CN115442072A - Three-level cross-domain security protection method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN115442072A
Application number: CN202210907667.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: security, domain, protection, rasp, application
Inventors: 何成刚, 万振华, 王颉, 李华, 董燕
Current assignee: Seczone Technology Co Ltd
Original assignee: Seczone Technology Co Ltd
Application filed by Seczone Technology Co Ltd; priority to CN202210907667.4A; publication of CN115442072A.

Classifications

All three codes fall under H04L63/00 (network architectures or network communication protocols for network security), in H04L (transmission of digital information, e.g. telegraphic communication), section H (electricity):

    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/1433 Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic)
    • H04L63/205 Managing network security involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (under H04L63/20, managing network security; network security policies in general)


Abstract

The application provides a three-level cross-domain security protection method, device, equipment and readable storage medium. A central domain, a local domain and an application domain are divided within a preset security protection region according to a ternary management mode, and a security probe is loaded in the application domain. When the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway and to send the security vulnerability information through the gateway to the RASP server of the local domain; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to a security protection instruction issued by the central domain. With this scheme, the security probe of the application domain transmits security vulnerability information to the local domain; after the local domain has handled the vulnerability, it aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision. Effective real-time coordinated protection across multiple regions is thus achieved through the ternary management mode, eliminating the blind spots of protection against security attacks.

Description

Three-level cross-domain security protection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for three-level cross-domain security protection.
Background
Web application security protection today is basically based on a single detection method or technology, such as DAST (dynamic application security testing), SAST (static application security testing) or IAST (interactive application security testing). These have disadvantages: they apply only to the testing and development stages of a web application and cannot protect the application in real time in production; some methods, such as SAST, also require the product's source code, so confidentiality of code that is intellectual property becomes a problem.
Existing patents based on RASP (Runtime Application Self-Protection) basically combine WAF (web application firewall) rule matching with hardware, for example a RASP-based firewall. Most of these technologies rely on a hardware combination and analyse network traffic; they do not go deep into the application's code level, the sources of security vulnerability information are limited, the security of the web application cannot be protected comprehensively and in a timely manner, the protection rules are single-purpose, and the ability to change flexibly is lacking.
Disclosure of Invention
The embodiment of the application provides a three-level cross-domain security protection method, a three-level cross-domain security protection device, equipment and a readable storage medium, and at least solves the problem that real-time large-scale linkage security attack protection cannot be performed in related technologies.
A first aspect of the embodiments of the present application provides a three-level cross-domain security protection method, including:
dividing a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode, and loading a safety probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain;
when the security probe detects security vulnerability information, controlling the RASP adapter to interact with a gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
sending the security vulnerability information gathered by the RASP server to the central domain;
and executing a corresponding safety protection decision according to the safety protection instruction issued by the central domain.
A second aspect of the embodiments of the present application provides a three-level cross-domain security protection device, including:
a dividing module, configured to divide a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode and to load a security probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain;
the interaction module is used for controlling the RASP adapter to interact with the gateway when the security probe detects the security vulnerability information, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
the sending module is used for sending the security vulnerability information summarized by the RASP server to the central domain;
and the execution module is used for executing a corresponding safety protection decision according to the safety protection instruction issued by the central domain.
A third aspect of the present embodiment provides an electronic device comprising a memory and a processor, wherein the processor is configured to execute a computer program stored in the memory, and when the processor executes the computer program the steps of the three-level cross-domain security protection method provided in the first aspect of the present embodiment are performed.
A fourth aspect of the present embodiment provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the three-level cross-domain security protection method provided in the first aspect of the present embodiment.
As can be seen from the above, according to the three-level cross-domain security protection method, apparatus, device and readable storage medium provided in the present application, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain; when the security probe detects security vulnerability information, the RASP adapter is controlled to interact with a gateway and to send the security vulnerability information through the gateway to the RASP server of the local domain; the security vulnerability information summarized by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, when the security probe of the application domain detects a security vulnerability, it transmits the security vulnerability information through the gateway to the local domain; after handling the vulnerability, the local domain aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision according to the aggregated information. Effective real-time coordinated protection across multiple regions is thus achieved through the ternary management mode, eliminating the blind spots of protection against security attacks.
Drawings
Fig. 1 is a basic flowchart of a three-level cross-domain security protection method according to a first embodiment of the present application;
Fig. 2 is a schematic diagram of a three-level regional security protection system according to the first embodiment of the present application;
Fig. 3 is a detailed flowchart of a three-level cross-domain security protection method according to a second embodiment of the present application;
Fig. 4 is a schematic block diagram illustrating program modules of a three-level cross-domain security protection apparatus according to a third embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problem that real-time large-scale linkage security attack protection cannot be performed in the related art, a first embodiment of the present application provides a three-level cross-domain security protection method, and as shown in fig. 1, a basic flowchart of the three-level cross-domain security protection method provided in this embodiment is provided, where the three-level cross-domain security protection method includes the following steps:
step 101, dividing a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode, and loading a safety probe in the application domain.
Specifically, the ternary management mode includes a central security officer, a domain-level security officer and an application security officer. It should be noted that the three-level cross-domain model can be used as a global model and can also be used as a basic unit that is expanded according to service requirements. The preset security protection region can be understood, for example, as a company developing network security products together with its customer companies: the central domain can then be a network security supervision department, the local domain a customer company, and the application domain each department of the customer company; it may also be understood as dividing a central domain, a local domain and an application domain within a local or wide area network. In this embodiment, as shown in fig. 2, which is a schematic diagram of the three-level regional security protection system provided in this embodiment, the whole system is divided into a central domain, a local domain and an application domain by combining a distributed RASP structure with the ternary management mode. The central domain corresponds to the region where the central security officer is located, i.e. the highest region of the protection unit; there is generally only one, and it is called the L1 layer here. The local domain corresponds to the region where the domain-level security officer is located; there may be 1 to N (N ≥ 1) local domains, forming the L2 layer. The application domain corresponds to the region where the application security officer is located; there may be 1 to N (N ≥ 1) application domains, forming the L3 layer. After system deployment is complete, the web container in the application domain is loaded with the security probe, and the RASP adapter then communicates with the probe in real time.
In an optional implementation manner of this embodiment, after the step of loading the security probe in the application domain, the method further includes: controlling the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program; if the security level of the application program is higher than a preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction individually to the corresponding security probe; and if the security level of the application program is lower than or equal to the preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction to the plurality of corresponding security probes.
Specifically, in this embodiment, the RASP adapter is controlled to select the security detection rules and the corresponding configuration instruction according to the security level of the application program. The security level can be understood as risk tolerance. For example, a company's financial department has a high importance level: if it is compromised through a security vulnerability, a huge loss may result, so its tolerance is low and the corresponding security detection rules need to be relatively strict. A technical department, by contrast, deals with various security attack events and sometimes needs to let detection of certain security vulnerabilities pass according to business requirements, so its tolerance is high and its security detection rules are relatively relaxed compared with other departments. In addition, the configuration instruction includes, but is not limited to, the communication mode between the RASP adapter and the security probe: if the security level of the application program is higher than the preset security level threshold, the RASP adapter and the corresponding security probe are controlled to communicate one-to-one in real time; if the security level is lower than or equal to the threshold, the RASP adapter and the corresponding security probes communicate one-to-many in real time. Controlling the communication mode flexibly in this way helps improve communication efficiency between the RASP adapter and the security probes and reduces unnecessary resource consumption.
And step 102, when the security probe detects the security vulnerability information, controlling the RASP adapter to interact with the gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway.
Specifically, in this embodiment, the gateway often only serves to relay information. As shown in fig. 2, when the security probe detects security vulnerability information, the RASP adapter first interacts with the gateway, determines which security vulnerabilities in the information the gateway can release and which need protection, and sends the security vulnerability information through the gateway to the RASP server of the local domain.
In an optional implementation manner of this embodiment, before the step of controlling the RASP adapter to interact with the gateway, the method further includes: uploading the security vulnerability information to the Portal end of the application domain, the Portal end being the application terminal through which the application security officer monitors the security probe; and performing security protection operations on the security vulnerability corresponding to the security vulnerability information according to a security instruction sent by the Portal end for that information.
Specifically, in this embodiment, the Portal end is the application terminal through which the application security officer monitors the security probe. The application security officer can monitor the probe in real time from the application domain, while the security information at the probe end is synchronized to the Portal end in real time. Through the Portal end, the application security officer can send the security vulnerability information to be protected to the probe and can choose different levels of protection for the security vulnerabilities, including but not limited to attack blocking, attack reporting and log writing. The probe then acts precisely on the security vulnerability in the web container according to the instruction sent by the Portal end and reports the security vulnerability information to the Portal end in real time according to the user's choice of attack blocking, attack reporting or log writing, and the real-time status of the attack event is displayed at the background server end.
It should be noted that the security protection of this embodiment includes, at this stage, a first security protection according to the security vulnerability information specified by the application security officer, a second security protection according to the security configuration of the gateway for the security vulnerability information, and a third security protection according to the security protection decision issued by the central domain.
In an optional implementation manner of this embodiment, the step of controlling the RASP adapter to interact with the gateway includes: when the RASP adapter acquires the security vulnerability information, controlling the RASP adapter to access the security configuration information of the gateway corresponding to the security vulnerability information, where the security configuration information includes a security vulnerability whitelist and a security vulnerability blacklist; if a first security vulnerability matching the security vulnerability whitelist exists in the security vulnerability information, controlling the gateway to respond to the access request in the RASP adapter that contains the first security vulnerability; and if a second security vulnerability matching the security vulnerability blacklist exists in the security vulnerability information, controlling the gateway to intercept the access request in the RASP adapter that contains the second security vulnerability.
Specifically, in this embodiment, the gateway holds security configuration information corresponding to the security vulnerability information, including but not limited to a security vulnerability whitelist and a security vulnerability blacklist. The whitelist is the set of security vulnerabilities that are allowed to be accessed according to service requirements; the blacklist is the set of known security vulnerabilities that pose a potential security hazard to the client application program. When the RASP adapter acquires the security vulnerability information, it is controlled to access the gateway's security configuration: if a first security vulnerability matching the whitelist is present, the access request containing it is allowed; if a second security vulnerability matching the blacklist is present, the access request containing it is denied. Because the RASP adapter and the gateway interact in real time, the efficiency of security vulnerability detection can be improved.
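The adapter-side logic of the optional rule-selection step and of step 102, as an added Python example that is not code from the patent or from Seczone: probes above the security level threshold each receive a dedicated strict rule message, probes at or below it share one relaxed one-to-many message, and every detected vulnerability is checked against the gateway's whitelist and blacklist before being passed on to the local-domain RASP server. The rule sets, list contents, threshold and probe identifiers are constructed, and the "forward" handling for vulnerability types in neither list is an assumption, since the page defines only the two lists.

```python
"""Adapter side of the three-level scheme: rule dispatch by application
security level, then the gateway whitelist/blacklist check before reports
reach the local-domain RASP server.

Added example, not code from the patent or from Seczone. Rule sets, list
contents, vulnerability type names and the threshold are constructed.
"""
from dataclasses import dataclass

# Constructed rule sets: strict for low risk tolerance (e.g. a finance
# department), relaxed for teams that must let some detections pass.
STRICT_RULES = ("sqli", "cmdi", "deserialization", "path_traversal", "ssrf")
RELAXED_RULES = ("sqli", "cmdi")


@dataclass(frozen=True)
class Probe:
    probe_id: str
    security_level: int  # higher level = lower risk tolerance


@dataclass(frozen=True)
class Dispatch:
    mode: str            # "one-to-one" or "one-to-many"
    probe_ids: tuple
    rules: tuple


def plan_dispatch(probes, threshold):
    """Group probes the way the adapter sends rules and configuration.

    Above the threshold: one dedicated message per probe with strict rules.
    At or below it (the page's "lower than or equal" case): one shared
    one-to-many message carrying the relaxed rules.
    """
    plan = [Dispatch("one-to-one", (p.probe_id,), STRICT_RULES)
            for p in probes if p.security_level > threshold]
    shared = tuple(p.probe_id for p in probes if p.security_level <= threshold)
    if shared:
        plan.append(Dispatch("one-to-many", shared, RELAXED_RULES))
    return plan


@dataclass(frozen=True)
class VulnReport:
    """Security vulnerability information as emitted by a probe."""
    probe_id: str
    vuln_type: str
    detail: str


@dataclass(frozen=True)
class GatewayConfig:
    """Security configuration the adapter reads from the gateway."""
    whitelist: frozenset  # allowed per service requirements
    blacklist: frozenset  # known hazardous to the client application


def gateway_disposition(report, cfg):
    """Decide what the gateway does with the request carrying this report.

    "release" for whitelisted types, "intercept" for blacklisted types, and
    "forward" for types in neither list (assumption: unknown types are
    passed on for the local-domain RASP server to handle). A type present in
    both lists is intercepted: the restrictive entry wins, so a stale
    whitelist entry cannot override a block (also an assumption).
    """
    if report.vuln_type in cfg.blacklist:
        return "intercept"
    if report.vuln_type in cfg.whitelist:
        return "release"
    return "forward"


def adapter_to_local_server(reports, cfg):
    """Interact with the gateway for each report, then hand everything, with
    the gateway's disposition attached, to the local-domain RASP server."""
    return [(r, gateway_disposition(r, cfg)) for r in reports]


if __name__ == "__main__":
    probes = [Probe("p-finance", 9), Probe("p-hr", 5), Probe("p-tech", 2)]
    for d in plan_dispatch(probes, threshold=5):
        print(d.mode, d.probe_ids, d.rules)
    cfg = GatewayConfig(whitelist=frozenset({"open_redirect"}),
                        blacklist=frozenset({"cmdi", "deserialization"}))
    reports = [VulnReport("p-tech", "open_redirect", "constructed sample"),
               VulnReport("p-finance", "cmdi", "constructed sample"),
               VulnReport("p-hr", "sqli", "constructed sample")]
    for r, verdict in adapter_to_local_server(reports, cfg):
        print(r.probe_id, r.vuln_type, verdict)
```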
And step 103, sending the security vulnerability information summarized by the RASP server to the central domain.
Specifically, in this embodiment, after receiving the security vulnerability information sent by the application domain, the RASP server in the local domain collects the security vulnerability information and presents the collected security vulnerability information to the domain-level security officer in the local domain, and the domain-level security officer may issue the security rules or perform the related instruction operation according to the related service requirements.
And 104, executing a corresponding safety protection decision according to a safety protection instruction issued by the central domain.
Specifically, in this embodiment, the central domain is the highest executing region of the invention. Whether it is an application domain or a local domain, after performing security protection for a security vulnerability it needs to upload the security protection data to the central domain. The central security officer analyses the security vulnerability information and the security protection data and issues a corresponding security protection instruction, and the application domain and the local domain execute the security protection decision according to that instruction.
In an optional implementation manner of this embodiment, the step of executing a corresponding security protection decision according to the security protection instruction issued by the central domain includes: determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, where the security protection data comprises application management data and server management data; and after receiving the security protection instruction, sent by the central domain, that corresponds to the security protection decision, controlling the local domain to execute the security protection decision.
Specifically, in this embodiment, the L1-layer central domain collects the protection data of the L2-layer local domains, including but not limited to security attack events, application management and server management. For each aspect of the security protection data there is a corresponding security protection decision in the central domain; the central security officer may issue the corresponding security protection instruction according to the security vulnerability and the specific content of the decision, and after the local domain receives the security protection instruction corresponding to the decision issued by the central domain, it is controlled to execute the security protection decision.
In an optional implementation manner of this embodiment, the step of determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain includes: summarizing and analysing the security vulnerability information of the application domain and the local domain; determining potential security vulnerabilities of third-party libraries according to the analysis result, and determining the security protection decisions corresponding to those potential vulnerabilities through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases; or determining the security attack corresponding to the security vulnerability information according to that information and the information management data of the different layers, and generating a security protection decision corresponding to the security attack.
Specifically, in this embodiment, on the application management side the L1 layer can summarize all security attack information, including that of the L2 and L3 layers, and decisions can be made on potential security attacks against third-party libraries recorded in the CVE and CNNVD databases. On the server management side, which specifically includes management of the server name, IP address, web container and recent active time, among other layers of information, the security attack corresponding to the security vulnerability information is determined, so that real-time protection against the security attack can be performed effectively.
In an optional implementation manner of this embodiment, after receiving a security protection instruction issued by the central domain corresponding to the security protection decision, the method for controlling the local domain to execute the security protection decision further includes: after a safety protection instruction is issued, detecting whether the local domain responds to the safety protection instruction or not within a preset time length; and if the local domain does not respond to the safety protection instruction, directly controlling the application domain to execute a safety protection decision according to the safety protection instruction.
Specifically, in this embodiment, security protection decisions are taken under the authority of the central security officer, which includes aggregating the data of the local domains and issuing the related security policies. The relationship between the central domain and the local domains is one-to-N, and the final decision rests with the central domain. If a local domain notified by the central domain does not put the related security protection into effect within the preset time, the central domain can bypass the local domain and perform the related security attack protection operation directly on the application domain.
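The central-domain side of step 104 and the fallback just described, as an added Python example that is not the patent's or Seczone's code: the aggregated vulnerability types from a local domain are mapped to a protection decision, the instruction is issued to that local domain, and when no acknowledgement arrives within the preset time the same instruction goes straight to the application domains under it. The decision table, timeout, domain names and the simulated acknowledgement latency are constructed so the logic runs offline.

```python
"""Central-domain decision issuance with timeout fallback to the application
domain (the one-to-N central/local relationship described above).

Added example, not code from the patent or from Seczone. The decision table,
domain names, timeout and simulated latencies are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed decision table: aggregated vulnerability type -> protection
# decision. The page names blocking, reporting and log writing as modes.
DECISION_TABLE = {
    "deserialization": "block",
    "sqli": "block",
    "open_redirect": "report",
}
DEFAULT_DECISION = "log"


@dataclass
class AppDomain:
    """An L3 application domain; records the instructions applied to it."""
    name: str
    applied: list = field(default_factory=list)

    def apply(self, instruction):
        self.applied.append(instruction)


@dataclass
class LocalDomain:
    """An L2 local domain with its application domains.

    ack_after is the simulated seconds until the domain acknowledges an
    instruction; None models a domain that never responds.
    """
    name: str
    apps: list
    ack_after: Optional[float]
    applied: list = field(default_factory=list)

    def deliver(self, instruction, issued_at):
        """Return the acknowledgement time, or None if it never comes."""
        if self.ack_after is None:
            return None
        self.applied.append(instruction)
        return issued_at + self.ack_after


@dataclass(frozen=True)
class Instruction:
    vuln_type: str
    decision: str
    target_local: str


def decide(aggregated_types):
    """Map the local domain's aggregated vulnerability types to decisions;
    types absent from the table fall back to logging."""
    return {v: DECISION_TABLE.get(v, DEFAULT_DECISION) for v in sorted(aggregated_types)}


def issue_with_fallback(instruction, local, timeout, now):
    """Issue to the local domain; if no acknowledgement arrives within
    `timeout` seconds of `now`, control the application domains directly.

    Returns ("local", ack_time) or ("application", [app names]).
    """
    ack_time = local.deliver(instruction, now)
    if ack_time is not None and ack_time - now <= timeout:
        return ("local", ack_time)
    # No response in time: bypass the local domain, as the page describes.
    for app in local.apps:
        app.apply(instruction)
    return ("application", [a.name for a in local.apps])


def run_round(local, aggregated_types, timeout, now):
    """One decision cycle for one local domain: decide, issue, record path."""
    outcome = {}
    for vuln_type, decision in decide(aggregated_types).items():
        ins = Instruction(vuln_type, decision, local.name)
        outcome[vuln_type] = issue_with_fallback(ins, local, timeout, now)
    return outcome


if __name__ == "__main__":
    responsive = LocalDomain("l2-east", [AppDomain("l3-a"), AppDomain("l3-b")], ack_after=1.5)
    silent = LocalDomain("l2-west", [AppDomain("l3-c")], ack_after=None)
    print(run_round(responsive, {"sqli", "open_redirect"}, timeout=5.0, now=0.0))
    print(run_round(silent, {"deserialization"}, timeout=5.0, now=0.0))
```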
Based on the scheme of the embodiment of the application, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain; the application domain is a sub-domain of the local domain; when the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway and to send the security vulnerability information through the gateway to the RASP server of the local domain; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, when the security probe of the application domain detects a security vulnerability, it transmits the security vulnerability information through the gateway to the local domain; after handling the vulnerability, the local domain aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision according to the aggregated information. Effective real-time coordinated protection across multiple regions is thus achieved through the ternary management mode, eliminating the blind spots of protection against security attacks.
The method in fig. 3 is a refined three-level cross-domain security protection method provided in a second embodiment of the present application, where the three-level cross-domain security protection method includes:
step 301, dividing a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode, and loading a safety probe in the application domain.
Specifically, in this embodiment, the local domain is a sub-domain of a central domain, the application domain is a sub-domain of the local domain, the central domain corresponds to a region where a central security officer is located, that is, a highest region of the protection unit, the local domain corresponds to a region where a domain-level security officer is located, the local domain has a possibility of 1 to N (N ≧ 1), the application domain corresponds to a region where an application security officer is located, and the application domain also has a possibility of 1 to N (N ≧ 1).
And step 302, controlling the security probe to perform security vulnerability detection according to the security detection rule sent by the RASP adapter and the corresponding configuration instruction.
And 303, when the security probe detects the security vulnerability information, sending the security vulnerability information to the RASP adapter.
And 304, triggering an interaction instruction when the RASP adapter receives the security vulnerability information, performing information interaction with the gateway according to the interaction instruction, and sending the security vulnerability information to the RASP server of the local domain through the gateway after the interaction is completed.
And 305, sending the security vulnerability information summarized by the RASP server to the central domain.
And step 306, determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain.
And 307, after receiving a safety protection instruction corresponding to the safety protection decision issued by the central domain, controlling the local domain to execute the safety protection decision.
And 308, if the local domain does not respond to the safety protection instruction, directly controlling the application domain to execute a safety protection decision according to the safety protection instruction.
According to the three-level cross-domain security protection method provided by this scheme, the security probe is controlled to perform security vulnerability detection according to the security detection rule and the corresponding configuration instruction sent by the RASP adapter; when the security probe detects security vulnerability information, the information is sent to the RASP adapter; the RASP adapter triggers an interaction instruction on receiving the information, performs information interaction with the gateway according to that instruction and, after the interaction is completed, sends the security vulnerability information to the RASP server of the local domain through the gateway; the security vulnerability information summarized by the RASP server is sent to the central domain; a corresponding security protection decision is determined according to the security vulnerability information and the security protection data of the local domain; after the security protection instruction corresponding to that decision is received from the central domain, the local domain is controlled to execute the decision; and if the local domain does not respond to the security protection instruction, the application domain is controlled directly to execute the decision according to the instruction.
With this scheme, when the security probe of the application domain detects a security vulnerability, the vulnerability information is transmitted to the local domain through the gateway; after the local domain has handled the vulnerability, it sends the summarized vulnerability information to the central domain, and the central domain issues the corresponding security protection decision according to the gathered information. Effective real-time linked security protection across multiple regions is thus carried out through the ternary management mode, which removes the blind spots of protection against security attacks at the root.
Fig. 4 shows a three-level cross-domain security protection device provided in a third embodiment of this application; the device may be used to implement the three-level cross-domain security protection method of the foregoing embodiments. As shown in fig. 4, the device mainly includes:
a dividing module 401, configured to divide a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode, and to load a security probe in the application domain, the application domain being a sub-domain of the local domain;
an interaction module 402, configured to control the RASP adapter to interact with the gateway when the security probe detects security vulnerability information, and to send the security vulnerability information to the RASP server of the local domain through the gateway;
a sending module 403, configured to send the security vulnerability information gathered by the RASP server to the central domain;
and an execution module 404, configured to execute a corresponding security protection decision according to the security protection instruction issued by the central domain.
In an optional implementation of this embodiment, the three-level cross-domain security protection device further includes a selection module. The selection module is configured to control the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program. The sending module is further configured to: if the security level of the application program is higher than a preset security level threshold, control the RASP adapter to send the security detection rule and the corresponding configuration instruction to the corresponding security probe individually; and if the security level of the application program is lower than or equal to the preset security level threshold, control the RASP adapter to send the security detection rule and the corresponding configuration instruction to the plurality of corresponding security probes.
In an optional implementation of this embodiment, the three-level cross-domain security protection device further includes an upload module and a protection module. The upload module is configured to upload the security vulnerability information to the Portal end of the application domain, the Portal end being the application terminal with which the application security officer monitors the security probe. The protection module is configured to carry out security protection of the security vulnerability corresponding to the security vulnerability information according to a security instruction sent by the Portal end for that information.
In an optional implementation of this embodiment, the interaction module is specifically configured to: when the RASP adapter acquires the security vulnerability information, control the RASP adapter to access the security configuration information corresponding to that information, the security configuration information including a security vulnerability whitelist and a security vulnerability blacklist; if a first security vulnerability corresponding to the whitelist exists in the security vulnerability information, control the gateway to respond to the access request from the RASP adapter that contains the first security vulnerability; and if a second security vulnerability corresponding to the blacklist exists in the security vulnerability information, control the gateway to intercept the access request from the RASP adapter that contains the second security vulnerability.
In an optional implementation of this embodiment, the execution module is specifically configured to: determine a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, the security protection data including application management data and server management data; and, after receiving the security protection instruction corresponding to that decision from the central domain, control the local domain to execute the security protection decision.
Further, in an optional implementation of this embodiment, when the execution module determines the corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, it is specifically configured to: summarize and analyze the security vulnerability information of the application domain and the local domain; determine potential security vulnerabilities of third-party libraries according to the analysis result, and determine the security protection decision corresponding to those potential vulnerabilities through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases; or determine the security attack corresponding to the security vulnerability information according to that information and the information management data of the different layers, and generate the security protection decision corresponding to that attack.
Further, in another optional implementation of this embodiment, the three-level cross-domain security protection device further includes a judging module. The judging module is configured to detect, after a security protection instruction is issued, whether the local domain responds to the instruction within a preset time length. The execution module is further configured to: if the local domain does not respond to the security protection instruction, directly control the application domain to execute the security protection decision according to the instruction.
According to the three-level cross-domain security protection device provided by this scheme, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain, the application domain being a sub-domain of the local domain; when the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway and to send the security vulnerability information through the gateway to the RASP server of the local domain; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, when the security probe of the application domain detects a security vulnerability, the vulnerability information is transmitted to the local domain through the gateway; after the local domain has handled the vulnerability, it sends the summarized vulnerability information to the central domain, and the central domain issues the corresponding security protection decision according to the gathered information. Effective real-time linked security protection across multiple regions is thus carried out through the ternary management mode, which removes the blind spots of protection against security attacks at the root.
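The linkage described in steps 302 to 308 and in the device embodiment above (gateway whitelist/blacklist check, local-domain gathering, central-domain decision, and direct control of the application domain when the local domain does not respond within the preset time) can be modelled end to end. The following is an added example and not the patent's or the assignee's code: every class name (VulnReport, Gateway, LocalRaspServer, CentralDomain), the stand-in vulnerability database, the sample reports and the ack delay used in place of real timing are constructed assumptions, and a report that is on neither list is assumed to be forwarded like a whitelisted one.

```python
"""Toy model of the three-level RASP linkage above (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnReport:
    """What a security probe hands to the RASP adapter (step 303)."""
    app: str
    vuln_type: str                  # e.g. "sqli", "deserialization"
    library: Optional[str] = None   # third-party library, when the probe knows it


class Gateway:
    def __init__(self, whitelist: set, blacklist: set) -> None:
        self.whitelist, self.blacklist = whitelist, blacklist

    def handle(self, report: VulnReport) -> str:   # list check of step 304
        if report.vuln_type in self.blacklist:
            return "intercept"   # request carrying a black-listed vuln is blocked
        return "respond"         # white-listed (assumed: or unlisted) request goes on


class LocalRaspServer:
    """Local-domain RASP server: gathers forwarded reports and acks instructions."""
    def __init__(self, ack_delay_s: Optional[float]) -> None:
        self.reports: List[VulnReport] = []
        self.ack_delay_s = ack_delay_s   # None models a local domain that never answers

    def collect(self, report: VulnReport) -> None:
        self.reports.append(report)

    def execute(self, instruction: str) -> Optional[float]:
        return self.ack_delay_s   # constructed: ack delay in seconds, None = no response


# Constructed stand-in for a CVE/CNNVD lookup: library -> protective action.
KNOWN_LIBRARY_ISSUES = {"example-json-1.0": "upgrade example-json to a patched release"}
# Constructed stand-in for layered information-management data: attack -> action.
ATTACK_DECISIONS = {"sqli": "enforce parameterised queries on the affected endpoint",
                    "deserialization": "deny deserialization of untrusted input"}


class CentralDomain:
    def __init__(self, timeout_s: float) -> None:
        self.timeout_s = timeout_s   # preset time length for the local domain to respond

    def decide(self, gathered: List[VulnReport]) -> Dict[str, List[str]]:
        """Step 306: library database first, attack mapping second, else escalate."""
        decisions: Dict[str, List[str]] = {}
        for r in gathered:
            action = (KNOWN_LIBRARY_ISSUES.get(r.library or "")
                      or ATTACK_DECISIONS.get(r.vuln_type, "escalate to security officer"))
            decisions.setdefault(r.app, []).append(action)
        return decisions

    def dispatch(self, local: LocalRaspServer, app_domains: Dict[str, List[str]],
                 decisions: Dict[str, List[str]]) -> Dict[tuple, str]:
        """Steps 307-308: instruct the local domain; no ack within the timeout means
        the central domain controls the application domain directly."""
        outcome: Dict[tuple, str] = {}
        for app, actions in decisions.items():
            for action in actions:
                delay = local.execute(action)
                if delay is not None and delay <= self.timeout_s:
                    outcome[(app, action)] = "local"
                else:
                    app_domains[app].append(action)
                    outcome[(app, action)] = "application-direct"
        return outcome


def run_linkage(reports, gateway, local, central):
    """End to end: probe -> adapter/gateway -> local RASP server -> central -> execution."""
    verdicts, app_domains = {}, {r.app: [] for r in reports}
    for r in reports:
        verdicts[(r.app, r.vuln_type)] = gateway.handle(r)
        if verdicts[(r.app, r.vuln_type)] == "respond":
            local.collect(r)              # only forwarded reports reach the local domain
    decisions = central.decide(local.reports)   # step 305 hands the gathered info upward
    return verdicts, decisions, central.dispatch(local, app_domains, decisions), app_domains


SAMPLE_REPORTS = [   # constructed probe output
    VulnReport("order-svc", "sqli"),
    VulnReport("order-svc", "deserialization", library="example-json-1.0"),
    VulnReport("report-svc", "path-traversal"),
]
GATEWAY = Gateway(whitelist={"sqli"}, blacklist={"path-traversal"})
```

Running `run_linkage` with a `LocalRaspServer(ack_delay_s=None)` shows the step-308 path: every decision is appended to the application domain's own list because the local domain never acknowledges.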
Fig. 5 shows an electronic device according to a fourth embodiment of the present application. The electronic device may be used to implement the three-level cross-domain security protection method of the foregoing embodiments, and mainly includes:
a memory 501, a processor 502 and a computer program 503 that is stored on the memory 501 and executable on the processor 502, the memory 501 and the processor 502 being communicatively connected. The processor 502 executes the computer program 503 to implement the three-level cross-domain security protection method of the foregoing embodiments. The number of processors may be one or more.
The memory 501 may be a high-speed random access memory (RAM) or a non-volatile memory, such as a disk memory. The memory 501 is used for storing executable program code, and the processor 502 is coupled to the memory 501.
Further, an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium may be provided in the electronic device in the foregoing embodiments, and the computer-readable storage medium may be the memory in the foregoing embodiment shown in fig. 5.
The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the three-level cross-domain security protection method in the foregoing embodiments. Further, the computer-readable storage medium may be various media that can store program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk, or an optical disk.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer-readable storage medium. On this understanding, the technical solutions of the present application, or the portions of them that contribute to the prior art, may be embodied in the form of a software product stored in a readable storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the methods according to the embodiments of the present application. The aforementioned readable storage medium includes a USB flash disk, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, and other media capable of storing program code.
It should be noted that, for simplicity of description, the above method embodiments are described as a series of combined acts, but those skilled in the art will appreciate that the present application is not limited by the order of the acts, as some steps may, in accordance with the present application, occur in other orders and/or concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by this application.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the above description of the three-level cross-domain security protection method, apparatus, device and readable storage medium provided by the present application, for those skilled in the art, there may be variations in the specific implementation and application scope according to the ideas of the embodiments of the present application, and in summary, the contents of the present specification should not be construed as limiting the present application.

Claims (10)

1. A three-level cross-domain security protection method, characterized by comprising the following steps:
dividing a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode, and loading a security probe in the application domain; the local domain is a sub-domain of the central domain, and the application domain is a sub-domain of the local domain;
when the security probe detects security vulnerability information, controlling the RASP adapter to interact with a gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
sending the security vulnerability information gathered by the RASP server to the central domain;
and executing a corresponding security protection decision according to the security protection instruction issued by the central domain.
2. The three-level cross-domain security protection method according to claim 1, wherein after the step of loading the security probe in the application domain, the method further comprises:
controlling the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program;
if the security level of the application program is higher than a preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction individually to the corresponding security probe;
and if the security level of the application program is lower than or equal to the preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction to the plurality of corresponding security probes.
3. The three-level cross-domain security protection method according to claim 1, wherein before the step of controlling the RASP adapter to interact with the gateway, the method further comprises:
uploading the security vulnerability information to a Portal end of the application domain; the Portal end is the application terminal with which an application security officer monitors the security probe;
and according to a security instruction sent by the Portal end for the security vulnerability information, carrying out security protection of the security vulnerability corresponding to the security vulnerability information.
4. The method of claim 1, wherein the step of controlling the RASP adapter to interact with a gateway comprises:
when the RASP adapter acquires the security vulnerability information, controlling the RASP adapter to access security configuration information corresponding to the security vulnerability information; wherein the security configuration information comprises: a security vulnerability white list and a security vulnerability blacklist;
if a first security vulnerability corresponding to the security vulnerability white list exists in the security vulnerability information, controlling the gateway to respond to an access request containing the first security vulnerability in the RASP adapter;
and if a second security vulnerability corresponding to the security vulnerability blacklist exists in the security vulnerability information, controlling the gateway to intercept an access request containing the second security vulnerability in the RASP adapter.
5. The three-level cross-domain security protection method according to claim 1, wherein the step of executing the corresponding security protection decision according to the security protection instruction issued by the central domain comprises:
determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain; wherein the security protection data comprises application management data and server management data;
and after receiving the security protection instruction corresponding to the security protection decision from the central domain, controlling the local domain to execute the security protection decision.
6. The three-level cross-domain security protection method according to claim 5, wherein the step of determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain comprises:
summarizing and analyzing the security vulnerability information of the application domain and the local domain;
determining potential security vulnerabilities of a third-party library according to the analysis results, and determining security protection decisions corresponding to the potential security vulnerabilities through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases;
or determining the security attack corresponding to the security vulnerability information according to the security vulnerability information and the information management data of different layers, and generating a security protection decision corresponding to the security attack.
7. The three-level cross-domain security protection method according to claim 5, wherein after the step of controlling the local domain to execute the security protection decision after receiving the security protection instruction corresponding to the security protection decision from the central domain, the method further comprises:
after the security protection instruction is issued, detecting whether the local domain responds to the security protection instruction within a preset time length;
and if the local domain does not respond to the security protection instruction, directly controlling the application domain to execute the security protection decision according to the security protection instruction.
8. A three-level cross-domain security protection device, characterized by comprising:
a dividing module, configured to divide a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode and to load a security probe in the application domain; the local domain is a sub-domain of the central domain, and the application domain is a sub-domain of the local domain;
an interaction module, configured to control the RASP adapter to interact with the gateway when the security probe detects security vulnerability information, and to send the security vulnerability information to the RASP server of the local domain through the gateway;
a sending module, configured to send the security vulnerability information gathered by the RASP server to the central domain;
and an execution module, configured to execute a corresponding security protection decision according to the security protection instruction issued by the central domain.
9. An electronic device comprising a memory and a processor, wherein:
the processor is configured to execute a computer program stored on the memory;
the processor, when executing the computer program, performs the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202210907667.4A 2022-07-29 2022-07-29 Three-level cross-domain security protection method, device, equipment and readable storage medium Pending CN115442072A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210907667.4A CN115442072A (en) 2022-07-29 2022-07-29 Three-level cross-domain security protection method, device, equipment and readable storage medium


Publications (1)

Publication Number Publication Date
CN115442072A true CN115442072A (en) 2022-12-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination