CN115442072A - Three-level cross-domain security protection method, device, equipment and readable storage medium - Google Patents
- Publication number: CN115442072A (application CN202210907667.4A)
- Authority: CN (China)
- Prior art keywords: security, domain, protection, rasp, application
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H04L63/00—Network architectures or network communication protocols for network security (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication)
- H04L63/02—Separating internal from external traffic, e.g. firewalls; H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/14—Detecting or protecting against malicious traffic; H04L63/1433—Vulnerability analysis
- H04L63/20—Managing network security; network security policies in general; H04L63/205—Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a three-level cross-domain security protection method, device, equipment and readable storage medium. A central domain, a local domain and an application domain are divided within a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain. When the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway, and the security vulnerability information is sent through the gateway to the RASP server of the local domain; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, the security probe of the application domain transmits security vulnerability information to the local domain; after the local domain has handled the vulnerability, it aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision. Effective real-time, multi-region linked security protection is thus carried out through the ternary management mode, and blind spots in protection against security attacks are removed at the root.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for three-level cross-domain security protection.
Background
Today's web application security protection is basically based on a single security detection method or technology, such as DAST (dynamic application security testing), SAST (static application security testing) and IAST (interactive application security testing). These have disadvantages: they apply only to the testing and development stages of a web application, so no real-time protection can be performed on the application in production; and some methods, such as SAST, also require the product's source code, so confidentiality of code that is intellectual property becomes a problem.
Current patents based on RASP (Runtime Application Self-Protection) basically combine the rule matching of a WAF (web application firewall) with hardware, for example a RASP-based firewall. Most of these technologies rely on a hardware combination and analyze network traffic; they do not really reach the code level of the application, the sources of security vulnerability information are simplified, the security of the web application cannot be comprehensively and promptly protected, the security protection rules are single, and the capability to change flexibly is lacking.
Disclosure of Invention
The embodiment of the application provides a three-level cross-domain security protection method, a three-level cross-domain security protection device, equipment and a readable storage medium, and at least solves the problem that real-time large-scale linkage security attack protection cannot be performed in related technologies.
A first aspect of the embodiments of the present application provides a three-level cross-domain security protection method, including:
dividing a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode, and loading a security probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain;
when the security probe detects security vulnerability information, controlling the RASP adapter to interact with a gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
sending the security vulnerability information gathered by the RASP server to the central domain;
and executing a corresponding security protection decision according to the security protection instruction issued by the central domain.
A second aspect of the embodiments of the present application provides a three-level cross-domain security protection device, including:
a dividing module, an interaction module, a sending module and an execution module, wherein the dividing module is used for dividing a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode and loading a security probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain;
the interaction module is used for controlling the RASP adapter to interact with the gateway when the security probe detects the security vulnerability information, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
the sending module is used for sending the security vulnerability information summarized by the RASP server to the central domain;
and the execution module is used for executing a corresponding security protection decision according to the security protection instruction issued by the central domain.
A third aspect of the present embodiment provides an electronic device comprising a memory and a processor, wherein the processor is configured to execute a computer program stored in the memory, and when the processor executes the computer program, the steps of the three-level cross-domain security protection method provided in the first aspect of the present embodiment are performed.
A fourth aspect of the present embodiment provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the three-level cross-domain security protection method provided in the first aspect of the present embodiment.
As can be seen from the above, according to the three-level cross-domain security protection method, apparatus, device and readable storage medium provided in the present application, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain; when the security probe detects security vulnerability information, the RASP adapter is controlled to interact with a gateway and the security vulnerability information is sent to the RASP server of the local domain through the gateway; the security vulnerability information summarized by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, when the security probe of the application domain detects a security vulnerability, it transmits the vulnerability information to the local domain through the gateway; after handling the vulnerability, the local domain aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision according to the aggregated information. Effective real-time, multi-region linked security protection is thus carried out through the ternary management mode, and blind spots in protection against security attacks are removed at the root.
Drawings
Fig. 1 is a basic flowchart of a three-level cross-domain security protection method according to a first embodiment of the present application;
Fig. 2 is a schematic diagram of a three-level regional security protection system according to a first embodiment of the present application;
Fig. 3 is a detailed flowchart of a three-level cross-domain security protection method according to a second embodiment of the present application;
Fig. 4 is a schematic block diagram illustrating program modules of a three-level cross-domain security protection apparatus according to a third embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problem that real-time large-scale linked protection against security attacks cannot be performed in the related art, a first embodiment of the present application provides a three-level cross-domain security protection method. Fig. 1 is a basic flowchart of the three-level cross-domain security protection method provided in this embodiment, which includes the following steps:
Step 101, dividing a central domain, a local domain and an application domain in a preset security protection region based on a ternary management mode, and loading a security probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain.
Specifically, the ternary management mode comprises a central security officer, a domain-level security officer and an application security officer. It should be noted that the three-level cross-domain model can be used as a global model, or as a basic unit that is expanded according to service requirements. The preset security protection region can be understood as a company that develops network security products together with its customer companies: the central domain may then be a network security supervision department, the local domain a customer company, and the application domain each department of the customer company. It may also be understood as dividing a central domain, a local domain and an application domain within a local or wide area network. Fig. 2 is a schematic diagram of the three-level regional security protection system provided in this embodiment. Combining an RASP distributed structure with the ternary management mode, the whole system is divided into a central domain, a local domain and an application domain. The central domain corresponds to the region where the central security officer is located, that is, the highest region of the protection unit; there is generally only one, and it is named the L1 layer here. The local domain corresponds to the region where the domain-level security officer is located; there may be 1 to N local domains (N ≥ 1), named the L2 layer. The application domain corresponds to the region where the application security officer is located; there may be 1 to N application domains (N ≥ 1), named the L3 layer. After deployment is completed, the web container in the application domain is loaded with the security probe, and real-time communication then takes place between the RASP adapter and the probe.
In an optional implementation of this embodiment, after the step of loading the security probe in the application domain, the method further includes: controlling the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program; if the security level of the application program is higher than a preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction to the corresponding security probe individually; and if the security level of the application program is lower than or equal to the preset security level threshold, controlling the RASP adapter to send the security detection rule and the corresponding configuration instruction to the plurality of corresponding security probes.
Specifically, in this embodiment, the RASP adapter is controlled to select the security detection rule and the corresponding configuration instruction according to the security level of the application program, where the security level may be understood as risk tolerance. For example, the financial department of a company has a high importance level; if it is compromised through a security vulnerability, a huge loss may result, so its tolerance is low and the corresponding security detection rules need to be relatively strict. A technical department, by contrast, deals with security attack events as its job and sometimes needs to let the detection of certain security vulnerabilities pass according to business requirements, so its tolerance is high and its security detection rules are relatively relaxed compared with other departments. In addition, the configuration instruction includes, but is not limited to, the communication mode between the RASP adapter and the security probe: if the security level of the application program is higher than the preset security level threshold, the RASP adapter and the corresponding security probe are controlled to communicate one-to-one in real time; and if the security level of the application program is lower than or equal to the preset security level threshold, the RASP adapter and the corresponding security probes are controlled to communicate one-to-many in real time. Flexibly controlling the communication mode between the RASP adapter and the security probes helps improve their communication efficiency and reduces unnecessary waste of resources.
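The rule selection and communication-mode choice just described, as an added example that is not code from the patent: the 1..5 level scale, the threshold value, the rule names and the Probe/RaspAdapter classes are assumptions made here for illustration.

```python
"""Added example, not from the patent: a RASP adapter choosing a detection
rule set and a probe communication mode from each application's security
level, as the optional implementation above describes. The 1..5 level
scale, the threshold, the rule names and the class names are assumptions."""
from dataclasses import dataclass, field

SECURITY_LEVEL_THRESHOLD = 3   # assumed preset security level threshold

# Assumed rule sets. Action per vulnerability type: block, report, or log.
STRICT_RULES = {"sqli": "block", "rce": "block", "path_traversal": "block", "xss": "block"}
RELAXED_RULES = {"sqli": "block", "rce": "block", "path_traversal": "report", "xss": "log"}


@dataclass
class Probe:
    """Security probe loaded into one application's web container."""
    app: str
    security_level: int
    rules: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)

    def configure(self, rules, config):
        self.rules = dict(rules)
        self.config = dict(config)


def select_rules_and_config(security_level):
    """Strict rules and a dedicated channel above the threshold; relaxed
    rules and a shared channel at or below it (the boundary case is
    deliberately 'lower than or equal', as in the text)."""
    if security_level > SECURITY_LEVEL_THRESHOLD:
        return STRICT_RULES, {"comm_mode": "one-to-one"}
    return RELAXED_RULES, {"comm_mode": "one-to-many"}


class RaspAdapter:
    """Adapter of one application domain, holding its registered probes."""

    def __init__(self):
        self.probes = []

    def register(self, probe):
        self.probes.append(probe)

    def dispatch(self):
        """Push rules and configuration to every probe and return the
        messages that were sent: one per high-level probe (one-to-one),
        and a single shared message for all the others (one-to-many)."""
        messages, shared = [], []
        for probe in self.probes:
            rules, config = select_rules_and_config(probe.security_level)
            probe.configure(rules, config)
            if config["comm_mode"] == "one-to-one":
                messages.append({"mode": "one-to-one", "targets": [probe.app]})
            else:
                shared.append(probe.app)
        if shared:
            messages.append({"mode": "one-to-many", "targets": shared})
        return messages
```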
Step 102, when the security probe detects security vulnerability information, controlling the RASP adapter to interact with the gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway.
Specifically, in this embodiment, the gateway (GateWay) often serves only to relay information. As shown in Fig. 2, when the security probe detects security vulnerability information, the RASP adapter first interacts with the gateway, determines which security vulnerabilities in the information the gateway may release and which need to be protected against, and sends the security vulnerability information to the RASP server in the local domain through the gateway.
In an optional implementation of this embodiment, before the step of controlling the RASP adapter to interact with the gateway, the method further includes: uploading the security vulnerability information to the Portal end of the application domain, the Portal end being the application terminal with which the application security officer monitors the security probe; and carrying out a security protection operation on the security vulnerability corresponding to the security vulnerability information according to the security instruction sent by the Portal end for that information.
Specifically, in this embodiment, the Portal end is the application terminal with which the application security officer monitors the security probe. The application security officer can monitor the probe in real time within the application domain, and the security information on the probe side is synchronized to the Portal end in real time. Through the Portal end, the application security officer can send the probe the security vulnerability information that is to be protected against, and can choose to protect security vulnerabilities at different levels, including but not limited to attack blocking, attack reporting and log writing. The probe then acts precisely on the security vulnerability in the web container according to the instruction sent by the Portal end and reports the security vulnerability information to the Portal end in real time according to the user's choice of attack blocking, attack reporting or log writing, and the real-time situation of the attack event is displayed on the background server side.
It should be noted that the security protection of this embodiment includes, at this stage, a first security protection according to the security vulnerability information specified by the application security officer, a second security protection according to the security configuration of the gateway for the security vulnerability information, and a third security protection according to the security protection decision issued by the central domain.
In an optional implementation of this embodiment, the step of controlling the RASP adapter to interact with the gateway includes: when the RASP adapter acquires the security vulnerability information, controlling the RASP adapter to access the security configuration information of the gateway corresponding to the security vulnerability information, wherein the security configuration information includes a security vulnerability white list and a security vulnerability black list; if a first security vulnerability that appears on the security vulnerability white list exists in the security vulnerability information, controlling the gateway to respond to the access request from the RASP adapter that contains the first security vulnerability; and if a second security vulnerability that appears on the security vulnerability black list exists in the security vulnerability information, controlling the gateway to intercept the access request from the RASP adapter that contains the second security vulnerability.
Specifically, in this embodiment, the gateway holds security configuration information corresponding to the security vulnerability information, including but not limited to a security vulnerability white list and a security vulnerability black list. The white list is the set of security vulnerabilities that are allowed to be accessed according to service requirements, and the black list is the known set of security vulnerabilities that pose a potential security hazard to the client application program. When the RASP adapter acquires the security vulnerability information, it is controlled to access the security configuration of the gateway: if a first security vulnerability on the white list exists in the security vulnerability information, the access request containing the first security vulnerability is allowed; and if a second security vulnerability on the black list exists in the security vulnerability information, the access request containing the second security vulnerability is denied. The real-time interaction between the RASP adapter and the gateway improves the efficiency of security vulnerability detection.
Step 103, sending the security vulnerability information summarized by the RASP server to the central domain.
Specifically, in this embodiment, after receiving the security vulnerability information sent by the application domain, the RASP server in the local domain collects the security vulnerability information and presents the collected security vulnerability information to the domain-level security officer in the local domain, and the domain-level security officer may issue the security rules or perform the related instruction operation according to the related service requirements.
Step 104, executing a corresponding security protection decision according to the security protection instruction issued by the central domain.
Specifically, in this embodiment, the central domain is the highest execution region of the present invention. Whether it is an application domain or a local domain, after performing security protection against a security vulnerability it must upload the security protection data to the central domain; the central security officer analyzes the security vulnerability information and the security protection data and issues a corresponding security protection instruction, and the application domain and the local domain execute the security protection decision according to that instruction.
In an optional implementation of this embodiment, the step of executing a corresponding security protection decision according to the security protection instruction issued by the central domain includes: determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, wherein the security protection data comprises application management data and server management data; and after receiving the security protection instruction sent by the central domain that corresponds to the security protection decision, controlling the local domain to execute the security protection decision.
Specifically, in this embodiment, the L1-layer central domain collects the L2-layer local domain's protection data, including but not limited to security attack events, application management and server management. For each aspect of the security protection data, a corresponding security protection decision exists in the central domain; the central security officer may issue a corresponding security protection instruction according to the security vulnerability and the specific content of the security protection decision, and after receiving the security protection instruction corresponding to the decision issued by the central domain, the local domain is controlled to execute the security protection decision.
In an optional implementation of this embodiment, the step of determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain includes: summarizing and analyzing the security vulnerability information of the application domain and the local domain; determining potential security vulnerabilities of third-party libraries according to the analysis result, and determining the security protection decisions corresponding to the potential security vulnerabilities through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases; or determining the security attack corresponding to the security vulnerability information according to the security vulnerability information and the information management data of different layers, and generating a security protection decision corresponding to the security attack.
Specifically, in this embodiment, on the application management side, the L1 layer can summarize all security attack information, including that of the L2 and L3 layers, and can decide on potential security attacks such as CVE and CNNVD entries against third-party libraries; on the server management side, which specifically includes management of the server name, IP address, web container, recent active time and other information, the security attack corresponding to the security vulnerability information is determined, so that real-time protection against the security attack can be carried out effectively.
In an optional implementation of this embodiment, after the step of controlling the local domain to execute the security protection decision upon receiving the security protection instruction issued by the central domain that corresponds to the decision, the method further includes: after the security protection instruction is issued, detecting whether the local domain responds to it within a preset time length; and if the local domain does not respond to the security protection instruction, directly controlling the application domain to execute the security protection decision according to the security protection instruction.
Specifically, in this embodiment, the security protection decision is made under the direction of the central security officer and includes issuing the data aggregation and the related security policy of the local domain. The relationship between the central domain and the local domains is 1 to N, and the final decision is made by the central domain. If, after the central domain has notified the local domain, the related security protection has not taken effect within the preset time length, the central domain can bypass the local domain and carry out the related security attack protection operation directly on the application domain.
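Steps 102 to 104 and their optional forms, as one added end-to-end model that is not code from the patent: the gateway's white and black lists, the local-domain aggregation, the central-domain decision and the timeout fallback to the application domain are all constructed here, and the class and field names are assumptions.

```python
"""Added example, not from the patent: a toy model of steps 102 to 104 with
the gateway's vulnerability white/black lists, the local-domain RASP server
aggregating findings, the central-domain decision and the timeout fallback to
the application domain. Lists, finding records, class and field names are
constructed assumptions for illustration."""
import time
from collections import Counter

# Constructed gateway security configuration (the optional form of step 102).
VULN_WHITELIST = {"weak-cipher-legacy-endpoint"}    # released per business need
VULN_BLACKLIST = {"sqli", "rce", "path_traversal"}   # known hazards, intercepted


def gateway_filter(findings):
    """Split probe findings into (released, intercepted, forwarded).
    Whitelisted findings are released and blacklisted ones intercepted at the
    gateway; every finding is still forwarded to the local-domain RASP server
    so the domain-level security officer sees the full picture."""
    released = [f for f in findings if f["vuln"] in VULN_WHITELIST]
    intercepted = [f for f in findings if f["vuln"] in VULN_BLACKLIST]
    return released, intercepted, list(findings)


class LocalRaspServer:
    """Local domain (L2): collects findings from its application domains."""

    def __init__(self, name, responsive=True):
        self.name = name
        self.responsive = responsive  # False simulates a domain that never acts
        self.findings = []
        self.executed = []

    def receive(self, findings):
        self.findings.extend(findings)

    def summary(self):
        """Count findings per vulnerability type (step 103)."""
        return Counter(f["vuln"] for f in self.findings)

    def execute(self, instruction):
        if not self.responsive:
            return False
        self.executed.append(instruction)
        return True


class ApplicationDomain:
    """Application domain (L3): fallback target when L2 does not respond."""

    def __init__(self):
        self.executed = []

    def execute(self, instruction):
        self.executed.append(instruction)


def central_decide(summaries):
    """Central domain (L1): one block instruction per blacklisted vulnerability
    type in any local domain's summary (step 104)."""
    return [{"domain": domain, "vuln": vuln, "action": "block", "count": n}
            for domain, counts in summaries.items()
            for vuln, n in sorted(counts.items())
            if vuln in VULN_BLACKLIST]


def issue_with_fallback(instruction, local, app, timeout_s,
                        clock=time.monotonic, wait=time.sleep):
    """Issue an instruction to the local domain; if it has not executed it
    within timeout_s, apply the decision directly to the application domain."""
    deadline = clock() + timeout_s
    while clock() < deadline:
        if local.execute(instruction):
            return "local"
        wait(0.005)
    app.execute(instruction)
    return "application"


def run_scenario(responsive):
    """Probe findings -> gateway -> L2 summary -> L1 decision -> execution."""
    findings = [  # constructed findings reported by one application's probe
        {"app": "finance-web", "vuln": "sqli", "path": "/login"},
        {"app": "finance-web", "vuln": "sqli", "path": "/report"},
        {"app": "finance-web", "vuln": "weak-cipher-legacy-endpoint", "path": "/legacy"},
        {"app": "finance-web", "vuln": "path_traversal", "path": "/files"},
    ]
    released, intercepted, forwarded = gateway_filter(findings)
    local = LocalRaspServer("user-company", responsive=responsive)
    local.receive(forwarded)
    decisions = central_decide({local.name: local.summary()})
    app = ApplicationDomain()
    routes = [issue_with_fallback(d, local, app, timeout_s=0.05) for d in decisions]
    return {"released": len(released), "intercepted": len(intercepted),
            "decisions": decisions, "routes": routes,
            "local_executed": len(local.executed), "app_executed": len(app.executed)}
```

Run `run_scenario(True)` for a responsive local domain and `run_scenario(False)` to see the central domain fall back to the application domain after the timeout.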
Based on the scheme of the embodiment of the application, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain; the application domain is a sub-domain of the local domain; when the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway and the security vulnerability information is sent to the RASP server of the local domain through the gateway; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. With this scheme, when the security probe of the application domain detects a security vulnerability, it transmits the vulnerability information to the local domain through the gateway; after handling the vulnerability, the local domain aggregates the vulnerability information and sends it to the central domain, which issues the corresponding security protection decision according to the aggregated information. Effective real-time, multi-region linked security protection is thus carried out through the ternary management mode, and blind spots in protection against security attacks are removed at the root.
Fig. 3 shows a refined three-level cross-domain security protection method provided in a second embodiment of the present application, which includes:
Specifically, in this embodiment, the local domain is a sub-domain of the central domain and the application domain is a sub-domain of the local domain; the central domain corresponds to the region where the central security officer is located, that is, the highest region of the protection unit; the local domain corresponds to the region where the domain-level security officer is located, and there may be 1 to N local domains (N ≥ 1); the application domain corresponds to the region where the application security officer is located, and there may likewise be 1 to N application domains (N ≥ 1).
Step 302, controlling the security probe to perform security vulnerability detection according to the security detection rule and the corresponding configuration instruction sent by the RASP adapter.
Step 303, when the security probe detects security vulnerability information, sending the security vulnerability information to the RASP adapter.
Step 304, triggering an interaction instruction when the RASP adapter receives the security vulnerability information, interacting with the gateway according to the interaction instruction, and after the interaction is completed, sending the security vulnerability information to the RASP server of the local domain through the gateway.
Step 305, sending the security vulnerability information summarized by the RASP server to the central domain.
Step 306, determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain.
Step 307, after receiving the security protection instruction issued by the central domain that corresponds to the security protection decision, controlling the local domain to execute the security protection decision.
Step 308, if the local domain does not respond to the security protection instruction, directly controlling the application domain to execute the security protection decision according to the security protection instruction.
According to the three-level cross-domain security protection method provided by the scheme of the application, the security probe is controlled to perform security vulnerability detection according to the security detection rule and the corresponding configuration instruction sent by the RASP adapter; when the security probe detects security vulnerability information, the security vulnerability information is sent to the RASP adapter; when the RASP adapter receives the security vulnerability information, an interaction instruction is triggered, information interaction with the gateway is performed according to the interaction instruction, and after the interaction is completed the security vulnerability information is sent through the gateway to the RASP server of the local domain; the security vulnerability information summarized by the RASP server is sent to the central domain; a corresponding security protection decision is determined according to the security vulnerability information and the security protection data of the local domain; after the security protection instruction corresponding to that decision is received from the central domain, the local domain is controlled to execute the decision; and if the local domain does not respond to the security protection instruction, the application domain is directly controlled to execute the security protection decision according to that instruction.
Through the implementation of this scheme, when the security probe of the application domain detects a security vulnerability, the vulnerability information is transmitted through the gateway to the local domain; after the local domain handles the vulnerability, it summarizes the vulnerability information and sends it to the central domain, and the central domain issues the corresponding security protection decision according to the gathered information. Effective real-time linked security protection across multiple regions is thus carried out through the ternary management mode, fundamentally eliminating the blind spots of protection against security attacks.
Fig. 4 is a third embodiment of a three-level cross-domain security device provided in this application, where the three-level cross-domain security device may be used to implement the three-level cross-domain security method in the foregoing embodiments. As shown in fig. 4, the three-level cross-domain security device mainly includes:
the dividing module 401 is configured to divide a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode, and load a safety probe in the application domain; the application domain is a sub-domain of the local domain;
the interaction module 402 is configured to control the RASP adapter to interact with the gateway when the security probe detects the security vulnerability information, and send the security vulnerability information to the RASP server in the local domain through the gateway;
a sending module 403, configured to send the security vulnerability information gathered by the RASP server to the central domain;
and the execution module 404 is configured to execute a corresponding security protection decision according to the security protection instruction issued by the central domain.
In an optional implementation manner of this embodiment, the three-level cross-domain security protection device further includes a selection module. The selection module is configured to control the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program. The sending module is further specifically configured to: if the security level of the application program is higher than a preset security level threshold, control the RASP adapter to independently send a security detection rule and a corresponding configuration instruction to the corresponding security probe; and if the security level of the application program is lower than or equal to the preset security level threshold, control the RASP adapter to send a security detection rule and a corresponding configuration instruction to the plurality of corresponding security probes.
In an optional implementation manner of this embodiment, the three-level cross-domain security protection device further includes an uploading module and a protection module. The uploading module is configured to upload the security vulnerability information to the Portal end of the application domain, where the Portal end is the application terminal through which the application security officer monitors the security probe. The protection module is configured to carry out security protection against the security vulnerability corresponding to the security vulnerability information according to a security instruction sent by the Portal end for that information.
In an optional implementation manner of this embodiment, the interaction module is specifically configured to: when the RASP adapter acquires the security vulnerability information, control the RASP adapter to access the security configuration information corresponding to the security vulnerability information, where the security configuration information includes a security vulnerability white list and a security vulnerability black list; if a first security vulnerability corresponding to the security vulnerability white list exists in the security vulnerability information, control the gateway to respond to the access request of the RASP adapter containing the first security vulnerability; and if a second security vulnerability corresponding to the security vulnerability black list exists in the security vulnerability information, control the gateway to intercept the access request of the RASP adapter containing the second security vulnerability.
In an optional implementation manner of this embodiment, the execution module is specifically configured to: determine a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, where the security protection data includes application management data and server management data; and, after receiving the security protection instruction corresponding to the security protection decision issued by the central domain, control the local domain to execute the security protection decision.
Further, in an optional implementation manner of this embodiment, when the execution module performs the function of determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain, it is specifically configured to: summarize and analyze the security vulnerability information of the application domain and the local domain; determine potential security vulnerabilities of third-party libraries according to the analysis result, and determine the security protection decision corresponding to each potential security vulnerability through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases; or determine the security attack corresponding to the security vulnerability information according to the security vulnerability information and the information management data of the different layers, and generate the security protection decision corresponding to that security attack.
Further, in another optional implementation manner of this embodiment, the three-level cross-domain security protection device further includes a judging module. The judging module is configured to detect, after a security protection instruction is issued, whether the local domain responds to the security protection instruction within a preset time length. The execution module is further specifically configured to: if the local domain does not respond to the security protection instruction, directly control the application domain to execute the security protection decision according to the security protection instruction.
According to the three-level cross-domain security protection device provided by the scheme of the application, a central domain, a local domain and an application domain are divided in a preset security protection region based on a ternary management mode, and a security probe is loaded in the application domain; the application domain is a sub-domain of the local domain. When the security probe detects security vulnerability information, the RASP adapter is controlled to interact with the gateway, and the security vulnerability information is sent through the gateway to the RASP server of the local domain; the security vulnerability information gathered by the RASP server is sent to the central domain; and a corresponding security protection decision is executed according to the security protection instruction issued by the central domain. Through the implementation of this scheme, when the security probe of the application domain detects a security vulnerability, the vulnerability information is transmitted through the gateway to the local domain; after the local domain handles the vulnerability, it summarizes the vulnerability information and sends it to the central domain, and the central domain issues the corresponding security protection decision according to the gathered information. Effective real-time linked security protection across multiple regions is thus carried out through the ternary management mode, fundamentally eliminating the blind spots of protection against security attacks.
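The escalation pipeline of steps 302 to 308 and the optional rule selection, gateway white/black list screening and timeout fallback of the device embodiment, as an added Python simulation that is not the patent's own code; class and field names, the simulated acknowledgement timing, the constructed vulnerability identifiers and the stand-in vulnerability database are all assumptions:

```python
"""Simulation of the three-level (central / local / application) RASP
escalation described above. Added illustration, not the patent's own code:
class and field names, the timeout model and sample data are assumptions."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # vulnerability identifier (constructed values below)
    component: str  # affected third-party library or application component
    severity: int   # 1 (low) .. 10 (critical)

# Constructed stand-in for the CVE / CNNVD lookup of step 306.
VULN_DB = {"CVE-0000-0001": "upgrade library; virtual-patch via RASP hook"}

def select_rules(app_security_level, threshold, probe_count):
    """RASP adapter rule selection (claim 2): above the threshold each probe
    gets its own rule set, otherwise one shared set is pushed to all probes."""
    if app_security_level > threshold:
        return [f"rule-set-{i}" for i in range(probe_count)]
    return ["rule-set-shared"] * probe_count

@dataclass
class Gateway:
    """Screens adapter requests against the security configuration (claim 4)."""
    whitelist: set
    blacklist: set

    def screen(self, vulns):
        forwarded = [v for v in vulns if v.vuln_id in self.whitelist]
        intercepted = [v for v in vulns if v.vuln_id in self.blacklist]
        # Ids on neither list are held for triage (assumption: the page does
        # not say how the gateway treats them).
        held = [v for v in vulns
                if v.vuln_id not in self.whitelist | self.blacklist]
        return forwarded, intercepted, held

@dataclass
class Domain:
    """Local or application domain; ack_delay is the simulated time (s) the
    domain takes to respond to a central-domain instruction."""
    ack_delay: float = 0.0
    mgmt_data: dict = field(default_factory=dict)  # app/server management data
    gathered: list = field(default_factory=list)   # RASP server aggregation
    executed: list = field(default_factory=list)

def decide(vulns, mgmt_data):
    """Step 306: known third-party-library issues resolve via the vulnerability
    database; other findings map to a response using local management data."""
    critical = mgmt_data.get("critical_severity", 8)
    decisions = {}
    for v in vulns:
        if v.vuln_id in VULN_DB:
            decisions[v.vuln_id] = VULN_DB[v.vuln_id]
        elif v.severity >= critical:
            decisions[v.vuln_id] = f"isolate {v.component}"
        else:
            decisions[v.vuln_id] = f"monitor {v.component}"
    return decisions

def escalate(vulns, gateway, local, app, ack_timeout):
    """Run steps 304-308 once; report which domain carried out the instruction."""
    forwarded, intercepted, held = gateway.screen(vulns)  # step 304
    local.gathered.extend(forwarded)                      # step 305
    decisions = decide(local.gathered, local.mgmt_data)   # step 306
    instruction = {"action": "protect", "decisions": decisions}
    if local.ack_delay <= ack_timeout:                    # step 307
        local.executed.append(instruction)
        executor = "local"
    else:                                                 # step 308 fallback
        app.executed.append(instruction)
        executor = "application"
    return {"executor": executor, "decisions": decisions,
            "intercepted": [v.vuln_id for v in intercepted],
            "held": [v.vuln_id for v in held]}

# Constructed sample findings and gateway configuration.
SAMPLE = [
    Vuln("CVE-0000-0001", "libxml-shim", 7),     # known in the stand-in DB
    Vuln("CVE-0000-0002", "upload-handler", 9),  # unknown, critical
    Vuln("CVE-0000-0003", "legacy-plugin", 5),   # blacklisted at the gateway
]
GATEWAY = Gateway(whitelist={"CVE-0000-0001", "CVE-0000-0002"},
                  blacklist={"CVE-0000-0003"})

def demo(local_ack_delay):
    """One escalation round; a silent local domain triggers the step 308 path."""
    local = Domain(ack_delay=local_ack_delay, mgmt_data={"critical_severity": 8})
    return escalate(SAMPLE, GATEWAY, local, Domain(), ack_timeout=2.0)
```

Calling `demo(0.5)` has the local domain execute the instruction, while `demo(5.0)` exceeds the 2 s acknowledgement window and the application domain executes it directly.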
Fig. 5 is an electronic device according to a fourth embodiment of the present application. The electronic device may be used to implement the three-level cross-domain security protection method in the foregoing embodiment, and mainly includes:
a memory 501, a processor 502 and a computer program 503 stored on the memory 501 and executable on the processor 502, the memory 501 and the processor 502 being communicatively connected. The processor 502 executes the computer program 503 to implement the three-level cross-domain security protection method in the foregoing embodiment. Wherein the number of processors may be one or more.
The memory 501 may be a high-speed random access memory (RAM) or a non-volatile memory, such as a disk memory. The memory 501 is used for storing executable program code, and the processor 502 is coupled to the memory 501.
Further, an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium may be provided in the electronic device in the foregoing embodiments, and the computer-readable storage medium may be the memory in the foregoing embodiment shown in fig. 5.
The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the three-level cross-domain security protection method in the foregoing embodiments. Further, the computer-readable storage medium may be various media that can store program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk, or an optical disk.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, or the portions thereof that contribute to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a readable storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the methods according to the embodiments of the present application. The aforementioned readable storage medium includes: a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk, and various other media capable of storing program code.
It should be noted that for simplicity and convenience of description, the above-described method embodiments are described as a series of combinations of acts, but those skilled in the art will appreciate that the present application is not limited by the order of acts, as some steps may, in accordance with the present application, occur in other orders and/or concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the above description of the three-level cross-domain security protection method, apparatus, device and readable storage medium provided by the present application, for those skilled in the art, there may be variations in the specific implementation and application scope according to the ideas of the embodiments of the present application, and in summary, the contents of the present specification should not be construed as limiting the present application.
Claims (10)
1. A three-level cross-domain security protection method is characterized by comprising the following steps:
dividing a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode, and loading a safety probe in the application domain; the local domain is a sub-domain of the central domain, and the application domain is a sub-domain of the local domain;
when the security probe detects security vulnerability information, controlling the RASP adapter to interact with a gateway, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
sending the security vulnerability information gathered by the RASP server to the central domain;
and executing a corresponding security protection decision according to the security protection instruction issued by the central domain.
2. The method of three-level cross-domain security protection according to claim 1, wherein after the step of loading the security probe in the application domain, the method further comprises:
controlling the RASP adapter to select a security detection rule and a corresponding configuration instruction according to the security level of the application program;
if the security level of the application program is higher than a preset security level threshold, controlling the RASP adapter to independently send a security detection rule and a corresponding configuration instruction to the corresponding security probe;
and if the security level of the application program is lower than or equal to a preset security level threshold, controlling the RASP adapter to send a security detection rule and a corresponding configuration instruction to the plurality of corresponding security probes.
3. The method for three-level cross-domain security protection according to claim 1, wherein before the step of controlling the RASP adapter to interact with the gateway, the method further comprises:
uploading the security vulnerability information to a Portal end of the application domain; the Portal terminal is an application terminal for monitoring the safety probe by an application security officer;
and according to a safety instruction sent by the Portal end aiming at the safety loophole information, carrying out safety protection on the safety loophole corresponding to the safety loophole information.
4. The method of claim 1, wherein the step of controlling the RASP adapter to interact with a gateway comprises:
when the RASP adapter acquires the security vulnerability information, controlling the RASP adapter to access security configuration information corresponding to the security vulnerability information; wherein the security configuration information comprises: a security vulnerability white list and a security vulnerability blacklist;
if a first security vulnerability corresponding to the security vulnerability white list exists in the security vulnerability information, controlling the gateway to respond to an access request containing the first security vulnerability in the RASP adapter;
and if a second security vulnerability corresponding to the security vulnerability blacklist exists in the security vulnerability information, controlling the gateway to intercept an access request containing the second security vulnerability in the RASP adapter.
5. The three-level cross-domain security protection method according to claim 1, wherein the step of executing the corresponding security decision according to the security instruction issued by the central domain comprises:
determining a corresponding security protection decision according to the security vulnerability information and the security protection data of the local domain; wherein the safety protection data comprises: application management data and server management data;
and after receiving the safety protection instruction which is sent by the central domain and corresponds to the safety protection decision, controlling the local domain to execute the safety protection decision.
6. The three-level cross-domain security protection method according to claim 5, wherein the step of determining a corresponding security decision according to the security vulnerability information and the security protection data of the local domain comprises:
summarizing and analyzing the security vulnerability information of the application domain and the local domain;
determining potential security vulnerabilities of a third-party library according to the analysis results, and determining security protection decisions corresponding to the potential security vulnerabilities through the CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security) security vulnerability databases;
or determining the security attack corresponding to the security vulnerability information according to the security vulnerability information and information management data of different layers, and generating a security protection decision corresponding to the security attack.
7. The method according to claim 5, wherein after the step of controlling the local domain to execute the security protection decision after receiving the security protection command issued by the central domain corresponding to the security protection decision, the method further comprises:
after the safety protection instruction is issued, detecting whether the local domain responds to the safety protection instruction or not within a preset time length;
and if the local domain does not respond to the safety protection instruction, directly controlling the application domain to execute the safety protection decision according to the safety protection instruction.
8. A three-level cross-domain safety protection device is characterized by comprising:
the system comprises a dividing module, a judging module and a processing module, wherein the dividing module is used for dividing a central domain, a local domain and an application domain in a preset safety protection region based on a ternary management mode and loading a safety probe in the application domain; the local domain is a sub-region of the central domain, and the application domain is a sub-region of the local domain;
the interaction module is used for controlling the RASP adapter to interact with the gateway when the security probe detects security vulnerability information, and sending the security vulnerability information to the RASP server of the local domain through the gateway;
the sending module is used for sending the security vulnerability information gathered by the RASP server to the central domain;
and the execution module is used for executing a corresponding safety protection decision according to the safety protection instruction issued by the central domain.
9. An electronic device comprising a memory and a processor, wherein:
the processor is configured to execute a computer program stored on the memory;
the processor, when executing the computer program, performs the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210907667.4A CN115442072A (en) | 2022-07-29 | 2022-07-29 | Three-level cross-domain security protection method, device, equipment and readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115442072A true CN115442072A (en) | 2022-12-06 |
Family
ID=84242309
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210907667.4A Pending CN115442072A (en) | 2022-07-29 | 2022-07-29 | Three-level cross-domain security protection method, device, equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115442072A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180225230A1 (en) * | 2015-09-15 | 2018-08-09 | Gatekeeper Ltd. | System and method for securely connecting to a peripheral device |
CN114091039A (en) * | 2021-12-07 | 2022-02-25 | 何成刚 | Attack protection system and application equipment based on RASP |
CN114760089A (en) * | 2022-02-23 | 2022-07-15 | 深圳开源互联网安全技术有限公司 | Safety protection method and device for web server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination |