CN115834193A - Abnormal security policy detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN115834193A
Authority: CN (China)
Prior art keywords: security policy, newly added, policy, detection result, abnormal
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211465635.XA
Other languages: Chinese (zh)
Inventors: 张培峰, 魏子涵
Current Assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: DBAPPSecurity Co Ltd
Abstract

The invention provides an abnormal security policy detection method, an abnormal security policy detection device, electronic equipment and a storage medium, which relate to the field of network security. The method comprises the following steps: receiving a newly added security policy, detecting whether the application range of the newly added security policy overlaps with the existing application range of any security policy in a local policy library, and generating a first detection result; when the first detection result is that the newly added application range does not overlap with any existing application range, configuring the newly added security policy to the security device, detecting whether the security device returns response information indicating successful configuration, and generating a second detection result; when the second detection result is that the security device has returned the response information, exiting the detection; and when either the first detection result or the second detection result is abnormal, judging that the newly added security policy is abnormal. The newly added security policy is thus checked for redundancy at the moment it is received, so that the relevant security personnel can adjust it in time and policy redundancy is avoided.

Description

Abnormal security policy detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method and an apparatus for detecting an abnormal security policy, an electronic device, and a storage medium.
Background
In order to improve network security, a security manager can set a corresponding security policy for each network device, so as to effectively control the various behaviours of that device. In the related art, because existing security policies are created and executed independently of one another, conflicts between policies arise easily and lead to policy redundancy; furthermore, some policies are not deployed to the security device correctly, which also easily results in policy redundancy. Therefore, how to analyse security policies and single out those that are redundant is an urgent technical problem for those skilled in the art.
Disclosure of Invention
The invention aims to provide an abnormal security policy detection method, an abnormal security policy detection device, electronic equipment and a storage medium, which can perform redundancy detection on a newly added security policy when the newly added security policy is received, so that related security personnel can adjust the newly added security policy in time and the policy redundancy condition is avoided.
In order to solve the above technical problem, the present invention provides an abnormal security policy detection method, including:
receiving a newly added security policy, detecting whether an added application range of the newly added security policy is overlapped with an existing application range of a security policy in a local policy library, and generating a first detection result;
when the first detection result is that the newly-added application range is not overlapped with each existing application range, configuring the newly-added security policy to security equipment, detecting whether the security equipment returns response information representing successful configuration, and generating a second detection result;
when the second detection result is that the security device has returned the response information, exiting the detection;
and when either the first detection result or the second detection result is abnormal, judging that the newly added security policy is abnormal.
Optionally, the receiving a new security policy includes:
receiving a newly added security policy issued by a superior device and/or receiving a locally input newly added security policy.
Optionally, when the type of the newly added security policy is an IP type, the detecting whether an added application range of the newly added security policy overlaps with an existing application range of a security policy in a local policy repository includes:
extracting a target security policy of which the type is the IP type from the local policy library;
judging whether the target security policy has a condition that an existing IP range corresponding to the target security policy overlaps with a newly added IP range corresponding to the newly added security policy;
if yes, generating a first detection result representing the overlapping;
if not, a first detection result indicating no overlap is generated.
Optionally, before determining whether there is a situation in the target security policy that an existing IP range corresponding to the target security policy overlaps with a newly added IP range corresponding to the newly added security policy, the method further includes:
judging whether the IP range information configured by the newly added security policy conforms to a preset rule or not; the preset rule comprises whether the IP in the IP range information conforms to a preset IP format rule or not and whether the boundary value in the IP range information conforms to the preset IP range format rule or not;
if yes, the step of judging whether the existing IP range corresponding to the target security policy is overlapped with the newly added IP range corresponding to the newly added security policy exists or not is carried out.
Optionally, when the type of the newly added security policy is an application restricted list type, the detecting whether an added application range of the newly added security policy overlaps with an existing application range of a security policy in a local policy repository includes:
extracting a target security policy of which the type is the application program restricted list type from the local policy library;
judging whether the situation that the application program corresponding to the target security policy is overlapped with the application program corresponding to the newly added security policy exists in the target security policy;
if yes, generating a first detection result representing the overlapping;
if not, a first detection result indicating no overlap is generated.
Optionally, before determining whether there is an overlapping situation between the application program corresponding to the target security policy and the application program corresponding to the newly added security policy, the method further includes:
judging whether the application program name configured by the newly added security policy meets a preset rule or not;
if so, the step of judging whether the application program corresponding to the target security policy is overlapped with the application program corresponding to the newly added security policy exists or not is carried out.
Optionally, after determining that the newly added security policy is abnormal, the method further includes:
adding a corresponding mark for the newly added security policy according to the type of the abnormal result, and adding the newly added security policy added with the mark to the local policy library;
and writing the security policy added with the mark in the local policy library into a result list, and outputting the result list.
The invention also provides an abnormal security policy detection device, comprising:
the first detection module is used for receiving the newly added security policy, detecting whether the newly added application range of the newly added security policy is overlapped with the existing application range of the security policy in the local policy library or not, and generating a first detection result;
a second detection module, configured to configure the newly added security policy to a security device when it is determined that the first detection result is that the newly added application range is not overlapped with each existing application range, and detect whether the security device returns response information indicating successful configuration, so as to generate a second detection result;
the exit module is used for exiting detection when the second detection result indicates that the security device has returned the response information;
and the judging module is used for judging that the newly added security policy is abnormal when either the first detection result or the second detection result is abnormal.
The present invention also provides an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the abnormal security policy detection method as described above when executing the computer program.
The present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the abnormal security policy detection method as described above.
The invention provides an abnormal security policy detection method, which comprises the following steps: receiving a newly added security policy, detecting whether the newly added application range of the newly added security policy overlaps with the existing application range of any security policy in a local policy library, and generating a first detection result; when the first detection result is that the newly added application range does not overlap with any existing application range, configuring the newly added security policy to the security device, detecting whether the security device returns response information indicating successful configuration, and generating a second detection result; when the second detection result is that the security device has returned the response information, exiting the detection; and when either the first detection result or the second detection result is abnormal, judging that the newly added security policy is abnormal.
Therefore, when a newly added security policy is obtained, it can be detected whether the application range of that policy overlaps with the existing application range of any security policy in the local policy library. If it overlaps, the newly added security policy is redundant and should be deleted or adjusted. If it does not overlap, the method further configures the newly added security policy to the security device and judges whether the security device returns response information indicating successful configuration; if that information is not returned, the newly added security policy cannot be configured to the security device, that is, it has not taken effect, and it should be redeployed or the fault repaired. In other words, the invention performs redundancy detection on the newly added security policy at the moment it is received, so that the relevant security personnel can adjust it in time and policy redundancy is avoided. The invention also provides an abnormal security policy detection device, electronic equipment and a storage medium, which have the same beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an abnormal security policy detection method according to an embodiment of the present invention;
fig. 2 is a block diagram of an abnormal security policy detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the related art, because existing security policies are created and executed independently of one another, conflicts between policies arise easily and lead to policy redundancy; in addition, some policies are not deployed to the security device correctly, which also easily causes policy redundancy. Therefore, how to analyse security policies and single out those that are redundant is an urgent technical problem for those skilled in the art. In view of this, the present invention provides a method for detecting an abnormal security policy, which performs redundancy detection on a newly added security policy at the moment it is received, so that the relevant security personnel can adjust it in time and policy redundancy is avoided. Referring to fig. 1, fig. 1 is a flowchart of an abnormal security policy detection method according to an embodiment of the present invention, where the method includes:
s101, receiving a newly added security policy, detecting whether an added application range of the newly added security policy is overlapped with an existing application range of the security policy in a local policy library, and generating a first detection result.
In the embodiment of the present invention, a security policy is used to restrict the network access behaviour of a target object. The restriction can take various forms, for example a black list (completely blocked), a white list (completely allowed) or a red list (allowed after passing manual review), and other forms are possible; the policy may also restrict various kinds of object, such as traffic from a specified IP address or network access from a specified application program. The embodiment of the invention performs redundancy detection on the newly added security policy at the moment it is received, where the policy may be a newly added security policy issued by a superior device or one entered locally by a user. Redundancy detection is performed at this point because existing security policies are created and executed independently of one another, so conflicts between policies arise easily; by starting redundancy detection and the marking of redundant policies at the creation stage, network security personnel can be reminded to adjust a policy as soon as it is created, which prevents redundant policies from being created and, in turn, prevents the security problems that redundant policies easily cause at the execution stage.
Furthermore, the local policy library is a database for storing all local security policies, and the embodiment of the invention compares the application range of each security policy in the local policy library with the newly added application range corresponding to the newly added security policy to determine whether the newly added security policy has redundancy. The application scope specifically refers to an object limited by the security policy, and may be, for example, an IP, an application program, or the like. The embodiment of the invention does not limit the specific way of detecting whether the newly added application range of the newly added security policy is overlapped with the existing application range of the security policy in the local policy library, which is related to the object of the specific limitation of the newly added security policy. For example, when the type of the newly added security policy is an IP type, that is, the newly added security policy specifically limits the IP, the application range configured by the policy is specifically an IP range, for example, a certain security policy can specifically protect all IPs ranging from 13.1.1.1 to 13.1.1.3. 
Furthermore, for an IP type newly added security policy, the redundancy detection method may be: extracting the target security policies of IP type from the local policy library and judging whether the existing IP range of any target security policy overlaps with the newly added IP range of the newly added security policy. For example, if the IP range protected by the target security policy is 13.1.1.1 to 13.1.1.3 and the IP range protected by the newly added security policy is 13.1.1.1 to 13.1.1.2, the protection ranges of the two policies obviously overlap; for another example, if the IP range protected by the target security policy is 13.1.1.1 to 13.1.1.3 and the IP range protected by the newly added security policy is 13.1.1.4 to 13.1.1.6, there is no overlap between the protection ranges of the two policies.
In a possible case, when the type of the newly added security policy is an IP type, detecting whether an added application range of the newly added security policy overlaps with an existing application range of a security policy in the local policy repository, includes:
step 11: extracting a target security policy with the type of IP from a local policy library;
step 12: judging whether the existing IP range corresponding to the target security policy is overlapped with the newly added IP range corresponding to the newly added security policy or not; if yes, go to step 13; if not, entering step 14;
step 13: generating a first detection result representing the overlap;
step 14: first detection results are generated indicating non-overlap.
Of course, before performing redundancy detection on the newly added IP range of the newly added security policy, format check may also be performed on the IP range information corresponding to the newly added IP range, so as to avoid interference of the format problem of the IP range information on the redundancy detection. Specifically, it may be detected whether the IP filled in the IP range information conforms to a preset IP format rule, and whether a boundary value in the IP range information conforms to the preset IP range format rule (for example, a start IP in the range should be smaller than an end IP), and redundancy detection may be performed only when the format of the IP range information is determined to be correct.
In a possible case, before determining whether there is a situation in the target security policy that an existing IP range corresponding to the target security policy overlaps with a newly added IP range corresponding to the newly added security policy, the method may further include:
step 21: judging whether the IP range information configured by the newly added security policy conforms to a preset rule or not; the preset rule comprises whether the IP in the IP range information conforms to a preset IP format rule or not and whether the boundary value in the IP range information conforms to the preset IP range format rule or not; if yes, go to step 22; if not, go to step 23;
step 22: entering the step of judging whether the existing IP range corresponding to the target security policy overlaps with the newly added IP range corresponding to the newly added security policy;
step 23: judging that the IP range information has an error.
It should be noted that, the embodiment of the present invention does not limit the specific preset IP format rule and the preset IP range format rule, and can be set according to the actual application requirement.
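The following is an added example, not code from the patent or its assignee, of steps 21 to 23 (format check of the IP range information) followed by steps 11 to 14 (overlap detection against the local policy library). The preset rules it applies are the two named in the text: both boundaries must parse as IPv4 addresses, and the start IP must not be greater than the end IP. The policy record layout, policy names and the 10.0.0.x library entry are assumptions; the 13.1.1.x ranges are the patent's own example.

```python
"""Added example (not from the patent): format check and overlap detection
for IP-type security policies, as in steps 11-14 and 21-23.
Policy record layout and policy names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpPolicy:
    name: str
    start: str   # start of the protected IPv4 range, inclusive
    end: str     # end of the protected IPv4 range, inclusive


def check_ip_range_format(policy: IpPolicy) -> Optional[str]:
    """Step 21: return None if the IP range information conforms to the preset
    rules, otherwise a string describing the error (step 23).
    Rule 1 (IP format): both boundaries must be valid IPv4 addresses.
    Rule 2 (range format): the start IP must not be greater than the end IP."""
    try:
        start = ipaddress.IPv4Address(policy.start)
        end = ipaddress.IPv4Address(policy.end)
    except ipaddress.AddressValueError as exc:
        return f"malformed IP in range information: {exc}"
    if start > end:
        return f"start IP {start} is greater than end IP {end}"
    return None


def ranges_overlap(a: IpPolicy, b: IpPolicy) -> bool:
    """Two inclusive ranges overlap unless one ends before the other starts."""
    a0, a1 = ipaddress.IPv4Address(a.start), ipaddress.IPv4Address(a.end)
    b0, b1 = ipaddress.IPv4Address(b.start), ipaddress.IPv4Address(b.end)
    return not (a1 < b0 or b1 < a0)


def first_detection(new: IpPolicy, library: list) -> dict:
    """Steps 21-23, then 11-14: returns the first detection result.
    Only well-formed ranges reach the overlap check, so a malformed range
    cannot be mistaken for a non-overlapping one."""
    err = check_ip_range_format(new)
    if err is not None:
        return {"result": "format_error", "detail": err}
    overlapping = [p.name for p in library if ranges_overlap(new, p)]
    if overlapping:
        return {"result": "overlap", "overlaps_with": overlapping}   # step 13
    return {"result": "no_overlap", "overlaps_with": []}             # step 14


# Constructed local policy library: the 13.1.1.1-13.1.1.3 range is the
# patent's own example; the policy names and the second entry are invented.
LOCAL_POLICY_LIBRARY = [
    IpPolicy("blacklist-01", "13.1.1.1", "13.1.1.3"),
    IpPolicy("blacklist-02", "10.0.0.1", "10.0.0.254"),
]

if __name__ == "__main__":
    candidates = [
        IpPolicy("new-a", "13.1.1.1", "13.1.1.2"),   # overlaps blacklist-01
        IpPolicy("new-b", "13.1.1.4", "13.1.1.6"),   # no overlap
        IpPolicy("new-c", "13.1.1.9", "13.1.1.4"),   # start > end: format error
        IpPolicy("new-d", "13.1.1", "13.1.1.2"),     # missing octet: format error
    ]
    for cand in candidates:
        print(cand.name, first_detection(cand, LOCAL_POLICY_LIBRARY))
```

The overlap test deliberately compares the new range against every IP-type policy in the library rather than stopping at the first hit, so the detection result names all conflicting policies and the operator can see the full extent of the redundancy in one pass.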
For another example, when the type of the newly added security policy is an application restricted list type, the object restricted by the policy is an application program. Therefore, whether the newly added security policy is redundant can be determined simply by checking whether the application program corresponding to the newly added security policy already corresponds to another security policy in the local policy library.
In a possible case, when the type of the newly added security policy is an application restricted list type, detecting whether an added application scope of the newly added security policy overlaps with an existing application scope of the security policy in the local policy repository may include:
step 31: extracting a target security policy of which the type is an application program restricted list type from a local policy library;
step 32: judging whether the situation that the application program corresponding to the target security policy is overlapped with the application program corresponding to the newly added security policy exists in the target security policy; if yes, go to step 33; if not, go to step 34;
step 33: generating a first detection result representing the overlap;
step 34: first detection results are generated indicating non-overlap.
Of course, before performing redundancy detection on the application program of the newly added security policy, a format check may also be performed on the name of that application program, so as to avoid a format problem in the application program name interfering with the redundancy detection.
In a possible case, before determining whether there is an overlapping situation between the application program corresponding to the target security policy and the application program corresponding to the newly added security policy, the method may further include:
step 41: judging whether the application program name configured by the newly added security policy meets a preset rule or not; if yes, go to step 42; if not, go to step 43;
step 42: entering the step of judging whether the application program corresponding to the target security policy overlaps with the application program corresponding to the newly added security policy;
step 43: judging that the application program name has an error.
It should be noted that, the embodiment of the present invention does not limit the specific preset rule, and can be selected according to the actual application requirement.
S102, judging whether the first detection result is that the newly added application range is not overlapped with each existing application range; if yes, go to step S103; if not, the process proceeds to step S106.
S103, when the first detection result is that the newly added application range is not overlapped with each existing application range, configuring the newly added security policy to the security device, detecting whether the security device returns response information representing successful configuration, and generating a second detection result.
When it is determined that the newly added security policy does not overlap with any existing security policy in the local policy library, the policy may be deployed to the corresponding security device, where the security device is the device that actually executes each security policy. However, deployment to the security device may fail, in which case the newly added security policy cannot take effect, and such a failed policy also aggravates the redundancy situation; the embodiment of the present invention therefore further determines the deployment status of the newly added security policy. Specifically, after the newly added security policy is deployed to the security device, it is detected whether the device returns response information indicating successful configuration. If so, the configuration is determined to be successful; otherwise the security device is abnormal, the newly added security policy could not be configured, and the policy is determined to be redundant. It should be noted that the embodiment of the present invention does not limit the specific form of the response information, which may be set according to the actual application requirements.
S104, judging whether the second detection result is that the security device has returned the response information; if yes, go to step S105; if not, the process proceeds to step S106.
S105, when the second detection result is that the security device has returned the response information, exiting the detection.
it can be understood that, when the newly added security policy does not overlap with the existing security policy in the local policy repository and can be correctly deployed to the security device, the policy does not have any redundancy condition, and the redundancy detection of the policy can be exited.
S106, judging that the newly added security policy is abnormal when either the first detection result or the second detection result is abnormal.
It can be understood that when the newly added security policy overlaps with the existing security policy in the local policy repository, or cannot be correctly deployed to the security device, the policy has redundancy. At this time, in order to facilitate the network security personnel to adjust the policy in time, a corresponding mark may be added to the policy, for example, a mark representing that the policy overlaps with other security policies or a mark representing that the policy cannot be configured to the security device may be added. In addition, other security policies with the same marks in the local policy library can be further unified, a result list is formed and output, and therefore network security personnel can process the results in batches.
In a possible case, after determining that the new security policy is abnormal, the method may further include:
step 51: adding a corresponding mark to the newly added security policy according to the type of the abnormal result, and adding the marked newly added security policy to the local policy library;
step 52: writing the marked security policies in the local policy library into a result list, and outputting the result list.
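As an added example, not code from the patent or its assignee, the flow S101 to S106 above is carried through end to end for policies of the application restricted list type, including the name format check (steps 41 to 43), the overlap check (steps 31 to 34), the deployment to a security device with its response check (S103, S104) and the marking and result list (steps 51, 52). The security device is simulated by a class that returns no response for application names it cannot accept; that interface, the regular expression used as the preset name rule, the mark names and the policy records are all assumptions.

```python
"""Added example (not from the patent): the S101-S106 flow for policies of the
application restricted list type, with a simulated security device.
The device interface, the name rule, the mark names and the policy records
are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed preset rule for application program names (step 41): a leading
# alphanumeric, then up to 63 characters from a conservative set.
APP_NAME_RULE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


@dataclass
class AppPolicy:
    name: str
    app: str                     # application program restricted by the policy
    mark: Optional[str] = None   # None, "overlap" or "deploy_failed" (assumed names)


class SecurityDevice:
    """Simulated security device: configuration succeeds (and a response is
    returned) unless the application name is in its reject set."""

    def __init__(self, rejects):
        self.rejects = set(rejects)
        self.configured = []

    def configure(self, policy: AppPolicy) -> Optional[dict]:
        if policy.app in self.rejects:
            return None          # no response: the policy did not take effect
        self.configured.append(policy.name)
        return {"status": "ok", "policy": policy.name}


def detect_abnormal_policy(new: AppPolicy, library: list,
                           device: SecurityDevice) -> str:
    """Runs S101-S106 for one newly added policy. Returns "normal",
    "format_error", "overlap" or "deploy_failed"; abnormal policies are
    marked and added to the library (step 51) so they appear in the result list."""
    # Steps 41-43: name format check before the overlap check.
    if not APP_NAME_RULE.match(new.app):
        return "format_error"
    # S101 / steps 31-34: first detection result. Overlap means the same
    # application program is already restricted by a policy in the library.
    if any(p.app == new.app for p in library):
        new.mark = "overlap"
        library.append(new)                           # step 51
        return "overlap"                              # S106
    # S103 / S104: configure to the device and check for its response.
    if device.configure(new) is None:
        new.mark = "deploy_failed"
        library.append(new)                           # step 51
        return "deploy_failed"                        # S106
    library.append(new)
    return "normal"                                   # S105: exit detection


def result_list(library: list) -> list:
    """Step 52: every marked policy in the library, as (name, mark) pairs,
    so that security personnel can handle them in one batch."""
    return [(p.name, p.mark) for p in library if p.mark is not None]


if __name__ == "__main__":
    # Constructed library and device: one existing policy, a device that
    # refuses to configure anything restricting "ftp".
    lib = [AppPolicy("deny-telnet", "telnet")]
    dev = SecurityDevice(rejects={"ftp"})
    for cand in (AppPolicy("new-1", "telnet"), AppPolicy("new-2", "ftp"),
                 AppPolicy("new-3", "ssh"), AppPolicy("new-4", "bad name!")):
        print(cand.name, detect_abnormal_policy(cand, lib, dev))
    print("result list:", result_list(lib))
```

Keeping the two abnormal outcomes as distinct marks matters for the operator: an overlap mark means the policy should be deleted or merged, whereas a deployment-failure mark means the device itself needs attention and the policy should be redeployed afterwards, as the text above distinguishes.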
Based on the above embodiment, when a newly added security policy is acquired, the present invention first detects whether the application range of that policy overlaps with the existing application range of any security policy in the local policy library. If it overlaps, the newly added security policy is redundant and should be deleted or adjusted. If it does not overlap, the method further configures the newly added security policy to the security device and judges whether the security device returns response information indicating successful configuration; if that information is not returned, the newly added security policy cannot be configured to the security device, that is, it has not taken effect, and it should be redeployed or the fault repaired. In other words, the invention performs redundancy detection on the newly added security policy at the moment it is received, so that the relevant security personnel can adjust it in time and policy redundancy is avoided.
The following introduces an abnormal security policy detection apparatus, an electronic device, and a storage medium according to embodiments of the present invention, and the abnormal security policy detection apparatus, the electronic device, and the storage medium described below may be referred to in correspondence with the abnormal security policy detection method described above.
Referring to fig. 2, fig. 2 is a block diagram of an abnormal security policy detection apparatus according to an embodiment of the present invention, where the apparatus may include:
a first detection module 201, configured to receive a new security policy, and detect whether an application range of the new security policy overlaps with an existing application range of a security policy in a local policy repository, to generate a first detection result;
the second detection module 202 is configured to, when it is determined that the first detection result is that the newly added application range does not overlap with each existing application range, configure the newly added security policy to the security device, and detect whether the security device returns response information indicating successful configuration, so as to generate a second detection result;
the exit module 203, configured to exit the detection when the second detection result is that the security device has returned the response information;
the determining module 204 is configured to determine that the newly added security policy is abnormal when an abnormal result exists in the first detection result and the second detection result.
Optionally, the first detecting module 201 may include:
a receiving submodule, used for receiving a newly added security policy issued by a superior device and/or receiving a locally input newly added security policy.
Optionally, when the type of the newly added security policy is an IP type, the first detecting module 201 may include:
a first extraction submodule, configured to extract, from the local policy library, a target security policy whose type is the IP type;
a first judgment submodule, configured to judge whether the existing IP range corresponding to the target security policy overlaps with the newly added IP range corresponding to the newly added security policy;
a first result generation submodule, configured to generate a first detection result indicating overlap if the judgment is yes;
and a second result generation submodule, configured to generate a first detection result indicating no overlap if the judgment is no.
Optionally, the first detecting module 201 may further include:
a first format checking submodule, configured to judge, before the judgment of whether the existing IP range corresponding to the target security policy overlaps with the newly added IP range corresponding to the newly added security policy, whether the IP range information configured by the newly added security policy conforms to a preset rule; the preset rule comprises whether each IP in the IP range information conforms to a preset IP format rule and whether the boundary values in the IP range information conform to a preset IP range format rule;
and the first extraction submodule is further configured to proceed to the step of judging whether the existing IP range corresponding to the target security policy overlaps with the newly added IP range corresponding to the newly added security policy if the IP range information conforms to the preset rule.
Optionally, when the type of the newly added security policy is an application restricted list type, the first detecting module 201 may include:
a second extraction submodule, configured to extract, from the local policy library, a target security policy whose type is the application restricted list type;
a second judgment submodule, configured to judge whether any application corresponding to the target security policy overlaps with an application corresponding to the newly added security policy;
a third result generation submodule, configured to generate a first detection result indicating overlap if the judgment is yes;
and a fourth result generation submodule, configured to generate a first detection result indicating no overlap if the judgment is no.
Optionally, the first detecting module 201 may further include:
a second format checking submodule, configured to judge, before the judgment of whether any application corresponding to the target security policy overlaps with an application corresponding to the newly added security policy, whether the application name configured by the newly added security policy conforms to a preset rule;
and the second extraction submodule is further configured to proceed to the step of judging whether any application corresponding to the target security policy overlaps with an application corresponding to the newly added security policy if the application name conforms to the preset rule.
Optionally, the apparatus may further include:
the marking module is used for adding a corresponding mark to the newly added security policy according to the type of the abnormal result and adding the newly added security policy added with the mark to the local policy library;
and the list generation module is used for writing the security policy added with the mark in the local policy library into a result list and outputting the result list.
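As an added illustration of the module pipeline described above and of the method steps in the claims (first detection with the IP-type and application-restricted-list checks, second detection against the security device, marking and result list), not code from the patent: a Python model in which `configure` is an assumed stand-in for pushing the policy to the security device, and a failed preset-rule check is treated as an abnormal first result (an assumption; the text only states that a passing check proceeds to the overlap test).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    ptype: str          # "ip" (an IP range) or "app" (application restricted list)
    scope: tuple        # ("start", "end") for ip; tuple of application names for app
    marks: list = field(default_factory=list)

def ip_bounds(scope):
    """Preset IP rule: both boundaries parse as IPv4 and start <= end, else None."""
    try:
        lo, hi = (ipaddress.IPv4Address(b) for b in scope)
    except (ValueError, TypeError):
        return None
    return (lo, hi) if lo <= hi else None

def first_detect(new, repo):
    """First detection result: 'overlap', 'no_overlap' or 'format_error'
    (format_error is assumed abnormal; the patent does not say what follows a failed check)."""
    targets = [p for p in repo if p.ptype == new.ptype]   # same-type target policies
    if new.ptype == "ip":
        bounds = ip_bounds(new.scope)
        if bounds is None:
            return "format_error"
        lo, hi = bounds
        for p in targets:
            pb = ip_bounds(p.scope)
            if pb and lo <= pb[1] and pb[0] <= hi:          # closed intervals intersect
                return "overlap"
        return "no_overlap"
    if new.ptype == "app":
        if not new.scope or not all(isinstance(a, str) and a.strip() for a in new.scope):
            return "format_error"                           # application name rule
        for p in targets:
            if set(p.scope) & set(new.scope):
                return "overlap"
        return "no_overlap"
    return "format_error"

def detect(new, repo, configure):
    """Run the pipeline; `configure` (assumed) pushes the policy to the security
    device and returns True when the device answers with a success response."""
    r1 = first_detect(new, repo)
    r2 = None
    if r1 == "no_overlap":
        r2 = "configured" if configure(new) else "no_response"
        if r2 == "configured":                              # exit module: nothing abnormal
            return {"abnormal": False, "first": r1, "second": r2}
    # Abnormal: mark the policy by result type and store it in the local library
    new.marks.append(r1 if r1 != "no_overlap" else r2)
    repo.append(new)
    return {"abnormal": True, "first": r1, "second": r2}

def result_list(repo):
    """Result list of every marked policy in the library (list generation module)."""
    return [(p.name, list(p.marks)) for p in repo if p.marks]
```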
An embodiment of the present invention further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the above-mentioned abnormal security policy detection method when executing the computer program.
Since the embodiment of the electronic device portion corresponds to the embodiment of the abnormal security policy detection method portion, please refer to the description of the embodiment of the abnormal security policy detection method portion for the embodiment of the electronic device portion, which is not repeated here.
The embodiment of the present invention further provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the abnormal security policy detection method according to any of the above embodiments are implemented.
Since the embodiment of the storage medium portion corresponds to the embodiment of the abnormal security policy detection method portion, please refer to the description of the embodiment of the abnormal security policy detection method portion for the embodiment of the storage medium portion, which is not repeated here.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing describes a method, an apparatus, an electronic device, and a storage medium for detecting an abnormal security policy provided by the present invention in detail. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. An abnormal security policy detection method, comprising:
receiving a newly added security policy, detecting whether the newly added application range of the newly added security policy is overlapped with the existing application range of the security policy in a local policy library, and generating a first detection result;
when the first detection result is that the newly added application range is not overlapped with each existing application range, configuring the newly added security policy to security equipment, detecting whether the security equipment returns response information representing successful configuration, and generating a second detection result;
when the second detection result is that the safety equipment returns the response information, exiting the detection;
and when the first detection result and the second detection result have abnormal results, judging that the newly added security policy has abnormality.
2. The abnormal security policy detection method of claim 1, wherein the receiving a new security policy comprises:
and receiving a newly added security policy issued by the superior device and/or receiving a locally input newly added security policy.
3. The abnormal security policy detection method of claim 1, wherein when the type of the newly added security policy is an IP type, the detecting whether the newly added application range of the newly added security policy overlaps with an existing application range of a security policy in a local policy repository comprises:
extracting a target security policy of which the type is the IP type from the local policy library;
judging whether the existing IP range corresponding to the target security policy is overlapped with the newly added IP range corresponding to the newly added security policy or not;
if yes, generating a first detection result representing the overlapping;
if not, generating a first detection result indicating non-overlapping.
4. The abnormal security policy detection method according to claim 3, further comprising, before determining whether there is an overlap between an existing IP range corresponding to the target security policy and a newly added IP range corresponding to the newly added security policy, the following:
judging whether the IP range information configured by the newly added security policy conforms to a preset rule or not; the preset rule comprises whether the IP in the IP range information conforms to a preset IP format rule or not and whether the boundary value in the IP range information conforms to the preset IP range format rule or not;
if yes, the step of judging whether the existing IP range corresponding to the target security policy is overlapped with the newly added IP range corresponding to the newly added security policy exists or not is carried out.
5. The abnormal security policy detection method of claim 1, wherein when the type of the newly added security policy is an application restricted list type, the detecting whether the newly added application scope of the newly added security policy overlaps with an existing application scope of a security policy in a local policy repository comprises:
extracting a target security policy of which the type is the application program restricted list type from the local policy library;
judging whether the situation that the application program corresponding to the target security policy is overlapped with the application program corresponding to the newly added security policy exists in the target security policy;
if yes, generating a first detection result representing the overlapping;
if not, generating a first detection result indicating non-overlapping.
6. The abnormal security policy detection method according to claim 3, before determining whether there is an overlap between the application corresponding to the target security policy and the application corresponding to the newly added security policy, further comprising:
judging whether the application program name configured by the newly added security policy meets a preset rule or not;
if so, the step of judging whether the application program corresponding to the target security policy is overlapped with the application program corresponding to the newly added security policy exists or not is carried out.
7. The abnormal security policy detection method according to any one of claims 1 to 6, further comprising, after determining that there is an abnormality in the newly added security policy:
adding a corresponding mark for the newly added security policy according to the type of the abnormal result, and adding the newly added security policy added with the mark to the local policy library;
and writing the security policy added with the mark in the local policy library into a result list, and outputting the result list.
8. An abnormal security policy detection apparatus, comprising:
the first detection module is used for receiving the newly added security policy, detecting whether the newly added application range of the newly added security policy is overlapped with the existing application range of the security policy in the local policy library or not, and generating a first detection result;
a second detection module, configured to configure the newly added security policy to a security device when it is determined that the first detection result is that the newly added application range is not overlapped with each existing application range, and detect whether the security device returns response information indicating successful configuration, so as to generate a second detection result;
the exit module is used for exiting detection when the second detection result indicates that the safety equipment returns the response information;
and the judging module is used for judging that the newly added security policy is abnormal when the abnormal result exists in the first detection result and the second detection result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the abnormal security policy detection method of any one of claims 1 to 7 when said computer program is executed.
10. A storage medium, characterized in that the storage medium has stored thereon a computer program which, when executed by a processor, carries out the steps of the abnormal security policy detection method as claimed in any one of claims 1 to 7.
CN202211465635.XA 2022-11-22 2022-11-22 Abnormal security policy detection method and device, electronic equipment and storage medium Pending CN115834193A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211465635.XA CN115834193A (en) 2022-11-22 2022-11-22 Abnormal security policy detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115834193A true CN115834193A (en) 2023-03-21

Family

ID=85530171

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination