CN115118466B - Policy generation method and device, electronic equipment and storage medium - Google Patents
Policy generation method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN115118466B CN115118466B CN202210673736.XA CN202210673736A CN115118466B CN 115118466 B CN115118466 B CN 115118466B CN 202210673736 A CN202210673736 A CN 202210673736A CN 115118466 B CN115118466 B CN 115118466B
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- machine set
- group
- access
- virtual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 64
- 238000011156 evaluation Methods 0.000 claims description 36
- 230000000694 effects Effects 0.000 claims description 26
- 238000012545 processing Methods 0.000 claims description 20
- 230000006399 behavior Effects 0.000 claims description 12
- 238000004590 computer program Methods 0.000 claims description 9
- 230000006870 function Effects 0.000 description 6
- 238000002955 isolation Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 239000011159 matrix material Substances 0.000 description 5
- 239000013598 vector Substances 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 238000007781 pre-processing Methods 0.000 description 4
- 238000013145 classification model Methods 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000011218 segmentation Effects 0.000 description 3
- 230000004931 aggregating effect Effects 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- KLDZYURQCUYZBL-UHFFFAOYSA-N 2-[3-[(2-hydroxyphenyl)methylideneamino]propyliminomethyl]phenol Chemical compound OC1=CC=CC=C1C=NCCCN=CC1=CC=CC=C1O KLDZYURQCUYZBL-UHFFFAOYSA-N 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000004138 cluster model Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 201000001098 delayed sleep phase syndrome Diseases 0.000 description 1
- 208000033921 delayed sleep phase type circadian rhythm sleep disease Diseases 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000007637 random forest analysis Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/4557—Distribution of virtual machine instances; Migration and load balancing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The invention provides a strategy generation method, a strategy generation device, electronic equipment and a computer storage medium, wherein the method comprises the following steps: acquiring historical flow data of a first virtual machine set; the first virtual machine set at least comprises two virtual machines; clustering the first virtual machine set according to the historical flow data, and determining a grouping result of the first virtual machine set; generating access strategies of the virtual machines of each group in each group according to the grouping result; the access policy is used to determine the access behavior of the virtual machines of each group.
Description
Technical Field
The present invention relates to a policy generation method, and in particular, to a policy generation method, a policy generation device, an electronic device, and a computer storage medium.
Background
Along with the transition of the network architecture from the traditional internet architecture to the virtualization, the hybrid cloud and the containerization, the requirement on network security is also higher and higher, so that the micro-isolation technology is adopted to realize the requirement on east-west traffic isolation, the lateral movement of malicious traffic in the data center network can be effectively blocked, and the security of the data center is improved. The micro isolation technology can be regarded as a network isolation technology with smaller fine granularity, virtual machines needing to be isolated can be quickly grouped according to multidimensional labels such as roles, service functions and the like, isolation strategies between the virtual machines and service applications can be flexibly configured, and the spread of the lux virus in an internal network is blocked through access control among servers.
The greatest problem with deploying micro-isolation in a network environment is the need to know the data flow of virtual machines in the network, as well as the business logic between the virtual machines and services. At present, manufacturers generally provide labels, grouping functions and the like of virtual machines, users manually configure the labels and grouping of the virtual machines, and abstract strategies are configured according to the labels. Therefore, how to quickly group virtual machines and configure corresponding access policies is a technical problem to be solved.
Disclosure of Invention
The invention provides a policy generation method, a policy generation device, electronic equipment and a computer storage medium.
The embodiment of the invention provides a strategy generation method, which comprises the following steps:
acquiring historical flow data of a first virtual machine set; the first virtual machine set at least comprises two virtual machines;
clustering the first virtual machine set according to the historical flow data, and determining a grouping result of the first virtual machine set;
generating access strategies of the virtual machines of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group.
In the above scheme, the clustering processing is performed on the first virtual machine set according to the historical traffic data, and determining a grouping result of the first virtual machine set includes:
clustering the first virtual machine set according to the clustering model and the historical flow data to obtain a clustering result;
evaluating the effect of the clustering result to obtain an evaluation value;
when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and repeatedly executing the steps of clustering the first virtual machine set and evaluating the effect of the clustering result until the evaluation value is larger than or equal to the preset first threshold value;
and determining the last obtained clustering result as a grouping result of the first virtual machine set.
In the above solution, after generating the access policy of each group in each group, the method further includes:
updating historical traffic data of the first set of virtual machines;
clustering the updated historical flow data, and updating the grouping result of the first virtual machine set;
and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
In the above solution, after generating the access policy of the virtual machine of each group in each group, the method further includes:
acquiring historical flow data of a newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set;
determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set;
generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set;
and updating the access strategy of the virtual machine of each group in each group under the condition that the proportion is smaller than or equal to a preset second threshold value.
In the above solution, the generating the access policy of the virtual machine of each group in the respective groups of the second set of virtual machines includes:
Clustering historical flow data of the second virtual machine set, and determining a grouping result of the second virtual machine set;
and generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
In the above solution, the updating the access policy of the virtual machine of each group in the respective groups includes:
classifying historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set, and determining a grouping result of the newly-added virtual machine set;
and updating the access strategy of the virtual machines of each group in each group according to the grouping result of the newly-added virtual machine set.
In the above scheme, the access policy includes: any virtual machine in each set is allowed to access other virtual machines within the set, and is not allowed to access virtual machines in other groupings.
The embodiment of the invention also provides a strategy generation device, which at least comprises:
the acquisition module is used for acquiring historical flow data of the first virtual machine set; the first virtual machine set at least comprises two virtual machines;
The determining module is used for carrying out clustering processing on the first virtual machine set according to the historical flow data and determining a grouping result of the first virtual machine set;
the generation module is used for generating an access strategy of the virtual machine of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group.
In one implementation manner, the determining module is configured to perform clustering processing on the first virtual machine set according to the historical traffic data, and determine a grouping result of the first virtual machine set, where the determining module includes:
clustering the first virtual machine set according to the clustering model and the historical flow data to obtain a clustering result;
evaluating the effect of the clustering result to obtain an evaluation value;
when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and repeatedly executing the steps of clustering the first virtual machine set and evaluating the effect of the clustering result until the evaluation value is larger than or equal to the preset first threshold value;
and determining the last obtained clustering result as a grouping result of the first virtual machine set.
In one implementation, after generating the access policy for each of the respective packets, further comprising:
updating historical traffic data of the first set of virtual machines;
clustering the updated historical flow data, and updating the grouping result of the first virtual machine set;
and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
In one implementation, after generating the access policy for the virtual machine for each of the respective groups, further comprising:
acquiring historical flow data of a newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set;
determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set;
generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set;
And updating the access strategy of the virtual machine of each group in each group under the condition that the proportion is smaller than or equal to a preset second threshold value.
In one implementation, the generating the access policy of the virtual machines of each of the respective groups of the second set of virtual machines includes:
clustering historical flow data of the second virtual machine set, and determining a grouping result of the second virtual machine set;
and generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
In one implementation, the updating the access policy of the virtual machine of each of the respective groups includes:
classifying historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set, and determining a grouping result of the newly-added virtual machine set;
and updating the access strategy of the virtual machines of each group in each group according to the grouping result of the newly-added virtual machine set.
In one implementation, the access policy includes: any virtual machine in each set is allowed to access other virtual machines within the set, and is not allowed to access virtual machines in other groupings.
The embodiment of the invention also provides electronic equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes any strategy generation method when executing the program.
The embodiment of the invention also provides a computer storage medium, on which a computer program is stored, which when executed by a processor implements any of the above-mentioned policy generation methods.
Based on the policy generation method, the policy generation device, the electronic equipment and the computer storage medium provided by the embodiment of the invention, historical flow data of the first virtual machine set is obtained; the first virtual machine set at least comprises two virtual machines; clustering the first virtual machine set according to the historical flow data, and determining a grouping result of the first virtual machine set; generating access strategies of the virtual machines of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group.
It can be seen that, in the embodiment of the present invention, historical traffic data of a first virtual machine set is obtained, where the first virtual machine set includes at least two virtual machines, and according to the historical traffic data of the first virtual machine set, virtual machines in the first virtual machine set are clustered, that is, virtual machines in the first virtual machine set may be grouped, so as to determine a grouping result of the first virtual machine set, and according to the grouping result, an access policy of each group of virtual machines in each group may be generated, that is, virtual machines in each group may determine an access behavior according to an access policy of a corresponding group. It can be seen that, in the embodiment of the invention, based on the historical flow data of the virtual machine, the virtual machine is quickly grouped, and a corresponding access policy is generated according to the grouping result, so that the efficiency of deploying the virtual machine in the network environment can be effectively improved, and the complexity of network security access control can be reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
Fig. 1 is a schematic flow chart of a policy generation method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network segmentation result of a first virtual machine set according to an embodiment of the present invention;
FIG. 3 is a topology diagram of access relationships of access policies of virtual machines in a group according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating another strategy generation method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of classifying a newly added virtual machine set according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a specific implementation of a policy generation method according to an embodiment of the present invention;
FIG. 7 is a schematic flow chart of a specific implementation of another policy generation method according to an embodiment of the present invention;
FIG. 8 is a schematic flow chart of a specific implementation of a policy generation method according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a policy generation device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Aiming at the problems that when a virtual machine is deployed in a network environment, the workload of access policy configuration of the virtual machine is large and errors are easy to occur, the technical scheme of the embodiment of the invention is provided. Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the examples provided herein are for the purpose of illustration only and are not intended to limit the invention. In addition, the embodiments provided below are some of the embodiments for carrying out the present invention, but not all of the embodiments for carrying out the present invention, and the technical solutions described in the embodiments of the present invention may be implemented in any combination without conflict.
It should be noted that, in the embodiments of the present invention, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a method or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such method or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other related elements in a method or apparatus comprising the element (e.g., a step in a method or an element in an apparatus, e.g., an element may be part of a circuit, part of a processor, part of a program or software, etc.).
The term "and/or" is herein merely an association relationship describing an associated object, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, C, and may mean including any one or more elements selected from the group consisting of A, B and C.
For example, a policy generating method provided in the embodiment of the present invention includes a series of steps, but the policy generating method provided in the embodiment of the present invention is not limited to the described steps, and similarly, a policy generating apparatus provided in the embodiment of the present invention includes a series of modules, but the policy generating apparatus provided in the embodiment of the present invention is not limited to the modules explicitly described, and may also include modules that are required to be set when acquiring related information or performing processing based on information.
Embodiments of the present invention may be implemented on a terminal and/or server, where the terminal may be a thin client, thick client, handheld or laptop device, microprocessor-based system, set top box, programmable consumer electronics, network personal computer, small computer system, or the like. The servers may be small computer systems, large computer systems, and distributed cloud computing technology environments including any of the above, among others.
An electronic device such as a server may include program modules that execute computer instructions. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks. The computer system/server may be implemented in a distributed cloud computing environment in which tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computing system storage media including memory storage devices.
Fig. 1 is a schematic flow chart of a policy generation method according to an embodiment of the present invention, as shown in fig. 1, the flow may include:
step 101: acquiring historical flow data of a first virtual machine set; the first set of virtual machines includes at least two virtual machines.
In the embodiment of the invention, the virtual machine refers to a complete computer system which has complete hardware system functions and runs in a completely isolated environment through software simulation, and the work which can be completed in the physical computer can be realized in the virtual machine. The first set of virtual machines refers to all virtual machines running in the network environment.
In the embodiment of the invention, the historical traffic data between the virtual machines in the first virtual machine set can be collected based on the data flow information output standard (Internet Protocol Flow Information Export, IPFIX) of the internet protocol, wherein the historical traffic data can be east-west traffic data, and it is noted that the east-west traffic data is a network traffic mode in the network environment and comprises traffic data between the virtual machines in the network environment, so that the access relationship between the virtual machines can be determined according to the historical traffic data of the virtual machines.
Illustratively, one piece of historical traffic data for one virtual machine in the first set of virtual machines may be represented as:
[192.168.0.2,172.16.0.16,3389,60075,6,0,103374,6934316,2018-01T 01:11:35Z, 2018-01T 01:58:50Z, d2bec097-bd19-11ea-b9a8-deaab7670f1c, d2bee7a9-bd19-11ea-b41f-deaab7670f1c ], wherein the fields of the historical traffic data are described, as shown in Table 1, table 1 is the meaning of the fields of the historical traffic data.
TABLE 1
In the embodiment of the present invention, after the historical traffic data of the first virtual machine set is obtained, the historical traffic data may be preprocessed, where the preprocessing includes: loading historical traffic data, performing data deduplication, removing default data, filtering effective field information in the historical traffic data, aggregating the historical traffic data with the same source internet protocol address and destination internet protocol address, and accumulating the total number of packets and the total number of bytes. The valid field information includes: the source internet protocol address, the destination internet protocol address, the data flow direction, the total packet number and the total byte number can be determined, so that the data flow direction between the source virtual machine and the destination virtual machine and the size of data traffic can be determined, and the higher the total packet number or the total byte number is, the higher the access frequency between the source virtual machine and the destination virtual machine can be determined.
In the embodiment of the invention, after preprocessing the historical traffic data, the feature extraction can be performed on the historical traffic data, namely, the internet protocol addresses without repetition are ordered, and if the number of the internet protocol addresses is n, an n-dimensional matrix is generated by taking the ordered list of the internet protocol addresses as rows and columns respectively, wherein the value in the matrix represents the total number of packets or the total number of bytes between the internet protocol addresses corresponding to the rows and the columns. Since the Euclidean distance and cosine similarity calculated between the unit vectors are equivalent, the n-dimensional matrix row vector is converted into the unit vector, namely, the feature matrix can be normalized to achieve a better clustering effect.
Step 102: and clustering the first virtual machine set according to the historical flow data, and determining a grouping result of the first virtual machine set.
In some embodiments, clustering is performed on the first virtual machine set according to the clustering model and the historical flow data to obtain a clustering result;
evaluating the effect of the clustering result to obtain an evaluation value;
when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and repeatedly executing the steps of clustering the first virtual machine set and evaluating the effect of the clustering result until the evaluation value is larger than or equal to the preset first threshold value;
And determining the last obtained clustering result as a grouping result of the first virtual machine set.
In the embodiment of the invention, an n-dimensional matrix of historical flow data can be used as a sample set, and the first virtual machine set is clustered according to a clustering model, wherein the clustering model can comprise a random forest algorithm model, a Markov clustering algorithm model (Markov Cluster Algorithm, MCL) and other clustering algorithm models, and the embodiment of the invention is not limited.
In the embodiment of the invention, after the first virtual machine set is clustered, a clustering result is obtained, the effect of the clustering result can be evaluated according to the clustering evaluation index, an evaluation value is obtained, and the higher the evaluation value is, the better the clustering effect of the first virtual machine set is. Here, the cluster evaluation Index may include a contour coefficient, a Calinski-Harabasz Index coefficient, and a lander coefficient, which is not limited to the embodiment of the present invention.
In the embodiment of the invention, a preset first threshold value can be preset according to experience, whether the clustering effect of the first virtual machine set meets the standard is judged according to the preset first threshold value, if the evaluation value is greater than or equal to the preset first threshold value, the clustering effect of the first virtual machine set is determined to meet the standard, the clustering result is determined to be a grouping result of the first virtual machine set, and the clustering model is stored; if the evaluation value is smaller than a preset first threshold value, the clustering effect of the first virtual machine set does not reach the standard, parameters of a clustering model are required to be adjusted, the first virtual machine set is clustered again until the evaluation value of the obtained clustering result is larger than or equal to the preset first threshold value, and the clustering model is stored.
Step 103: generating access strategies of the virtual machines of each group in each group according to the grouping result; the access policy is used to determine the access behavior of the virtual machines of each group.
In some implementations, the access policy includes: any virtual machine in each group is allowed to access other virtual machines within the group, and is not allowed to access virtual machines in other groups.
In the embodiment of the invention, network segmentation is performed on the virtual machines of the first virtual machine set according to the grouping result, and the virtual machines in the same grouping are divided into one network segment.
For example, as shown in table 2, table 2 is an access relationship and a grouping result of the virtual machines in the first virtual machine set, and it should be noted that IP represents an internet protocol address of the virtual machine, and IP is a unique corresponding relationship with the virtual machine.
| Source virtual machine | Destination virtual machine | Grouping results |
| Virtual machine 1 | Virtual machine 4 | First group of |
| Virtual machine 2 | Virtual machine 7 | Second group of |
| Virtual machine 6 | Virtual machine 2 | Second group of |
| Virtual machine 5 | Virtual machine 8 | Third group of |
| Virtual machine 8 | Virtual machine 3 | Third group of |
TABLE 2
According to the access relationship and the grouping result of the virtual machines in the first virtual machine set in table 2, the network segmentation result of the first virtual machine set may be determined, referring to fig. 2, according to the grouping result, the virtual machines of the first virtual machine set in the network environment may be divided into three network segments, including a first network segment 201, a second network segment 202, and a third network segment 203, where the first network segment 201 includes a virtual machine 1 and a virtual machine 4; the second network segment 202 includes virtual machine 2, virtual machine 6, and virtual machine 7; the third network segment 203 comprises virtual machine 3, virtual machine 5, and virtual machine 8.
