may be many-to-many. Logical groups are created by the user through a console and are generally stored in a relational database; they are matched and associated with the preprocessed log information stored in the graph database. It should be emphasized that the corresponding logical group is at least one preset group, that is, the preprocessed log information can be matched and associated by workgroup and by role respectively.
In an alternative embodiment, the client comprises an internet data center and/or a cloud environment.
Specifically, the client may be a client in an IDC environment, a client in a cloud environment, or a client spanning an IDC environment that also includes a cloud environment, so that the client can adapt to terminal devices with complex deployments and implement micro-segmented multi-cloud deployment. The method applies to clients whose services are fully supported by an internet data center, clients whose services are supported by an internet data center together with a cloud environment, and clients whose services are supported by a cloud environment.
In an optional embodiment, the log information comprises at least one of:
process information, traffic information, access interception information, client state information and heartbeat information.
Specifically, the heartbeat information is used to determine whether the two interconnected parties are still online when there has been no communication for a long time, or whether the communication link between them has been disconnected. Generally, after initial deployment, the client sends heartbeat information to the server every few seconds so that the server can keep track of the client's operating state.
In one embodiment, policy delivery may be based on logical groups or on individual workloads, that is, hosts. When the policy is issued on the basis of a single workload, the host-readable policy is issued directly to the host without performing step S307.
In an embodiment, the method may include both step S105 and step S301; that is, resolving the policy for a logical group and generating the host-readable policy is triggered in two cases: a policy actively issued by the user, and the detection of a newly added host in the logical group.
The following describes a security scheduling apparatus provided in an embodiment of the present disclosure, and the security scheduling apparatus described below and the security scheduling method described above may be referred to correspondingly.
An embodiment of the present disclosure provides a safety scheduling apparatus, referring to fig. 4, where fig. 4 is one of schematic structural diagrams of the safety scheduling apparatus provided in the present disclosure, and the safety scheduling apparatus in the embodiment of the present disclosure includes: the system comprises an acquisition module 41, an association module 43, a receiving module 45, an analysis module 47 and a sending module 49. The obtaining module 41 is configured to obtain log information collected by a plurality of clients; the association module 43 is configured to respectively pre-process the log information collected by each client, and associate the pre-processed log information with corresponding logical groups; a receiving module 45, configured to receive an issuing policy formulated based on the preprocessed log information; the analysis module 47 is used for analyzing the issued strategy based on the logic grouping to generate a host readable strategy; and the issuing module 49 is used for issuing the host readable policy to the client.
According to the safety scheduling device provided by the embodiment of the disclosure, the log information acquired by each client and acquired by the acquisition module 41 is preprocessed by the association module 43, and the preprocessed log information is associated with the corresponding logic groups; the receiving module 45 receives an issuing strategy formulated based on the preprocessed log information; analyzing the issued strategy based on the logic grouping through an analysis module 47 to generate a readable strategy of the host; the issuing module 49 issues the host readable policy to the client. According to the method and the device, the log information acquired by each client is preprocessed, the preprocessed log information is associated with the corresponding logic groups, operation and maintenance personnel can know the complex service access relation among the hosts in the logic groups from the whole situation, and the issuing strategy is analyzed based on the logic groups, so that when the hosts in the logic groups need to change the strategy, the strategy center can analyze the issuing strategy by taking the logic groups as a unit without issuing the strategy one by one, and therefore the strategy is convenient to maintain and manage and is suitable for variable network environments.
Specifically, the clients served by the acquisition module 41 may be deployed on servers in an IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts, so that the clients fit terminal devices with complex deployments and micro-isolation is realized across multiple clouds. The log information may include process information, traffic information, access interception information, client state information and heartbeat information.
Specifically, the logical groups used by the association module 43 may include workgroups and roles. A workgroup is uniquely identified by three labels: region, environment and service. The environment label restricts the environment, for example a test, pre-release or production environment; the region label restricts the specific deployment location, for example a particular machine room in Beijing, Shanghai or Qingdao; the service label gives the specific service name. Roles represent the specific functional categories of a service: a host security product, for example, comprises database storage, portal pages, servers and the like, each role performing its own part so that together they deliver the functions of host security. The correspondence between roles and workgroups may be many-to-many. Logical groups are created by the user through a console and are generally stored in a relational database; they are matched and associated with the preprocessed log information, which is stored in a graph database. It should be emphasized that the corresponding logical group is at least one preset group, that is, the preprocessed log information can be matched and associated by workgroup and by role respectively.
Specifically, the issuing policy received by the receiving module 45 is a specific rule that allows or rejects traffic, and it is issued in terms of roles and workgroups. By analyzing the preprocessed log information, operation and maintenance personnel can identify the specific communication relations and specify a policy on that basis to raise the protection level; they upload the issuing policy formulated from the preprocessed log information to the cloud host, which receives it. It should be noted that the receiving module 45 may also receive a host-readable policy for a single workload, and such a policy is handed directly to the issuing module 49.
Specifically, the logical groups used by the parsing module 47 are created by the user through the console and are generally stored in the relational database. Because a user's policy can be issued for a workgroup or a role, the parsing module must parse a policy expressed in terms of roles and workgroups into a policy readable by the hosts. It should be noted that the present application also supports issuing host by host, in which case the host-readable policy is generated directly; parsing the issuing policy on the basis of logical groups, however, makes management more convenient.
Specifically, the clients served by the issuing module 49 support multi-cloud deployment: they may be deployed on servers in the IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts.
Referring to fig. 5, a schematic structural diagram of the association module of the security scheduling apparatus provided in the present disclosure, the association module 43 further includes a preprocessing unit 511, a matching association unit 513 and a visualization unit 515.
The preprocessing unit 511 is configured to perform parsing, deduplication, aggregation, correlation and asset completion on the log information to obtain the feature information of the log information.
Specifically, parsing extracts the source IP, destination IP, source port, destination port and protocol from the raw data format. Deduplication extracts the distinct access flows from a mass of logs along the dimensions of source IP, destination IP, destination port and protocol. Aggregation counts the number of accesses for each distinct access relation. Correlation matches traffic information to host process information by host ID, so that a traffic access relation is located to a host process. Asset completion fills in the remaining host attributes, including IP, host name and operating system, by host ID.
The matching association unit 513 is configured to match and associate the feature information with the preset configuration features of at least one logical group.
Specifically, the feature information is stored in a graph database, while the logical groups, created by the user through the console, are typically stored in a relational database. The feature information here can be understood as the preprocessed traffic access relations.
The visualization unit 515 is configured to visually display the log information and the logical groups that have been matched and associated.
In this embodiment, the feature information of the log information is stored in the database and the traffic is then visualized. Operation and maintenance personnel can issue policies according to the service access relations, and the client deployed on each host receives and enforces the policy. The visual display in this embodiment can draw the access relations between hosts, with hosts as the dimension, from the traffic information collected by the clients; an access relation includes the access direction, the access state (successful or blocked), the access port information and so on. It is emphasized that the traffic information can be analyzed specifically from the perspective of a workgroup or a role rather than as a single overall traffic map, which makes analysis easier.
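The five preprocessing steps above (parsing, deduplication, aggregation, correlation and asset completion), run over a few constructed traffic records, as an added example that is not code from the patent or its assignee. The one-flow-per-line record format, the process table keyed by (host ID, listening port, protocol) and the asset table keyed by host ID are assumptions made for the example.

```python
"""Preprocessing unit walk-through: parse, deduplicate, aggregate, correlate,
asset completion. Added example; the log line format and the two lookup
tables are constructed assumptions, not the patent's own formats."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample traffic reported by the clients, one flow per line:
# "<reporting host ID> <src IP>:<src port> -> <dst IP>:<dst port> <proto>"
RAW_TRAFFIC = [
    "h-web-1 10.0.0.1:51022 -> 10.0.1.1:3306 tcp",
    "h-web-1 10.0.0.1:51023 -> 10.0.1.1:3306 tcp",  # same relation, new src port
    "h-web-2 10.0.0.2:40001 -> 10.0.1.1:3306 tcp",
    "h-web-1 10.0.0.1:60000 -> 10.0.1.1:22 tcp",
]

# Constructed process information: (host ID, listening port, proto) -> process.
PROCESSES = {("h-db-1", 3306, "tcp"): "mysqld", ("h-db-1", 22, "tcp"): "sshd"}

# Constructed asset records keyed by host ID.
ASSETS = {
    "h-web-1": {"ip": "10.0.0.1", "hostname": "web-1", "os": "linux"},
    "h-web-2": {"ip": "10.0.0.2", "hostname": "web-2", "os": "linux"},
    "h-db-1": {"ip": "10.0.1.1", "hostname": "db-1", "os": "linux"},
}

# (reporting host ID, src IP, src port, dst IP, dst port, proto)
Flow = Tuple[str, str, int, str, int, str]
# Deduplication dimensions: (src IP, dst IP, dst port, proto)
Key = Tuple[str, str, int, str]


def parse_line(line: str) -> Flow:
    """Step 1, parsing: extract the five-tuple from the raw record."""
    host_id, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (host_id, src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def deduplicate_and_aggregate(flows: List[Flow]) -> Dict[Key, int]:
    """Steps 2 and 3: collapse flows to distinct access relations on the four
    dimensions (the ephemeral source port is dropped) and count each one."""
    counts: Counter = Counter()
    for _, src_ip, _, dst_ip, dst_port, proto in flows:
        counts[(src_ip, dst_ip, dst_port, proto)] += 1
    return dict(counts)


@dataclass(frozen=True)
class AccessRelation:
    """Feature information of one access relation, ready for the graph store."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    count: int
    src_host: str
    dst_host: str
    dst_process: str
    dst_hostname: str
    dst_os: str


def preprocess(lines: List[str], processes: Dict[Tuple[str, int, str], str],
               assets: Dict[str, Dict[str, str]]) -> List[AccessRelation]:
    flows = [parse_line(line) for line in lines if line.strip()]
    counts = deduplicate_and_aggregate(flows)
    # The record names only the reporting host; the destination host ID is
    # recovered from the asset table's IP field (an assumption of this example).
    ip_to_host = {a["ip"]: hid for hid, a in assets.items()}
    reporter = {f[1]: f[0] for f in flows}
    relations = []
    for (src_ip, dst_ip, dst_port, proto), n in sorted(counts.items()):
        dst_host = ip_to_host.get(dst_ip, "unknown")
        # Step 4, correlation: host ID plus listening port locate the process.
        process = processes.get((dst_host, dst_port, proto), "unknown")
        # Step 5, asset completion: remaining host attributes looked up by host ID.
        asset = assets.get(dst_host, {})
        relations.append(AccessRelation(
            src_ip, dst_ip, dst_port, proto, n,
            reporter.get(src_ip, "unknown"), dst_host, process,
            asset.get("hostname", "unknown"), asset.get("os", "unknown")))
    return relations
```

Four raw flows collapse to three access relations; the two connections from 10.0.0.1 to port 3306 differ only in source port and so become one relation with a count of 2, attributed to mysqld on db-1.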
In an alternative embodiment, the feature information of the log information is stored in a database, and the preset configuration features of at least one logical group are stored in a relational database.
In an alternative embodiment, referring to fig. 6, which is a second schematic structural diagram of the security scheduling apparatus provided in the present disclosure, the apparatus includes an update module 61, a parsing module 63 and an issuing module 65. The update module 61 is configured to determine whether the number of hosts in each preset logical group has changed and, if so, to update the issuing policy for the logical group whose host count changed; the parsing module 63 is configured to parse the updated issuing policy for that logical group and generate a host-readable policy; and the issuing module 65 is configured to issue the host-readable policy to the clients.
Specifically, operation and maintenance personnel may add hosts to, or remove hosts from, a workgroup or role according to actual needs. After such an operation the cloud host senses, through the update module 61, that the hosts in the logical group have changed, and updates the issuing policy for that logical group, so that hosts newly added to the group receive the policy for the group. It should be noted that a host moved out of a logical group retains its previous policy until it obtains a new policy by being added to a new logical group.
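How a policy expressed in terms of workgroups and roles is parsed into host-readable rules, and how a change in a group's host count re-parses that group only while a departed host keeps its previous rules, as an added example that is not code from the patent or its assignee. The Selector, IssuingPolicy and HostRule types, the hosts, addresses and the two policies are constructed assumptions; rendering a host rule as an iptables line follows the description's mention of an iptables library.

```python
"""Group-level issuing policies parsed into host-readable rules and re-parsed for one
logical group when its host count changes. Added example; the data model is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A workgroup is uniquely identified by its three labels (region, environment, service).
Workgroup = Tuple[str, str, str]

@dataclass(frozen=True)
class Host:
    host_id: str
    ip: str
    workgroup: Workgroup
    role: str  # functional category, e.g. "web" or "db"

@dataclass(frozen=True)
class Selector:
    """Policy endpoint: a workgroup, a role, or both; None means 'any'."""
    workgroup: Optional[Workgroup] = None
    role: Optional[str] = None
    def matches(self, host: Host) -> bool:
        return self.workgroup in (None, host.workgroup) and self.role in (None, host.role)

@dataclass(frozen=True)
class IssuingPolicy:
    action: str  # "ACCEPT" or "DROP": the rule allows or rejects traffic src -> dst
    src: Selector
    dst: Selector
    dport: int
    proto: str

@dataclass(frozen=True)
class HostRule:
    """Host-readable rule: what one destination host enforces for one source IP."""
    action: str
    src_ip: str
    dport: int
    proto: str
    def iptables(self) -> str:  # rendered for the iptables library the center builds on
        return f"-A INPUT -p {self.proto} -s {self.src_ip} --dport {self.dport} -j {self.action}"

class PolicyCenter:
    def __init__(self, hosts: List[Host], policies: List[IssuingPolicy]):
        self.hosts: Dict[str, Host] = {h.host_id: h for h in hosts}
        self.policies = list(policies)
        # Rule set last delivered to each host; replaced only when the host is
        # re-resolved, so a host that leaves its group keeps its old rules.
        self.delivered: Dict[str, Tuple[HostRule, ...]] = {}

    def resolve_host(self, host: Host) -> Tuple[HostRule, ...]:
        """Parsing: expand each policy that selects `host` as destination into
        one concrete rule per current source host matched by the src selector."""
        rules = set()
        for p in self.policies:
            if not p.dst.matches(host):
                continue
            for src in self.hosts.values():
                if src.host_id != host.host_id and p.src.matches(src):
                    rules.add(HostRule(p.action, src.ip, p.dport, p.proto))
        return tuple(sorted(rules, key=lambda r: (r.dport, r.proto, r.src_ip)))

    def on_membership_change(self, changed: Host) -> List[str]:
        """Re-parse and issue with the changed host's workgroup as the unit: its current
        members plus every host whose inbound rules could name `changed` as a source."""
        group = Selector(workgroup=changed.workgroup)
        affected = {h.host_id for h in self.hosts.values() if group.matches(h)}
        for p in self.policies:
            if p.src.matches(changed):
                affected |= {h.host_id for h in self.hosts.values() if p.dst.matches(h)}
        for hid in sorted(affected):
            self.delivered[hid] = self.resolve_host(self.hosts[hid])
        return sorted(affected)  # host IDs that received a fresh rule set

    def add_host(self, host: Host) -> List[str]:
        self.hosts[host.host_id] = host
        return self.on_membership_change(host)

    def remove_host(self, host_id: str) -> List[str]:
        # The leaving host is not re-issued: it keeps its previous policy until it joins a new group.
        return self.on_membership_change(self.hosts.pop(host_id))

def build_demo() -> PolicyCenter:
    """Constructed fixture: two production workgroups in Beijing, two policies."""
    portal: Workgroup = ("beijing", "prod", "portal")
    storage: Workgroup = ("beijing", "prod", "storage")
    hosts = [Host("h1", "10.0.0.1", portal, "web"),
             Host("h2", "10.0.0.2", portal, "web"),
             Host("h3", "10.0.1.1", storage, "db")]
    policies = [
        # role -> workgroup: any web role may reach MySQL in the storage group
        IssuingPolicy("ACCEPT", Selector(role="web"), Selector(workgroup=storage), 3306, "tcp"),
        # workgroup -> role: the portal group may not reach SSH on db roles
        IssuingPolicy("DROP", Selector(workgroup=portal), Selector(role="db"), 22, "tcp"),
    ]
    pc = PolicyCenter(hosts, policies)
    for h in hosts:
        pc.delivered[h.host_id] = pc.resolve_host(h)
    return pc
```

With the fixture, the storage host receives four rules (two ACCEPT, two DROP) while the web hosts, which no policy selects as destination, receive none; adding a third web host re-issues the portal group and the storage host that depends on it, and removing the storage host afterwards leaves its six delivered rules untouched.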
Specifically, the logical groups used by the parsing module 63 are created by the user through the console and are generally stored in the relational database. Because a user's policy can be issued for a workgroup or a role, the parsing module must parse a policy expressed in terms of roles and workgroups into a policy readable by the hosts. It should be noted that the present application also supports issuing host by host, in which case the host-readable policy is generated directly; parsing the issuing policy on the basis of logical groups, however, makes management more convenient.
Specifically, the clients served by the issuing module 65 support multi-cloud deployment: they may be deployed on servers in the IDC machine room, on cloud hosts, or partly on IDC servers and partly on cloud hosts.
In a specific embodiment, the security scheduling apparatus comprising the acquisition module 41, the association module 43, the receiving module 45, the parsing module 47 and the issuing module 49 may further include an update module 44. The update module 44 is configured to determine whether the number of hosts in each preset logical group has changed and, if so, to update the issuing policy for the logical group whose host count changed; the parsing module 47 is then configured either to parse the updated issuing policy for that logical group and generate a host-readable policy, or to parse the issuing policy on the basis of the logical groups and generate a host-readable policy.
In an alternative embodiment, the logical groups are workgroups or roles; a workgroup is identified by the three labels region, environment and service, and a role characterizes a functional category of the service.
Specifically, a logical group may be a workgroup, a role, or both a workgroup and a role. A workgroup is uniquely identified by three labels: region, environment and service. The environment label restricts the environment, for example a test, pre-release or production environment; the region label restricts the specific deployment location, for example a particular machine room in Beijing, Shanghai or Qingdao; the service label gives the specific service name. Roles represent the specific functional categories of a service: a host security product, for example, comprises database storage, portal pages, servers and the like, each role performing its own part so that together they deliver the functions of host security. The correspondence between roles and workgroups may be many-to-many. Logical groups are created by the user through a console and are generally stored in a relational database; they are matched and associated with the preprocessed log information, which is stored in a graph database. It should be emphasized that the corresponding logical group is at least one preset group, that is, the preprocessed log information can be matched and associated by workgroup and by role respectively.
In an alternative embodiment, the clients comprise an internet data center and/or a cloud environment.
Specifically, a client may be in an IDC environment, in a cloud environment, or in an IDC environment that includes a cloud environment, so that the clients fit terminal devices with complex deployments and micro-isolation is realized across multiple clouds. The method applies to clients whose services are fully supported by an internet data center, clients whose services are supported by an internet data center together with a cloud environment, and clients whose services are supported by a cloud environment.
In an optional embodiment, the log information comprises at least one of:
process information, traffic information, access interception information, client state information, and heartbeat information.
Specifically, heartbeat information is used to determine whether both interconnected parties are still online when there has been no communication for a long time, or whether the communication link between them has been broken. Generally, after initial deployment the client sends heartbeat information to the server every few seconds so that the server knows the client's operating state.
Referring to fig. 7, the present disclosure also provides a security scheduling system including a policy center module 71, a management and control service module 73, a log service module 75, a visual display module 77 and a computation service module 79. The policy center module 71 manages and issues policies; the management and control service module 73 manages the overall operating environment; the log service module 75 collects log information; the visual display module 77 presents information to the user in page form; and the computation service module 79 provides computing support.
Referring to fig. 8, the policy center module 71 specifically includes a policy receiving unit 811, a policy adaptation unit 813, a policy parsing unit 815 and a policy issuing unit 817. The policy receiving unit 811 provides the API and receives policies actively submitted by the user. The policy adaptation unit 813 senses changes of the hosts within workgroups and roles. The policy parsing unit 815 parses the policy issued by the user: because a user's policy can be issued for a workgroup or a role, the unit must parse a policy expressed in terms of roles and workgroups into a policy readable by the hosts. The policy issuing unit 817 is mainly used to issue the parsed policy to the host clients.
Referring to fig. 9, the dependency library used to implement the policy center module 71 is an iptables library, which wraps the kernel's netfilter facility; similarly, the dependency library used to implement the log service module 75 is a conntrack library, which wraps the kernel's conntrack facility.
Referring to fig. 10, the management and control service module 73 of the security scheduling system is responsible for interacting with the terminal environment (policy issuing, configuration updates, heartbeat communication and the like) and for managing the overall operating environment, including initializing the operating environment and starting and stopping processes. The log service module 75 provides a general logging service through which data can be sent to the server side whether the terminal is in the IDC environment or in the cloud environment.
Fig. 11 illustrates the physical structure of an electronic device. As shown in fig. 11, the electronic device may include a processor 1110, a communications interface 1120, a memory 1130 and a communication bus 1140, where the processor 1110, the communications interface 1120 and the memory 1130 communicate with one another via the communication bus 1140. The processor 1110 may call logic instructions in the memory 1130 to perform the security scheduling method.
In addition, the logic instructions in the memory 1130 may be implemented as software functional units and, when sold or used as a stand-alone product, stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of the present disclosure may be embodied as a software product that is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the methods described in the embodiments of the present disclosure. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the present disclosure also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to execute the security scheduling method provided by the methods above.
In yet another aspect, the present disclosure also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the security scheduling methods provided above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solutions of the present disclosure, not to limit them; although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (11)

1. A security scheduling method, comprising:
acquiring log information collected by a plurality of clients;
preprocessing the log information collected by each client respectively, and associating the preprocessed log information with corresponding logical groups, wherein the logical groups are at least one preset group;
receiving an issuing policy formulated on the basis of the preprocessed log information;
parsing the issuing policy on the basis of the logical groups to generate a host-readable policy; and
issuing the host-readable policy to a client.
2. The security scheduling method of claim 1, wherein preprocessing the log information collected by each client and associating the preprocessed log information with the corresponding logical groups further comprises:
performing parsing, deduplication, aggregation, correlation and asset completion on the log information to acquire feature information of the log information;
matching and associating the feature information with preset configuration features of at least one logical group; and
visually displaying the log information and the logical groups that have been matched and associated.
3. The security scheduling method of claim 2, wherein
the feature information of the log information is stored in a graph database; and
the preset configuration features of the at least one logical group are stored in a relational database.
4. The security scheduling method of claim 1, further comprising:
determining whether the number of hosts in each preset logical group has changed and, if so, updating the issuing policy on the basis of the logical group whose number of hosts changed;
parsing the updated issuing policy for the logical group whose number of hosts changed to generate a host-readable policy; and
issuing the host-readable policy to a client.
5. The security scheduling method according to any one of claims 1 to 4, wherein the logical group is a workgroup or a role;
the workgroup is identified by the three labels region, environment and service; and
the role characterizes a functional class.
6. The security scheduling method of claim 5, wherein the client comprises an internet data center and/or a cloud environment.
7. The security scheduling method of claim 6, wherein the log information comprises at least one of:
process information, traffic information, access interception information, client state information and heartbeat information.
8. A security scheduling apparatus, comprising:
an acquisition module for acquiring log information collected by a plurality of clients;
an association module for preprocessing the log information collected by each client respectively and associating the preprocessed log information with corresponding logical groups, wherein the logical groups are at least one preset group;
a receiving module for receiving an issuing policy formulated on the basis of the preprocessed log information;
a parsing module for parsing the issuing policy on the basis of the logical groups to generate a host-readable policy; and
an issuing module for issuing the host-readable policy to a client.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the security scheduling method according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the security scheduling method according to any one of claims 1 to 7.
11. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the steps of the security scheduling method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111074911.5A CN113794717A (en) 2021-09-14 2021-09-14 Safety scheduling method, device and related equipment

Publications (1)

Publication Number Publication Date
CN113794717A true CN113794717A (en) 2021-12-14

Family

ID=78880281

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111074911.5A Pending CN113794717A (en) 2021-09-14 2021-09-14 Safety scheduling method, device and related equipment

Country Status (1)

Country Link
CN (1) CN113794717A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008143985A1 (en) * 2007-05-15 2008-11-27 Consentry Networks Role derivation in remotely implemented network security policies
US20130326579A1 (en) * 2012-05-30 2013-12-05 Rafae Bhatti Healthcare privacy breach prevention through integrated audit and access control
CN103999091A (en) * 2011-12-29 2014-08-20 迈可菲公司 Geo-mapping system security events
CN105391684A (en) * 2015-10-14 2016-03-09 浪潮电子信息产业股份有限公司 Centralized management method and centralized management device for strategies
CN105471840A (en) * 2015-11-12 2016-04-06 中国建设银行股份有限公司 Terminal management system under large-scale enterprise network environment
CN107276980A (en) * 2017-05-02 2017-10-20 广东电网有限责任公司信息中心 User anomaly detection method and system based on association analysis
US20180063195A1 (en) * 2016-08-30 2018-03-01 Nicira, Inc. Adaptable network event monitoring configuration in datacenters
CN109286617A (en) * 2018-09-13 2019-01-29 郑州云海信息技术有限公司 Data processing method and related device
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 Alarm log association attack analysis method and device
CN110851241A (en) * 2019-11-20 2020-02-28 杭州安恒信息技术股份有限公司 Safety protection method, device and system for Docker container environment
CN111800408A (en) * 2020-06-30 2020-10-20 深信服科技股份有限公司 Policy configuration device, security policy configuration method of terminal, and readable storage medium
CN112887268A (en) * 2021-01-07 2021-06-01 深圳市永达电子信息股份有限公司 Network security guarantee method and system based on comprehensive detection and identification

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Research on Key Technologies of Network Security Situation Awareness Based on Big Data", Computer Knowledge and Technology, 31 May 2020 (2020-05-31), pages 43 - 45 *
江佳希: "Research and Implementation of a Hadoop-based Security Situation Awareness System", China Master's Theses Full-text Database, 15 October 2020 (2020-10-15), pages 27 - 36 *
赵龙: "Research on Security Event Management Technologies and Methods for Mobile Communication Networks", China Master's Theses Full-text Database, 15 March 2017 (2017-03-15), pages 27 - 50 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination