CN113810344A - Security orchestration system, apparatus, method, and computer-readable storage medium

Info

Publication number: CN113810344A
Authority: CN (China)
Prior art keywords: security, orchestration, information, threat, centralized
Legal status: Granted
Application number: CN202010543592.7A
Other languages: Chinese (zh)
Other versions: CN113810344B (en)
Inventors: 樊宁, 王海燚, 沈军, 何明, 金华敏
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Classifications

    • H04L 63/20: network architectures or network communication protocols for network security; managing network security, network security policies in general
    • H04L 63/0236: separating internal from external traffic (e.g. firewalls); filtering policies; filtering by address, protocol, port number or service (e.g. IP address or URL)
    • H04L 63/0263: separating internal from external traffic (e.g. firewalls); filtering policies; rule management
    • H04L 63/1416: detecting or protecting against malicious traffic by monitoring network traffic; event detection (e.g. attack signature detection)
    • H04L 63/1425: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging (e.g. anomaly detection)
    • H04L 2463/146: additional details relating to network security covered by H04L 63/00; tracing the source of attacks

Abstract

The invention relates to a security orchestration system, device, method, and computer-readable storage medium. According to an aspect of the present invention, there is provided a security orchestration system for orchestrating the security policy of a security device, the security device providing a security defense function corresponding to the security policy to a protected object. The security orchestration system comprises a centralized orchestration unit for centrally orchestrating the security policies of one or more security devices, and one or more auxiliary orchestration units configured respectively in the one or more security devices. According to the invention, the likelihood of mis-orchestrating the security policy of a security device is reduced and the accuracy of security orchestration is improved.

Description

Security orchestration system, apparatus, method, and computer-readable storage medium
Technical Field
The present invention relates generally to the field of network security, and more particularly to orchestration of security policies.
Background
Security orchestration is a technique for automating the configuration and deployment of security policies on security devices (e.g., firewalls, IPSs, WAFs, etc.). Through security orchestration, a security device is enabled to provide appropriate security capabilities for its protected object (e.g., a server or terminal protected by the security device).
Security orchestration can provide an efficient security response mechanism for the dynamic security requirements of fifth-generation mobile communication technology (5G for short), and is widely applied in the field of network security.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood, however, that this summary is not an exhaustive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
The inventors of the present invention have noted that automated security policy configuration by security orchestration techniques known to the inventors may be subject to error for certain specific reasons. For example, an attacker may forge the IP address of an application system when launching an attack, causing the security orchestrator to mistake the application system for the source of the attack and, when implementing automatic security defense, to block the application system's IP, affecting the availability of the application system's service.
Typically, a security orchestrator may employ two methods to prevent such errors. One approach is to avoid blocking the IP address of a trusted application by setting a whitelist, but then no effective response is possible when the application is actually attacked. Another approach is to reduce the incidence of such errors by increasing the accuracy of security monitoring, but this cannot completely avoid them.
It is an object of the present invention to provide a security orchestration system, device, method and computer-readable storage medium that address one or more of the above problems.
According to an aspect of the present invention, there is provided a security orchestration system for orchestrating the security policy of a security device, the security device providing a security defense function corresponding to the security policy to a protected object. The security orchestration system comprises: a centralized orchestration unit for centrally orchestrating the security policies of one or more security devices; and one or more auxiliary orchestration units configured respectively in the one or more security devices. The centralized orchestration unit is configured to: extract information about a threat source from threat information; determine, according to the information about the threat source, whether the threat source matches a protected object in a security policy table, the security policy table recording the security policies of the one or more security devices, where the security policy of each security device comprises information about the protected object of that security device and the security policy corresponding to that protected object; when the threat source is determined to match a protected object in the security policy table, determine the security device corresponding to that protected object as the attacked security device and provide the threat information to the auxiliary orchestration unit corresponding to the attacked security device; and perform an action related to security policy orchestration according to orchestration feedback information from that auxiliary orchestration unit. Each of the one or more auxiliary orchestration units is configured to: according to the threat information from the centralized orchestration unit, acquire log information related to the threat information from the security log of the attacked security device; and provide orchestration feedback information to the centralized orchestration unit according to the log information.
According to another aspect of the present invention, there is provided a centralized orchestration device for a security orchestration system, the security orchestration system orchestrating the security policy of a security device that provides a security defense function corresponding to the security policy to a protected object. The centralized orchestration device comprises processing circuitry configured to: extract information about a threat source from threat information; determine, according to the information about the threat source, whether the threat source matches a protected object in a security policy table of the security orchestration system, the security policy table recording the security policies of one or more security devices, where the security policy of each security device comprises information about the protected object of that security device; when the threat source is determined to match a protected object in the security policy table, determine the security device corresponding to that protected object as the attacked security device and provide the threat information to the auxiliary orchestration device corresponding to the attacked security device; and perform an action related to security policy orchestration according to orchestration feedback information from the auxiliary orchestration device.
According to another aspect of the present invention, there is provided an auxiliary orchestration device for a security orchestration system, the security orchestration system orchestrating the security policy of a security device that provides a security defense function corresponding to the security policy to a protected object. The auxiliary orchestration device is configured in the security device and comprises processing circuitry configured to: according to threat information from the security orchestration system, acquire log information related to the threat information from the security log of the security device; and provide orchestration feedback information to the security orchestration system according to the log information.
According to another aspect of the present invention, there is provided an auxiliary communication device for a security orchestration system, the security orchestration system being configured to orchestrate the security policy of a security device, and the security device being configured to provide a security defense function corresponding to the security policy to a protected object. The auxiliary communication device is configured in the security device to assist the security orchestration system in communicating with the security device, and comprises processing circuitry configured to: in response to a notification from the security device that communication between the security device and the security orchestration system has failed, initiate a communication connection recovery process comprising: verifying whether the security device is trustworthy according to the security log of the security device; and, when the security device is verified to be trustworthy, establishing a new communication connection between the security device and the security orchestration system.
According to another aspect of the present invention, there is provided a security orchestration method for a security orchestration system configured to orchestrate the security policy of a security device, the security device being configured to provide a security defense function corresponding to the security policy to a protected object. The security orchestration system includes a centralized orchestration unit for centrally orchestrating the security policies of one or more security devices, and one or more auxiliary orchestration units configured respectively in the one or more security devices. The method comprises: the centralized orchestration unit extracts information about a threat source from threat information; the centralized orchestration unit determines, according to the information about the threat source, whether the threat source matches a protected object in a security policy table, the security policy table recording the security policies of the one or more security devices, where the security policy of each security device comprises information about the protected object of that security device and the security policy corresponding to that protected object; when the threat source is determined to match a protected object in the security policy table, the centralized orchestration unit determines the security device corresponding to that protected object as the attacked security device and provides the threat information to the auxiliary orchestration unit corresponding to the attacked security device; the auxiliary orchestration unit acquires, according to the threat information from the centralized orchestration unit, log information related to the threat information from the security log of the attacked security device; the auxiliary orchestration unit provides orchestration feedback information to the centralized orchestration unit according to the log information; and the centralized orchestration unit performs an action related to security policy orchestration according to the orchestration feedback information from the auxiliary orchestration unit.
According to another aspect of the present invention, there is provided a centralized orchestration method for a security orchestration system that orchestrates the security policy of a security device providing a security defense function corresponding to the security policy to a protected object. The centralized orchestration method comprises: extracting information about a threat source from threat information; determining, according to the information about the threat source, whether the threat source matches a protected object in a security policy table of the security orchestration system, the security policy table recording the security policies of one or more security devices, where the security policy of each security device comprises information about the protected object of that security device; when the threat source is determined to match a protected object in the security policy table, determining the security device corresponding to that protected object as the attacked security device and providing the threat information to the auxiliary orchestration device corresponding to the attacked security device; and performing an action related to security policy orchestration according to orchestration feedback information from the auxiliary orchestration device.
According to another aspect of the present invention, there is provided an auxiliary orchestration method for a security orchestration system that orchestrates the security policy of a security device providing a security defense function corresponding to the security policy to a protected object. The auxiliary orchestration method comprises: according to threat information from the security orchestration system, acquiring log information related to the threat information from the security log of the security device; and providing orchestration feedback information to the security orchestration system according to the log information.
According to another aspect of the present invention, there is provided an auxiliary communication method for a security orchestration system, the security orchestration system being configured to orchestrate the security policy of a security device, and the security device being configured to provide a security defense function corresponding to the security policy to a protected object. The auxiliary communication method assists the security orchestration system in communicating with the security device and comprises: in response to a notification from the security device that communication between the security device and the security orchestration system has failed, initiating a communication connection recovery process comprising: verifying whether the security device is trustworthy according to the security log of the security device; and, when the security device is verified to be trustworthy, establishing a new communication connection between the security device and the security orchestration system.
According to another aspect of the present invention, there is provided a computer-readable storage medium comprising computer-executable instructions which, when executed by one or more processors, cause the one or more processors to perform one or more of the security orchestration method, the centralized orchestration method, the auxiliary orchestration method, and the auxiliary communication method for a security orchestration system according to the present invention.
According to the invention, the likelihood of mis-orchestrating the security policy of a security device is reduced and the accuracy of security orchestration is improved. In addition, the communication connection can be restored when communication between the security orchestration system and the security device is blocked by an error.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention.
The invention will be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 shows a block diagram of an exemplary configuration of a security orchestration system according to an embodiment of the invention;
FIG. 2A illustrates an exemplary flow diagram of a security orchestration method for a security orchestration system according to embodiments of the present invention;
FIG. 2B illustrates an exemplary flow diagram of a communication connection restoration process performed by the security orchestration system according to embodiments of the present invention.
FIG. 3 illustrates a block diagram of an exemplary configuration of a centralized orchestration device for a security orchestration system according to an embodiment of the invention;
FIG. 4 illustrates an exemplary flow diagram of a centralized orchestration method for a security orchestration system according to embodiments of the present invention;
FIG. 5 shows a block diagram of an exemplary configuration of an auxiliary orchestration device for a security orchestration system according to an embodiment of the invention;
FIG. 6 illustrates an exemplary flow diagram of an auxiliary orchestration method for a security orchestration system according to embodiments of the present invention;
FIG. 7 illustrates a block diagram of an exemplary configuration of an auxiliary communication device for a security orchestration system according to an embodiment of the present invention;
FIG. 8 illustrates an exemplary flow diagram of an auxiliary communication method for a security orchestration system according to embodiments of the present invention;
FIG. 9 illustrates an exemplary configuration of a computing device in which embodiments in accordance with the invention may be implemented.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
(Security orchestration system)
Fig. 1 shows a block diagram of an exemplary configuration of a security orchestration system 1 according to an embodiment of the invention.
As shown in fig. 1, security orchestration system 1 orchestrates the security policies executed by security devices 11. A security device 11 provides security protection functions to its protected objects by enforcing the security policies provided by security orchestration system 1. In particular, security orchestration system 1 may comprise a centralized orchestration unit 12 and auxiliary orchestration units 13. The centralized orchestration unit 12 centrally orchestrates the security policies of one or more security devices 11. The auxiliary orchestration units 13 are configured respectively in the corresponding security devices 11, and perform auxiliary orchestration and/or auxiliary communication for the security policies.
Three security devices 11 are illustrated in fig. 1, but the number of security devices 11 is not limited to three and may be any number of one or more. Likewise, the number of auxiliary orchestration units 13 corresponding to the security devices 11 is not limited to three and may be any number of one or more.
It is to be noted that the security device 11 described herein refers to a device capable of providing a security function for a protected object in a network environment, to prevent the protected object from being attacked over the network, such as a firewall, an IPS (intrusion prevention system), a WAF (web application protection system), and the like. A protected object as described herein refers to an object protected by a security device, such as a network terminal, a network server, a web application, or the like.
In some embodiments, security orchestration system 1 may further comprise a storage unit (not shown). The storage unit may store a security policy table. The security policy table may record the security policies of one or more security devices 11, for example. The security policy of each security device may include, for example, information about the protected object of the security device and the security policy corresponding to the protected object.
As an example, table 1 below shows the security policy of one security device 11 as recorded in the security policy table. The information about the protected object of the security device 11 consists of a target address (i.e., the IP address of the protected object), and the security policy corresponding to the protected object consists of a security function and a handling policy. In addition, the security policy may also include information about the attack source (e.g., the source address shown in table 1, i.e., the IP address of the attack source).
When security orchestration system 1 configures the security policy shown in table 1 and issues it to the corresponding security device 11, the security device 11 provides the intrusion prevention security function for the protected object with target address 192.168.1.2 and applies the "alarm" handling policy to the attack source with source address "0.0.0.0". Likewise, the security device 11 provides the security functions shown in table 1 for the protected objects with target addresses "192.168.2.2" and "192.168.3.2", and applies the corresponding handling policies shown in table 1 to their attack sources.
(Table 1)
Source address   Target address   Security function     Handling policy
0.0.0.0          192.168.1.2      Intrusion prevention  Alarm
1.1.1.1          192.168.2.2      Virus protection      Discard
1.1.1.1          192.168.3.2      Intrusion prevention  Block session
It should be understood that the security policies shown in table 1 above are only one example of the security policies that the security orchestration system 1 orchestrates for the security devices 11, and that the security policies may be orchestrated differently according to the network security environment and the requirements of the protected objects.
In addition, the security policy table described above may also be stored in an external storage device (for example, an external server, a cloud storage unit, or the like) instead of being stored in the storage unit of the security orchestration system, and the security orchestration system 1 performs operations such as reading, modifying, and the like on the security policy table by communication with the external storage device.
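Table 1 as structured data together with the match that the centralized orchestration unit performs in step S2002, as an added example in Python (not code from the patent or from China Telecom). Each row of the security policy table is stored with the security device it was issued to, and the lookup returns the attacked security device when a threat source's IP falls on a protected object's target address. As an assumption beyond the page, a target address may also be written as a CIDR network; the device names and the second device's row are constructed for the example.

```python
"""Security policy table lookup for step S2002 (added example, not the patent's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRow:
    device: str     # security device the policy was issued to (constructed name)
    source: str     # attack source address; "0.0.0.0" stands for any source
    target: str     # protected object: an address, or (assumption) a CIDR network
    function: str   # security function
    handling: str   # handling policy


# Table 1 from the page (device "fw-1" is a constructed name), plus one
# constructed row for a second device so the lookup must choose between devices.
POLICY_TABLE: List[PolicyRow] = [
    PolicyRow("fw-1", "0.0.0.0", "192.168.1.2", "intrusion prevention", "alarm"),
    PolicyRow("fw-1", "1.1.1.1", "192.168.2.2", "virus protection", "discard"),
    PolicyRow("fw-1", "1.1.1.1", "192.168.3.2", "intrusion prevention", "block session"),
    PolicyRow("waf-2", "0.0.0.0", "10.0.5.0/24", "intrusion prevention", "alarm"),  # constructed
]


def parse_target(target: str):
    """A bare address becomes a /32 (or /128) network so both forms match uniformly."""
    return ipaddress.ip_network(target, strict=False)


def match_threat_source(table: List[PolicyRow], threat_source: str) -> Optional[str]:
    """Step S2002: return the attacked security device, or None when no protected object matches."""
    try:
        src = ipaddress.ip_address(threat_source)
    except ValueError:
        # Malformed threat information must not trigger any orchestration change.
        return None
    for row in table:
        if src in parse_target(row.target):
            return row.device
    return None


def policies_for(table: List[PolicyRow], device: str) -> List[PolicyRow]:
    """The policy entries the security policy table holds for one security device."""
    return [row for row in table if row.device == device]


def preliminary_action(table: List[PolicyRow], threat_info: dict) -> Tuple[str, Optional[str]]:
    """Steps S2001 and S2002: extract the threat source and decide where the threat goes next."""
    source = threat_info.get("source_ip", "")      # S2001: threat source from the threat information
    device = match_threat_source(table, source)    # S2002: compare against protected objects
    if device is None:
        # No protected object carries this address: the page says the policies may be rearranged.
        return ("re-orchestrate", None)
    # A protected object does: hand the threat to that device's auxiliary unit for verification.
    return ("dispatch-to-auxiliary", device)


if __name__ == "__main__":
    for ip in ("192.168.1.2", "10.0.5.7", "1.1.1.1"):
        print(ip, "->", preliminary_action(POLICY_TABLE, {"source_ip": ip}))
```

The lookup is deliberately only the preliminary judgement: a match says that the reported source address belongs to a protected object, not that the protected object actually attacked, which is exactly the spoofing case the background describes and the reason the auxiliary orchestration unit is consulted before any policy is changed.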
(Security orchestration method for the security orchestration system)
The security orchestration method implemented by the security orchestration system 1 is described in detail below with reference to fig. 2A.
FIG. 2A illustrates an exemplary flow diagram of a security orchestration method implemented by security orchestration system 1 according to embodiments of the present invention. The security orchestration method may include the following steps S2001 to S2006.
In step S2001, the centralized orchestration unit 12 extracts information about the threat source from the threat information. The information about the source of the threat may indicate the source of the threat, which may be, for example, an IP address of the source of the threat.
In some embodiments, threat information may be provided from the security device 11. For example, in a case where the security device 11 monitors an abnormal operation such as an attack from its protection object, the security device 11 may provide information (e.g., an IP address) related to the protection object to the security orchestration system as threat information.
In some embodiments, the threat information may be provided from an external security analysis system. For example, the security analysis system may obtain a plurality of threat alerts from a plurality of security devices 11, analyze the plurality of threat alerts, and provide the analyzed threat information to security orchestration system 1.
In some embodiments, threat information may be derived by security orchestration system 1 (e.g., centralized orchestration unit 12 or other units of security orchestration system 1) by analyzing information from outside. For example, security device 11 may provide information relating to abnormal operation of the protected object to security orchestration system 1, which analyzes it to extract threat information.
In step S2002, the centralized orchestration unit 12 determines whether the threat source matches a protection object in the security policy table according to information about the threat source in the threat information. In some embodiments, the determination may be made by comparing the IP address of the threat source with the IP addresses of the protected objects stored in the security policy table. In a case where it is determined that the threat source matches the protection object in the security policy table, the security device corresponding to the protection object is determined as the attacked security device, and the process proceeds to step S2003.
In addition, in the case where it is determined in step S2002 that the threat source does not match the protection object in the security policy table, the security policies (i.e., the security policy table) of one or more security devices 11 may be rearranged.
In step S2003, the centralized orchestration unit 12 provides the threat information to the auxiliary orchestration unit 13 corresponding to the attacked security device.
In some embodiments, while security device 11 is operating, the corresponding auxiliary orchestration unit 13 is also in an on state so that it can receive threat information from the centralized orchestration unit 12. In other embodiments, the auxiliary orchestration unit 13 defaults to an off state while security device 11 is operating. In that case, the centralized orchestration unit 12 sends an auxiliary orchestration trigger command to the security device 11 corresponding to the auxiliary orchestration unit 13 before providing the threat information to it. In response to this trigger command, the security device 11 turns on its auxiliary orchestration unit 13, so that the unit is in a state capable of receiving information from the centralized orchestration unit 12. Thus the auxiliary orchestration unit 13 need not always be on; it only needs to be turned on by a trigger command from the centralized orchestration unit 12 when a possible threat exists, which saves power consumption and system resources.
In step S2004, the auxiliary orchestration unit 13 acquires log information related to the threat information from the security log of the attacked security device, based on the threat information from the centralized orchestration unit 12.
In step S2005, the auxiliary orchestration unit 13 supplies orchestration feedback information to the centralized orchestration unit 12 based on the log information related to the threat information.
In step S2006, the centralized orchestration unit 12 performs an action related to security policy orchestration according to the orchestration feedback information from the auxiliary orchestration unit 13.
According to the security orchestration method of the present disclosure, in step S2002 the centralized orchestration unit 12 does not directly re-orchestrate the security policy of the security device 11 according to the threat information, but first determines whether the threat source matches a protection object in the security policy table. In the case of a match, the threat source is preliminarily judged to possibly originate from the protection object, and the threat information is provided to the auxiliary orchestration unit 13, which performs auxiliary judgment and verification of the threat source. The possibility of erroneously orchestrating the security policy of the security device is thereby reduced, and the accuracy of the security orchestration is improved.
In some embodiments, the threat information may include the period of time during which the threat source is carrying out the attack. In step S2005, the auxiliary orchestration unit 13 provides the log information corresponding to the period of the attack, selected from the log information, to the centralized orchestration unit 12 as orchestration feedback information. In step S2006, the centralized orchestration unit 12 determines, according to the orchestration feedback information, whether the attack was issued by the protection object of the attacked security device, and decides whether to re-orchestrate according to the result of that determination. For example, in the case where it is determined from the log information corresponding to the period of the attack that the protection object of the attacked security device did not issue an attack, the centralized orchestration unit 12 determines that the attack, which forged the IP address of the protected system (i.e., the protection object), was not issued by the protection object of the attacked security device, and thus determines that re-orchestration is not necessary. At this point, the orchestration action may be ended. In addition, in the case where it is determined from the log information corresponding to the period of the attack that the protection object of the attacked security device did issue an attack, the centralized orchestration unit 12 determines that the attack was issued by the protection object of the attacked security device, so that a re-orchestration action can be performed to repair the security policy.
In some embodiments, the threat information may include traffic characteristics of the attack issued by the threat source. The auxiliary orchestration unit 13 may determine, according to the traffic characteristics and the log information, whether the attack was issued by the protection object of the attacked security device, and provide the determination result as orchestration feedback information to the centralized orchestration unit 12 in step S2005. For example, in the case where the traffic characteristics do not match the traffic characteristics in the log information (e.g., the direction of the traffic and/or the volume of the traffic differ), the auxiliary orchestration unit 13 determines that the attack, which forged the IP address of the protected system, was not issued by the protection object of the attacked security device, so that re-orchestration is not necessary. At this point, the orchestration action may be ended. In addition, in the case where the traffic characteristics match the traffic characteristics in the log information (for example, the direction of the traffic and/or the volume of the traffic are the same or similar), the auxiliary orchestration unit 13 determines that the attack was issued by the protection object of the attacked security device, so that a re-orchestration action can be performed to repair the security policy.
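The decision flow of steps S2002 to S2006, written out as an added example; this is not code from the patent or from the applicant. The policy table rows, the threat information fields, the log record layout, the 50% volume tolerance and all sample addresses and timestamps are constructed assumptions, since table 1 and the log format are not reproduced on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


# Assumed shape of one row of the security policy table (table 1 is not on this page).
@dataclass
class PolicyRow:
    device_id: str           # security device 11 that protects the object
    protected_object: str    # IP address of the protection object (target address)


@dataclass
class ThreatInfo:
    source_ip: str           # IP address claimed by the threat source
    attack_start: datetime   # period during which the attack was observed
    attack_end: datetime
    direction: str           # traffic characteristic: "outbound" or "inbound"
    nbytes: int              # traffic characteristic: volume of the attack traffic


@dataclass
class LogRecord:
    ts: datetime
    src_ip: str
    direction: str
    nbytes: int


def find_attacked_device(policy_table: List[PolicyRow], threat: ThreatInfo) -> Optional[str]:
    """Step S2002: compare the threat source IP with the IPs of the protected objects."""
    for row in policy_table:
        if row.protected_object == threat.source_ip:
            return row.device_id
    return None


def related_log_records(security_log: List[LogRecord], threat: ThreatInfo) -> List[LogRecord]:
    """Step S2004: keep the records of the attack period that carry the claimed source address."""
    return [r for r in security_log
            if threat.attack_start <= r.ts <= threat.attack_end and r.src_ip == threat.source_ip]


def traffic_matches(record: LogRecord, threat: ThreatInfo, tolerance: float = 0.5) -> bool:
    """Same direction and a volume within the (assumed) tolerance counts as 'same or similar'."""
    return (record.direction == threat.direction
            and abs(record.nbytes - threat.nbytes) <= tolerance * threat.nbytes)


def auxiliary_feedback(security_log: List[LogRecord], threat: ThreatInfo) -> dict:
    """Step S2005: orchestration feedback of the auxiliary unit for the centralized unit."""
    related = related_log_records(security_log, threat)
    issued = any(traffic_matches(r, threat) for r in related)
    return {"issued_by_protected_object": issued, "related_records": len(related)}


def centralized_decision(policy_table: List[PolicyRow],
                         security_logs: Dict[str, List[LogRecord]],
                         threat: ThreatInfo) -> Tuple[str, Optional[str]]:
    """Steps S2002-S2006 from the centralized unit's point of view: (action, attacked device)."""
    device = find_attacked_device(policy_table, threat)
    if device is None:
        # Not one of our protected objects: the policy may be re-orchestrated without feedback.
        return ("re-orchestrate", None)
    feedback = auxiliary_feedback(security_logs.get(device, []), threat)
    if feedback["issued_by_protected_object"]:
        return ("re-orchestrate", device)
    # No matching traffic in the device's own log: the source IP was forged, so the
    # protection object must not be blocked and the orchestration action ends here.
    return ("end-orchestration", device)


# Constructed sample data.
T0 = datetime(2024, 1, 1, 10, 0, 0)
POLICY_TABLE = [PolicyRow("dev-A", "192.168.1.2"),
                PolicyRow("dev-A", "192.168.1.3"),
                PolicyRow("dev-B", "10.0.0.5")]
THREAT = ThreatInfo("192.168.1.2", T0, T0 + timedelta(minutes=5), "outbound", 50_000)
THREAT_EXTERNAL = ThreatInfo("2.2.2.2", T0, T0 + timedelta(minutes=5), "outbound", 50_000)
# dev-A's log really shows the attack traffic leaving the protected object.
LOG_REAL_ATTACK = {"dev-A": [LogRecord(T0 + timedelta(minutes=2), "192.168.1.2", "outbound", 48_000)]}
# dev-A's log shows only unrelated traffic: one inbound record in the window, one outside it.
LOG_SPOOFED = {"dev-A": [LogRecord(T0 + timedelta(minutes=2), "192.168.1.2", "inbound", 900),
                         LogRecord(T0 + timedelta(minutes=30), "192.168.1.2", "outbound", 50_000)]}

if __name__ == "__main__":
    print(centralized_decision(POLICY_TABLE, LOG_REAL_ATTACK, THREAT))   # re-orchestrate dev-A
    print(centralized_decision(POLICY_TABLE, LOG_SPOOFED, THREAT))       # end-orchestration
    print(centralized_decision(POLICY_TABLE, LOG_SPOOFED, THREAT_EXTERNAL))
```

The point of the two-stage check is visible in the spoofed case: the threat source matches a protected object, but the device's own log for the attack period shows no traffic with the reported direction and volume, so the centralized unit ends the orchestration instead of writing its own protection object into a blocking rule.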
In some embodiments, the re-orchestration of the security policies of one or more security devices 11 by the centralized orchestration unit 12 may be, for example, as follows: the centralized orchestration unit 12 adds the address of the threat source to the source addresses in the security policy of each security device 11. As an example, table 2 below shows the security policy of one security device 11 (table 1) after re-orchestration. As shown in table 2, the address of the threat source is "192.168.1.2", which is the same as the address of a protected object (i.e., a target address) of the security device 11. The threat source address is added to the source addresses of the respective protected objects of the security device 11, so that the security device 11 applies the corresponding security function and handling policy to the address "192.168.1.2". The same operation is performed for the other security devices 11 in the security policy table.
(Table 2)
[Table 2 is provided in the original as an image (BDA0002539871880000111) and is not reproduced in text form.]
In some embodiments, the re-orchestration of the security policies of one or more security devices 11 by the centralized orchestration unit 12 may further comprise: a new security policy corresponding to the threat source is configured for each security device 11. As an example, table 3 below shows the security policy of one security device 11 (table 1) after re-orchestration. As shown in table 3, in addition to adding the IP address "192.168.1.2" of the threat source to the source addresses of the respective protected objects of the security device 11, a new security function and handling policy are configured for the threat source address. In addition, although in table 3 the security function and the handling policy for the threat source address are the same for each protection object, different security functions and handling policies may be provided as needed. The same operation is performed for the other security devices 11 in the security policy table.
(Table 3)
[Table 3 is provided in the original as an image (BDA0002539871880000121) and is not reproduced in text form.]
In addition, table 2 and table 3 above show the case where the IP address of the protection object matching the threat source is added to the source addresses of each protection object of the security device 11 to achieve defense against that protection object. In some embodiments, the network segment in which the protection object matching the threat source is located may also be blocked, to provide higher security performance. For example, in the case where the IP address of the threat source is "192.168.1.2", the network segment with the IP addresses "192.168.1.0" to "192.168.1.255" may be added to the source addresses of the respective protection objects of the security device 11, and the corresponding security functions and handling policies may be reset as needed.
In addition, table 2 and table 3 above show the case where, when it is determined in step S2002 that the threat source matches a protection object of the attacked security device, the information of the protection object is written into the source addresses of the security policy table. In the case where it is determined in step S2002 that the threat source does not match any protection object in the security policy table (for example, the IP address of the threat source is "2.2.2.2"), the re-orchestration may be performed in the same way, that is, the IP address of the threat source (for example, "2.2.2.2") or the network segment corresponding to the threat source (for example, "2.2.2.0" to "2.2.2.255") is written into the security policy table, and the corresponding security function and handling policy are reset as needed.
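The re-orchestration of tables 2 and 3, the network-segment variant, and the non-matching threat source ("2.2.2.2"), as an added example that is not part of the patent. Because table 1 is not reproduced on this page, the row layout (one row per protected object, holding the object's default security function and handling policy plus a list of per-source-address rules), the device names and the sample addresses are all constructed assumptions; the "192.168.1.0" to "192.168.1.255" segment is represented as the prefix 192.168.1.0/24.

```python
import ipaddress
from copy import deepcopy
from typing import List, Optional, Tuple


def make_policy_table() -> List[dict]:
    """Constructed stand-in for table 1: one row per protected object of each security device."""
    return [
        {"device": "dev-1", "protected_object": "192.168.1.2",
         "security_function": "firewall", "handling_policy": "allow", "sources": []},
        {"device": "dev-1", "protected_object": "192.168.1.3",
         "security_function": "firewall", "handling_policy": "allow", "sources": []},
        {"device": "dev-2", "protected_object": "10.0.0.5",
         "security_function": "ips", "handling_policy": "alert", "sources": []},
    ]


def threat_source_entry(threat_ip: str, block_segment: bool) -> str:
    """Address written into the source addresses: the host itself, or its /24 network segment."""
    addr = ipaddress.ip_address(threat_ip)
    if block_segment:
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))   # e.g. 192.168.1.0/24
    return str(addr)


def re_orchestrate(table: List[dict], threat_ip: str, block_segment: bool = False,
                   new_policy: Optional[Tuple[str, str]] = None) -> List[dict]:
    """Add the threat source to the source addresses of every protected object of every device.

    new_policy=None reproduces table 2: the protected object's own security function and
    handling policy are applied to the threat source.  new_policy=(function, policy)
    reproduces table 3: a new function and policy are configured for the threat source.
    The same entry is written for every device in the table, as the text describes.
    """
    entry = threat_source_entry(threat_ip, block_segment)
    new_table = deepcopy(table)          # the original table is left untouched
    for row in new_table:
        if any(rule["address"] == entry for rule in row["sources"]):
            continue                     # already present: keep re-orchestration idempotent
        if new_policy is None:
            function, policy = row["security_function"], row["handling_policy"]
        else:
            function, policy = new_policy
        row["sources"].append({"address": entry, "security_function": function,
                               "handling_policy": policy})
    return new_table


def source_rule_for(row: dict, src_ip: str) -> Optional[dict]:
    """Return the source-address rule of a row that covers src_ip (host entry or network entry)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in row["sources"]:
        if ip in ipaddress.ip_network(rule["address"], strict=False):
            return rule
    return None


def blocked_devices(table: List[dict], src_ip: str) -> List[str]:
    """Devices on which at least one protected object now drops traffic from src_ip."""
    devices = set()
    for row in table:
        rule = source_rule_for(row, src_ip)
        if rule is not None and rule["handling_policy"] == "drop":
            devices.add(row["device"])
    return sorted(devices)


if __name__ == "__main__":
    t3 = re_orchestrate(make_policy_table(), "192.168.1.2", new_policy=("firewall", "drop"))
    print(blocked_devices(t3, "192.168.1.2"))                       # ['dev-1', 'dev-2']
    tseg = re_orchestrate(make_policy_table(), "192.168.1.2",
                          block_segment=True, new_policy=("firewall", "drop"))
    print(blocked_devices(tseg, "192.168.1.77"))                    # whole segment is covered
```

The segment variant is the one to check carefully before deploying it: `blocked_devices(tseg, "192.168.1.77")` shows that every host in 192.168.1.0/24 is now dropped by every device in the table, which is the situation the communication connection restoration process later in this description exists to undo when the blocked segment also contains a security device.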
In some embodiments, the centralized orchestration unit 12 stores the re-orchestrated security policy table in the storage unit or in an external storage device, and issues the table to each corresponding security device 11.
In some embodiments, the auxiliary orchestration unit 13, upon acquiring the threat information provided by the centralized orchestration unit 12 in step S2003, verifies according to the security log of the corresponding security device 11 whether that security device 11 is trusted. In the case where the security device 11 is verified to be trusted, the auxiliary orchestration unit 13 performs the operation of step S2004.
In some embodiments, where the security device 11 activates the auxiliary orchestration unit 13 in response to an auxiliary orchestration trigger command from the centralized orchestration unit 12, the auxiliary orchestration unit 13 may, after activation, first verify whether the security device 11 is trusted. In the case where the security device is verified to be trusted, the auxiliary orchestration unit 13 performs the operation of step S2004.
In some embodiments, the auxiliary orchestration unit 13 may obtain the security log of the security device 11 and verify the integrity of the security device 11 by a hash algorithm or a similar technique. In the case where the security device 11 is verified to be intact, the auxiliary orchestration unit 13 confirms that the security device 11 is trusted and performs the operation of step S2004; in the case where the security device 11 is verified not to be intact, this indicates that the security device 11 may have been tampered with and become an untrusted device, and the auxiliary orchestration action is ended. In addition, in the case where the security device 11 is verified not to be trusted, the administrator may be notified by way of a work order, e-mail, or the like that the security device 11 is likely to have been attacked, so that corresponding security processing can be performed.
According to this embodiment, before the auxiliary orchestration unit 13 performs the operations of steps S2004 and S2005, it is verified that the security device 11 is trusted. The trustworthiness of the orchestration feedback information provided by the auxiliary orchestration unit 13 in step S2005 can thus be ensured, the possibility of error in the security orchestration of the security orchestration system is further reduced, and the accuracy of the security orchestration and the usability of the security system are further improved.
(communication connection restoration process performed by the security orchestration system)
In some cases, a security device and its corresponding protection object may be blocked by mistake. For example, a hacker may forge the IP address of an application system to launch an attack, which causes the security orchestration system to mistake the application system (i.e., the protection object) for the attack source and, when performing automatic security defense, to block the network segment in which the IP address of the application system is located. Since a security device is usually in the same network segment as its protection object, when the network segment of the protection object is blocked, the security device is blocked as well, so that the communication between the security device and the security orchestration system is blocked by mistake.
The security orchestration system 1 according to embodiments of the present disclosure is able to restore the communication connection in case the communication of the security device with the security orchestration system is erroneously blocked.
The communication connection restoration process by the security orchestration system 1 is described in detail below with reference to fig. 2B.
FIG. 2B shows an exemplary flow diagram of a communication connection restoration process performed by security orchestration system 1 according to an embodiment of the present invention.
The communication connection restoration process according to the present disclosure is a process that the auxiliary orchestration unit 13 starts in response to a notification from the security device 11 that communication between the security device 11 and the security orchestration system 1 has failed.
In some embodiments, the security device 11 monitors handshake signals with the security orchestration system 1 and determines that communication with the security orchestration system has failed when no handshake signal from the security orchestration system 1 is received within a predetermined period of time. In this case, the security device 11 starts its corresponding auxiliary orchestration unit 13 and notifies the auxiliary orchestration unit 13 of the communication failure, so that the auxiliary orchestration unit 13 starts the communication connection restoration process.
In some embodiments, the communication connection restoration process may include step S2101 and step S2102, and optionally include steps S2103 to S2105.
In step S2101, the auxiliary orchestration unit 13 verifies, according to the security log of the security device, whether the security device is trusted. For example, the auxiliary orchestration unit 13 may verify the integrity of the security device 11 by a hash algorithm or a similar technique. In the case where the security device 11 is verified to be intact, the auxiliary orchestration unit 13 confirms that the security device 11 is trusted and performs the operation of step S2102; in the case where the security device 11 is verified not to be intact, this indicates that the security device 11 may have been tampered with and become an untrusted device, and the communication connection restoration process is ended. In addition, in the case where the security device 11 is verified not to be trusted, the administrator may be notified by way of a work order, e-mail, or the like that the security device 11 is likely to have been attacked, so that corresponding security processing can be performed.
In step S2102, in the case where the security device 11 is verified to be trusted, the auxiliary orchestration unit 13 establishes a new communication connection between the security device 11 and the security orchestration system 1. In some embodiments, the auxiliary orchestration unit 13 may provide an IP address outside the blocked network segment to establish the new communication connection. The security device 11 can thus communicate with the security orchestration system via the auxiliary orchestration unit 13 over the new communication connection.
In some embodiments, in step S2103, the auxiliary orchestration unit 13 reports to the centralized orchestration unit 12, over the newly established communication connection, that the security policy of the security device is in error.
In step S2104, the centralized orchestration unit 12 re-orchestrates the security policy corresponding to the security device 11 in response to the report from the auxiliary orchestration unit 13 that the security policy is in error. In some embodiments, the centralized orchestration unit 12 may change the blocked network segment to the unblocked state in the security policy table to generate the re-orchestrated security policy.
In step S2105, the centralized orchestration unit 12 may provide the re-orchestrated security policy to the security device 11 over the new communication connection.
In some embodiments, after the security device 11 obtains the re-orchestrated security policy, the security device 11 may shut down the auxiliary orchestration unit 13, thereby disconnecting the new communication connection. In subsequent communications, since the security device 11 has obtained the re-orchestrated security policy and is therefore in the unblocked state, communication can be performed over the original communication connection.
According to the method and the system of the present disclosure, the communication connection between the security device and the security orchestration system can be restored in the case where the security device is blocked by mistake. A mechanism is thus provided for automatically repairing the security policy and the security orchestration when normal services are blocked by mistake, so that normal service connections can be rapidly restored and the impact of the incident is reduced.
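The trust verification of the security device (used both before the auxiliary orchestration of steps S2004 and S2005 and as step S2101) together with the restoration steps S2102 to S2105, as one added example that is not part of the patent. The patent only says "a hash algorithm or like technique"; the instantiation assumed here is SHA-256 over a fixed set of device files compared with a baseline recorded at deployment. The file contents, the device name, the blocked segment, the alternate address and the minimal stand-in for the centralized orchestration unit are all constructed.

```python
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# Constructed: files of the security device whose hashes were recorded at deployment time.
DEVICE_FILES_BASELINE = {
    "agent.bin": b"security-device-agent-v1",
    "policy.conf": b"protect 192.168.1.2 allow any\n",
}
BASELINE_HASHES = {name: hashlib.sha256(data).hexdigest()
                   for name, data in DEVICE_FILES_BASELINE.items()}


def handshake_lost(last_handshake: float, now: float, timeout_s: float) -> bool:
    """The security device starts its auxiliary unit when no handshake arrived within timeout_s."""
    return now - last_handshake > timeout_s


def verify_device_integrity(current_files: Dict[str, bytes],
                            baseline: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Step S2101 / S8001: recompute the hashes and list files that differ from or are missing
    in the baseline.  An empty list means the device is intact and therefore trusted."""
    tampered = [name for name, digest in baseline.items()
                if hashlib.sha256(current_files.get(name, b"")).hexdigest() != digest]
    return (len(tampered) == 0, tampered)


class CentralizedUnit:
    """Minimal stand-in for centralized orchestration unit 12: blocked segments per device."""

    def __init__(self, blocked: Dict[str, List[str]]):
        self.blocked = {dev: list(segs) for dev, segs in blocked.items()}

    def unblock(self, device_id: str, segment: str) -> List[str]:
        """Step S2104: set the segment to the unblocked state and return the re-orchestrated policy."""
        self.blocked[device_id] = [s for s in self.blocked.get(device_id, []) if s != segment]
        return self.blocked[device_id]


def restore_connection(device_id: str, current_files: Dict[str, bytes], baseline: Dict[str, str],
                       blocked_segment: str, alternate_ip: str, central: CentralizedUnit) -> dict:
    """Steps S2101-S2105 as one procedure run by the auxiliary orchestration unit."""
    trusted, tampered = verify_device_integrity(current_files, baseline)
    if not trusted:
        # Untrusted device: end the process and leave the block in place; notify the administrator.
        return {"status": "untrusted", "tampered": tampered, "notify_admin": True}
    # Step S2102: the new connection must come from an address outside the blocked segment.
    if ipaddress.ip_address(alternate_ip) in ipaddress.ip_network(blocked_segment, strict=False):
        return {"status": "no-route", "reason": "alternate address lies in the blocked segment"}
    # Step S2103: report the policy error; step S2104: the centralized unit unblocks the segment.
    policy = central.unblock(device_id, blocked_segment)
    # Step S2105: the re-orchestrated policy is delivered over the new connection; the auxiliary
    # unit can then be shut down and the original connection used again.
    return {"status": "restored", "via": alternate_ip, "blocked_segments": policy,
            "auxiliary_unit": "off"}


if __name__ == "__main__":
    central = CentralizedUnit({"dev-A": ["192.168.1.0/24"]})
    if handshake_lost(last_handshake=100.0, now=131.0, timeout_s=30.0):
        print(restore_connection("dev-A", DEVICE_FILES_BASELINE, BASELINE_HASHES,
                                 "192.168.1.0/24", "10.9.0.7", central))
```

Two failure modes are worth keeping in the procedure: a device whose files no longer hash to the baseline is left blocked and reported rather than reconnected, and an alternate address that still falls inside the blocked segment cannot serve as the new connection, which is exactly why the patent requires an IP address outside that segment.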
(centralized orchestration device)
The centralized orchestration device for a security orchestration system is described in detail below with reference to fig. 3.
FIG. 3 shows a block diagram of an exemplary configuration of centralized orchestration device 32 for a security orchestration system according to an embodiment of the invention. Centralized orchestration device 32 can, for example, serve as centralized orchestration unit 12 of security orchestration system 1 described above with reference to fig. 1.
In some embodiments, centralized orchestration device 32 may include processing circuitry 320. Processing circuitry 320 of centralized orchestration device 32 provides various functions of centralized orchestration device 32. In some embodiments, processing circuitry 320 of centralized orchestration device 32 may be configured to perform the centralized orchestration method for a security orchestration system described below in fig. 4.
Processing circuit 320 may refer to various implementations of digital circuitry, analog circuitry, or mixed-signal (a combination of analog and digital) circuitry that perform functions in a computing system. The processing circuitry may include, for example, circuitry such as an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), portions or circuits of an individual processor core, an entire processor core, an individual processor, a programmable hardware device such as a Field Programmable Gate Array (FPGA), and/or a system including multiple processors.
In some embodiments, as shown in fig. 3, the processing circuitry 320 of the centralized orchestration device 32 may include a threat source extraction module 3201, a threat source localization module 3202, a threat information provision module 3203, and an orchestration module 3204. In some embodiments, the threat source extraction module 3201, threat source localization module 3202, threat information provision module 3203, and orchestration module 3204 may be configured to perform steps S4001-S4004, respectively, of the centralized orchestration method for a security orchestration system in fig. 4, described below.
In some embodiments, centralized orchestration device 32 may also include a memory (not shown). The memory of centralized orchestration device 32 may store information generated by processing circuitry 320 as well as programs and data for operation of processing circuitry 320. In some embodiments, the memory of centralized orchestration device 32 may store a security policy table. The memory may be volatile memory and/or non-volatile memory. For example, memory may include, but is not limited to, Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), and flash memory.
In addition, centralized orchestration device 32 may be implemented at the chip level, or may be implemented at the device level by including other external components.
It should be understood that the above modules of the centralized orchestration device 32 are merely logical modules divided according to the specific functions implemented by the modules, and are not used to limit the specific implementation. In actual implementation, the above modules may be implemented as separate physical entities, or may also be implemented by a single entity (e.g., a processor (CPU or DSP, etc.), an integrated circuit, etc.).
(centralized orchestration method)
The centralized orchestration method for a security orchestration system, which may be performed by, for example, the various modules of processing circuitry 320 of centralized orchestration device 32 in fig. 3, is described in detail below with reference to fig. 4.
FIG. 4 illustrates an exemplary flow diagram of a centralized orchestration method for a security orchestration system according to embodiments of the present invention.
In step S4001, information about a threat source is extracted from the threat information.
In step S4002, it is determined whether the threat source matches a protection object in a security policy table of the security orchestration system according to the information about the threat source.
In step S4003, in a case where it is determined in step S4002 that the threat source matches the protection object in the security policy table, the security device corresponding to the protection object is determined as the attacked security device, and the threat information is provided to the auxiliary orchestration device corresponding to the attacked security device.
In step S4004, an action related to security policy orchestration is performed according to orchestration feedback information from the secondary orchestration device.
The above steps S4001 to S4004 may correspond to, for example, steps S2001, S2002, S2003, and S2006 of the security orchestration method described with reference to fig. 2A; the details of each step are the same as described above for fig. 2A and are not repeated here.
According to the centralized orchestration device and the centralized orchestration method, the security policy of the security device is not directly re-orchestrated according to the threat information; instead, it is first determined whether the threat source matches a protection object in the security policy table. In the case of a match, the threat source is preliminarily judged to possibly originate from the protection object, the threat information is provided to the corresponding auxiliary orchestration device, and whether to re-orchestrate is decided according to the feedback information from the auxiliary orchestration device. The possibility of erroneously orchestrating the security policy of the security device is thereby reduced, and the accuracy of the security orchestration is improved.
(auxiliary orchestration device)
An auxiliary orchestration device for a security orchestration system is described in detail below with reference to FIG. 5.
FIG. 5 shows a block diagram of an exemplary configuration of an auxiliary orchestration device 53 for a security orchestration system according to an embodiment of the present invention. The auxiliary orchestration device 53 can be used, for example, to implement at least part of the functionality of the auxiliary orchestration unit 13 of the security orchestration system 1 described above with reference to fig. 1.
In some embodiments, the auxiliary orchestration device 53 may comprise a processing circuit 530. The processing circuit 530 of the auxiliary orchestration device 53 provides the various functions of the auxiliary orchestration device 53. In some embodiments, the processing circuit 530 of the auxiliary orchestration device 53 may be configured to perform the auxiliary orchestration method for a security orchestration system described below with reference to fig. 6.
Processing circuit 530 may refer to various implementations of digital circuitry, analog circuitry, or mixed-signal (a combination of analog and digital) circuitry that perform functions in a computing system. The processing circuitry may include, for example, circuitry such as an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), portions or circuits of an individual processor core, an entire processor core, an individual processor, a programmable hardware device such as a Field Programmable Gate Array (FPGA), and/or a system including multiple processors.
In some embodiments, as shown in fig. 5, the processing circuit 530 of the auxiliary orchestration device 53 may include a log analysis module 5301 and a feedback information providing module 5302. In some embodiments, the log analysis module 5301 and the feedback information providing module 5302 may be configured to perform steps S6001 and S6002, respectively, of the auxiliary orchestration method for a security orchestration system in fig. 6, which is described later.
In some embodiments, the auxiliary orchestration device 53 may further comprise a memory (not shown). The memory of the auxiliary orchestration device 53 may store information generated by the processing circuit 530, as well as programs and data for operation of the processing circuit 530. In some embodiments, the memory of the auxiliary orchestration device 53 may store log information. The memory may be volatile memory and/or non-volatile memory. For example, memory may include, but is not limited to, Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), and flash memory.
In addition, the auxiliary orchestration device 53 may be implemented at a chip level, or may also be implemented at a device level by including other external components.
It should be understood that the above modules of the auxiliary orchestration device 53 are only logical modules divided according to the specific functions implemented by the modules, and are not used to limit the specific implementation manner. In actual implementation, the above modules may be implemented as separate physical entities, or may also be implemented by a single entity (e.g., a processor (CPU or DSP, etc.), an integrated circuit, etc.).
(auxiliary orchestration method)
The auxiliary orchestration method for a security orchestration system, which may be performed, for example, by the various modules of the processing circuit 530 of the auxiliary orchestration device 53 in fig. 5, is described in detail below with reference to fig. 6.
FIG. 6 illustrates an exemplary flow diagram of an auxiliary orchestration method for a security orchestration system according to embodiments of the present invention.
In step S6001, log information related to threat information in the security log of the security device is acquired based on the threat information from the security orchestration system.
In step S6002, orchestration feedback information is provided to the security orchestration system according to the log information.
The above steps S6001 and S6002 may correspond to, for example, steps S2004 and S2005 of the security orchestration method described with reference to fig. 2A; the details of each step are the same as described above for fig. 2A and are not repeated here.
According to the auxiliary orchestration device and the auxiliary orchestration method, the accuracy of the threat information received from the security orchestration system can be verified in an auxiliary manner and fed back to the security orchestration system, so that the possibility of erroneously orchestrating the security policy of the security device is reduced and the accuracy of the security orchestration is improved.
(auxiliary communication device)
The auxiliary communication device for a security orchestration system is described in detail below with reference to fig. 7.
Fig. 7 shows a block diagram of an exemplary configuration of an auxiliary communication device 73 for a security orchestration system according to an embodiment of the present invention. The auxiliary communication device 73 can for example be used to implement at least part of the functionality of the auxiliary orchestration unit 13 of the security orchestration system 1 described above with reference to fig. 1.
In some embodiments, the auxiliary communication device 73 may include a processing circuit 730. The processing circuit 730 of the auxiliary communication device 73 provides the various functions of the auxiliary communication device 73. In some embodiments, the processing circuit 730 of the auxiliary communication device 73 may be configured to perform the auxiliary communication method for a security orchestration system of fig. 8 described below.
Processing circuit 730 may refer to various implementations of digital circuitry, analog circuitry, or mixed-signal (a combination of analog and digital) circuitry that perform functions in a computing system. The processing circuitry may include, for example, circuitry such as an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), portions or circuits of an individual processor core, an entire processor core, an individual processor, a programmable hardware device such as a Field Programmable Gate Array (FPGA), and/or a system including multiple processors.
In some embodiments, as shown in fig. 7, the processing circuit 730 of the auxiliary communication device 73 may include a trust verification module 7301 and a connection establishment module 7302. In some embodiments, the trust verification module 7301 and the connection establishment module 7302 may be configured to perform steps S8001 and S8002, respectively, of the auxiliary communication method for a security orchestration system described below with reference to fig. 8.
In some embodiments, the auxiliary communication device 73 may also include a memory (not shown). The memory of the auxiliary communication device 73 may store information generated by the processing circuit 730 as well as programs and data for the operation of the processing circuit 730. The memory may be volatile memory and/or non-volatile memory. For example, the memory may include, but is not limited to, Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), and flash memory.
In addition, the auxiliary communication device 73 may be implemented at a chip level, or may be implemented at a device level by including other external components.
It should be understood that the above modules of the auxiliary communication device 73 are only logic modules divided according to the specific functions implemented by the modules, and are not used for limiting the specific implementation manner. In actual implementation, the above modules may be implemented as separate physical entities, or may also be implemented by a single entity (e.g., a processor (CPU or DSP, etc.), an integrated circuit, etc.).
The auxiliary orchestration device 53 and the auxiliary communication device 73 are described above with reference to fig. 5 and 7, respectively. It should be understood that the auxiliary orchestration device 53 and the auxiliary communication device 73 are merely logical modules divided according to the specific functions implemented by them, and are not used to limit the specific implementation. In practical implementations, the auxiliary orchestration device 53 and the auxiliary communication device 73 may be implemented as separate physical entities, or may also be implemented by a single entity (e.g., a processor (CPU or DSP, etc.), an integrated circuit, etc.). For example, the auxiliary orchestration device 53 and the auxiliary communication device 73 may be installed in the form of virtual machines as a whole into the security device to provide the auxiliary orchestration function and the auxiliary communication function.
(auxiliary communication method)
The auxiliary communication method for a security orchestration system, which may be performed, for example, by the various modules of the processing circuit 730 of the auxiliary communication device 73 in fig. 7, is described in detail below with reference to fig. 8.
FIG. 8 illustrates an exemplary flow diagram of an auxiliary communication method for a security orchestration system according to embodiments of the present invention. The auxiliary communication method includes starting a communication connection restoration process in response to a notification from a security device that communication between the security device and the security orchestration system has failed. The communication connection restoration process may include the following steps S8001 and S8002.
In step S8001, whether the security device is trusted is verified according to the security log of the security device.
In step S8002, in the case where the security device is verified to be trusted, a new communication connection between the security device and the security orchestration system is established.
In some embodiments, the communication connection recovery process may further include step S8003 (not shown): reporting to a security orchestration system that a security policy of the security device is in error over the new communication connection.
The above steps S8001 to S8003 may correspond to, for example, steps S2101 to S2103 in the communication connection restoration process described with reference to fig. 2B, and details about the respective steps are similar to those in the foregoing fig. 2B and are not described again here.
According to the auxiliary communication device and the auxiliary communication method described above, the communication connection between the security device and the security orchestration system can be recovered when the security device has been mistakenly blocked. This provides a mechanism for automatically repairing the security policy and the security orchestration when normal services are mistakenly blocked, so that normal service connections are quickly recovered and the impact of such incidents is reduced.
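As an added illustration (not code from the patent), the following Python model runs the recovery process of steps S8001 to S8003 together with the re-orchestration of claims 8 and 9: the auxiliary unit checks the device's own security log, opens a new connection identified by a fresh session token, reports the erroneous policy, and receives the re-orchestrated policy back. The trust criterion (no integrity-failure entry in the log), the session tokens, the rule strings and the `mgmt-channel` service name are assumptions, since the patent leaves the verification details to fig. 2B.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LogEntry:
    ts: int
    kind: str      # constructed categories: "conn", "policy", "integrity"
    detail: str


@dataclass
class SecurityDevice:
    device_id: str
    policy: List[str]                                  # rules like "deny telnet"
    security_log: List[LogEntry] = field(default_factory=list)
    session: Optional[str] = None                      # token of the live connection


# Assumed trust criterion for step S8001: a device whose own security log records
# an integrity failure (tampered firmware or policy file) is not trustworthy.
UNTRUSTED_KINDS = {"integrity"}


def verify_trusted(device: SecurityDevice) -> bool:
    """Step S8001: verify from the security log whether the device is trustworthy."""
    return not any(e.kind in UNTRUSTED_KINDS for e in device.security_log)


class CentralizedOrchestrationUnit:
    """Orchestrator side: accepts new connections and re-orchestrates (claim 9)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # device_id -> session token

    def accept(self, device_id: str) -> str:
        # Step S8002: a fresh token identifies the new communication connection
        token = secrets.token_hex(8)
        self.sessions[device_id] = token
        return token

    def on_policy_error(self, device_id: str, token: str,
                        policy: List[str], blocked: str) -> List[str]:
        # Only a report arriving over the connection just established is accepted
        if self.sessions.get(device_id) != token:
            raise PermissionError("policy error reported over unknown connection")
        # Re-orchestrate: drop the rule that mistakenly blocks the named service;
        # the resulting policy is handed back over the same connection
        return [rule for rule in policy if rule != f"deny {blocked}"]


class AuxiliaryCommunicationUnit:
    """Runs inside the security device (auxiliary communication device 73)."""

    def __init__(self, device: SecurityDevice,
                 orchestrator: CentralizedOrchestrationUnit) -> None:
        self.device = device
        self.orchestrator = orchestrator

    def on_comm_failure(self, blocked: str) -> str:
        """Recovery process triggered by the device's communication-failure notice."""
        dev = self.device
        dev.session = None
        if not verify_trusted(dev):                      # S8001
            dev.security_log.append(LogEntry(int(time.time()), "conn",
                                             "recovery refused: device not trustworthy"))
            return "refused"
        token = self.orchestrator.accept(dev.device_id)   # S8002
        dev.session = token
        dev.policy = self.orchestrator.on_policy_error(   # S8003 and claim 9
            dev.device_id, token, dev.policy, blocked)
        dev.security_log.append(LogEntry(int(time.time()), "policy",
                                         f"re-orchestrated, unblocked {blocked}"))
        return "recovered"
```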
(computing device)
Fig. 9 shows an exemplary configuration of a computing device 9 capable of implementing an embodiment according to the present invention.
The computing device 9 is an example of a hardware device to which the above-described aspects of the invention can be applied. Computing device 9 may be any machine configured to perform processing and/or computing. The computing device 9 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an in-vehicle computer, or a combination thereof.
As shown in fig. 9, computing device 9 may include one or more elements that may be connected to or communicate with bus 91 via one or more interfaces. Bus 91 may include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, a Peripheral Component Interconnect (PCI) bus, and the like. Computing device 9 may include, for example, one or more processors 92, one or more input devices 93, and one or more output devices 94. The one or more processors 92 may be any kind of processor and may include, but are not limited to, one or more general purpose processors or special purpose processors (such as special purpose processing chips). Processor 92 may correspond to, for example, one or more of processing circuitry 320 in fig. 3, processing circuitry 530 in fig. 5, and processing circuitry 730 in fig. 7, and be configured to implement the functionality of the various modules of the respective devices for a security orchestration system of the present invention. Input device 93 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote control. Output device 94 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer.
Computing device 9 may also include or be connected to a non-transitory storage device 97, which may be any non-transitory storage device capable of storing data, and may include, but is not limited to, a disk drive, an optical storage device, a solid state memory, a floppy disk, a flexible disk, a hard disk, a magnetic tape, or any other magnetic medium, a compact disk, or any other optical medium, a cache memory, and/or any other memory chip or module, and/or any other medium from which a computer may read data, instructions, and/or code. Computing device 9 may also include Random Access Memory (RAM) 95 and Read Only Memory (ROM) 96. The ROM 96 may store programs, utilities or processes to be executed in a nonvolatile manner. The RAM 95 may provide volatile data storage and store instructions related to the operation of the computing device 9. Computing device 9 may also include a network/bus interface 98 that couples to a data link 99. Network/bus interface 98 may be any kind of device or system capable of enabling communication with external devices and/or networks and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset (such as Bluetooth™ devices, 802.11 devices, WiFi devices, WiMax devices, cellular communication facilities, etc.).
Furthermore, another embodiment of the present invention also provides a computer-readable storage medium including computer-executable instructions, which, when executed by one or more processors, cause the one or more processors to perform any one of the security orchestration method, the centralized orchestration method, the auxiliary orchestration method, and the auxiliary communication method for a security orchestration system as described in the above embodiments.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (18)

1. A security orchestration system for orchestrating a security policy of a security device, the security device providing a security defense function corresponding to the security policy to a protected object, the security orchestration system comprising:
a centralized orchestration unit configured to orchestrate the security policies of one or more security devices; and
one or more auxiliary orchestration units respectively configured in the one or more security devices, wherein
the centralized orchestration unit is configured to:
extract information about a threat source from threat information;
determine, according to the information about the threat source, whether the threat source matches a protected object in a security policy table, wherein the security policy table records the security policies of the one or more security devices, and the security policy of each security device comprises information about the protected object of that security device and the security policy corresponding to the protected object;
when the threat source is determined to match a protected object in the security policy table, determine the security device corresponding to that protected object as an attacked security device and provide the threat information to the auxiliary orchestration unit corresponding to the attacked security device; and
perform an action related to security policy orchestration according to orchestration feedback information from the auxiliary orchestration unit,
and each of the one or more auxiliary orchestration units is configured to:
acquire, according to the threat information from the centralized orchestration unit, log information related to the threat information from the security log of the attacked security device; and
provide orchestration feedback information to the centralized orchestration unit according to the log information.
2. The security orchestration system according to claim 1, wherein
the threat information further includes the period of time during which the threat source is carrying out an attack,
the auxiliary orchestration unit provides, as the orchestration feedback information, the part of the log information that corresponds to the period of the attack to the centralized orchestration unit,
and the centralized orchestration unit determines from the orchestration feedback information whether the attack was issued by the protected object of the attacked security device, and decides according to the determination result whether to re-orchestrate.
3. The security orchestration system according to claim 1, wherein
the threat information further includes traffic characteristics of the attack issued by the threat source,
and the auxiliary orchestration unit determines, according to the traffic characteristics and the log information, whether the attack was issued by the protected object of the attacked security device, and provides the determination result to the centralized orchestration unit as the orchestration feedback information.
4. The security orchestration system according to claim 2 or 3, wherein,
when the determination result indicates that the attack was issued by the protected object of the attacked security device, the centralized orchestration unit re-orchestrates the security policies of the one or more security devices,
and when the determination result indicates that the attack was not issued by the protected object of the attacked security device, the centralized orchestration unit ends the orchestration operation.
5. The security orchestration system according to claim 1, wherein
the centralized orchestration unit is further configured to:
re-orchestrate the security policies of the one or more security devices when the threat source is determined not to match any protected object in the security policy table.
6. The security orchestration system according to claim 1, wherein
each of the one or more auxiliary orchestration units is further configured to:
verify whether the security device is trustworthy according to the security log of the security device.
7. The security orchestration system according to claim 1, wherein
each of the one or more auxiliary orchestration units is further configured to:
initiate a communication connection recovery process in response to a notification from the security device that communication between the security device and the security orchestration system has failed,
the communication connection recovery process including:
verifying whether the security device is trustworthy according to the security log of the security device; and
establishing a new communication connection between the security device and the security orchestration system when the security device is verified to be trustworthy.
8. The security orchestration system according to claim 7, wherein
the communication connection recovery process further includes:
reporting a security policy error of the security device to the centralized orchestration unit over the new communication connection.
9. The security orchestration system according to claim 8, wherein
the centralized orchestration unit is further configured to:
re-orchestrate, in response to a report from the auxiliary orchestration unit that a security policy is in error, the security policy corresponding to the security device; and
provide the re-orchestrated security policy to the security device over the new communication connection.
10. A centralized orchestration device for a security orchestration system, the security orchestration system orchestrating security policies of security devices that provide, to protected objects, security defense functions corresponding to the security policies, wherein
the centralized orchestration device comprises processing circuitry configured to:
extract information about a threat source from threat information;
determine, according to the information about the threat source, whether the threat source matches a protected object in a security policy table of the security orchestration system, wherein the security policy table records the security policies of one or more security devices, and the security policy of each security device comprises information about the protected object of that security device;
when the threat source is determined to match a protected object in the security policy table, determine the security device corresponding to that protected object as an attacked security device and provide the threat information to an auxiliary orchestration device corresponding to the attacked security device; and
perform an action related to security policy orchestration according to orchestration feedback information from the auxiliary orchestration device.
11. An auxiliary orchestration device for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the auxiliary orchestration device is configured in the security device and comprises processing circuitry configured to:
acquire, according to threat information from the security orchestration system, log information related to the threat information from the security log of the security device; and
provide orchestration feedback information to the security orchestration system according to the log information.
12. An auxiliary communication device for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the auxiliary communication device is configured in the security device to assist communication between the security orchestration system and the security device, and
the auxiliary communication device comprises processing circuitry configured to:
initiate a communication connection recovery process in response to a notification from the security device that communication between the security device and the security orchestration system has failed,
the communication connection recovery process including:
verifying whether the security device is trustworthy according to the security log of the security device; and
establishing a new communication connection between the security device and the security orchestration system when the security device is verified to be trustworthy.
13. The auxiliary communication device according to claim 12, wherein
the communication connection recovery process further includes:
reporting a security policy error of the security device to the security orchestration system over the new communication connection.
14. A security orchestration method for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the security orchestration system comprises:
a centralized orchestration unit configured to orchestrate the security policies of one or more security devices; and
one or more auxiliary orchestration units respectively configured in the one or more security devices,
and the method comprises:
the centralized orchestration unit extracting information about a threat source from threat information;
the centralized orchestration unit determining, according to the information about the threat source, whether the threat source matches a protected object in a security policy table, wherein the security policy table records the security policies of the one or more security devices, and the security policy of each security device comprises information about the protected object of that security device and the security policy corresponding to the protected object;
the centralized orchestration unit, when the threat source is determined to match a protected object in the security policy table, determining the security device corresponding to that protected object as an attacked security device and providing the threat information to the auxiliary orchestration unit corresponding to the attacked security device;
the auxiliary orchestration unit acquiring, according to the threat information from the centralized orchestration unit, log information related to the threat information from the security log of the attacked security device;
the auxiliary orchestration unit providing orchestration feedback information to the centralized orchestration unit according to the log information; and
the centralized orchestration unit performing an action related to security policy orchestration according to the orchestration feedback information from the auxiliary orchestration unit.
15. A centralized orchestration method for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the centralized orchestration method comprises:
extracting information about a threat source from threat information;
determining, according to the information about the threat source, whether the threat source matches a protected object in a security policy table of the security orchestration system, wherein the security policy table records the security policies of one or more security devices, and the security policy of each security device comprises information about the protected object of that security device;
when the threat source is determined to match a protected object in the security policy table, determining the security device corresponding to that protected object as an attacked security device and providing the threat information to an auxiliary orchestration device corresponding to the attacked security device; and
performing an action related to security policy orchestration according to orchestration feedback information from the auxiliary orchestration device.
16. An auxiliary orchestration method for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the auxiliary orchestration method comprises:
acquiring, according to threat information from the security orchestration system, log information related to the threat information from the security log of the security device; and
providing orchestration feedback information to the security orchestration system according to the log information.
17. An auxiliary communication method for a security orchestration system, the security orchestration system orchestrating a security policy of a security device that provides, to a protected object, a security defense function corresponding to the security policy, wherein
the auxiliary communication method assists communication between the security orchestration system and the security device, and comprises:
initiating a communication connection recovery process in response to a notification from the security device that communication between the security device and the security orchestration system has failed,
the communication connection recovery process including:
verifying whether the security device is trustworthy according to the security log of the security device; and
establishing a new communication connection between the security device and the security orchestration system when the security device is verified to be trustworthy.
18. A computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of claims 14-17.
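The orchestration flow of claims 1 to 5 as an added Python model (not the patent's own code): the security policy table maps each device to its protected objects, the threat source is matched against them, the auxiliary unit of the attacked device returns feedback from the log entries inside the attack period (claims 2 and 3), and the centralized unit either re-orchestrates or ends the operation (claims 4 and 5). Protected objects expressed as CIDR ranges, the log schema, the sample addresses and the rule strings are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class ThreatInfo:
    """Threat information as used in claims 1-3 (constructed schema)."""
    source: str                  # address of the threat source
    start: int                   # attack period, inclusive timestamps
    end: int
    features: Dict[str, object]  # traffic characteristics, e.g. dst_port/proto


@dataclass
class LogEntry:
    ts: int
    src: str
    dst_port: int
    proto: str


@dataclass
class SecurityDevice:
    device_id: str
    protected: List[str]                      # protected objects as CIDRs (assumption)
    policy: List[str] = field(default_factory=list)
    security_log: List[LogEntry] = field(default_factory=list)


class AuxiliaryOrchestrationUnit:
    """Runs inside the security device (claims 1 and 3)."""

    def __init__(self, device: SecurityDevice) -> None:
        self.device = device

    def related_logs(self, threat: ThreatInfo) -> List[LogEntry]:
        # Log entries from the reported source inside the attack period (claim 2)
        return [e for e in self.device.security_log
                if e.src == threat.source and threat.start <= e.ts <= threat.end]

    def feedback(self, threat: ThreatInfo) -> bool:
        # Claim 3: compare the traffic characteristics with the related entries;
        # True means the attack really left the protected object
        return any(e.dst_port == threat.features.get("dst_port")
                   and e.proto == threat.features.get("proto")
                   for e in self.related_logs(threat))


class CentralizedOrchestrationUnit:
    def __init__(self, devices: List[SecurityDevice]) -> None:
        # Security policy table: device -> protected objects and current policy
        self.table = {d.device_id: d for d in devices}
        self.aux = {d.device_id: AuxiliaryOrchestrationUnit(d) for d in devices}

    @staticmethod
    def extract_source(threat: ThreatInfo) -> str:
        # Validates and normalises the source address (raises on garbage input)
        return str(ip_address(threat.source))

    def match(self, source: str) -> Optional[str]:
        # The device whose protected object contains the source, if any
        addr = ip_address(source)
        for dev_id, dev in self.table.items():
            if any(addr in ip_network(cidr) for cidr in dev.protected):
                return dev_id
        return None

    def orchestrate(self, threat: ThreatInfo) -> str:
        source = self.extract_source(threat)
        dev_id = self.match(source)
        if dev_id is None:
            # Claim 5: the source is external, so block it on every device
            for dev in self.table.values():
                dev.policy.append(f"deny from {source}")
            return "re-orchestrated:block-external"
        # Claims 1-3: hand the threat to the attacked device's auxiliary unit
        if self.aux[dev_id].feedback(threat):
            # Claim 4: the protected object is really attacking, so contain it
            self.table[dev_id].policy.append(f"deny egress from {source}")
            return f"re-orchestrated:contain {dev_id}"
        return "ended:not-confirmed"


def build_demo() -> CentralizedOrchestrationUnit:
    """Constructed sample: two devices, one whose log shows SMB traffic."""
    fw = SecurityDevice("fw-1", ["10.0.1.0/24"], ["permit any"], [
        LogEntry(100, "10.0.1.7", 445, "tcp"),
        LogEntry(150, "10.0.1.7", 445, "tcp"),
        LogEntry(400, "10.0.1.7", 80, "tcp"),
    ])
    waf = SecurityDevice("waf-1", ["10.0.2.0/24"], ["permit any"])
    return CentralizedOrchestrationUnit([fw, waf])
```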
CN202010543592.7A 2020-06-15 2020-06-15 Security orchestration system, device, method, and computer-readable storage medium Active CN113810344B (en)

Publications (2)

Publication Number Publication Date
CN113810344A true CN113810344A (en) 2021-12-17
CN113810344B CN113810344B (en) 2023-07-18