In the embodiment of the invention, according to the grouping result and the historical flow access relation of the virtual machines in the groups, the access strategy of the virtual machines in each group can be generated, namely, any virtual machine in each group is allowed to access other virtual machines in the group, and is not allowed to access the virtual machines in other groups, namely, the access is allowed in the group, and the access is refused between the groups. It should be noted that, according to other identification information of the historical traffic data, a finer granularity access policy may also be generated.
In embodiments of the invention, the generated access policies may be translated into formatted Rego rules according to a generic policy engine (Open Policy Agent, OPA), where the Rego rules are declarative languages in the OPA that are used to describe the access policies. The translated access strategy can be displayed on a Web interface by means of the access relation topological graph, the access relation topological graph after the strategy is issued and validated is simulated, and the access strategy can be executed after the user confirms the access strategy.
Illustratively, fig. 3 is an access relationship topology diagram of access policies of virtual machines in a group, where the group includes 12 virtual machines, which are respectively: the access relationships among the first virtual machine 301, the second virtual machine 302, the third virtual machine 303, the fourth virtual machine 304, the fifth virtual machine 305, the sixth virtual machine 306, the seventh virtual machine 307, the eighth virtual machine 308, the ninth virtual machine 309, the tenth virtual machine 310, the eleventh virtual machine 311, the twelfth virtual machine 312, and the 12 virtual machines are as shown in fig. 3.
In practical applications, steps 101 to 103 are implemented by an electronic device-based processor, which may be at least one of an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a digital signal processor (Digital Signal Processor, DSP), a digital signal processing device (Digital Signal Processing Device, DSPD), a programmable logic device (Programmable Logic Device, PLD), a field programmable gate array (Field Programmable Gate Array, FPGA), a central processing unit (Central Processing Unit, CPU), a controller, a microcontroller, and a microprocessor.
It can be seen that, in the embodiment of the present invention, by acquiring historical traffic data of a first virtual machine set, where the first virtual machine set includes at least two virtual machines; clustering the first virtual machine set according to the historical flow data of the first virtual machine set and the clustering model to obtain a grouping result of the virtual machines in the first virtual machine set; based on the grouping results, access policies for the virtual machines of each of the respective groups may be generated, wherein the access policies are used to determine access behavior of the virtual machines of each group. It can be seen that, in the embodiment of the present invention, based on the historical traffic data of the first virtual machine set, the first virtual machine set is quickly grouped, that is, the grouping result of the first virtual machine set can be determined according to the access relationship of the virtual machines in the first virtual machine set, and the virtual machines with high access frequency are grouped into the same group, so that the efficiency of deploying the virtual machines in the network environment can be effectively improved, the access policy is generated according to the grouping result, so that the virtual machines in the group allow access, the virtual machines among the groups deny access, and the complexity of network security access control can be reduced.
Fig. 4 is a flow chart of another policy generation method according to an embodiment of the present invention, as shown in fig. 4, the flow may include:
step 401: historical traffic data for the first set of virtual machines is updated.
In some embodiments, when the virtual machines in the first set of virtual machines are running for a period of time, some new historical traffic data may be added, and then the access policy may need to be changed accordingly, so that an update period of the access policy may be set, and for example, the access policy may be automatically updated at zero point every day.
In some embodiments, when the access policy is updated, the historical traffic data of the first set of virtual machines in the last period of time may be obtained, that is, the historical traffic data of the first set of virtual machines is updated. Here, the historical flow data may be acquired within half an hour, or may be acquired within one hour, which is not limited to the embodiment of the present invention.
Step 402: and clustering the updated historical flow data, and updating the grouping result of the first virtual machine set.
In some embodiments, according to the saved clustering model and the updated historical traffic data of the first virtual machine set, carrying out clustering processing on the first virtual machine set again to obtain a clustering result, evaluating the effect of the clustering result to obtain an evaluation value, and when the evaluation value is greater than or equal to a preset first threshold value, indicating that the obtained clustering result has a good effect, and not needing to update the grouping result of the first virtual machine set; when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and carrying out clustering treatment on the first virtual machine set again until the evaluation value of the obtained clustering effect is larger than or equal to the preset first threshold value, so that the grouping result of the first virtual machine set is updated according to the current clustering result, and the current clustering model is stored.
Step 403: and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
In some embodiments, according to the updated grouping result, the access policy of the virtual machine of each group in each updated grouping is generated, and the updated policy may also be displayed on the Web interface, and the user is reminded to confirm, and when the confirmation information is received, the access policy of the virtual machine of each group in each updated grouping is updated.
According to the method, according to the running condition of the virtual machines in the first virtual machine set, the historical flow data of the first virtual machine set can be updated, and the access strategy of the virtual machines is updated, namely the access strategy is dynamically updated, so that the accuracy of the access strategy can be improved.
In some embodiments, after generating the access policy of the virtual machine of each group in the respective groups, the method further includes:
acquiring historical flow data of a newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly added virtual machine set and the first virtual machine set;
Determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set;
generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set;
and updating the access strategy of the virtual machine of each group in each group under the condition that the proportion is smaller than or equal to a preset second threshold value.
In some embodiments, it is also possible to add some virtual machines in the network environment, and then it is necessary to determine an access policy of a virtual machine in the newly added virtual machine set. And acquiring the historical flow data of the newly-added virtual machine set, and determining the access strategy of the virtual machine in the newly-added virtual machine set according to the historical flow data of the newly-added virtual machine set.
In some embodiments, according to the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set, when the ratio is greater than a preset second threshold value, the access flow between each virtual machine in the newly-added virtual machine set is larger, and the access flow between each virtual machine in the newly-added virtual machine set and the first virtual machine set is smaller, then the access policy extremely corresponding to the original grouping result is not matched with the newly-added virtual machine set, clustering is needed to be performed on the second virtual machine set, and a corresponding access policy is generated. It should be noted that the preset second preset threshold may be preset according to the existing experience.
In some embodiments, when the ratio is smaller than a preset second threshold, it is indicated that the access flow between each virtual machine in the newly-added virtual machine set and the first virtual machine set is larger, and the access flow between each virtual machine in the newly-added virtual machine set is smaller, so that the virtual machines in the newly-added virtual machine set can be classified directly according to the grouping result of the first virtual machine set and the corresponding access policy, and the corresponding access sides are inherited.
