CN115733902A - Network security product interconnection and intercommunication method, data analysis platform and related product - Google Patents

Info

Publication number: CN115733902A
Application number: CN202211457490.9A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 严冬, 陈静相
Current assignee / original assignee: Neusoft Corp
Prior art keywords: data, target, network security, function, security

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The application discloses a network security product interconnection and intercommunication method, a data analysis platform and related products. The method parses data from a plurality of network security products, then divides the parsed data into the corresponding data dictionaries according to data type and field. The fields contained in each data dictionary have a mapping relation with security functions. Finally, the association relation between the parsed data and the security functions is constructed through the data dictionaries and the mapping relation. The technical scheme of the application thus aggregates data to functions, strengthens the close relation between data and functions, and decouples the data from the network security product that produced it, thereby achieving interconnection and intercommunication between different network security products.

Description

Network security product interconnection and intercommunication method, data analysis platform and related product
Technical Field
The present application relates to the field of computer security technologies, and in particular to a network security product interconnection and intercommunication method, a data analysis platform, a computer-readable storage medium, and a processor.
Background
As China's effort to become strong in network security continues to accelerate, establishing a sound, unified and efficient mechanism for network security risk monitoring, information sharing, analysis and disposal, forming a modern network security protection capability with efficient linkage across departments and industries, and accurately grasping the patterns and trends of network security risks have become the key focus of building a modern network security guarantee system and capability.
The network security environment is increasingly complex, and network attacks are clearly becoming more advanced and more covert. A single network security product can hardly meet today's complex and varied protection requirements, so in a given scenario several different network security products usually have to be deployed together; for example, a company deploys a firewall and also installs antivirus software on its employees' computers. Interconnection and intercommunication of network security products is an important technical basis for building modern network security guarantee capability: interconnecting different products helps to integrate network security information effectively, to grasp the network security situation accurately and in real time, and to raise the efficiency of responding to and handling network security events significantly. However, different types of network security products follow different technical routes of different manufacturers and are complex and diverse, so they suffer from problems such as difficult data fusion and obvious differences in how functions are implemented. Because a unified technical framework is lacking, the interconnection work of users and security manufacturers is costly, its effect is not obvious, and large-scale, reproducible application experience is difficult to accumulate. Overall, interconnection and intercommunication of different network security products is very difficult to implement.
Disclosure of Invention
Based on the above problems, the application provides a network security product interconnection and intercommunication method, a data analysis platform and related products, aiming to realize interconnection and intercommunication of different network security products at the data level and to reduce the difficulty of doing so.
The embodiment of the application discloses the following technical scheme:
A first aspect of the present application provides a method for interconnection and intercommunication of network security products, the method comprising:
parsing data of a plurality of network security products, wherein at least two of the network security products are of different types;
dividing the parsed data into corresponding data dictionaries according to data type and field, to obtain data dictionaries after data update; wherein the fields contained in each data dictionary have a mapping relation with security functions;
and constructing an association relation between the security functions and the parsed data based on the data dictionaries after data update and the mapping relation.
In an optional implementation, constructing the association relation between the security functions and the parsed data based on the data dictionaries after data update and the mapping relation comprises:
determining, from the target field that has a mapping relation with a target security function, the target data dictionary to which the target field belongs; the target data dictionary is one of the data dictionaries after data update;
extracting data from the target field of the target data dictionary;
and constructing an association relation between the target security function and the extracted data.
In an optional implementation, the target security function is one of the following four security functions, or a sub-function of at least one of them, or a function associated with such a sub-function:
the identification, protection, monitoring and disposal functions.
In an optional implementation, the four security functions are summarized from the functions for which the plurality of network security products have interconnection requirements.
In an optional implementation, constructing the association relation between the target security function and the extracted data comprises:
constructing a function dictionary of the target security function from the extracted data and the mapping relation between the target field and the target security function.
In an optional implementation, the method further comprises:
issuing an instruction to at least one of the plurality of network security products according to the function dictionary of the target security function, so that the network security product receiving the instruction executes the corresponding action.
In an optional implementation, dividing the parsed data into corresponding data dictionaries according to data type and field comprises:
determining, from a plurality of data types, the target data type to which the parsed data belongs; the plurality of data types comprise an asset information description type, an alarm information description type, a threat information description type, a traffic information description type and a security policy description type;
determining the data dictionary corresponding to the target data type;
acquiring the field information of the data dictionary corresponding to the target data type;
and writing the parsed data of the target data type into the corresponding fields of that data dictionary according to the correspondence between the fields to which the parsed data belong and the field information.
In an optional implementation, before parsing the data of the plurality of network security products, the method further comprises:
receiving data reported by the plurality of network security products;
performing protocol identification on the reported data;
and allocating a corresponding data pipeline to the reported data based on the identified protocol. Parsing the data of the plurality of network security products then comprises:
when the data reaches its data pipeline, calling the parse script corresponding to the identified protocol to parse the data in that pipeline.
A second aspect of the present application provides a data analysis platform communicatively connected to a plurality of network security products, at least two of which are of different types; the data analysis platform comprises:
a data parsing unit, for parsing data of the plurality of network security products, wherein at least two of the network security products are of different types;
a data dividing unit, for dividing the parsed data into corresponding data dictionaries according to data type and field, to obtain data dictionaries after data update; wherein the fields contained in each data dictionary have a mapping relation with security functions;
and an association relation constructing unit, for constructing an association relation between the security functions and the parsed data based on the data dictionaries after data update and the mapping relation.
A third aspect of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of the first aspect.
A fourth aspect of the present application provides a processor configured to execute a computer program which, when run, performs the method of the first aspect.
Compared with the prior art, the application has the following beneficial effects:
the application provides a network security product interconnection and intercommunication method that can be implemented in a data analysis platform. The method first parses data of a plurality of network security products of at least two types, then divides the parsed data into the corresponding data dictionaries according to data type and field, thereby updating the data dictionaries. The fields contained in each data dictionary have a mapping relation with security functions. Finally, from the updated data dictionaries and the mapping relation between fields and security functions, the association relation between the security functions and the parsed data is constructed. In other words, once the parsed data has been divided into the corresponding data dictionaries, the association between the parsed data and the security functions follows from the mapping between fields and functions. This aggregates data to functions, strengthens the close relation between data and functions, and decouples the data from the network security product that produced it, thereby achieving interconnection and intercommunication between different network security products.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a network security application scenario provided in an embodiment of the present application;
fig. 2 is a flowchart of a method for interworking between network security products according to an embodiment of the present application;
fig. 3 is a schematic diagram of a protocol-based data normalization process provided in an embodiment of the present application;
fig. 4 is a schematic diagram of an association relation constructed between a security function and parsed data according to an embodiment of the present application;
fig. 5 is a schematic diagram of another association relationship between a constructed security function and parsed data according to an embodiment of the present application;
fig. 6 is a schematic diagram of a network security product interworking framework according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a data analysis platform according to an embodiment of the present application.
Detailed Description
To address the present difficulty of interconnecting different network security products, the application provides a network security product interconnection and intercommunication method, a data analysis platform, a computer-readable storage medium and a processor. By dividing the parsed data into the corresponding data dictionaries, the association relation between the parsed data and the security functions of network security products of the same or different types can be constructed through the mapping between fields and functions. This aggregates data to functions, strengthens the close relation between data and functions, and decouples the data from the network security products, so that a plurality of network security products are interconnected and intercommunicate.
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, for ease of understanding, a schematic diagram of a network security application scenario is provided. In such a scenario there are a plurality of network security products, at least two of which are of different types; the firewall A and the antivirus software B installed on a computer in fig. 1 are two different types of network security product. An actual scenario may also contain several network security products of the same type. The scenario further contains a data analysis platform C, which can communicate with the network security products or with the devices on which they run, so that the products report data to the platform and the platform receives the reported data. The data analysis platform C may also actively collect data such as logs from the network security products. In a possible implementation, the network security products can also communicate with each other over the connections between their devices.
Fig. 1 shows only two types of network security product; in practice the types and number of products in a scenario are not limited. Products of the same type may be installed on different devices, and several products of different types may be installed on a single device. The data analysis platform C serves the different network security products in the scenario and realizes their interconnection and intercommunication at the data level.
Referring to fig. 2, the figure is a flowchart of a network security product interconnection and intercommunication method according to an embodiment of the present application. The method can be applied to the data analysis platform C shown in fig. 1, which performs the following operations. The method shown in fig. 2 comprises:
S201, parsing data of a plurality of network security products.
Because the data analysis platform has established communication connections with the plurality of network security products (or with the devices running them), a network security product sends its data to the platform whenever it has data to report, so that the platform can use the reported data to realize interconnection and intercommunication between the products. Alternatively, the data analysis platform can actively fetch data from the network security products. At least two of the plurality of network security products are of different types, which guarantees that the data parsed in S201 includes data from different network security products.
Besides interconnecting the different network security products, the data analysis platform can also analyze the reported data and apply the analysis results to the identification, monitoring, protection and disposal of the security of the devices in the scenario.
Because the data acquired by the data analysis platform comes from diverse sources, the raw data may be inconvenient for the subsequent interconnection operations, so it can be normalized first. Fig. 3 is a schematic diagram of a protocol-based data normalization process provided in an embodiment of the present application; the normalization process can be understood with reference to it. Data reported by a plurality of network security products, such as firewalls, intrusion detection, log audit and terminal detection products, is received, and protocol identification is performed on the reported data. In practice the interconnection framework of the technical scheme of the application contains a protocol analysis module that identifies the data protocol, for example SYSLOG, SNMP, HTTPS or KAFKA. A corresponding data pipeline is allocated to the reported data based on the identified protocol, and once the data reaches its pipeline, the data parsing engine calls the parse script corresponding to that protocol to parse the data in the pipeline. The parsed data can be described by a set of preset elements, for example the five-tuple, traffic data, threat tag, information name, information rating and time. With these preset elements the data can be classified faster and more accurately, and providing a dedicated parse script per protocol improves both the accuracy and the efficiency of parsing.
The amount of data submitted for parsing can be bounded by a rate limiter. The specific limit can be configured according to the hardware capacity of the data analysis platform and is not limited here. The rate limiter improves parsing efficiency within a given period and avoids data congestion that would make parsing difficult.
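The following block is an added example, written for this page rather than taken from the patent, of the protocol-based ingestion described in S201 and in the optional implementation of the first aspect (receive, identify the protocol, allocate a data pipeline, parse with a per-protocol script, rate-limit). Every name in it, including the element set and the parse functions, is an assumption, and the three sample reports are constructed; no real product emits exactly these formats. The limiter is a token bucket with an injected clock so that the over-limit case is reproducible.

```python
import json
import re
from collections import deque
from typing import Callable

# RFC 3164-style syslog line: "<PRI>Mon DD HH:MM:SS host app: key=value ..."
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Elements every parse script must produce: five-tuple, threat tag, name,
# rating, time, plus the reporting device (element names are assumed).
ELEMENTS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto", "threat_tag",
            "name", "rating", "time", "device_address", "source")


def identify_protocol(raw: bytes) -> str:
    """Classify by leading bytes: an SNMP PDU is BER (0x30 SEQUENCE), syslog
    starts with '<PRI>', JSON feeds (e.g. over Kafka/HTTPS) start with '{'.
    Anything else is parked in a 'raw' pipeline rather than discarded."""
    if raw[:1] == b"\x30":
        return "snmp"
    text = raw.decode("utf-8", errors="replace").lstrip()
    if SYSLOG_RE.match(text):
        return "syslog"
    if text.startswith("{"):
        return "json"
    return "raw"


def parse_syslog(raw: bytes) -> dict:
    """Parse script for the syslog pipeline (key=value body assumed)."""
    m = SYSLOG_RE.match(raw.decode("utf-8", errors="replace"))
    kv = dict(KV_RE.findall(m["msg"]))
    return {"source": m["app"], "device_address": m["host"], "time": m["ts"],
            "src_ip": kv.get("src"), "src_port": kv.get("spt"),
            "dst_ip": kv.get("dst"), "dst_port": kv.get("dpt"),
            "proto": kv.get("proto"), "threat_tag": kv.get("threat"),
            "name": kv.get("name"), "rating": kv.get("sev")}


def parse_json(raw: bytes) -> dict:
    """Parse script for the JSON pipeline (field names assumed)."""
    d = json.loads(raw)
    c = d.get("conn", {})
    return {"source": d.get("product"), "device_address": d.get("host"),
            "time": d.get("ts"), "src_ip": c.get("sip"), "src_port": c.get("sport"),
            "dst_ip": c.get("dip"), "dst_port": c.get("dport"),
            "proto": c.get("proto"), "threat_tag": d.get("tag"),
            "name": d.get("title"), "rating": d.get("severity")}


PARSERS: dict[str, Callable[[bytes], dict]] = {"syslog": parse_syslog,
                                                "json": parse_json}


class TokenBucket:
    """Rate limiter in front of the parse stage; `clock` is injected for determinism."""
    def __init__(self, rate: float, burst: float, clock: Callable[[], float]):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Ingest:
    def __init__(self, limiter: TokenBucket):
        self.limiter = limiter
        self.pipelines = {p: deque() for p in ("syslog", "json", "snmp", "raw")}
        self.deferred: list[bytes] = []   # over-limit data is kept, not lost

    def receive(self, raw: bytes) -> str:
        """Route one reported record; returns the pipeline name or 'deferred'."""
        if not self.limiter.allow():
            self.deferred.append(raw)
            return "deferred"
        proto = identify_protocol(raw)
        self.pipelines[proto].append(raw)
        return proto

    def drain(self) -> list[dict]:
        """Run each pipeline's parse script; pipelines without one stay queued.
        A parser that omits a preset element is a bug and is reported as such."""
        out = []
        for proto, parser in PARSERS.items():
            q = self.pipelines[proto]
            while q:
                rec = parser(q.popleft())
                missing = [e for e in ELEMENTS if e not in rec]
                if missing:
                    raise ValueError(f"{proto} parser omitted {missing}")
                rec["protocol"] = proto
                out.append(rec)
        return out


# Constructed sample reports (not real product output).
SAMPLES = [
    b"<134>Nov 18 10:02:11 fw-edge-1 fw: name=syn_flood threat=ddos sev=high "
    b"src=198.51.100.7 spt=4444 dst=192.0.2.10 dpt=443 proto=tcp",
    b'{"product":"edr","host":"pc-22","ts":"2022-11-18T10:02:12Z",'
    b'"title":"trojan.generic","tag":"malware","severity":"critical",'
    b'"conn":{"sip":"10.0.0.22","sport":51212,"dip":"203.0.113.5",'
    b'"dport":8080,"proto":"tcp"}}',
    b"\x30\x2a\x02\x01\x01",   # leading bytes of an SNMP BER message
]


def run_demo(clock_values=(0.0, 0.0, 0.0, 1.0)) -> tuple[list[str], list[dict]]:
    """Burst of 2 at 1 record/s: with the default clock the third record arrives
    one second later and is admitted; with all-zero timestamps it is deferred."""
    it = iter(clock_values)
    ingest = Ingest(TokenBucket(rate=1.0, burst=2, clock=lambda: next(it)))
    routes = [ingest.receive(s) for s in SAMPLES]
    return routes, ingest.drain()
```

Two design points worth noting: unknown protocols land in a holding pipeline instead of being dropped, so nothing a product reported is lost before a parse script exists for it; and records the limiter rejects are deferred rather than discarded, which is the difference between back-pressure and silent data loss in a platform whose value is the completeness of the data it correlates.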
S202, dividing the parsed data into corresponding data dictionaries according to data type and field, to obtain the data dictionaries after data update.
In an embodiment of the present application several classes of data dictionary are provided, for example an asset information description class, an alarm information description class, a threat information description class, a traffic information description class and a security policy description class. A data dictionary may be named after its class or given another name; a traffic information description class dictionary may, for instance, be called the traffic log dictionary. In this embodiment the set of data dictionaries supports horizontal expansion, so the division of data can be refined further, making the interconnection of data between different network security products finer and more accurate and improving its effect.
When dividing data, the data dictionary into which a piece of data belongs is determined mainly by the data's type, which is classified along the same lines as the dictionaries. For example, parsed data of the alarm information description class is divided into the alarm information description class data dictionary. Each class of data dictionary further consists of several fields, and the data is written into the corresponding dictionary field by field. Step S202 can therefore be implemented as follows:
determining, from the plurality of data types, the target data type to which the parsed data belongs; determining the data dictionary corresponding to the target data type; acquiring the field information of that data dictionary; and writing the parsed data of the target data type into the corresponding fields of that data dictionary according to the correspondence between the fields to which the parsed data belong and the field information.
Taking the alarm information description class data dictionary as an example, its fields are: alarm time, alarm level, alarm name, event description, alarm type, alarm subclass, device type, device version, device address, target object IP, target object port, attacker IP, attacker port, and an extension information item. If the target data type of the parsed data is the alarm information description class, the corresponding data dictionary is the alarm information description class data dictionary, and each value is written into the field whose field information corresponds to the field the value belongs to. In practice the parsed data contains values for many fields, and all of them are written into the corresponding fields of the corresponding dictionary according to data type and field. The parsed data is thus gathered into the data dictionaries in an orderly way, without distinguishing where it came from, which makes the data independent of the device and the network security product that produced it.
Note that every time new data is written into a data dictionary, the dictionary differs from its state before the write. To distinguish the two states, this embodiment calls the dictionary into which new data has been written by the end of S202 the data dictionary after data update.
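The following block is an added example (not the patent's code) of step S202 as just described and as claimed in the first aspect: classifying a parsed record by data type, choosing the dictionary, and writing the record field by field, with per-product field aliases so that the product's private naming disappears at this point. The dictionary and field identifiers are hypothetical English names for the fields listed above, the traffic dictionary's schema is assumed, and the three records and their products are constructed.

```python
from dataclasses import dataclass, field

# Field schemas of two data dictionary classes (identifiers assumed; the alarm
# fields follow the list in the text, the traffic fields are illustrative).
ALARM_FIELDS = ("alarm_time", "alarm_level", "alarm_name", "event_description",
                "alarm_type", "alarm_subclass", "device_type", "device_version",
                "device_address", "target_ip", "target_port", "attacker_ip",
                "attacker_port", "extension")
TRAFFIC_FIELDS = ("time", "src_ip", "src_port", "dst_ip", "dst_port", "proto",
                  "bytes_in", "bytes_out", "device_address", "extension")


@dataclass
class DataDictionary:
    name: str
    fields: tuple
    rows: list = field(default_factory=list)

    def admit(self, record: dict) -> dict:
        """Write one record into this dictionary's fields.  Values with no
        field of their own go to the extension item, so nothing is lost."""
        row = {f: None for f in self.fields}
        row["extension"] = {}
        for k, v in record.items():
            if k in self.fields and k != "extension":
                row[k] = v
            else:
                row["extension"][k] = v
        self.rows.append(row)
        return row


class DictionaryRepository:
    def __init__(self):
        self.dictionaries: dict[str, DataDictionary] = {}
        self.products: dict[str, tuple] = {}   # product -> (device type, aliases)
        self.register("alarm", ALARM_FIELDS)
        self.register("traffic", TRAFFIC_FIELDS)

    def register(self, name: str, fields: tuple) -> None:
        """Horizontal expansion: a new dictionary class is just a new schema."""
        self.dictionaries[name] = DataDictionary(name, fields)

    def add_product(self, product: str, device_type: str, aliases: dict) -> None:
        """Vendor field name -> dictionary field name.  This table is the only
        place a product's private naming is visible to the platform."""
        self.products[product] = (device_type, aliases)

    @staticmethod
    def classify(record: dict) -> str:
        """Determine the target data type from the record's own content."""
        if "alarm_name" in record:
            return "alarm"
        if "bytes_in" in record or "bytes_out" in record:
            return "traffic"
        raise ValueError(f"no data dictionary for fields {sorted(record)}")

    def divide(self, product: str, record: dict) -> tuple:
        """S202 for one parsed record: rename vendor fields, pick the target
        dictionary, and write the record into that dictionary's fields."""
        device_type, aliases = self.products.get(product, (None, {}))
        mapped = {aliases.get(k, k): v for k, v in record.items()}
        dname = self.classify(mapped)
        target = self.dictionaries[dname]
        if "device_type" in target.fields:
            mapped.setdefault("device_type", device_type)
        return dname, target.admit(mapped)


def run_demo() -> DictionaryRepository:
    """Three constructed records from three different products end up as rows
    of two dictionaries whose keys no longer reveal the producing product."""
    repo = DictionaryRepository()
    repo.add_product("fw", "firewall", {
        "ts": "alarm_time", "sev": "alarm_level", "attack": "alarm_name",
        "type": "alarm_type", "src": "attacker_ip", "spt": "attacker_port",
        "dst": "target_ip", "dpt": "target_port", "ver": "device_version",
        "host": "device_address"})
    repo.add_product("edr", "endpoint", {
        "ts": "alarm_time", "severity": "alarm_level", "title": "alarm_name",
        "category": "alarm_type", "host_ip": "target_ip",
        "agent_host": "device_address", "agent_ver": "device_version"})
    repo.add_product("probe", "traffic probe", {"ts": "time", "sensor": "device_address"})

    repo.divide("fw", {"ts": "2022-11-18T10:02:11Z", "sev": "high", "attack": "syn_flood",
                       "type": "ddos", "src": "198.51.100.7", "spt": 4444,
                       "dst": "192.0.2.10", "dpt": 443, "ver": "7.2", "host": "fw-edge-1"})
    repo.divide("edr", {"ts": "2022-11-18T10:02:12Z", "severity": "critical",
                        "title": "trojan.generic", "category": "malware",
                        "host_ip": "10.0.0.22", "sha256": "aa" * 32,
                        "agent_host": "pc-22", "agent_ver": "5.1"})
    repo.divide("probe", {"ts": "2022-11-18T10:02:13Z", "src_ip": "10.0.0.22",
                          "src_port": 51212, "dst_ip": "203.0.113.5", "dst_port": 8080,
                          "proto": "tcp", "bytes_in": 1200, "bytes_out": 48000,
                          "sensor": "tap-1"})
    return repo
```

The extension item is what makes the schema safe to enforce: a value the dictionary has no field for (the EDR file hash here) is preserved rather than dropped, so a later horizontal expansion of the schema can promote it to a proper field without re-ingesting.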
The fields contained in the built-in data dictionaries of the interconnection framework in the technical scheme of this embodiment have a mapping relation with the security functions. This mapping relation is the "bridge" over which the association relation between data and security functions is built. Given the diversity of security functions, of data dictionaries and of the fields within each dictionary, the mapping relation built into the framework covers this whole range. Through it, step S203 below can be executed, achieving real interconnection and intercommunication of data among a plurality of network security products of different types.
S203, constructing an association relation between the security functions and the parsed data based on the data dictionaries after data update and the mapping relation.
As stated above, the fields of the data dictionaries correspond to security functions. Therefore, to obtain the data related to a certain security function (called function data here for distinction), it is only necessary to extract data from the data dictionaries according to the mapping relation. In this step the data related to each security function can be extracted field by field, which aggregates data to functions, strengthens the close relation between data and functions, decouples the data from the network security products, and so achieves interconnection and intercommunication between different network security products.
Several example implementations of step S203 are given below:
1) In a first example implementation, the purpose of step S203 is to obtain the association relation between data from a plurality of network security products and a certain security function. Because there are many security functions, this one is called the target security function for distinction. In this implementation step S203 may specifically comprise:
determining, from the target field that has a mapping relation with the target security function, the target data dictionary to which the target field belongs (the target data dictionary is one of the data dictionaries after data update); extracting data from the target field of the target data dictionary; and constructing the association relation between the target security function and the extracted data.
For example, several fields of the alarm information description class data dictionary are related to the target security function, and an association between the data in these fields and the target security function can be constructed.
In an alternative implementation, the mapping relation between dictionary fields and a security function is expressed as a mapping between the fields and the elements that make up the security function, so the mapping between data and the security function is built from the mapping between fields and function elements, as the following example explains.
As an example, the target security function is the firewall attack protection function, whose elements are: protection object, protection IPv4 address, protection IPv6 address, DDoS attack defense switch and CC attack defense switch. The fields of the alarm information description class data dictionary are: alarm time, alarm level, alarm name, event description, alarm type, alarm subclass, device type, device version, device address, target object IP, target object port, attacker IP, attacker port, and an extension information item. From the mapping relations built into the interconnection framework the following mappings are obtained:
(1) the target object corresponds to the protection object;
(2) the target object IP corresponds to the protection IPv4 address and the protection IPv6 address;
(3) the alarm type corresponds to the DDoS attack defense switch and the CC attack defense switch.
When S203 is executed, the target fields are determined from (1) to (3) to be the target object, the target object IP and the alarm type, and the target data dictionary is therefore the alarm information description class data dictionary. Extracting the data in these target fields yields the function data related to the firewall attack protection function.
Note that in practice the target fields mapped to a target security function may belong to several data dictionaries of different classes, that is, there may be several target data dictionaries of different classes, and S203 then reads data from all of them. The class and number of target data dictionaries are not limited.
The first example implementation of S203 can be followed in fig. 4, a schematic diagram of constructing an association relation between a security function and parsed data. As shown in fig. 4, the dictionary repository contains four classes of data dictionary and their fields, as indicated by the arrows. The target security function is a type 1 security function; its element X, the target element, has a mapping relation with field XX of the type 2 data dictionary, so field XX is the target field and the type 2 data dictionary is the target data dictionary, and an association between the data in field XX and the type 1 security function can be constructed. For ease of distinction, the data associated with the target security function is called function data; in fig. 4 the dashed line between the function data and the target security function represents their association relation.
In this implementation the target security function may be one of the identification, protection, monitoring and disposal functions; other security functions are possible and are not limited here. This is described further under 2).
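The following block is an added example (not the patent's code) of step S203 for the firewall attack protection function described above, together with the optional instruction-issuing step of the first aspect: an element-to-field mapping table plays the role of the built-in "bridge", the target dictionaries and fields are derived from it, a function dictionary is assembled from the updated alarm dictionary, and an instruction for the firewall is derived from that function dictionary. The function path, element and field identifiers, the switch-triggering alarm types, the instruction format and the alarm rows are all assumptions; in particular the rows carry a separate "target_object" field because mapping (1) refers to one, although the field list above only names the target object IP.

```python
import ipaddress

# The target security function, placed in the hierarchy of section 2) as a
# sub-function under the protection function (the exact placement is assumed).
FUNCTION_PATH = ("protection", "network intrusion prevention",
                 "firewall attack protection")

# Built-in mapping from function elements to (data dictionary, field),
# i.e. mappings (1) to (3) of the text.  All identifiers are hypothetical.
ELEMENT_MAP = {
    "protection_object":   ("alarm", "target_object"),
    "protection_ipv4":     ("alarm", "target_ip"),
    "protection_ipv6":     ("alarm", "target_ip"),
    "ddos_defense_switch": ("alarm", "alarm_type"),
    "cc_defense_switch":   ("alarm", "alarm_type"),
}
# Alarm types that turn a defense switch on (assumed convention).
SWITCH_TRIGGERS = {"ddos_defense_switch": {"ddos"}, "cc_defense_switch": {"cc"}}


def target_dictionaries(element_map=ELEMENT_MAP) -> dict:
    """Target data dictionaries and the target fields to read from each one."""
    out: dict = {}
    for dname, fname in element_map.values():
        out.setdefault(dname, set()).add(fname)
    return out


def interpret(element: str, value):
    """Turn a raw field value into the element's value; None means the value
    does not contribute to this element (e.g. an IPv6 address to the IPv4 element)."""
    if value is None:
        return None
    if element == "protection_object":
        return value
    if element in ("protection_ipv4", "protection_ipv6"):
        addr = ipaddress.ip_address(value)
        wanted = 4 if element.endswith("4") else 6
        return str(addr) if addr.version == wanted else None
    return str(value).lower() in SWITCH_TRIGGERS[element]


def build_function_dictionary(dictionaries: dict) -> dict:
    """S203: read the target fields of the target dictionaries and assemble a
    function dictionary keyed by protection object.  Rows from any product
    contribute alike, since the dictionaries carry no product identity."""
    fd: dict = {}
    for element, (dname, fname) in ELEMENT_MAP.items():
        for row in dictionaries.get(dname, []):
            obj = row.get("target_object")
            if obj is None:
                continue
            entry = fd.setdefault(obj, {
                "protection_object": obj, "protection_ipv4": set(),
                "protection_ipv6": set(), "ddos_defense_switch": False,
                "cc_defense_switch": False})
            val = interpret(element, row.get(fname))
            if val is None:
                continue
            if isinstance(entry[element], set):
                entry[element].add(val)
            elif isinstance(entry[element], bool):
                entry[element] = entry[element] or val
    return fd


def instructions(fd: dict, firewalls: list) -> list:
    """Optional step: derive the instruction to issue to each firewall product
    from the function dictionary.  Only objects with a switch to turn on
    produce an instruction; the instruction format is constructed."""
    cmds = []
    for obj, e in fd.items():
        switches = {s: True for s in SWITCH_TRIGGERS if e[s]}
        if not switches:
            continue
        for fw in firewalls:
            cmds.append({"to": fw, "function": "/".join(FUNCTION_PATH),
                         "protection_object": obj,
                         "addresses": sorted(e["protection_ipv4"] | e["protection_ipv6"]),
                         "set": switches})
    return cmds


# Constructed rows of the alarm dictionary after data update, reported by three
# different products about two objects.
ALARM_ROWS = [
    {"alarm_type": "DDoS", "target_object": "web-1", "target_ip": "192.0.2.10",
     "device_type": "firewall", "device_address": "fw-edge-1"},
    {"alarm_type": "cc", "target_object": "web-1", "target_ip": "2001:db8::10",
     "device_type": "waf", "device_address": "waf-1"},
    {"alarm_type": "malware", "target_object": "pc-22", "target_ip": "10.0.0.22",
     "device_type": "endpoint", "device_address": "pc-22"},
]


def run_demo() -> tuple:
    fd = build_function_dictionary({"alarm": ALARM_ROWS})
    return fd, instructions(fd, ["fw-edge-1"])
```

The point of routing the instruction through the function dictionary rather than straight from the alarm is visible in the result: the DDoS alarm came from the firewall and the CC alarm from a different product, yet the firewall receives one instruction covering both, which is the interconnection the text is after. A deployment would also want an allow-list of which alarm sources may flip protection switches, since an attacker who can inject alarms into a weakly authenticated reporting channel could otherwise drive the firewall's configuration.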
2) In a second example implementation, the security functions are divided into four categories: the identification function, the protection function, the monitoring function and the disposal function, each of which comprises a plurality of sub-functions. These four security functions can be understood as first-level security functions (or first-class security functions); the sub-functions divided below them are called second-level security functions (or second-class security functions), and sub-functions divided below those are third-level security functions (or third-class security functions), and so on. The hierarchy of security functions can be defined according to actual partitioning requirements and is not limited here; the explanation below uses only four security functions, each with a plurality of sub-functions, as an example. Table 1 shows the sub-functions into which each of the four security functions is divided.
TABLE 1
Identification function: a) Asset discovery and identification; b) Service identification; c) Vulnerability identification; d) Threat identification; e) Configuration checking.
Protection function: a) Network access control; b) Network behavior control; c) Network intrusion prevention; d) Network isolation exchange; e) Terminal behavior control; f) Application security protection; g) Password protection function; h) Network flow control; i) Malicious code prevention; j) Identity management and authentication; k) Database protection; l) Data desensitization.
Monitoring function: a) Network traffic collection; b) Terminal information collection; c) Intrusion detection; d) Anomaly analysis; e) Malicious code monitoring; f) Security audit; g) Security analysis.
Disposal function: a) Event handling; b) Attack suppression; c) Backup recovery; d) Attack tracing; e) Information sharing.
As shown in Table 1, asset discovery and identification, service identification, vulnerability identification, threat identification and configuration checking are all sub-functions under the identification function. Network access control, network behavior control, network intrusion prevention, network isolation exchange, terminal behavior control, application security protection, password protection, network flow control, malicious code prevention, identity management and authentication, database protection and data desensitization are all sub-functions under the protection function. Network traffic collection, terminal information collection, intrusion detection, anomaly analysis, malicious code monitoring, security audit and security analysis are all sub-functions under the monitoring function. Event handling, attack suppression, backup recovery, attack tracing and information sharing are all sub-functions under the disposal function.
As mentioned above, the mapping relationship between the fields in the data dictionary and the security function (or the mapping relationship between the fields in the data dictionary and the elements of the security function) is built in the interconnection framework. In this implementation, the target security function may be any level of security function, and may also be a specific security function associated with any network security product. In order to obtain function data corresponding to the target security function, in the embodiment of the present application, a sub-function associated with the target security function is referred to as a target sub-function, and the following steps are performed to complete the implementation of S203:
determining one or more target sub-functions having an association relationship with the target security function; determining, based on the target fields having a mapping relationship with the elements contained in the target sub-functions, the target data dictionaries to which those target fields belong; and constructing an association between the data in the target fields of the target data dictionaries and the target security function.
For a second example implementation manner of S203, reference may be made to fig. 5, which is another schematic diagram of constructing an association relationship between a security function and parsed data. As shown in fig. 5, the target security function is a specific function associated with a sub-function of the protection function and a sub-function of the monitoring function. In order to obtain the corresponding function data, the target fields may be determined to be field XX and field XXX based on element XXX, element xxxx and their mapping relationships with the data dictionary fields in the dictionary library (the mapping between element XXX and field XX, and the mapping between element xxxx and field XXX, shown in fig. 5); the target data dictionaries are then the type 2 data dictionary and the type 3 data dictionary. Data can thus be extracted from field XX and field XXX to build the association with the target security function. As shown in fig. 5, the dashed connecting line between the function data and the target security function represents the association relationship between the two.
Through the above steps, the data of the fields in all data dictionaries that have a mapping relationship with the target sub-functions related to the target security function can be extracted, and the function data corresponding to the target security function constructed. By this method, even if the target security function has an association relationship with a plurality of second-level security functions belonging to different first-level security functions, the corresponding data can be extracted from the target data dictionaries precisely according to the mapping relationship between fields and elements. The scheme is therefore suitable for constructing the association relationship between data and complex, comprehensive security functions.
3) The target security function is a sub-function of at least one of the identification function, the protection function, the monitoring function and the disposal function. This implementation is similar to the previous two: the target data dictionary to which a target field belongs can be determined according to the target field having a mapping relationship with an element contained in the target security function; data is extracted from the target field of the target data dictionary; and an association relationship between the target security function and the extracted data is constructed.
In the above three implementation manners, the extracting data from the target field of the target data dictionary may specifically be: data is extracted from the determined plurality of different target data dictionaries in accordance with the target fields contained therein respectively.
It should be noted that fig. 4 and 5 are only exemplary effect diagrams of the above-described manners, provided for understanding; in practical applications the target security function can be implemented in various ways and may be considerably more complex. The manner of obtaining the function data through interconnection is similar to that shown in fig. 4 and 5, so the embodiments are not limited to fig. 4 and 5, and processing may be carried out according to actual needs.
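Added example, not code from the patent: a Python sketch of the second implementation of S203 above, resolving the elements of a target function's sub-functions through the framework's element-to-field mapping into target fields of two data dictionaries and assembling the extracted data into a function dictionary (passing a single sub-function gives the first implementation, the firewall attack protection case). The element names, the mapping and the dictionary contents are constructed assumptions.

```python
from collections import defaultdict

# Data dictionaries after division, keyed by data type. The records are
# constructed sample data as it would look once products' reports have been
# parsed and divided; no product identity survives in them.
DICTIONARIES = {
    "alarm_info": {
        "fields": ["target_object", "target_ip", "alarm_type"],
        "records": [
            {"target_object": "web-srv-01", "target_ip": "10.0.0.12", "alarm_type": "sql_injection"},
            {"target_object": "db-srv-02", "target_ip": "10.0.0.40", "alarm_type": "brute_force"},
        ],
    },
    "traffic_info": {
        "fields": ["src_ip", "dst_ip", "dst_port", "bytes"],
        "records": [
            {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.12", "dst_port": 443, "bytes": 12000},
        ],
    },
    "asset_info": {
        "fields": ["hostname", "ip", "os"],
        "records": [{"hostname": "web-srv-01", "ip": "10.0.0.12", "os": "Linux"}],
    },
}

# Elements required by each second-level security function, keyed by
# (first-level function, sub-function) in the spirit of Table 1 (assumed names).
SUBFUNCTION_ELEMENTS = {
    ("protection", "network_intrusion_prevention"): ["attacked_asset", "attacked_ip", "attack_type"],
    ("monitoring", "network_traffic_collection"): ["flow_source", "flow_destination", "flow_volume"],
    ("identification", "asset_discovery"): ["asset_name", "asset_ip", "asset_platform"],
}

# Mapping built into the interconnection framework: element -> (data dictionary, field).
# "asset_platform" is deliberately left unmapped to show how such a gap is reported.
ELEMENT_FIELD_MAP = {
    "attacked_asset": ("alarm_info", "target_object"),
    "attacked_ip": ("alarm_info", "target_ip"),
    "attack_type": ("alarm_info", "alarm_type"),
    "flow_source": ("traffic_info", "src_ip"),
    "flow_destination": ("traffic_info", "dst_ip"),
    "flow_volume": ("traffic_info", "bytes"),
    "asset_name": ("asset_info", "hostname"),
    "asset_ip": ("asset_info", "ip"),
}


def resolve_target_fields(subfunctions):
    """Steps 1-2: collect the elements of the target sub-functions and resolve
    each to its target dictionary and target field.
    Returns ({dictionary: {field: element}}, [elements with no mapping])."""
    targets = defaultdict(dict)
    unmapped = []
    for sf in subfunctions:
        for element in SUBFUNCTION_ELEMENTS[sf]:
            if element not in ELEMENT_FIELD_MAP:
                unmapped.append(element)
                continue
            dtype, field = ELEMENT_FIELD_MAP[element]
            targets[dtype][field] = element
    return dict(targets), unmapped


def build_function_dictionary(function_name, subfunctions, dictionaries=DICTIONARIES):
    """Step 3: extract data from every target field of every target dictionary
    and store it under the element names, giving the function dictionary of the
    target security function."""
    targets, unmapped = resolve_target_fields(subfunctions)
    function_dict = {"function": function_name, "sources": sorted(targets),
                     "unmapped_elements": unmapped, "data": []}
    for dtype, field_to_element in targets.items():
        for record in dictionaries[dtype]["records"]:
            entry = {element: record[field] for field, element in field_to_element.items()}
            entry["_source_dictionary"] = dtype
            function_dict["data"].append(entry)
    return function_dict


if __name__ == "__main__":
    # A target function associated with one protection and one monitoring
    # sub-function, as in the fig. 5 style implementation.
    fd = build_function_dictionary(
        "attack_protection_scenario",
        [("protection", "network_intrusion_prevention"), ("monitoring", "network_traffic_collection")])
    for entry in fd["data"]:
        print(entry)
```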
As mentioned above, the security functions of network security products can be divided into four categories: identification, protection, monitoring and disposal functions. In network security products in practical use, the security functions provided can be of many kinds; for example, a firewall and antivirus software installed on a terminal device have different functions. In order to accommodate such complex and diverse functions, in an optional implementation manner, the functions of the different network security products may be identified using a system security lifecycle model, the functions having interconnection requirements determined, and those identified functions summarized, specifically into an identification function, a protection function, a monitoring function or a disposal function. The system security lifecycle model may be the IPDRRR model, in which the letters stand for Inspection, Protection, Detection, Reaction, Recovery and Reflection. Inspection corresponds to the identification function, Protection to the protection function, Detection to the monitoring function and Reaction to the disposal function.
For example, if the functions of a network security product are the subdivided functions shown in Table 1, the specific functions of that product may be summarized into an identification function, a protection function, a monitoring function or a disposal function according to the relationship between each subdivided function and the four security functions shown in Table 1, the similarity of their work content, or the similarity of their work category. The act of summarizing here can also be understood as abstraction: the four functions, namely the identification, protection, monitoring and disposal functions, are abstracted from the various concrete functions to form the first-level security functions, with the second-level security functions divided below them.
Since the functions of the different network security products that need to be interconnected are uniformly summarized into four types, interconnection of different network security products is realized from the aspect of function division. Fig. 6 is a schematic diagram of an interworking framework for network security products according to an embodiment of the present application, from which the specific implementation logic of the embodiment can also be readily understood. As shown in fig. 6, rich data sources such as security logs, traffic metadata, policy files and threat intelligence (which may come from a variety of different network security products) are reported to the data analysis platform and, after protocol identification and parsing, are transmitted into the various data dictionaries of the dictionary library. The four security functions obtained by abstracting the functions of the different network security products connect those products at the functional level and align them to four mutually recognized security functions. By means of the mapping relationship between the fields of the data dictionaries and the security functions built into the framework, the function data corresponding to any specific security function can be extracted from the data dictionaries of the dictionary library. In this way, diverse data such as security logs, traffic metadata, policy files and threat intelligence are interconnected at both the functional level and the data level, and the scheme can then be applied to various types of scenario, such as the threat early warning, threat tracing, situation awareness, information sharing and security policy response scenarios shown in fig. 6.
In an optional implementation manner, in order to make efficient use of the function data, constructing the association relationship between the target security function and the extracted data according to this embodiment may specifically include: constructing a function dictionary of the target security function according to the extracted data and the mapping relationship between the target fields and the target security function. In the form of a function dictionary, the extracted data is stored according to the fields specified in the function dictionary of the target security function, so that it can be retrieved efficiently and conveniently whenever the data in the dictionary needs to be called. This can be seen as a way of improving indexing efficiency.
In various application scenarios shown in fig. 6, if the function dictionary of the target security function is established, the method for interworking network security products may further include: and issuing an instruction to at least one network security product in the plurality of network security products according to the function dictionary of the target security function, so that the network security product receiving the instruction executes corresponding action according to the instruction.
Through the function dictionary of the target security function, the data analysis platform can obtain data related to the target security function and from a plurality of network security products (at least two of which are different in type). Through the data, the data analysis platform can effectively integrate the data related to the function, so that after a specific scene needing to be applied is determined, an instruction can be sent to the network security product, and the network security product can execute actions according to the instruction. The instruction is generated after the function dictionary is integrated, and can provide more accurate indication for the network security product to execute the action in an instruction mode through data integration. Therefore, the efficiency of response and disposal of the network security event is improved, the accuracy of threat tracing is improved, and the timeliness and effectiveness of threat early warning are improved.
Correspondingly, the application also provides a data analysis platform based on the network security product interconnection method provided by the embodiment. A specific implementation of this platform is described below in conjunction with fig. 7.
Fig. 7 is a schematic structural diagram of a data analysis platform according to an embodiment of the present application. As shown in fig. 1, the data analysis platform is communicatively connected to different network security products. As shown in fig. 7, the data analysis platform includes:
a data parsing unit 701, configured to parse data of a plurality of network security products, where at least two of the plurality of network security products are different in type;
a data dividing unit 702, configured to divide the parsed data into the corresponding data dictionaries according to data type and field, so as to obtain data dictionaries after data update; wherein the fields contained in each data dictionary have a mapping relationship with the elements contained in the security functions;
an association relationship establishing unit 703, configured to establish an association relationship between the security functions and the parsed data based on the data dictionaries after data update and the mapping relationship.
According to the technical scheme, the analyzed data are divided into the corresponding data dictionaries, and the association between the analyzed data and the safety function can be established through the mapping association of the fields and the functions. The method and the device realize the aggregation of data to functions, strengthen the close relation between the data and the functions, and make the data and the network security products irrelevant, thereby achieving the effect of interconnection and intercommunication of different network security products.
Optionally, the association relationship establishing unit 703 is specifically configured to:
determining a target data dictionary to which a target field belongs according to the target field having a mapping relationship with a target security function, the target data dictionary being one of the data dictionaries after data update;
extracting data from the target field of the target data dictionary;
and constructing an association relationship between the target security function and the extracted data.
The target security function is one of the following four security functions, or the target security function is a function associated with a sub-function of at least one of the following security functions, or the target security function is a sub-function of at least one of the following security functions:
identification, protection, monitoring and disposal functions.
The four security functions are summarized from functions which are required by the interconnection and intercommunication of the network security products.
Optionally, the association relationship establishing unit 703 is specifically configured to:
constructing a function dictionary of the target security function according to the extracted data and the mapping relationship between the target field and the target security function.
Optionally, the data analysis platform further includes an instruction issuing unit, configured to:
and issuing an instruction to at least one network security product in the plurality of network security products according to the function dictionary of the target security function, so that the network security product receiving the instruction executes corresponding action according to the instruction.
Optionally, the association relationship establishing unit 703 is specifically configured to:
data is extracted from the determined plurality of different target data dictionaries in accordance with the target fields contained therein respectively.
The data dividing unit 702 is specifically configured to:
determining a target data type to which the analyzed data belongs from a plurality of data types; the multiple data types comprise an asset information description type, an alarm information description type, a threat information description type, a flow information description type and a security policy description type;
determining a data dictionary corresponding to the target data type;
acquiring field information of a data dictionary corresponding to the target data type;
and transmitting the analyzed data of the target data type into a corresponding field of a data dictionary corresponding to the target data type according to the corresponding relation between the field to which the analyzed data of the target data type belongs and the field information.
Optionally, the data analysis platform is further configured to: receiving data reported by a plurality of network security products; carrying out protocol identification on data reported by a plurality of network security products; distributing corresponding data pipelines for data reported by a plurality of network security products based on the identified protocol;
the data parsing unit 701 is specifically configured to:
when the data reaches the corresponding data pipeline, call a parsing script corresponding to the identified protocol to parse the data in that data pipeline.
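Added example, not the patent's own code: the ingest stage described above (protocol identification, a per-protocol data pipeline, a parse script per protocol, and division of the parsed data into data dictionaries by data type and field) sketched in Python. The protocol heuristics, product message formats, field names and sample messages are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Dictionary library: one data dictionary per data type named in the method,
# each declaring the fields it accepts. Records are appended during division.
DICTIONARIES = {
    "asset_info": {"fields": ["hostname", "ip", "os"], "records": []},
    "alarm_info": {"fields": ["target_object", "target_ip", "alarm_type", "severity"], "records": []},
    "threat_info": {"fields": ["indicator", "indicator_type", "confidence"], "records": []},
    "traffic_info": {"fields": ["src_ip", "dst_ip", "dst_port", "bytes"], "records": []},
    "security_policy": {"fields": ["policy_id", "action", "match"], "records": []},
}

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def identify_protocol(raw):
    """Protocol identification on one reported message (constructed heuristics)."""
    if raw.startswith("{"):
        return "json"
    if "CEF:0|" in raw:
        return "cef"
    if SYSLOG_RE.match(raw):
        return "syslog"
    return "unknown"


# Parse scripts, one per protocol. Each returns (data_type, fields) with the
# product's own field names already renamed to the data dictionary's fields,
# or (None, ...) when the message belongs to no data type the library covers.
def parse_cef(raw):
    header = raw[raw.index("CEF:0|"):].split("|", 7)  # 7 header fields + extension
    ext = dict(KV_RE.findall(header[7]))
    return "alarm_info", {"target_object": ext.get("dhost"), "target_ip": ext.get("dst"),
                          "alarm_type": ext.get("cat"), "severity": int(header[6])}


def parse_json(raw):
    obj = json.loads(raw)
    kind = obj.pop("type", None)
    data_type = {"asset": "asset_info", "ioc": "threat_info", "policy": "security_policy"}.get(kind)
    return data_type, obj


def parse_syslog(raw):
    m = SYSLOG_RE.match(raw)
    kv = dict(KV_RE.findall(m.group("msg")))
    if m.group("msg").startswith("flow "):
        return "traffic_info", {"src_ip": kv.get("src"), "dst_ip": kv.get("dst"),
                                "dst_port": int(kv["dport"]), "bytes": int(kv["bytes"])}
    return None, kv


PARSERS = {"cef": parse_cef, "json": parse_json, "syslog": parse_syslog}


def divide_into_dictionary(data_type, fields):
    """Division step: keep only the fields the target dictionary declares, so
    that the record seen by the downstream function mappings is product-independent."""
    dictionary = DICTIONARIES[data_type]
    record = {f: fields[f] for f in dictionary["fields"] if f in fields}
    dictionary["records"].append(record)
    return record


def run_ingest(messages):
    """Whole stage: identify the protocol, queue the message into that protocol's
    pipeline, then drain each pipeline with its parse script and divide the
    results. Returns how many records each data dictionary received."""
    for d in DICTIONARIES.values():
        d["records"].clear()
    pipelines = defaultdict(list)
    for raw in messages:
        pipelines[identify_protocol(raw)].append(raw)
    counts = defaultdict(int)
    for proto, queue in pipelines.items():
        parser = PARSERS.get(proto)
        if parser is None:  # no parse script for this protocol: left unparsed
            counts["dropped"] += len(queue)
            continue
        for raw in queue:
            data_type, fields = parser(raw)
            if data_type is None:
                counts["dropped"] += 1
                continue
            divide_into_dictionary(data_type, fields)
            counts[data_type] += 1
    return dict(counts)


# Constructed sample reports from four different kinds of product.
SAMPLE_MESSAGES = [
    "CEF:0|ExampleVendor|FW|1.0|100|SQL injection blocked|8|dst=10.0.0.12 dhost=web-srv-01 cat=sql_injection",
    '{"type": "asset", "hostname": "db-srv-02", "ip": "10.0.0.40", "os": "Linux"}',
    "<14>2024-01-01T00:00:00Z nf-col flow src=203.0.113.7 dst=10.0.0.12 dport=443 bytes=12000",
    '{"type": "ioc", "indicator": "203.0.113.7", "indicator_type": "ipv4", "confidence": 80}',
    "a line in no protocol the platform recognises",
]

if __name__ == "__main__":
    print(run_ingest(SAMPLE_MESSAGES))
```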
On the basis of the network security product interconnection and intercommunication method and the data analysis platform provided by the foregoing embodiments, the present application correspondingly provides a computer-readable storage medium. The computer readable storage medium stores a computer program, and when the program is executed by a processor, the computer program implements part or all of the steps of the network security product interconnection and interworking method provided by the foregoing embodiment.
A processor for running a computer program is also provided in the present application. For the processor, when the program runs therein, some or all of the steps of the network security product interconnection and interworking method provided by the foregoing embodiments are performed.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief, and reference may be made to the relevant parts of the method embodiment. The above-described apparatus embodiments are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A network security product interconnection method is characterized by comprising the following steps:
analyzing data of a plurality of network security products, wherein at least two of the network security products are different in type;
dividing the analyzed data into corresponding data dictionaries according to the data types and the fields to obtain data dictionaries after data updating; wherein, the fields contained in each data dictionary have a mapping relation with the security function;
and constructing an association relation between the security function and the analyzed data based on the data dictionary after the data is updated and the mapping relation.
2. The method according to claim 1, wherein the establishing of the association between the security function and the analyzed data based on the updated data dictionary and the mapping relationship comprises:
determining a target data dictionary to which a target field belongs according to the target field having a mapping relation with a target security function; the target data dictionary is one of data dictionaries which are updated by data;
extracting data from the target field of the target data dictionary;
and constructing an association relation between the target security function and the extracted data.
3. The network security product interconnection method according to claim 2, wherein the target security function is one of the following four security functions, or the target security function is a function associated with a sub-function that is at least one of the following security functions, or the target security function is a sub-function of at least one of the following security functions:
identification, protection, monitoring and disposal functions.
4. The method according to claim 3, wherein the four security functions are summarized from functions required by the plurality of network security products for interworking.
5. The network security product interconnection and interworking method according to any one of claims 2-4, wherein the constructing the association relationship between the target security function and the extracted data comprises:
and constructing a function dictionary of the target security function according to the extracted data and the mapping relation between the target field and the target security function.
6. The network security product interconnection method according to claim 5, further comprising:
and issuing an instruction to at least one network security product in the plurality of network security products according to the function dictionary of the target security function, so that the network security product receiving the instruction executes corresponding action according to the instruction.
7. The method for interworking and interworking of network security products according to any one of claims 1-4, wherein the dividing the parsed data into the corresponding data dictionaries according to the data type and field comprises:
determining a target data type to which the analyzed data belongs from a plurality of data types; the multiple data types comprise an asset information description type, an alarm information description type, a threat information description type, a flow information description type and a security policy description type;
determining a data dictionary corresponding to the target data type;
acquiring field information of a data dictionary corresponding to the target data type;
and transmitting the analyzed data of the target data type into a corresponding field of a data dictionary corresponding to the target data type according to the corresponding relation between the field to which the analyzed data of the target data type belongs and the field information.
8. The network security product interconnection and interworking method according to any one of claims 1-4, wherein before parsing the data of the plurality of network security products, the method further comprises:
receiving data reported by a plurality of network security products;
carrying out protocol identification on data reported by a plurality of network security products;
distributing corresponding data pipelines for data reported by a plurality of network security products based on the identified protocol; the analyzing data of a plurality of network security products comprises:
and when the data reaches the corresponding data pipeline, calling an analysis script corresponding to the identified protocol to analyze the data in the data pipeline.
9. A data analysis platform, wherein the data analysis platform is communicatively coupled to a plurality of cyber-security products, at least two of the cyber-security products being of different types; the data analysis platform comprises:
the data analysis unit is used for analyzing data of a plurality of network security products, wherein at least two of the network security products are different in type;
the data dividing unit is used for dividing the analyzed data into corresponding data dictionaries according to the data types and the fields to obtain data dictionaries after data updating; wherein, the fields contained in each data dictionary have a mapping relation with the security function;
and the association relation establishing unit is used for establishing the association relation between the security function and the analyzed data based on the data dictionary after the data updating and the mapping relation.
10. A computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, implements the network security product interworking method according to any one of claims 1 to 8.
11. A processor configured to execute a computer program, the program being configured to execute the network security product interworking method according to any one of claims 1 to 8.
CN202211457490.9A 2022-11-21 2022-11-21 Network security product interconnection and intercommunication method, data analysis platform and related product Pending CN115733902A (en)


Publications (1)

Publication Number Publication Date
CN115733902A true CN115733902A (en) 2023-03-03

Family

ID=85297260



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination