CN116346460A - Network security operation method, device, computing equipment and storage medium - Google Patents
- Publication number
- CN116346460A (application CN202310307990.2A)
- Authority
- CN
- China
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/04—Inference or reasoning models
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The present invention relates to the field of network security technologies, and in particular, to a network security operation method, device, computing device, and storage medium. The method comprises the following steps: when an instruction for executing the target activity is received, determining at least one target case, and configuring at least one script for each target case; determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from a database; based on each scenario configured by the current target case, the knowledge reasoning data are sequentially processed according to the stage sequence by utilizing a plurality of target nodes APP of the current scenario. The scheme can improve the automation capability of network security operation and the real-time performance and accuracy of detecting the network threat.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a network security operation method, a device, computing equipment and a storage medium.
Background
In the traditional network security operation method, security experts mostly monitor data such as the logs and traffic of each host in an enterprise by hand; after reasoning out security knowledge data, they manually analyze whether that data is abnormal according to the security processing flow, and when analyzing an alarm event they manually execute the corresponding response flow for each kind of alarm event.
As can be seen, with the continuous development of cyber-space attack technologies, it has been difficult for the conventional cyber-security operation method to meet the real-time, accuracy and automation requirements of enterprises on cyber-threat detection.
Therefore, a new network security operation method is needed.
Disclosure of Invention
In order to solve the problem that the traditional network security operation method is difficult to meet the real-time, accuracy and automation requirements of enterprises on network threat detection, the embodiment of the invention provides a network security operation method, a device, computing equipment and a storage medium.
In a first aspect, an embodiment of the present invention provides a network security operation method, including:
Writing a plurality of node APP based on each activity; the node APP is used for executing the data processing step of the node;
acquiring a database for storing knowledge reasoning results of the network data of each host computer so as to establish a corresponding relation between each case and a storage position in the database;
when an instruction for executing the target activity is received, determining at least one target case, and configuring at least one script for each target case;
determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; each stage at least corresponds to one target node APP;
for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from the database;
and based on each scenario configured by the current target case, utilizing a plurality of target nodes APP of the current scenario to sequentially process the knowledge reasoning data according to the stage sequence.
In a second aspect, an embodiment of the present invention further provides a network security operation device, including:
A writing unit for writing a plurality of node APP based on each activity; the node APP is used for executing the data processing step of the node;
the establishing unit is used for acquiring a database for storing knowledge reasoning results of the network data of each host computer so as to establish a corresponding relation between each case and a storage position in the database;
the determining unit is used for determining at least one target case and configuring at least one script for each target case when receiving an instruction for executing the target activity;
the generation unit is used for determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; each stage at least corresponds to one target node APP;
an acquisition unit configured to perform, for each target case: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from the database;
the processing unit is used for sequentially carrying out data processing on the knowledge reasoning data according to the stage sequence by utilizing a plurality of target nodes APP of the current scenario based on each scenario configured by the current target case.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method according to any embodiment of the present specification when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
The embodiment of the invention provides a network security operation method, a network security operation device, a network security computing device and a network security storage medium, wherein a plurality of node APP are written based on each activity; then, a database for storing knowledge reasoning results of the network data of each host is obtained, so that a corresponding relation between each case and a storage position in the database is established; when an instruction for executing the target activity is received, determining at least one target case, and configuring at least one script for each target case; next, determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; then, for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from a database; and finally, based on each scenario configured by the current target case, utilizing a plurality of target nodes APP of the current scenario to sequentially process the knowledge reasoning data according to the stage sequence. Therefore, the method and the device can greatly improve the automation capacity of network security operation, and can effectively meet the real-time performance and accuracy of network threat detection of enterprises.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network security operation method according to an embodiment of the present invention;
FIG. 2 is a diagram of an overall architecture of a network security operation method according to an embodiment of the present invention;
FIG. 3 is a hardware architecture diagram of an electronic device according to an embodiment of the present invention;
FIG. 4 is a block diagram of a network security operation device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
As mentioned above, in the conventional network security operation method, most security experts manually monitor data such as logs and flow of each host in an enterprise, and after reasoning out security knowledge data, the security experts manually analyze whether the security knowledge data has an abnormality according to a security processing flow, and when analyzing an alarm event, manually execute a corresponding response flow according to different alarm events. Therefore, the traditional network security operation method is mostly manually processed, so that the real-time performance and accuracy of detecting the network threat are naturally lower.
To solve these technical problems, the inventor considered security operation capabilities such as complex information identification, vulnerability identification and automatic response, and used custom node APPs to freely arrange and respond to functions visually, so as to improve the automation capability of network security operation. When each target case is executed, the knowledge reasoning data of the current target case can be fetched from a database, and, based on each scenario configured for the current target case, that data is processed sequentially in stage order by a plurality of target node APPs of the current scenario. Compared with the traditional network security operation method of manual detection, analysis and response, this scheme can improve the real-time performance and accuracy of network threat detection.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a network security operation method, which includes:
step 100: writing a plurality of node APP based on each activity; the node APP is used for executing the data processing step of the node;
step 102: acquiring a database for storing knowledge reasoning results of the network data of each host computer so as to establish a corresponding relation between each case and a storage position in the database;
step 104: when an instruction for executing the target activity is received, determining at least one target case, and configuring at least one script for each target case;
step 106: determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; each stage at least corresponds to one target node APP;
step 108: for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from a database;
step 110: based on each scenario configured by the current target case, a plurality of target nodes APP of the current scenario are utilized to sequentially process the knowledge reasoning data according to the stage sequence.
In the embodiment of the invention, firstly, a plurality of node APP are written based on each activity; then, a database for storing knowledge reasoning results of the network data of each host is obtained, so that a corresponding relation between each case and a storage position in the database is established; when an instruction for executing the target activity is received, determining at least one target case, and configuring at least one script for each target case; next, determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; then, for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from a database; and finally, based on each scenario configured by the current target case, utilizing a plurality of target nodes APP of the current scenario to sequentially process the knowledge reasoning data according to the stage sequence. Therefore, the method and the device can greatly improve the automation capacity of network security operation, and can effectively meet the real-time performance and accuracy of network threat detection of enterprises.
The manner in which the individual steps shown in fig. 1 are performed is described below.
For step 100:
as shown in fig. 2, the application market contains a plurality of node APPs (not all of which are shown), and each node APP executes its defined data processing steps. For example, an external system APP determines which alarm information in the input target data needs to be sent to an external processing department, and sends that alarm information to the corresponding external person or department according to a preset response mode; the triage APP aggregates the alarm information in the input target data and computes its credibility, sets a priority based on that result, and can also investigate alarms in order to reject false alarms.
It should be noted that, in the embodiment of the present invention, the activities include a regular activity, a protection activity and a re-protection activity. Node APPs can be written and built in beforehand based on each activity, and when the built-in APPs cannot meet the needs of certain special scenarios, a node APP can be written according to the system rules with customized processing logic.
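The node APP chain of steps 100 to 110, as an added example in Python (not the patent's own code): the application market holds two constructed node APPs, a triage APP and an external system APP as described above, a scenario runs them in the fixed stage order, and a case is resolved to its storage position in a constructed in-memory database. The credibility formula, thresholds and sample alarms are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Stage order taken from the description: start -> automatic -> manual -> end.
STAGE_ORDER = ["start", "automatic", "manual", "end"]


@dataclass
class Alarm:
    """One item of knowledge reasoning data flowing through a scenario."""
    host: str
    department: str
    threat_type: str        # e.g. "intelligence", "vulnerability", "hacking"
    confidence: float       # 0..1, as produced by the reasoning engine
    count: int = 1          # number of raw alarms aggregated into this one
    priority: int = 0       # set by the triage APP
    external: bool = False  # set by the external system APP


def triage_app(alarms: List[Alarm]) -> List[Alarm]:
    """Triage APP: aggregate alarms per (host, threat type), compute a
    credibility score, drop false alarms, and assign a priority."""
    merged: Dict[tuple, Alarm] = {}
    for a in alarms:
        key = (a.host, a.threat_type)
        if key in merged:
            merged[key].count += a.count
            merged[key].confidence = max(merged[key].confidence, a.confidence)
        else:
            merged[key] = Alarm(**vars(a))
    kept = []
    for a in merged.values():
        # Constructed credibility formula: repeated alarms raise confidence a little.
        credibility = min(1.0, a.confidence * (1 + 0.1 * (a.count - 1)))
        if credibility < 0.5:
            continue  # rejected as a false alarm
        a.priority = 3 if credibility >= 0.9 else 2 if credibility >= 0.7 else 1
        kept.append(a)
    return kept


def external_system_app(alarms: List[Alarm]) -> List[Alarm]:
    """External system APP: decide which alarms a preset response mode hands
    to an external department (here: hacking alarms with priority >= 2)."""
    for a in alarms:
        a.external = a.threat_type == "hacking" and a.priority >= 2
    return alarms


# The "application market": node APP name -> callable (constructed set).
APP_MARKET: Dict[str, Callable[[List[Alarm]], List[Alarm]]] = {
    "triage": triage_app,
    "external_system": external_system_app,
}


@dataclass
class Scenario:
    """Scenario: stage name -> ordered node APP names used in that stage."""
    stages: Dict[str, List[str]]

    def run(self, data: List[Alarm]) -> List[Alarm]:
        # Node APPs are chained in series in the predetermined stage order.
        for stage in STAGE_ORDER:
            for app_name in self.stages.get(stage, []):
                data = APP_MARKET[app_name](data)
        return data


# Database of knowledge reasoning data keyed by storage position, and the
# case -> storage position correspondence (constructed sample content).
DATABASE: Dict[str, List[Alarm]] = {
    "finance": [
        Alarm("fin-pc-01", "finance", "hacking", 0.80),
        Alarm("fin-pc-01", "finance", "hacking", 0.85),
        Alarm("fin-pc-02", "finance", "vulnerability", 0.30),
        Alarm("fin-srv-01", "finance", "intelligence", 0.95),
    ]
}
CASE_TO_POSITION = {"threat detection of finance department": "finance"}
FINANCE_SCENARIO = Scenario(stages={"automatic": ["triage", "external_system"]})


def run_case(case: str, scenarios: List[Scenario]) -> List[Alarm]:
    """Steps 108-110: fetch the case's data via the correspondence, then run
    every scenario configured for the case over a copy of that data."""
    data = DATABASE[CASE_TO_POSITION[case]]
    results: List[Alarm] = []
    for scenario in scenarios:
        results.extend(scenario.run([Alarm(**vars(a)) for a in data]))
    return results


if __name__ == "__main__":
    for alarm in run_case("threat detection of finance department", [FINANCE_SCENARIO]):
        print(alarm)
```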
For step 102:
in the embodiment of the invention, the data such as the log, the flow and the like of each host in the target enterprise are converted into the knowledge graph for storage, and then the knowledge graph is utilized to carry out knowledge reasoning on the network data of each host in the target enterprise, so that the knowledge data is deduced. The knowledge data are data that may have a threat, and in step 104-step 110, the knowledge data may be subjected to data processing according to the stage in the scenario, so as to identify the type of threat data in the knowledge data, for example, the type of threat information, vulnerability, hacking, etc., and then automatically respond according to the stage in the scenario according to the identification result.
The manner of generating the knowledge reasoning result in step 102 will be described below.
In some embodiments, the generation mode of the knowledge reasoning result may include the following steps S1-S5:
step S1: acquiring external known data and network data of each host computer in real time; wherein the network data includes log data and traffic data;
step S2: modeling the data structure of the ontology based on network data and a pre-acquired professional knowledge base to obtain a knowledge model; the data structure comprises names, attributes and association relations of the ontology;
step S3: based on the professional knowledge base and the knowledge model, carrying out knowledge extraction on the knowledge entity, the attribute and the association relation of the network data to generate a plurality of target knowledge;
step S4: generating a knowledge graph based on the target knowledge, and storing the knowledge graph and external known data into a database;
step S5: and determining analysis rules based on the external known data so as to carry out knowledge reasoning on the target knowledge based on the analysis rules, thereby obtaining a knowledge reasoning result.
In this embodiment, by generating a knowledge graph from the network data of each host, the context of threat event analysis can be effectively expanded by using the association relationship between each entity in the knowledge graph, and further effective detection, comprehensive tracing and accurate prediction of threat events can be realized.
The manner in which the individual steps are performed is described below.
For step S1:
in the present embodiment, the external known data includes: consultation data from ChatGPT, knowledge data from ATT&CK sites, and feature data labelled by experts.
In this embodiment, the network security of each host in the enterprise needs to be predicted, so the log data and traffic data of each host in the enterprise need to be obtained. In order to perform knowledge reasoning on the network data of each host with an ATT&CK engine, an NLP reasoning engine and other machine learning engines, the consultation data from ChatGPT, the knowledge data from ATT&CK sites and the expert-labelled feature data are fetched at fixed times and serve as external known data, which the ATT&CK engine, the NLP reasoning engine and the other machine learning engines use as basic data for determining analysis rules and performing knowledge reasoning.
For step S2:
in this embodiment, in order to build a knowledge graph of correlation between network data of each type, and improve the detection, tracing and prediction capabilities of network security, knowledge modeling and knowledge extraction are required to be performed on unstructured data and semi-structured data in the network data.
Knowledge modeling mainly refers to modeling of names, attributes and association relations of ontologies of various data types, including modeling of fields and ranges of ontologies, ontological classes and class structures, ontological attributes, ontological attribute relations and relations among ontologies.
For step S3:
in this embodiment, knowledge extraction of the knowledge entities, attributes and association relationships of network data may be implemented in at least three ways:
Mode one: knowledge extraction based on the knowledge extraction template and the professional knowledge base.
Mode two: knowledge extraction based on a deep learning model for network security.
Mode three: knowledge extraction based on the knowledge extraction template and the professional knowledge base, and knowledge extraction based on the network security deep learning model, after which the extraction results of the two modes are compared and summarized into the final knowledge extraction result.
The three modes are described below.
First, mode one will be described.
In this mode one, step S3 may include:
acquiring a knowledge extraction template containing each knowledge entity, attribute and association relation;
for each network data, performing:
based on the knowledge extraction template, carrying out knowledge extraction on the knowledge entity, attribute and association relation of the current network data;
when the knowledge entity cannot be identified, carrying out knowledge extraction on the knowledge entity, the attribute and the association relation of the current network data based on the professional knowledge base;
And converting the extracted knowledge into target knowledge based on the data structure of the ontology in the knowledge model.
In this embodiment, firstly, a knowledge extraction template set by an expert is obtained, for each network data, the knowledge extraction template is used for extracting knowledge, and when the knowledge extraction template does not contain knowledge entities or features in the current network data, a professional knowledge base is used for extracting knowledge of the knowledge entities, attributes and association relations of the current network data; if the expert knowledge base does not contain the knowledge entity or the feature in the current network data, an expert is required to extract the knowledge of the current network data, and the knowledge extraction result is supplemented to the knowledge extraction template and the expert knowledge base so as to update the knowledge extraction template and the expert knowledge base. And then, according to the data structure of the ontology in the knowledge model, converting the extracted knowledge to the corresponding position in the ontology data structure to generate target knowledge.
This completes mode one; mode two is described below.
In the second mode, step S3 may include:
inputting each network data into a deep learning model trained on the basis of network security data in advance so as to classify and identify knowledge entities, attributes and association relations in the network data;
And generating target knowledge based on the data structure of the ontology in the knowledge model and the classification and identification result of each piece of network data.
In this embodiment, a deep learning model is required to be generated by training network security data in advance, and then each network data is input into the deep learning model to classify and identify a knowledge entity, an attribute and an association relationship in the network data; and then, according to the classification and identification result of each network data, converting the corresponding knowledge to the corresponding position in the ontology data structure in the knowledge model to generate target knowledge.
It can be appreciated that continuous iterative optimization of the deep learning model is required to make the knowledge extraction result more accurate.
Mode three will be described next.
In mode three, step S3 may include:
acquiring a knowledge extraction template containing each knowledge entity, attribute and association relation;
for each network data, performing:
based on the knowledge extraction template, carrying out knowledge extraction on the knowledge entity, attribute and association relation of the current network data;
when the knowledge entity cannot be identified, carrying out knowledge extraction on the knowledge entity, the attribute and the association relation of the current network data based on the professional knowledge base;
Converting the extracted knowledge into first target knowledge based on a data structure of the ontology in the knowledge model;
inputting each network data into a deep learning model trained on the basis of network security data in advance so as to classify and identify knowledge entities, attributes and association relations in the network data;
generating second target knowledge based on the data structure of the ontology in the knowledge model and the classification and identification result of each piece of network data;
the target knowledge is generated based on the first target knowledge and the second target knowledge.
In this embodiment, the extraction results of the first mode and the second mode (i.e., the first target knowledge and the second target knowledge) may be compared, and the final target knowledge may be generated by summarizing. The knowledge extraction template, the professional knowledge base and the deep learning model are used for carrying out knowledge extraction on each network data, then the knowledge extraction in the two modes is compared and analyzed, more accurate target knowledge is generated through summarization, and the accuracy of the knowledge extraction can be improved.
For step S4:
the structured network data, the target knowledge extracted in step S3, and the externally known data are stored in a database.
For step S5:
In this embodiment, various inference engines such as an ATT&CK engine and an NLP inference engine are integrated; therefore, before the step "determining analysis rules based on external known data", the method further includes: determining a target engine from an engine list, so as to determine the analysis rules and perform knowledge reasoning with the target engine; the engine list includes an ATT&CK engine and an NLP reasoning engine.
In the embodiment of the present invention, when the target engine is determined to be an NLP inference engine, step S5 may include:
acquiring a data range and a rule instruction;
acquiring target knowledge in a data range from a database to create a session based on the target knowledge;
the NLP reasoning engine acquires rule features from the consultation data of the ChatGPT and the feature data marked by the expert according to the rule instructions;
detecting target knowledge in the session based on rule features to obtain first inference knowledge;
acquiring second inference knowledge based on the association relation of the first inference knowledge;
a knowledge reasoning result is generated based on the first reasoning knowledge and the second reasoning knowledge.
In this embodiment, the data range of the analysis needs to be determined first; the data range includes a computer range and a time range. For example, the computer range may be set to the financial department, while the time range is determined by the operation policy of the session. The operation policy includes a manual mode and a scheduling mode: the manual mode performs the analysis once, and the scheduling mode performs the analysis periodically at set time points (such as once every 10 minutes or every 1 hour).
Then, manually confirming the rule instruction, and then the NLP reasoning engine acquires rule features from the consultation data of the ChatGPT and the feature data marked by the expert in the database according to the rule instruction. For example, if the rule instruction is "detect DDOS attack", then the NLP inference engine would identify the rule instruction first and then obtain DDOS features from the consultation data of ChatGPT and the feature data of expert annotation.
Then, based on rule characteristics, target knowledge in the session is detected to obtain first inference knowledge, second inference knowledge can be obtained according to the association relation of the first inference knowledge, and then the first inference knowledge and the second inference knowledge are used as knowledge inference results.
In an embodiment of the present invention, when the target engine is determined to be an ATT&CK engine, step S5 may include:
acquiring a data range and a rule instruction;
acquiring target knowledge in a data range from a database to create a session based on the target knowledge;
the ATT&CK engine acquires rule features from the knowledge data of the ATT&CK site according to the rule instruction;
detecting target knowledge in the session based on rule features to obtain first inference knowledge;
acquiring second inference knowledge based on the association relation of the first inference knowledge;
A knowledge reasoning result is generated based on the first reasoning knowledge and the second reasoning knowledge.
In this embodiment, similar to the reasoning process of the NLP reasoning engine, the data range of this analysis is first determined, and the data range includes a computer range and a time range. Then the rule instruction is confirmed manually, and the NLP reasoning engine acquires rule features from the knowledge data of the ATT&CK sites in the database according to the rule instruction. Then, based on the rule features, the target knowledge in the session is detected to obtain first inference knowledge, second inference knowledge is obtained from the association relations of the first inference knowledge, and the first and second inference knowledge together are taken as the knowledge inference result.
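The knowledge extraction and reasoning steps S3 (mode one), S4 and S5 above, worked through in Python as an added example that is not the patent's own code: the log shapes, the extraction template, the professional knowledge base entries, the rule features and the "detect brute force login" rule instruction are all constructed for illustration, and the data range is reduced to the computer range (the time range is omitted).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (entity, relation, entity) in the ontology's shape

# Knowledge extraction template (constructed): one regex per known log shape,
# with the ontology triples its captured fields map to.
TEMPLATE = [
    (re.compile(r"^host=(\S+) user=(\S+) login=(ok|fail)$"),
     lambda m: [(m[2], "login_" + m[3], m[1])]),
    (re.compile(r"^src=(\S+) dst=(\S+) proto=(\w+)$"),
     lambda m: [(m[1], "connects_to", m[2]), (m[1], "uses_proto", m[3])]),
]
CMD_LINE = re.compile(r"^host=(\S+) cmd=(\S+)$")
# Professional knowledge base (constructed): program name -> ontology relation,
# consulted when the template cannot identify the entity in a line.
KNOWLEDGE_BASE = {"dumpcreds": "runs_credential_tool", "rexec": "runs_remote_exec_tool"}


def extract(log_lines: List[str]) -> Tuple[List[Triple], List[str]]:
    """Step S3, mode one: template first, knowledge base second. Lines neither
    recognises are returned for expert labelling (the expert's result would
    then be added to the template and the knowledge base)."""
    triples: List[Triple] = []
    unresolved: List[str] = []
    for line in log_lines:
        for pattern, to_triples in TEMPLATE:
            match = pattern.match(line)
            if match:
                triples.extend(to_triples(match))
                break
        else:
            match = CMD_LINE.match(line)
            program = match[2].lower().split(".")[0] if match else ""
            if program in KNOWLEDGE_BASE:
                triples.append((match[1], KNOWLEDGE_BASE[program], match[2]))
            else:
                unresolved.append(line)
    return triples, unresolved


class KnowledgeGraph:
    """Step S4: target knowledge stored as an adjacency list (the database)."""

    def __init__(self, triples: List[Triple]) -> None:
        self.out: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for subject, relation, obj in triples:
            self.out[subject].append((relation, obj))

    def neighbours(self, entity: str, relation: str) -> List[str]:
        return [o for r, o in self.out.get(entity, []) if r == relation]


# Rule features (constructed) that an engine would derive from a rule
# instruction: the relation to count and the threshold that triggers it.
RULE_FEATURES = {"detect brute force login": ("login_fail", 3)}


def reason(graph: KnowledgeGraph, session_hosts: Set[str], rule_instruction: str) -> Dict[str, set]:
    """Step S5: the session is the target knowledge inside the data range (the
    computer range here). Rule features detect the first inference knowledge;
    association relations of those entities yield the second inference
    knowledge; both together form the knowledge reasoning result."""
    relation, threshold = RULE_FEATURES[rule_instruction]
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for user, edges in graph.out.items():
        for rel, host in edges:
            if rel == relation and host in session_hosts:
                counts[(user, host)] += 1
    first = {pair for pair, n in counts.items() if n >= threshold}

    second = set()
    for user, host in first:
        for h in graph.neighbours(user, "login_ok"):       # where the user got in
            second.add(("user", user, "login_ok", h))
        for dst in graph.neighbours(host, "connects_to"):  # where the host went next
            second.add(("host", host, "connects_to", dst))
        for rel, obj in graph.out.get(host, []):           # what ran on the host
            if rel.startswith("runs_"):
                second.add(("host", host, rel, obj))
    return {"first": first, "second": second}


# Constructed sample network data for a finance-department computer range.
LOGS = [
    "host=fin-pc-01 user=alice login=fail",
    "host=fin-pc-01 user=alice login=fail",
    "host=fin-pc-01 user=alice login=fail",
    "host=fin-pc-01 user=alice login=ok",
    "host=fin-pc-02 user=bob login=ok",
    "src=fin-pc-01 dst=fin-srv-01 proto=smb",
    "host=fin-pc-01 cmd=dumpcreds.exe",
    "host=fin-pc-03 cmd=unknown_tool.exe",
    "kernel: audit buffer full",
]

if __name__ == "__main__":
    found, todo = extract(LOGS)
    result = reason(KnowledgeGraph(found), {"fin-pc-01", "fin-pc-02"}, "detect brute force login")
    print(result["first"], result["second"], todo, sep="\n")
```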
In the embodiment of the invention, the cases are event processing sources for defining the same kind of properties, can be events of the same organization or region, can be events of the same equipment, can be events of the same event classification, and can be events of the same event class. For example, when the target activity is "protection activity", the case may be "threat detection of finance department", and then the knowledge reasoning data corresponding to the case is the knowledge reasoning data of finance department. It can be understood that, according to different cases, knowledge reasoning data to be acquired are different, so that a corresponding relation between each case and a storage position in the database needs to be established, and when the case is executed, the required knowledge reasoning data can be acquired from the corresponding storage position in the database.
For step 104:
in some embodiments, after the step of determining at least one target case and before the step of determining the target node APP corresponding to each scenario, the method further includes: configuring team personnel for each target case and dividing rights among the team personnel.
In this embodiment, after the target activity to be performed has been determined, the target cases of the target activity (at least one) are determined, team personnel are configured for each target case in the target activity, and rights are divided among the team personnel. The scenarios of each target case may be configured by the team personnel; each target case may be configured with one scenario or with multiple scenarios.
For step 106:
in the embodiment of the invention, the stages comprise a start stage, an automatic stage, a manual stage and an end stage; the automatic stage comprises an intelligence recognition stage, a vulnerability recognition stage, a hacking recognition stage, an external response stage, and/or a work order system stage.
It should be noted that each scenario has exactly one start stage and one end stage; the other stages are either automatic or manual. Depending on the actual situation of each scenario, team personnel may set up only automatic stages, only manual stages, or both, and a scenario may contain one or several automatic stages and, likewise, one or several manual stages. A unified, multi-person collaborative operations system is thus constructed, in which the scenarios and stages are defined through collaboration. Because the scenarios of previous cases can be stored, and each stage is generated by calling the corresponding node APP from the application market, the embodiment allows each scenario or stage to be called quickly, realizing not only cooperation between people but also efficient cooperation between people and machines, and scenarios can be linked at any time without restriction, which increases the freedom of network security operation and widens the range of application.
It should be noted that the functions the automatic and manual stages can implement are not limited to those listed in this embodiment; the automatic stage may also be, for example, a data optimization stage or a traceability and evidence collection stage, which is not limited here.
For step 108:
after a scenario has been configured for each target case of the target activity, execution of the target cases starts. For each target case: based on the correspondence between each case and its storage location in the database established in step 102, the knowledge reasoning data of the current target case is obtained from the database, and then, for each scenario configured for the current target case, the knowledge reasoning data is processed sequentially in stage order by the target node APPs of the current scenario.
For step 110:
for example, assume that the stage sequence of the current scenario is a start stage, a first automatic stage (alert triage stage), a second automatic stage (intelligence recognition stage), a manual stage, an external response stage, a work order system stage, and an end stage. The knowledge reasoning data of the current target case enters the first automatic stage from the start stage; the first automatic stage uses a triage APP to perform alert triage and alert investigation on the knowledge reasoning data to obtain a triage result, and the target data passed to the next stage is determined from the knowledge reasoning data and the triage result. The second automatic stage uses an intelligence APP to perform intelligence recognition on the target data of the first automatic stage to obtain an intelligence recognition result, and the target data of the next stage is determined from the target data of the first automatic stage and the intelligence recognition result. The manual stage acquires the target data of the second automatic stage, processes it manually, and passes the processing result as target data to the external system APP; and so on, the knowledge reasoning data is processed according to the stage sequence of the current scenario.
In some embodiments, when the current stage is an intelligence recognition stage, the intelligence recognition stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
identifying addresses in the target data, according to the data processing step defined by the target node APP, using at least one target node APP corresponding to the current intelligence recognition stage, to obtain an intelligence recognition result;
and determining the target data passed by the current intelligence recognition stage to the next stage based on the target data transmitted by the previous stage and the intelligence recognition result.
Similarly, when the current stage is a vulnerability identification stage, the vulnerability identification stage performs data processing according to the following manner:
acquiring target data transmitted by a stage at the upper stage;
utilizing at least one target node APP corresponding to the current vulnerability identification stage, and carrying out vulnerability identification on target data transmitted by a stage at the previous stage according to data processing steps defined by the target node APP to obtain a vulnerability identification result;
and determining the target data passed by the current vulnerability recognition stage to the next stage based on the target data transmitted by the previous stage and the vulnerability recognition result.
It should be noted that, the current stage determines the target data of the next stage by:
And carrying out data superposition and data filtering on the target data transmitted by the previous stage and the data processing result of the current stage to obtain the target data transmitted by the current stage to the next stage.
In some embodiments, when the current stage is an external response stage, the external response stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
according to the data processing steps defined by the external system APP, the warning information which is required to be transmitted to the outside in the target data transmitted by the stage of the previous stage is sent to the outside by utilizing the external system APP corresponding to the current external response stage;
judging whether unprocessed alarm information exists in target data transmitted by a stage at the upper stage;
if not, transmitting an ending signal to an ending stage;
if yes, the unprocessed alarm information is used as target data transmitted into the next stage, and the next stage is a work order system stage.
In some embodiments, the work order system stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
and generating work order data based on each alarm information in the target data by using a notification APP corresponding to the work order system stage, and disposing the work order data according to a defined issuing mode.
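The stage pipeline of steps 106 to 110 (data superposition and filtering between stages, the intelligence recognition stage, the external response stage's end-signal decision, and the work order system stage), as an added runnable sketch that is not part of the patent. The alarms, the threat-intelligence list, the `ExternalSystemApp` and `NotificationApp` stand-ins and the "ticket"/"email" issue modes are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field, replace

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed threat-intelligence feed (an assumption; the patent only says the
# intelligence APP identifies addresses in the target data).
KNOWN_BAD_ADDRESSES = {"198.51.100.7"}


@dataclass
class Alarm:
    alarm_id: str
    message: str
    external: bool = False        # must be transmitted to an outside system
    handled: bool = False
    tags: list = field(default_factory=list)


class ExternalSystemApp:
    """Stand-in for the external-system APP: records what was sent."""
    def __init__(self):
        self.sent = []

    def send(self, alarm):
        self.sent.append(alarm.alarm_id)


class NotificationApp:
    """Stand-in for the notification APP: records dispatched work orders."""
    def __init__(self):
        self.dispatched = []

    def dispatch(self, order):
        self.dispatched.append((order["issue_mode"], order["order_id"]))


def superpose_and_filter(previous, result):
    """Data superposition then data filtering, the rule every stage uses to
    build the next stage's target data: the current result overrides the
    previous stage's copy of the same alarm, duplicates collapse by id, and
    alarms already handled are filtered out."""
    merged = {a.alarm_id: a for a in previous}
    merged.update({a.alarm_id: a for a in result})
    return [a for a in merged.values() if not a.handled]


def intelligence_recognition_stage(previous):
    """Automatic stage: identify addresses in each alarm and tag intel hits."""
    result = []
    for alarm in previous:
        addresses = IP_RE.findall(alarm.message)
        tags = [f"addr:{ip}" for ip in addresses]
        tags += [f"intel-hit:{ip}" for ip in addresses if ip in KNOWN_BAD_ADDRESSES]
        result.append(replace(alarm, tags=alarm.tags + tags))
    return superpose_and_filter(previous, result)


def external_response_stage(previous, external_app):
    """Send alarms flagged for outside transmission, then decide whether the
    scenario ends or the remaining alarms go on to the work order stage."""
    result = []
    for alarm in previous:
        if alarm.external:
            external_app.send(alarm)
            result.append(replace(alarm, handled=True))
    unprocessed = superpose_and_filter(previous, result)
    if not unprocessed:
        return "end", []          # end signal: nothing left to process
    return "work_order", unprocessed


def work_order_system_stage(previous, notification_app):
    """Generate one work order per alarm and dispatch it by its issue mode."""
    orders = []
    for n, alarm in enumerate(previous, start=1):
        issue_mode = "ticket" if any(t.startswith("intel-hit:") for t in alarm.tags) else "email"
        order = {"order_id": f"WO-{n:03d}", "alarm_id": alarm.alarm_id,
                 "summary": alarm.message, "tags": list(alarm.tags),
                 "issue_mode": issue_mode}
        notification_app.dispatch(order)
        orders.append(order)
    return orders


def run_scenario(alarms, external_app, notification_app):
    """Start -> intelligence recognition -> external response -> (work order) -> end."""
    target = list(alarms)                       # start stage: knowledge reasoning data
    target = intelligence_recognition_stage(target)
    signal, target = external_response_stage(target, external_app)
    orders = work_order_system_stage(target, notification_app) if signal == "work_order" else []
    return {"end_signal": signal, "work_orders": orders}


# Constructed sample alarms (not from the patent).
SAMPLE_ALARMS = [
    Alarm("A1", "SSH brute force from 198.51.100.7 against srv-01"),
    Alarm("A2", "Port scan from 203.0.113.9 detected", external=True),
    Alarm("A3", "Repeated failed logins for user admin"),
]

if __name__ == "__main__":
    out = run_scenario(SAMPLE_ALARMS, ExternalSystemApp(), NotificationApp())
    for order in out["work_orders"]:
        print(order["order_id"], order["alarm_id"], order["issue_mode"], order["tags"])
```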
Therefore, the scheme has at least the following beneficial effects:
1) The scheme frees manpower from heavy and inefficient manual security operation work, converts the technical experience of first-line personnel and the management requirements of actual work into visually arranged operation steps, allows the various workflows to be stored permanently as accumulated experience, and guarantees the accuracy and timeliness of security event handling.
2) The scheme standardizes the various alarms, logs and traffic, provides behaviour analysis and mining of abnormal alarms based on the combination of the various APPs (intelligence, vulnerability, hacker and the like), and provides security assurance for scenarios such as alarm convergence, abnormal traffic discovery and advanced threats.
3) The platform of the invention abstracts the processes that can be solidified in daily operation into a directed acyclic flow chart (the scenario), executes the scenario automatically and visually, and aims at unattended ("zero guard") network security 7x24 hours a day.
4) The security plan or process is digitalized: everything that can be automated is completed by automation technology, the parts that need manual treatment are still handed to people, and people, technology and process are combined organically through a visual arrangement tool, forming a standard, unified, repeatable and efficient security operation process.
As shown in fig. 3 and fig. 4, the embodiment of the invention provides a network security operation device. The apparatus embodiment may be implemented by software, by hardware, or by a combination of the two. In terms of hardware, fig. 3 is a hardware architecture diagram of the computing device on which the network security operation device provided in an embodiment of the present invention is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 3, the computing device may include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 4, the device in the logical sense is formed by the CPU of the computing device reading the corresponding computer program from the nonvolatile memory into memory.
As shown in fig. 4, the network security operation device provided in this embodiment includes:
a writing unit 401, configured to write a plurality of node APPs based on each activity; the node APP is used for executing the data processing step of the node;
the establishing unit 402 is configured to obtain a database for storing knowledge reasoning results of the network data of each host, so as to establish a corresponding relationship between each case and a storage location in the database;
a determining unit 403, configured to determine at least one target case when an instruction for executing a target activity is received, and configure at least one scenario for each target case;
the generating unit 404 is configured to determine a target node APP corresponding to each scenario, connect the target nodes APP in series according to a predetermined stage sequence, and define a data processing step in each target node APP, so as to generate a stage corresponding to the scenario by using the target node APP; each stage at least corresponds to one target node APP;
an obtaining unit 405, configured to, for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from a database;
the processing unit 406 is configured to sequentially perform data processing on the knowledge reasoning data according to the stage sequence by using a plurality of target nodes APP of the current scenario based on each scenario configured by the current target case.
In one embodiment of the present invention, the determining unit 403 is further configured to configure team personnel for each target case after executing the determining of at least one target case and before executing the determining of the target node APP corresponding to each scenario, and divide rights for each team personnel.
In one embodiment of the present invention, the stages in the generating unit 404 include a start stage, an automatic stage, a manual stage, and an end stage; the automatic stage comprises an intelligence recognition stage, a vulnerability recognition stage, a hacking recognition stage, an external response stage, and/or a work order system stage.
In one embodiment of the present invention, when the current stage in the processing unit 406 is the intelligence recognition stage, the intelligence recognition stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
identifying addresses in the target data, according to the data processing step defined by the target node APP, using at least one target node APP corresponding to the current intelligence recognition stage, to obtain an intelligence recognition result;
and determining the target data passed by the current intelligence recognition stage to the next stage based on the target data transmitted by the previous stage and the intelligence recognition result.
In one embodiment of the present invention, the current stage in the processing unit 406 determines the target data of the next stage by:
and carrying out data superposition and data filtering on the target data transmitted by the previous stage and the data processing result of the current stage to obtain the target data transmitted by the current stage to the next stage.
In one embodiment of the present invention, when the current stage in the processing unit 406 is the external response stage, the external response stage is subjected to data processing in the following manner:
acquiring target data transmitted by a stage at the upper stage;
according to the data processing steps defined by the external system APP, the warning information which is required to be transmitted to the outside in the target data transmitted by the stage of the previous stage is sent to the outside by utilizing the external system APP corresponding to the current external response stage;
judging whether unprocessed alarm information exists in target data transmitted by a stage at the upper stage;
if not, transmitting an ending signal to an ending stage;
if yes, the unprocessed alarm information is used as target data transmitted into the next stage, and the next stage is a work order system stage.
In one embodiment of the present invention, the work order system stage in the processing unit 406 performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
and generating work order data based on each alarm information in the target data by using a notification APP corresponding to the work order system stage, and disposing the work order data according to a defined issuing mode.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the network security operation method in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program causes the processor to execute a network security operation method in any embodiment of the invention.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into the computer or in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or expansion module may then be caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method of network security operation, comprising:
writing a plurality of node APPs based on each activity; the node APP is used for executing the data processing step of the node;
acquiring a database for storing knowledge reasoning results of the network data of each host so as to establish a corresponding relation between each case and a storage position in the database;
when an instruction for executing a target activity is received, determining at least one target case, and configuring at least one scenario for each target case;
determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; each stage at least corresponds to one target node APP;
for each target case, perform: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from the database;
and based on each scenario configured by the current target case, utilizing a plurality of target nodes APP of the current scenario to sequentially process the knowledge reasoning data according to the stage sequence.
2. The method of claim 1, further comprising, after said determining at least one target case, before said determining a target node APP for each scenario: team personnel are configured for each target case, and rights are divided for each team personnel.
3. The method of claim 1, wherein the stages comprise a start stage, an automatic stage, a manual stage and an end stage; the automatic stage comprises: an intelligence recognition stage, a vulnerability recognition stage, a hacking recognition stage, an external response stage, and/or a work order system stage.
4. A method according to claim 3, wherein when the current stage is an intelligence recognition stage, the intelligence recognition stage performs data processing in the following manner:
acquiring target data transmitted by a stage at the upper stage;
identifying addresses in the target data according to the data processing step defined by at least one target node APP corresponding to the current intelligence recognition stage to obtain an intelligence recognition result;
and determining the target data passed by the current intelligence recognition stage to the next stage based on the target data transmitted by the previous stage and the intelligence recognition result.
5. The method of claim 4, wherein the current stage determines the target data passed to the next stage by:
and carrying out data superposition and data filtering on the target data transmitted by the previous stage and the data processing result of the current stage to obtain the target data transmitted by the current stage to the next stage.
6. The method of claim 3, wherein when the current stage is an external response stage, the external response stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
according to the data processing steps defined by the external system APP, the warning information which is required to be transmitted to the outside in the target data transmitted by the stage of the previous stage is sent to the outside by utilizing the external system APP corresponding to the current external response stage;
judging whether unprocessed alarm information exists in target data transmitted by a stage at the upper stage;
if not, transmitting an ending signal to an ending stage;
if yes, the unprocessed alarm information is used as target data transmitted into the next stage, and the next stage is a work order system stage.
7. The method of claim 6, wherein the work order system stage performs data processing as follows:
acquiring target data transmitted by a stage at the upper stage;
and generating work order data based on each alarm information in the target data by using a notification APP corresponding to the work order system stage, and disposing the work order data according to a defined issuing mode.
8. A network security operation device, comprising:
a writing unit for writing a plurality of node APPs based on each activity; the node APP is used for executing the data processing step of the node;
an establishing unit for acquiring a database for storing knowledge reasoning results of the network data of each host so as to establish a corresponding relation between each case and a storage position in the database;
a determining unit for determining at least one target case and configuring at least one scenario for each target case when an instruction for executing a target activity is received;
the generation unit is used for determining a target node APP corresponding to each scenario, connecting the target nodes APP in series according to a predetermined stage sequence, and defining a data processing step in each target node APP so as to generate a corresponding stage of the scenario by using the target nodes APP; each stage at least corresponds to one target node APP;
an acquisition unit configured to perform, for each target case: based on the corresponding relation, knowledge reasoning data of the current target case are obtained from the database;
the processing unit is used for sequentially carrying out data processing on the knowledge reasoning data according to the stage sequence by utilizing a plurality of target nodes APP of the current scenario based on each scenario configured by the current target case.
9. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-7 when the computer program is executed.
10. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310307990.2A CN116346460A (en) | 2023-03-27 | 2023-03-27 | Network security operation method, device, computing equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116346460A true CN116346460A (en) | 2023-06-27 |
Family
ID=86887393
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310307990.2A Pending CN116346460A (en) | 2023-03-27 | 2023-03-27 | Network security operation method, device, computing equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116346460A (en) |
- 2023-03-27: CN CN202310307990.2A patent/CN116346460A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||