It can be seen that when some virtual machines are newly added in the network environment, corresponding clustering processing or classification processing can be performed on the newly added virtual machine set according to the historical flow data of the newly added virtual machine set, so that the virtual machines in the newly added virtual machine set are quickly grouped, corresponding access strategies are generated, and the efficiency of deploying the virtual machines in the network environment can be improved.
In some implementations, generating the access policy for the virtual machines of each of the respective groups of the second set of virtual machines includes:
clustering historical flow data of the second virtual machine set, and determining grouping results of the second virtual machine set;
and generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
In some embodiments, under the condition that the access flow between each virtual machine in the newly-added virtual machine set and the first virtual machine set is large, clustering the second virtual machine set according to the historical flow data of the second virtual machine set to obtain a clustering result; and evaluating the effect of the clustering result to obtain an evaluation value, and determining the last obtained clustering result as a grouping result of the second virtual machine set when the evaluation value is greater than or equal to a preset first threshold value, and generating access strategies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result.
In some embodiments, updating the access policy of the virtual machine for each of the respective groups includes:
classifying historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set, and determining a grouping result of the newly-added virtual machine set;
and updating the access strategy of the virtual machines of each group in each group according to the grouping result of the newly added virtual machine set.
In some embodiments, in the case where the access traffic between each virtual machine in the set of added virtual machines and the first set of virtual machines is large, the classification processing is performed on the set of added virtual machines according to the historical traffic data of the added virtual machines, which may be obtained through steps 501 to 504, see fig. 5,
Step 501: and acquiring historical flow data of the newly-added virtual machine set.
In some embodiments, historical traffic data between virtual machines in the first set of virtual machines may be collected based on IPFIX.
Step 502: and preprocessing the historical flow data of the newly added virtual machine set.
In some embodiments, the preprocessed historical traffic data is obtained by performing data deduplication on the historical traffic data, removing default data, filtering valid field information in the historical traffic data, aggregating the historical traffic data having the same source and destination internet protocol addresses, and the like.
Step 503: and classifying the newly added virtual machine set according to the classification model to obtain a classification result.
In some embodiments, after the new virtual machine set is classified according to the classification model, a classification result is obtained, and the effect of the classification result can be evaluated according to the classification evaluation index, so that an evaluation value is obtained, and the higher the evaluation value, the better the effect of classifying the new virtual machine set is.
Step 504: and determining the classification result as a grouping result of the newly added virtual machine set.
Fig. 6 is a schematic flow chart of a specific implementation of a policy generation method according to an embodiment of the present invention, as shown in fig. 6, the flow may include:
Step 601: historical traffic data of the first virtual set is collected according to IPFIX.
Step 602: preprocessing the historical flow data.
Step 603: and extracting features of the preprocessed historical flow data to generate n-dimensional feature vectors.
Step 604: and carrying out clustering processing on the first virtual machine set according to the clustering model and the n-dimensional feature vector to obtain a clustering result.
Step 605: and evaluating the effect of the clustering result to obtain an evaluation value.
Step 606: judging whether the evaluation value is greater than or equal to a preset first threshold value, if so, executing step 607; if not, go to step 610.
Step 607: and storing the current clustering model, and determining the last obtained clustering result as a grouping result of the first virtual machine set.
Step 608: and generating a corresponding access strategy according to the grouping result.
Step 609: and translating the access strategy into a Rego rule based on the OPA, displaying or issuing the access strategy, and ending the flow.
In some embodiments, the server exposes or transmits the translated access policies to the virtual machines in each group, and the virtual machines can determine corresponding access behaviors after receiving the access policies.
Step 610: parameters of the cluster model are adjusted, step 604 is performed.
Fig. 7 is a schematic flow chart of a specific implementation of another policy generation method according to an embodiment of the present invention, where, as shown in fig. 7, the flow may include:
step 701: and after triggering the operation of updating the access strategy, acquiring historical flow data of the first virtual machine set in the last period of time.
Step 702: and carrying out clustering processing on the first virtual machine set according to the stored clustering model to obtain a clustering result.
Step 703: and evaluating the clustering effect of the clustering result to obtain an evaluation value.
Step 704: judging whether the evaluation value is larger than or equal to a preset first threshold value, if so, ending the flow; if not, step 705 is performed.
Step 705: and adjusting parameters of the clustering model, and carrying out clustering treatment on the first virtual machine set again until the evaluation value of the obtained clustering effect is greater than or equal to the preset first threshold value.
Step 706: and storing the current clustering model, and updating the grouping result of the first virtual machine set.
Step 707: and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
Step 708: the access policy is translated into Rego rules based on OPA and exposed.
Step 709: judging whether an instruction for confirming updating of the access strategy is received, if yes, executing step 710; if not, go to step 711.
Step 710: and issuing an access strategy and ending the flow.
In some embodiments, the server, upon receiving an instruction confirming updating of the access policies, sends the translated access policies to the virtual machines in each group.
Step 711: refusing to update the access strategy and ending the flow.
In some embodiments, when the server does not receive an instruction for confirming updating the access policy, the server refuses to update the access policy, that is, the server does not send the updated access policy to the virtual machines in each group, so that the virtual machines still determine the corresponding access behavior according to the original access policy.
Fig. 8 is a schematic flow chart of a specific implementation of another policy generation method according to an embodiment of the present invention, as shown in fig. 7, the flow may include:
step 801: and acquiring historical flow data of the newly-added virtual machine set.
In some embodiments, the newly added set of virtual machines includes at least two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly added virtual machine set, and historical flow data between each virtual machine in the newly added virtual machine set and the first virtual machine set.
Step 802: and determining the ratio of the historical flow data among the virtual machines in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set.
Step 803: judging whether the proportion is greater than a preset second threshold value, if so, executing step 804; if not, go to step 809
Step 804: and acquiring historical flow data of the second virtual machine set.
In some embodiments, the second set of virtual machines includes: a first set of virtual machines and an added set of virtual machines.
Step 805: and clustering the second virtual machine set to determine a grouping result of the second virtual machine set.
Step 806: and generating a corresponding access strategy according to the grouping result.
Step 807: the access policy is translated into Rego rules based on OPA.
Step 808: and displaying or issuing the access strategy, and ending the flow.
In some embodiments, the server exposes or transmits the translated access policies to the virtual machines in each group, and the virtual machines can determine corresponding access behaviors after receiving the access policies.
Step 809: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set is obtained.
Step 810: and classifying the newly added virtual machine set according to the classification model to obtain a classification result.
Step 811: the classification result is determined as the grouping result of the newly added virtual machine set, and step 806 is performed.
In various embodiments of the present application, the sequence number of each step/process described above does not mean that the execution sequence of each step/process should be determined by the function and the internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Based on the same technical concept as the foregoing embodiment, referring to fig. 9, an apparatus for generating a policy according to an embodiment of the present invention includes at least:
an obtaining module 901, configured to obtain historical traffic data of a first virtual machine set; the first virtual machine set at least comprises two virtual machines;
a determining module 902, configured to perform clustering processing on the first virtual machine set according to the historical traffic data, and determine a grouping result of the first virtual machine set;
a generating module 903, configured to generate an access policy of the virtual machine of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group.
In one implementation, the determining module 902 is configured to perform clustering processing on the first set of virtual machines according to the historical traffic data, and determine a grouping result of the first set of virtual machines, where the determining module includes:
Clustering the first virtual machine set according to the clustering model and the historical flow data to obtain a clustering result;
evaluating the effect of the clustering result to obtain an evaluation value;
when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and repeatedly executing the steps of clustering the first virtual machine set and evaluating the effect of the clustering result until the evaluation value is larger than or equal to the preset first threshold value;
and determining the last obtained clustering result as a grouping result of the first virtual machine set.
In one implementation, after generating the access policy for each of the respective packets, further comprising:
updating historical traffic data of the first set of virtual machines;
clustering the updated historical flow data, and updating the grouping result of the first virtual machine set;
and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
In one implementation, after generating the access policy for the virtual machine for each of the respective groups, further comprising:
Acquiring historical flow data of a newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set;
determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set;
generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set;
and updating the access strategy of the virtual machine of each group in each group under the condition that the proportion is smaller than or equal to a preset second threshold value.
In one implementation, the generating the access policy of the virtual machines of each of the respective groups of the second set of virtual machines includes:
clustering historical flow data of the second virtual machine set, and determining a grouping result of the second virtual machine set;
And generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
In one implementation, the updating the access policy of the virtual machine of each of the respective groups includes:
classifying historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set, and determining a grouping result of the newly-added virtual machine set;
and updating the access strategy of the virtual machines of each group in each group according to the grouping result of the newly-added virtual machine set.
In one implementation, the access policy includes: any virtual machine in each set is allowed to access other virtual machines within the set, and is not allowed to access virtual machines in other groupings.
It should be noted that the description of the above device embodiments is similar to the description of the method embodiments described above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the device embodiments of the present application, please refer to the description of the method embodiments of the present application for understanding.
It should be noted that, in the embodiment of the present invention, if the method is implemented in the form of a software functional module, and sold or used as a separate product, the method may also be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a terminal, a server, etc.) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
Correspondingly, the embodiment of the invention further provides a computer program product, which comprises computer executable instructions for implementing any one of the policy generation methods provided by the embodiment of the invention.
Accordingly, an embodiment of the present invention further provides a computer storage medium, where computer executable instructions are stored on the computer storage medium, where the computer executable instructions are configured to implement any one of the policy generation methods provided in the foregoing embodiments.
In some embodiments, the functions or modules included in the apparatus provided by the embodiments of the present invention may be used to perform the methods described in the foregoing method embodiments, and specific implementations thereof may refer to descriptions of the foregoing method embodiments, which are not repeated herein for brevity.
Based on the same technical concept as the foregoing embodiments, referring to fig. 10, an electronic device 1000 provided in the embodiment of the present invention may include: a memory 1010 and a processor 1020, a computer program executable by the electronic device 1000 on the processor 1020, the processor 1020 implementing any one of the policy generation methods when executing the program; wherein,
A memory 1010 for storing computer programs and data;
a processor 1020 for executing a computer program stored in the memory 1010 to implement any one of the policy generation methods of the previous embodiments.
The foregoing description of the various embodiments is intended to emphasize the differences between the various embodiments, and the same or similar parts thereof may be referred to each other for brevity and will not be repeated herein.
The methods disclosed in the method embodiments provided by the application can be arbitrarily combined under the condition of no conflict to obtain a new method embodiment.
The features disclosed in the embodiments of the products provided by the application can be arbitrarily combined under the condition of no conflict, so as to obtain new embodiments of the products.
The features disclosed in the embodiments of the method or the apparatus provided in the application may be arbitrarily combined without conflict to obtain a new embodiment of the method or the apparatus.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are merely illustrative, and exemplary, the division of units is merely a logical function division, and there may be other manners of division in actual implementation, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to a device or unit, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of grid units; the object of the present embodiment can be achieved according to the fact that some or all of the units thereof can be selected.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing module, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps of implementing the above method embodiments may be implemented by hardware associated with program instructions, and the above program may be stored in a computer readable storage medium, which when executed, performs steps including the above method embodiments.
The above description is not intended to limit the scope of the invention, but is intended to cover any modifications, equivalents, and improvements within the spirit and principles of the invention.
Claims (8)
1. A method of policy generation, the method comprising:
acquiring historical flow data of a first virtual machine set; the first virtual machine set at least comprises two virtual machines;
clustering the first virtual machine set according to the historical flow data, and determining a grouping result of the first virtual machine set;
generating access strategies of the virtual machines of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group;
after the access policy of the virtual machine of each group in each group is generated, the method further comprises:
acquiring historical flow data of a newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set;
determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set;
Generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set;
updating the access policy of the virtual machine of each group in each group of the second virtual machine set under the condition that the proportion is smaller than or equal to a preset second threshold value;
the generating the access policy of the virtual machines of each group in the respective groups of the second set of virtual machines includes:
clustering historical flow data of the second virtual machine set, and determining a grouping result of the second virtual machine set;
and generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
2. The method of claim 1, wherein clustering the first set of virtual machines according to the historical traffic data, determining a grouping result of the first set of virtual machines, comprises:
clustering the first virtual machine set according to the clustering model and the historical flow data to obtain a clustering result;
Evaluating the effect of the clustering result to obtain an evaluation value;
when the evaluation value is smaller than a preset first threshold value, adjusting parameters of the clustering model, and repeatedly executing the steps of clustering the first virtual machine set and evaluating the effect of the clustering result until the evaluation value is larger than or equal to the preset first threshold value;
and determining the last obtained clustering result as a grouping result of the first virtual machine set.
3. The method of claim 1, wherein after generating the access policy for each of the respective packets, further comprising:
updating historical traffic data of the first set of virtual machines;
clustering the updated historical flow data, and updating the grouping result of the first virtual machine set;
and generating access policies of the virtual machines of each group in each updated group according to the updated grouping result.
4. The method of claim 1, wherein the updating the access policy of the virtual machines of each of the respective groups comprises:
classifying historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set, and determining a grouping result of the newly-added virtual machine set;
And updating the access strategy of the virtual machines of each group in each group according to the grouping result of the newly-added virtual machine set.
5. The method according to any one of claims 1 to 4, wherein the access policy comprises: any virtual machine in each set is allowed to access other virtual machines within the set, and is not allowed to access virtual machines in other groupings.
6. A policy generation device, said device comprising at least:
the acquisition module is used for acquiring historical flow data of the first virtual machine set; the first virtual machine set at least comprises two virtual machines;
the determining module is used for carrying out clustering processing on the first virtual machine set according to the historical flow data and determining a grouping result of the first virtual machine set;
the generation module is used for generating an access strategy of the virtual machine of each group in each group according to the grouping result; the access policy is used for determining the access behavior of the virtual machines of each group;
the determining module is further used for obtaining historical flow data of the newly-added virtual machine set; the newly added virtual machine set at least comprises two virtual machines; the historical traffic data of the newly added virtual machine set includes: historical flow data between each virtual machine in the newly-added virtual machine set and the first virtual machine set; determining the ratio of the historical flow data between each virtual machine in the newly-added virtual machine set to the historical flow data of the newly-added virtual machine set; generating access policies of the virtual machines of each group in each group of the second virtual machine set under the condition that the proportion is larger than a preset second threshold value; the second set of virtual machines includes: the first virtual machine set and the newly added virtual machine set; updating the access policy of the virtual machine of each group in each group of the second virtual machine set under the condition that the proportion is smaller than or equal to a preset second threshold value;
The determining module is further configured to perform clustering processing on the historical traffic data of the second virtual machine set, and determine a grouping result of the second virtual machine set; and generating access policies of the virtual machines of each group in each group of the second virtual machine set according to the grouping result of the second virtual machine set.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the policy generation method of any of claims 1-5 when the program is executed by the processor.
8. A computer storage medium storing a computer program; characterized in that the computer program, when executed, is capable of implementing the policy generation method of any of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210673736.XA CN115118466B (en) | 2022-06-14 | 2022-06-14 | Policy generation method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210673736.XA CN115118466B (en) | 2022-06-14 | 2022-06-14 | Policy generation method and device, electronic equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115118466A CN115118466A (en) | 2022-09-27 |
| CN115118466B true CN115118466B (en) | 2024-04-12 |
Family
ID=83327605
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210673736.XA Active CN115118466B (en) | 2022-06-14 | 2022-06-14 | Policy generation method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115118466B (en) |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104077189A (en) * | 2013-03-29 | 2014-10-01 | 西门子公司 | Method and device for distributing resources |
| CN107612923A (en) * | 2017-10-09 | 2018-01-19 | 中国银联股份有限公司 | A kind of Operational Visit method and device based on network strategy group |
| CN109167795A (en) * | 2018-09-27 | 2019-01-08 | 深信服科技股份有限公司 | A kind of safety defense system and method |
| CN110378103A (en) * | 2019-07-22 | 2019-10-25 | 电子科技大学 | A kind of micro- isolating and protecting method and system based on OpenFlow agreement |
| CN111163092A (en) * | 2019-12-30 | 2020-05-15 | 深信服科技股份有限公司 | Flow abnormity detection method, device, equipment and storage medium |
| CN111176795A (en) * | 2020-01-09 | 2020-05-19 | 武汉思普崚技术有限公司 | Dynamic migration method and system of distributed virtual network |
| CN111258711A (en) * | 2020-01-09 | 2020-06-09 | 武汉思普崚技术有限公司 | Multi-protocol network micro-isolation method and system |
| CN111262841A (en) * | 2020-01-09 | 2020-06-09 | 武汉思普崚技术有限公司 | Resource scheduling method and system for virtual micro-isolation network |
| CN111273995A (en) * | 2020-01-09 | 2020-06-12 | 武汉思普崚技术有限公司 | Safety scheduling method and system for virtual micro-isolation network |
| CN112769620A (en) * | 2021-01-08 | 2021-05-07 | 深信服科技股份有限公司 | Network deployment method, equipment and computer readable storage medium |
| US11171834B1 (en) * | 2018-11-16 | 2021-11-09 | Juniper Networks, Inc. | Distributed virtualized computing infrastructure management |
| CN113703915A (en) * | 2021-08-17 | 2021-11-26 | 深信服科技股份有限公司 | Access relation visualization method and device, electronic equipment and storage medium |
| CN113763026A (en) * | 2021-04-23 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Method and device for testing information delivery strategy |
| WO2022067539A1 (en) * | 2020-09-29 | 2022-04-07 | 山石网科通信技术股份有限公司 | Network traffic processing method and apparatus, storage medium and computer device |
| CN114567481A (en) * | 2022-02-28 | 2022-05-31 | 天翼安全科技有限公司 | Data transmission method and device, electronic equipment and storage medium |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080209501A1 (en) * | 2007-02-28 | 2008-08-28 | Tresys Technology, Llc | System and method for implementing mandatory access control in a computer, and applications thereof |
| US9609023B2 (en) * | 2015-02-10 | 2017-03-28 | International Business Machines Corporation | System and method for software defined deployment of security appliances using policy templates |
| US20200364001A1 (en) * | 2019-05-15 | 2020-11-19 | Vmware, Inc. | Identical workloads clustering in virtualized computing environments for security services |
| US11593234B2 (en) * | 2020-01-16 | 2023-02-28 | Vmware, Inc. | Cloud restart for VM failover and capacity management |
-
2022
- 2022-06-14 CN CN202210673736.XA patent/CN115118466B/en active Active
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104077189A (en) * | 2013-03-29 | 2014-10-01 | 西门子公司 | Method and device for distributing resources |
| CN107612923A (en) * | 2017-10-09 | 2018-01-19 | 中国银联股份有限公司 | A kind of Operational Visit method and device based on network strategy group |
| CN109167795A (en) * | 2018-09-27 | 2019-01-08 | 深信服科技股份有限公司 | A kind of safety defense system and method |
| US11171834B1 (en) * | 2018-11-16 | 2021-11-09 | Juniper Networks, Inc. | Distributed virtualized computing infrastructure management |
| CN110378103A (en) * | 2019-07-22 | 2019-10-25 | 电子科技大学 | A kind of micro- isolating and protecting method and system based on OpenFlow agreement |
| CN111163092A (en) * | 2019-12-30 | 2020-05-15 | 深信服科技股份有限公司 | Flow abnormity detection method, device, equipment and storage medium |
| CN111258711A (en) * | 2020-01-09 | 2020-06-09 | 武汉思普崚技术有限公司 | Multi-protocol network micro-isolation method and system |
| CN111262841A (en) * | 2020-01-09 | 2020-06-09 | 武汉思普崚技术有限公司 | Resource scheduling method and system for virtual micro-isolation network |
| CN111273995A (en) * | 2020-01-09 | 2020-06-12 | 武汉思普崚技术有限公司 | Safety scheduling method and system for virtual micro-isolation network |
| CN111176795A (en) * | 2020-01-09 | 2020-05-19 | 武汉思普崚技术有限公司 | Dynamic migration method and system of distributed virtual network |
| WO2022067539A1 (en) * | 2020-09-29 | 2022-04-07 | 山石网科通信技术股份有限公司 | Network traffic processing method and apparatus, storage medium and computer device |
| CN112769620A (en) * | 2021-01-08 | 2021-05-07 | 深信服科技股份有限公司 | Network deployment method, equipment and computer readable storage medium |
| CN113763026A (en) * | 2021-04-23 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Method and device for testing information delivery strategy |
| CN113703915A (en) * | 2021-08-17 | 2021-11-26 | 深信服科技股份有限公司 | Access relation visualization method and device, electronic equipment and storage medium |
| CN114567481A (en) * | 2022-02-28 | 2022-05-31 | 天翼安全科技有限公司 | Data transmission method and device, electronic equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 基于微隔离技术的政府网站群综合防护方案研究;王奕钧;黄长慧;张子瀚;栗天池;;警察技术(02);第8-11页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115118466A (en) | 2022-09-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Mendonça et al. | Intrusion detection system based on fast hierarchical deep convolutional neural network | |
| US11237897B2 (en) | Detecting and responding to an anomaly in an event log | |
| CN107819783A (en) | A kind of network security detection method and system based on threat information | |
| CN107360145B (en) | Multi-node honeypot system and data analysis method thereof | |
| CN111953641A (en) | Classification of unknown network traffic | |
| WO2015062345A1 (en) | Method and device for recognizing ip address of designated category, and defence method and system | |
| CN112804123B (en) | Network protocol identification method and system for scheduling data network | |
| US11263266B2 (en) | Traffic anomaly sensing device, traffic anomaly sensing method, and traffic anomaly sensing program | |
| CN112084055A (en) | Fault positioning method and device of application system, electronic equipment and storage medium | |
| US20180288143A1 (en) | Managing idle and active servers in cloud data centers | |
| US11196633B2 (en) | Generalized correlation of network resources and associated data records in dynamic network environments | |
| CN112352412B (en) | Network traffic processing method and device, storage medium and computer equipment | |
| CN111935185B (en) | Method and system for constructing large-scale trapping scene based on cloud computing | |
| WO2022115590A1 (en) | Inferring firewall rules from network traffic | |
| CN110597719A (en) | Image clustering method, device and medium for adaptation test | |
| CN113328985A (en) | Passive Internet of things equipment identification method, system, medium and equipment | |
| CN113992349A (en) | Malicious traffic identification method, device, equipment and storage medium | |
| CN111680167A (en) | Service request response method and server | |
| Umbarkar et al. | Analysis of heuristic based feature reduction method in intrusion detection system | |
| CN110019400B (en) | Data storage method, electronic device and storage medium | |
| CN115118466B (en) | Policy generation method and device, electronic equipment and storage medium | |
| CN115378619A (en) | Sensitive data access method, electronic equipment and computer readable storage medium | |
| CN117294497A (en) | Network traffic abnormality detection method and device, electronic equipment and storage medium | |
| CN109918277A (en) | Electronic device, the evaluation method of system log cluster analysis result and storage medium | |
| CN109194700B (en) | Flow control method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |