CN117389655A - Task execution method, device, equipment and storage medium in cloud native environment - Google Patents


Info

Publication number
CN117389655A
Authority
CN
China
Prior art keywords
plug
target
task
service instance
library
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311482554.5A
Other languages
Chinese (zh)
Inventor
张昭朝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jingdong Technology Information Technology Co Ltd filed Critical Jingdong Technology Information Technology Co Ltd
Priority to CN202311482554.5A priority Critical patent/CN117389655A/en
Publication of CN117389655A publication Critical patent/CN117389655A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/44526 Plug-ins; Add-ons
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the invention provides a task execution method, device, equipment and storage medium in a cloud native environment. The task execution method comprises the following steps: determining a current node task in the security response scenario, and determining a task type of the current node task; querying a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of the security response platform; determining a target service instance according to a service instance registry of the target plug-in; and calling the target service instance to execute the current node task. The invention connects plug-ins customized or developed by users to the security response platform, builds and stores the custom plug-ins and the cloud native plug-ins in separate libraries, and, when the security response scenario is executed, uniformly schedules from the plug-in libraries the plug-in capable of executing the current node task, thereby expanding the service capability or types of the platform through custom plug-ins and meeting the service requirements of more scenarios; the custom plug-ins and the cloud native plug-ins are stored separately and scheduled uniformly, so that resource isolation is realized and management risk is reduced.

Description

Task execution method, device, equipment and storage medium in cloud native environment
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to a task execution method, device, equipment and storage medium in a cloud native environment.
Background
Security Orchestration, Automation and Response (SOAR) is a concept proposed in recent years in the field of information security. It is an integration of a series of technologies that takes security orchestration and automation as its core and integrates people, processes, technologies and tools to assist the daily work of security operators and improve the efficiency of security operations. By orchestrating and executing security response scenarios, SOAR completes security tasks that originally required multiple persons, multiple systems, multiple interfaces and online cooperation, thereby greatly saving response time, reducing dependence on personnel, improving working efficiency and guaranteeing the quality of emergency handling.
The SOAR platform has some cloud native plug-ins that support the execution of security response scenarios. In the process of realizing the invention, the inventor found that, as service scenarios continuously change, the cloud native plug-ins of the SOAR platform cannot meet service requirements.
Disclosure of Invention
The embodiment of the invention provides a task execution method, device, equipment and storage medium in a cloud native environment, which expand the service capacity or type of a platform and meet the service requirements in more scenes.
In a first aspect, a task execution method in a cloud native environment provided by an embodiment of the present invention includes:
determining a current node task in a security response scenario, and determining a task type of the current node task;
querying a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of a security response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the security response platform, and the custom plug-in library comprises the custom plug-ins registered in the security response platform;
determining a target service instance for executing the current node task according to the service instance registry of the target plug-in;
and calling the target service instance to execute the current node task.
In a second aspect, a task execution device in a cloud native environment provided by an embodiment of the present invention includes:
the task determining module is used for determining a current node task in the security response scenario and determining a task type of the current node task;
the query module is used for querying a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of the security response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the security response platform, and the custom plug-in library comprises the custom plug-ins registered in the security response platform;
the instance determining module is used for determining a target service instance for executing the current node task according to a service instance registry of the target plug-in;
and the calling module is used for calling the target service instance to execute the current node task.
In a third aspect, an electronic device provided by an embodiment of the present invention includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the task execution method in the cloud native environment according to any embodiment of the present invention is implemented when the processor executes the program.
In a fourth aspect, a computer readable storage medium according to an embodiment of the present invention stores a computer program, where the program when executed by a processor implements a task execution method in a cloud native environment according to any embodiment of the present invention.
With the scheme of the embodiment of the invention, the current node task in the security response scenario can be determined, and the task type of the current node task is determined; a target plug-in matched with the task type is queried from a cloud native plug-in library or a custom plug-in library of the security response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the security response platform, and the custom plug-in library comprises the custom plug-ins registered in the security response platform; a target service instance for executing the current node task is determined according to the service instance registry of the target plug-in; and the target service instance is called to execute the current node task. The invention connects plug-ins customized or developed by users to the security response platform, builds and stores the custom plug-ins and the platform's cloud native plug-ins in separate libraries, and, when a security response scenario is executed, uniformly schedules from the plug-in libraries the plug-in that can execute the current node task. The users' custom plug-ins expand the service capability or types of the platform and meet the service requirements of more scenarios. In addition, because the custom plug-ins and the cloud native plug-ins are stored separately and scheduled uniformly, resource isolation is realized, management risk is reduced, the requirement for dynamic management of custom plug-ins in the cloud native environment is met, and the application and popularization of SOAR technology in cloud environments are facilitated.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and should not be considered as limiting the scope, and that other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a task execution method in a cloud native environment according to an embodiment of the present invention;
FIG. 2a is a schematic flow chart of a custom plug-in registration and configuration method provided by an embodiment of the present invention;
FIG. 2b is a diagram of one example page of a custom plug-in configuration process provided by an embodiment of the present invention;
FIG. 3 is another flow chart of a task execution method in a cloud native environment according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an example of a task execution method in a cloud native environment according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a task processing device in a cloud native environment according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic flow chart of a task execution method in a cloud native environment according to an embodiment of the present invention. The method may be used in a scenario in which a SOAR platform executes a security response scenario, and may be executed by a task execution device according to an embodiment of the present invention, where the task execution device may be implemented in software and/or hardware. In a specific embodiment, the device may be integrated in an electronic device, for example a computer or a server, on which a background program of the SOAR platform is deployed; that is, the electronic device may be the back end corresponding to the SOAR platform, and the SOAR platform may respond to network security events.
Step 101, determining a current node task in the security response scenario, and determining a task type of the current node task.
The security response scenario may be a SOAR scenario, which is a script or set of instructions in the SOAR platform for describing, defining and executing security response and handling procedures. The SOAR scenario can be designed and created by a security team through visual orchestration according to actual requirements and processes; its purpose is to provide a structured way of guiding automated security operations and workflows. The SOAR scenario contains a series of steps, tasks and logic that define the actions, techniques and tools to be used in a particular situation, as well as the decisions and branches made during processing. Specifically, a security response scenario may include the following:
Trigger conditions: defining the conditions that trigger execution of the scenario, such as the occurrence of specific threat events, attack types or abnormal activities, a scheduled time being reached, and the like;
Steps and tasks: describing the execution steps and specific tasks of the scenario, including calling external tools, analyzing logs, investigating events, acquiring threat intelligence and the like;
Workflow and decision logic: specifying the dependency relationships, execution order and logic control among different tasks, and describing the decisions and response paths to be taken under specific conditions;
Automated operations and custom scripts: including automatically executed operations, commands, scripts or interface calls for implementing specific functions or custom security procedures.
In this embodiment, a security response scenario may include a plurality of node tasks, which may be executed according to the designed flow and logic. After execution of the security response scenario is triggered, the current node task, that is, the task that should be executed at the current node, may be determined. Tasks may be classified in advance; after the current node task is determined, the class to which it belongs under that classification may be determined, giving the task type of the current node task. By way of example, task types may include, but are not limited to, data collection tasks, data analysis tasks, tracking tasks, alert tasks, notification tasks, reporting tasks and approval tasks.
Taking as an example a security response scenario for responding to and handling malicious activity alarms from an intrusion detection system, the security response scenario may include, in order, a data collection task, a data integration task, an investigation and tracking task, an automation tool and script execution task, a notification task, and an archiving and reporting task. The data collection task can call a network traffic analysis tool and a log collector to acquire data related to the alarm; the data integration task can integrate external threat data and match and analyze it against the alarm; the investigation and tracking task can call a network security analysis tool to track the path, address, attack payload and the like of the attack; the automation tool and script execution task can call a firewall management interface to block malicious addresses or disable malicious domain names; the notification task may use communication means (e.g., text message, mail, phone, etc.) to send alert information to security team members and coordinate the allocation of work; the archiving and reporting task may archive the processing results and related data to a security event management system and generate reports for subsequent review and summarization. For example, if the task to be executed at the current moment is a notification task, the current node task is a notification task, and the task type is the notification class.
Step 102, querying a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of the security response platform.
Plug-ins are pluggable components that may be dynamically loaded into an application or system to provide additional functionality or services. In this embodiment, a plug-in may correspondingly provide a class of services, where the class of services may create multiple service instances, where a service instance is a specific instantiation object of the plug-in, and represents a specific entity of the plug-in during operation. Service instances are running instances of plug-ins that can be dynamically created and destroyed in an application or system according to requirements, each having its own state and configuration, and can independently provide related functions and services. In this regard, a plug-in is a prototype or definition of a service instance, and a service instance is a specific instantiation object of the plug-in. A plug-in may have multiple service instances that may provide services in different contexts or needs, and the service instances may be flexibly created, started, stopped, or destroyed according to the needs of the application or system.
By associating plug-ins with service instances, applications or systems may implement more flexible functionality extensions. The plug-in provides general function definition and specification, and the service instance provides customized service implementation according to specific application scenarios or configuration requirements. The association relation allows a plurality of instances of the plug-in to run simultaneously, and flexibly manages and schedules service instances according to the needs, thereby realizing high availability and high load of the service.
In this embodiment, the security response platform has two plug-in libraries, namely a cloud native plug-in library and a custom plug-in library, both of which can run in a cloud native environment, that is, an application environment in which applications can be designed, implemented, deployed, delivered and operated by utilizing the advantages of cloud computing. The cloud native plug-in library comprises the cloud native plug-ins of the security response platform, which can be understood as plug-ins inherent to the platform; the custom plug-in library comprises the custom plug-ins registered by users or tenants on the security response platform, which can be understood as plug-ins customized or personalized by users on the platform. The SOAR platform provides the corresponding services through these plug-ins, supporting the execution of the various tasks in the security response scenario.
After the task type of the current node task is determined, the plug-ins in the cloud native plug-in library or the custom plug-in library can be queried for a target plug-in matched with the task type of the current node task, that is, a target plug-in capable of processing the current node task.
Specifically, the cloud native plug-in library can be queried first for the target plug-in, and if the target plug-in does not exist in the cloud native plug-in library, the custom plug-in library is queried, so that cloud native plug-ins are used preferentially and the stability of the platform or system is ensured. Alternatively, the custom plug-in library can be queried first for the target plug-in, and if the target plug-in does not exist in the custom plug-in library, the cloud native plug-in library is queried, so that the personalization or customization of the service is ensured. Of course, in practical application, the cloud native plug-in library and the custom plug-in library may also be queried at the same time; this is not specifically limited herein.
Step 103, determining a target service instance for executing the current node task according to the service instance registry of the target plug-in.
The service instance registry of the target plug-in may record relevant information about each service instance of the target plug-in. In particular, the service instance registry may record the creator information, call address, load condition, etc. of each service instance of the target plug-in. The creator information may be the user identifier of the user who created the corresponding service instance, and the user identifier may be a user name, a user account, etc.
Specifically, one service instance may be selected as the target service instance, according to a preset rule, from the service instances recorded in the service instance registry of the target plug-in. The preset rule may be a load balancing rule; for example, the service instance with the least load may be selected from the service instances as the target service instance. Alternatively, the preset rule may be a user matching rule; for example, the user associated with the current node task (i.e., the current user) may be determined, and the service instance created by the current user is selected from the service instances as the target service instance.
Step 104, calling the target service instance to execute the current node task.
Specifically, the service instance registry of the target plugin may be queried to obtain a call address of the target service instance, and the target service instance is called according to the call address to execute the current node task. For example, the current node task is a notification task, which may be performed by a target service instance of the notification plug-in.
According to the scheme of this embodiment, the current node task in the security response scenario can be determined, and the task type of the current node task is determined; a target plug-in matched with the task type is queried from a cloud native plug-in library or a custom plug-in library of the security response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the security response platform, and the custom plug-in library comprises the custom plug-ins registered in the security response platform; a target service instance for executing the current node task is determined according to the service instance registry of the target plug-in; and the target service instance is called to execute the current node task. The invention connects plug-ins customized or developed by users to the security response platform, builds and stores the custom plug-ins and the platform's cloud native plug-ins in separate libraries, and, when a security response scenario is executed, uniformly schedules from the plug-in libraries the plug-in that can execute the current node task. The users' custom plug-ins expand the service capability or types of the platform and meet the service requirements of more scenarios. In addition, because the custom plug-ins and the cloud native plug-ins are stored separately and scheduled uniformly, resource isolation is realized, management risk is reduced, the requirement for dynamic management of custom plug-ins in the cloud native environment is met, and the application and popularization of SOAR technology in cloud environments are facilitated.
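Steps 101 to 104 as an added Python sketch, not code from the patent: the two libraries are queried in a configurable order, and the target service instance is then chosen from the plug-in's service instance registry by the load-balancing rule or the user-matching rule. The class and function names, the `transport` callable standing in for the real call to the instance, the constructed sample registries, and the choices to apply user matching to custom plug-ins and to refuse the task when no instance belongs to the current user are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServiceInstance:
    creator: str        # user identifier of the user who created the instance
    call_address: str   # address used to invoke the instance
    load: int = 0       # current load, used by the load-balancing rule


@dataclass
class Plugin:
    name: str
    task_type: str
    # The plug-in's service instance registry.
    registry: List[ServiceInstance] = field(default_factory=list)


class PluginLibrary:
    """One plug-in library, indexed by the task type its plug-ins handle."""

    def __init__(self, plugins: List[Plugin]):
        self.by_type: Dict[str, Plugin] = {p.task_type: p for p in plugins}

    def find(self, task_type: str) -> Optional[Plugin]:
        return self.by_type.get(task_type)


def find_target_plugin(task_type, native, custom, native_first=True):
    """Step 102: query the two libraries in the configured order."""
    for library in ((native, custom) if native_first else (custom, native)):
        plugin = library.find(task_type)
        if plugin is not None:
            return plugin
    raise LookupError(f"no plug-in registered for task type {task_type!r}")


def select_instance(plugin, rule="least_load", current_user=None):
    """Step 103: pick the target service instance from the registry."""
    candidates = plugin.registry
    if rule == "user_match":
        # Only instances created by the user associated with the task qualify.
        candidates = [i for i in candidates if i.creator == current_user]
    elif rule != "least_load":
        raise ValueError(f"unknown selection rule {rule!r}")
    if not candidates:
        # Assumption: fail closed instead of falling back to another user's instance.
        raise LookupError(f"no eligible service instance for plug-in {plugin.name!r}")
    return min(candidates, key=lambda i: i.load)


def execute_node_task(task, native, custom, transport, native_first=True):
    """Steps 101-104 for one node task; returns (call_address, result)."""
    plugin = find_target_plugin(task["type"], native, custom, native_first)
    # Assumption: custom plug-ins use user matching, native ones load balancing.
    is_custom = custom.find(task["type"]) is plugin
    rule = "user_match" if is_custom else "least_load"
    instance = select_instance(plugin, rule, task.get("user"))
    return instance.call_address, transport(instance.call_address, task)


def build_demo_libraries():
    """Constructed sample data; the addresses are placeholders."""
    native = PluginLibrary([Plugin("native-notify", "notification", [
        ServiceInstance("platform", "http://native-notify-0.example.internal", 7),
        ServiceInstance("platform", "http://native-notify-1.example.internal", 2),
    ])])
    custom = PluginLibrary([
        Plugin("custom-notify", "notification", [
            ServiceInstance("alice", "http://alice-notify.example.internal", 1)]),
        Plugin("custom-block", "blocking", [
            ServiceInstance("alice", "http://alice-fw.example.internal", 5),
            ServiceInstance("bob", "http://bob-fw.example.internal", 0)]),
    ])
    return native, custom


if __name__ == "__main__":
    native_lib, custom_lib = build_demo_libraries()
    fake_call = lambda address, task: f"executed {task['type']} via {address}"
    print(execute_node_task({"type": "blocking", "user": "alice"},
                            native_lib, custom_lib, fake_call))
```

With the user-matching rule, alice's blocking task goes to her own instance even though bob's instance has the lower load, which is the per-user isolation the registry's creator field makes possible.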
The cloud native plug-ins in the cloud native plug-in library of the security response platform are built-in plug-ins of the platform, and their registration and configuration process does not need user participation; the custom plug-ins in the custom plug-in library of the security response platform are plug-ins customized or personalized for users, and their registration and configuration process requires user participation. The user here may be a security team member. The registration and configuration process of a custom plug-in is described below and, as shown in fig. 2a, may specifically include the following steps:
Step 201, receiving a plug-in registration request initiated by a user terminal corresponding to a target user, where the plug-in registration request includes a user identifier of the target user and a plug-in description of the target plug-in.
The user terminal can be a terminal of the target user such as a mobile phone or a personal computer. When the target user wants to connect a custom plug-in (namely, the target plug-in) to the security response platform, a plug-in registration request can be initiated to the electronic device through the user terminal, and the plug-in registration request can comprise a user identifier of the target user and a plug-in description of the target plug-in. The user identifier of the target user can be a user name, a user account and the like. The user identifier can be carried in a digital certificate applied for by the target user; that is, the plug-in registration request can carry the digital certificate of the target user, which can be applied for in advance and is used for registering the target user's custom plug-ins. The plug-in description may be information for defining or describing the plug-in, such as the type of the plug-in, the functions implemented by the plug-in, the parameter definitions of the plug-in, etc.
Step 202, authenticating the identity of the target user based on the user identifier.
That is, it is verified whether the target user is a trusted user, so as to protect the security and confidentiality of data.
Step 203, after the identity authentication of the target user passes, registering the target plug-in into the custom plug-in library of the security response platform based on the plug-in description.
That is, the target plug-in can be recorded in the custom plug-in library.
Step 204, generating a service configuration page of the target plug-in according to the plug-in description, and sending the service configuration page to the user side.
Specifically, the electronic device may determine, according to the plug-in description, the basic configuration items, input parameter configuration items, output parameter configuration items, setting items and the like required by the target plug-in, and determine the configuration constraints, configuration range, configuration manner and the like of each item, so as to generate the service configuration page of the target plug-in. The user side can display the service configuration page to the target user so that the target user can configure the relevant parameters for the target plug-in on the service configuration page.
Step 205, service configuration information configured for the target plugin through the service configuration page is obtained from the user side.
That is, specific data or values of each configuration of the target user on the service configuration page are obtained, for example, taking the target plug-in as a notification plug-in, the service configuration page of the target plug-in may be as shown in fig. 2b, and the obtained service configuration information may include the notification type selected by the target user, the input notification content, the set receiver, the title, and the like.
In this embodiment, the electronic device may be provided with two functional layers, a middle layer and a scheduling layer. The parameter items to be acquired are forwarded to the scheduling layer through the middle layer, and the scheduling layer then calls the plug-in service interface to acquire the specific data or values of each parameter item configured by the user. In this way the front end and the back end of the security response service are decoupled, and highly dynamic expansion of plug-in types is supported.
Step 206, instantiating the target plug-in based on the service configuration information to obtain a target service instance, and updating the service instance registry of the target plug-in according to the target service instance.
Plug-in instantiation refers to creating a specific instance of a plug-in at run-time, based on the definition or template of the plug-in. When a plug-in is instantiated, memory and resources are allocated to create a separate plug-in object. Each plug-in instance has its own state, configuration and behavior and can independently provide related functions and services. After the target plug-in is instantiated based on the service configuration information provided by the target user, a service instance of the target plug-in, namely, a target service instance, can be obtained, wherein the target service instance is equivalent to the personalized service instance of the target user. Because the target plugin is a customized plugin, the service instance obtained after the target plugin is instantiated can be deployed in the customized plugin server, and the address of the customized plugin server can be carried in the plugin registration request initiated by the user side, and the target plugin can be instantiated in the customized plugin server according to the address of the customized plugin server.
A service instance registry may be pre-configured for the target plug-in and used to record information about each service instance of the target plug-in. For example, the service instance registry may record creator information, the call address, etc. for each service instance of the target plug-in. The creator information may be the user identification of the user who created the corresponding service instance, and the user identification may be a user name, user account, etc. After the target service instance is created, the service instance registry of the target plug-in may be updated to enter information about the target service instance into it.
In practical applications, a cloud native plug-in also goes through a configuration process, which can be carried out uniformly by the platform developer. A cloud native plug-in can also have a plurality of service instances, and the service instance registry of the cloud native plug-in can likewise be used to record the relevant information of each of its service instances, which can include the call address, the load condition and the like.
In this embodiment, users are supported in connecting custom plug-ins to the secure response platform, and a custom plug-in is instantiated from the service configuration information acquired for it, which expands the service capabilities or types of the platform and meets users' personalized requirements. In addition, recording the creator in the service instance registry of the custom plug-in makes targeted calling of the custom plug-in convenient, achieves service isolation between different users, and meets the requirement of dynamically managing custom plug-ins in the cloud native environment.
The following further describes the task execution method in a cloud native environment provided by the embodiment of the present invention, in combination with the plug-in registration and configuration process of the foregoing embodiment. As shown in fig. 3, the task execution method of the present embodiment may include the following steps:
Step 301, determining a current node task in the security response scenario, and determining a task type of the current node task.
Specifically, it may be determined whether the execution condition of the safety response scenario is reached; and if the execution condition of the safety response scenario is met, determining the current node task in the safety response scenario. The execution conditions of the safety response scenario may include time conditions, event conditions, and the like. When the execution condition of the safety response scenario is a time condition, judging whether the preset time or the preset period is reached, and if the preset time or the preset period is reached, determining that the execution condition of the safety response scenario is reached; when the execution condition of the safety response scenario is an event condition, whether a preset event occurs can be judged, and if the preset event occurs, the execution condition of the safety response scenario is determined to be reached.
The safety response scenario may include a plurality of node tasks, which may be executed according to a designed flow and logic; the task that should be executed at the current node can be determined, together with the task type of the current node task. By way of example, task types may include, but are not limited to, data collection tasks, data analysis tasks, tracking tasks, alert tasks, notification tasks, reporting tasks, approval tasks.
Step 302, determining whether there is a target plug-in matching the task type in the cloud native plug-in library; if so, executing step 303, and if not, executing step 308.
The cloud native plug-in library can record each cloud native plug-in together with the task type of the tasks that plug-in can execute (namely, the type of service it can provide). If the cloud native plug-in library contains a plug-in whose executable task type is consistent with the task type of the current node task, it is determined that a matching target plug-in exists in the cloud native plug-in library, and that plug-in is the matching target plug-in.
Step 303, querying the target plug-in matched with the task type from the cloud native plug-in library.
In this case, the queried target plugin belongs to the cloud native plugin of the secure response platform.
Step 304, obtaining the load condition of each service instance related to the service instance registry.
Step 305, determining a target service instance from the service instances according to the load condition.
Specifically, the target service instance can be the service instance with the lowest load among all service instances of the target plug-in. Determining the target service instance in this way achieves load balancing and ensures the stability of the system.
Step 306, the native call address of the target service instance is obtained from the service instance registry.
The service instance obtained after the cloud native plug-in is instantiated is deployed in the cloud native plug-in server, so when the target plug-in is the cloud native plug-in, the call address of the target service instance obtained from the service instance registry is the address of the cloud native plug-in server, namely, the native call address.
Step 307, calling the target service instance from the cloud native plug-in server to execute the current node task according to the native call address.
Step 308, query the custom plug-in library for the target plug-in matching the task type.
In this case, the queried target plug-in belongs to a custom plug-in registered by the user in the secure response platform.
Step 309, determining the target user associated with the current node task, and obtaining the user identification of the target user.
The user for whom the current node task is executed is the target user associated with the current node task. For example, if the current node task is a notification task and a notification is to be sent to the user U, the user U is the target user associated with the current node task, and the user identifier of the target user is the identifier of the user U.
Step 310, the service instance registry is queried according to the user identification of the target user to determine the target service instance.
By querying the service instance registry of the target plug-in, it can be determined which service instance was created by the target user, and that service instance is determined as the target service instance. That is, a service instance is used by whoever created it, so that service personalization and data isolation are realized.
Step 311, the custom call address of the target service instance is obtained from the service instance registry.
The service instance obtained after the customized plug-in is instantiated is deployed in the customized plug-in server, so when the target plug-in is the customized plug-in, the call address of the target service instance obtained from the service instance registry is the address of the customized plug-in server, namely the customized call address. In the customized plug-in registration stage, the plug-in registration request initiated by the user side can carry the address of the customized plug-in server to be deployed after the customized plug-in is instantiated, so that after the customized plug-in is instantiated to obtain the service instance, the service instance can be deployed on the customized plug-in server according to the address of the customized plug-in server, and the subsequent call is convenient.
Step 312, the current node task is executed by calling the target service instance from the custom plug-in server according to the custom call address.
The task execution method of the present invention is illustrated below with reference to fig. 4. As shown in fig. 4, when execution of a safety response scenario is triggered, the current node task and its task type may be determined first. The scheduling service then queries the cloud native plug-in library for a cloud native plug-in matched with the task type. If one exists, a target service instance for executing the current node task is determined according to the service instance registry of the cloud native plug-in, and the target service instance is called to execute the current node task. If none exists, a custom plug-in matched with the task type is queried from the custom plug-in library, a target service instance for executing the current node task is determined according to the service instance registry of the custom plug-in, and the target service instance is called to execute the current node task.
In a specific application scenario, for example, the security response platform lacks a plug-in Y for providing the X service and the user U develops the plug-in Y; the plug-in Y can then be connected to the customized plug-in library of the security response platform and instantiated to obtain a service instance of the plug-in Y. When a security response scenario needs to provide the X service for the user U during execution, the customized plug-in library can be queried, the plug-in Y provided by the user U is matched, and a service instance of the plug-in Y is called to provide the X service for the user U.
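The dispatch flow of steps 301 to 312, applied to the plug-in Y scenario above, as an added Python example that is not part of the patent text. The class names, task-type strings and addresses are constructed, and one plug-in per task type in each library is an assumption.

```python
# Added illustration of steps 301-312; all names and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ServiceInstance:
    call_address: str               # native or custom call address
    load: float = 0.0               # load condition (cloud native registry)
    creator: Optional[str] = None   # creator's user identification (custom registry)


@dataclass
class Plugin:
    name: str
    task_type: str                  # task type the plug-in can execute
    registry: List[ServiceInstance] = field(default_factory=list)


class DispatchError(Exception):
    """Raised when no service instance may be called for this task."""


class Scheduler:
    def __init__(self, native_library: List[Plugin], custom_library: List[Plugin]):
        # The two libraries are stored separately and only joined at lookup time.
        # Assumption: at most one plug-in per task type in each library.
        self.native: Dict[str, Plugin] = {p.task_type: p for p in native_library}
        self.custom: Dict[str, Plugin] = {p.task_type: p for p in custom_library}

    def resolve(self, task_type: str, target_user: Optional[str]) -> Tuple[str, str, str]:
        """Return (library, plug-in name, call address) for the current node task."""
        plugin = self.native.get(task_type)                    # step 302
        if plugin is not None:                                 # steps 303-306
            if not plugin.registry:
                raise DispatchError(f"no instance of native plug-in {plugin.name}")
            instance = min(plugin.registry, key=lambda i: i.load)
            return "native", plugin.name, instance.call_address

        plugin = self.custom.get(task_type)                    # step 308
        if plugin is None:
            raise DispatchError(f"no plug-in for task type {task_type!r}")
        if not target_user:                                    # step 309
            # Without this guard, None would match instances lacking a creator.
            raise DispatchError("custom plug-in call without a target user")
        owned = [i for i in plugin.registry if i.creator == target_user]  # step 310
        if not owned:
            # Fail closed: never fall back to an instance another user created.
            raise DispatchError(f"{target_user} has no instance of {plugin.name}")
        return "custom", plugin.name, owned[0].call_address    # step 311


def build_demo() -> Scheduler:
    native = [Plugin("notify-native", "notification", [
        ServiceInstance("https://native-1.example.internal/notify", load=0.7),
        ServiceInstance("https://native-2.example.internal/notify", load=0.2),
    ])]
    custom = [
        # Plug-in Y providing service X, instantiated separately by users U and V.
        Plugin("Y", "X", [
            ServiceInstance("https://u.example.net/y", creator="U"),
            ServiceInstance("https://v.example.net/y", creator="V"),
        ]),
        # A custom plug-in that declares a task type the platform already serves.
        Plugin("notify-custom", "notification", [
            ServiceInstance("https://v.example.net/notify", creator="V"),
        ]),
    ]
    return Scheduler(native, custom)


def try_resolve(scheduler: Scheduler, task_type: str, user: Optional[str]):
    try:
        return scheduler.resolve(task_type, user)
    except DispatchError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    s = build_demo()
    for task_type, user in [("notification", "V"), ("X", "U"), ("X", "W"), ("X", None)]:
        print(task_type, user, "->", try_resolve(s, task_type, user))
```

Because the cloud native library is consulted first, the custom `notify-custom` plug-in is never selected for notification tasks, and a user with no instance of Y is refused rather than routed to another creator's instance.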
The scheme of the embodiment of the invention can determine the current node task in the safety response scenario and determine the task type of the current node task; query a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of the safety response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the safety response platform, and the custom plug-in library comprises the custom plug-ins registered in the safety response platform; determine a target service instance for executing the current node task according to the service instance registry of the target plug-in; and call the target service instance to execute the current node task. The invention connects custom plug-ins that users have customized or developed to the safety response platform, builds separate libraries to store the custom plug-ins and the platform's cloud native plug-ins, and, when a safety response scenario is executed, uniformly schedules from the plug-in libraries the plug-in that can execute the current node task. The users' custom plug-ins expand the service capabilities or types of the platform and meet service requirements in more scenarios. In addition, storing the custom plug-ins and the cloud native plug-ins separately while scheduling them uniformly achieves resource isolation, reduces management risk, meets the requirement of dynamically managing custom plug-ins in the cloud native environment, and facilitates the application and popularization of SOAR technology in cloud environments. Further, recording the creator in the service instance registry of the custom plug-in facilitates targeted calling of service instances and achieves service isolation between different users.
Fig. 5 is a schematic structural diagram of a task execution device in a cloud native environment according to an embodiment of the present invention, where the device is adapted to execute a task execution method in the cloud native environment according to an embodiment of the present invention, and as shown in fig. 5, the device may specifically include:
the task determination module 501 is configured to determine a current node task in the security response scenario, and determine a task type of the current node task;
the query module 502 is configured to query a target plugin matched with the task type from a cloud native plugin library or a custom plugin library of a security response platform, where the cloud native plugin library includes a cloud native plugin of the security response platform, and the custom plugin library includes a custom plugin registered in the security response platform;
an instance determining module 503, configured to determine a target service instance for executing the current node task according to a service instance registry of the target plugin;
and a calling module 504, configured to call the target service instance to execute the current node task.
In one embodiment, the query module 502 is specifically configured to:
determining whether a target plug-in matched with the task type exists in the cloud native plug-in library;
if the cloud native plug-in library has the target plug-in matched with the task type, inquiring the target plug-in matched with the task type from the cloud native plug-in library;
and if the target plug-in matched with the task type does not exist in the cloud native plug-in library, inquiring the target plug-in matched with the task type from the customized plug-in library.
In one embodiment, when the target plugin is from the cloud native plugin library, the instance determination module 503 determines a target service instance for performing the current node task according to a service instance registry of the target plugin, including:
acquiring the load condition of each service instance related to the service instance registry;
and determining the target service instance from the service instances according to the load condition.
In one embodiment, the calling module 504 is specifically configured to:
acquiring a native call address of the target service instance from the service instance registry;
and calling the target service instance from the cloud native plug-in server according to the native call address to execute the current node task.
In one embodiment, when the target plugin is from the custom plugin library, the instance determination module 503 determines a target service instance for performing the current node task according to a service instance registry of the target plugin, including:
determining a target user associated with the current node task, and acquiring a user identification of the target user;
and inquiring the service instance registry according to the user identification of the target user so as to determine the target service instance.
In one embodiment, the apparatus further includes a registration module, where the registration module is specifically configured to:
receiving a plug-in registration request initiated by a user terminal corresponding to the target user, wherein the plug-in registration request comprises a user identifier of the target user and a plug-in description of the target plug-in;
authenticating the identity of the target user based on the user identification;
and registering the target plugin into the customized plugin library of the safety response platform based on the plugin description after the identity authentication of the target user is passed.
In one embodiment, the apparatus further includes a configuration module, where the configuration module is specifically configured to:
generating a service configuration page of the target plug-in according to the plug-in description, and sending the service configuration page to the user side;
acquiring service configuration information configured for the target plug-in through the service configuration page from the user side;
and instantiating the target plugin based on the service configuration information to obtain the target service instance, and updating a service instance registry of the target plugin according to the target service instance.
In one embodiment, the calling module 504 is specifically configured to:
acquiring a customized call address of the target service instance from the service instance registry;
and calling the target service instance from the customized plug-in server to execute the current node task according to the customized calling address.
In one embodiment, the device further includes a judging module, where the judging module is specifically configured to:
judging whether the execution condition of the safety response scenario is reached or not;
and if the execution condition of the safety response scenario is reached, triggering the task determination module 501 to determine the current node task in the safety response scenario.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. The specific working process of the functional module described above may refer to the corresponding process in the foregoing method embodiment, and will not be described herein.
The device of the embodiment of the invention can determine the current node task in the safety response scenario and determine the task type of the current node task; query a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of the safety response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the safety response platform, and the custom plug-in library comprises the custom plug-ins registered in the safety response platform; determine a target service instance for executing the current node task according to the service instance registry of the target plug-in; and call the target service instance to execute the current node task. The invention connects custom plug-ins that users have customized or developed to the safety response platform, builds separate libraries to store the custom plug-ins and the platform's cloud native plug-ins, and, when a safety response scenario is executed, uniformly schedules from the plug-in libraries the plug-in that can execute the current node task. The users' custom plug-ins expand the service capabilities or types of the platform and meet service requirements in more scenarios. In addition, storing the custom plug-ins and the cloud native plug-ins separately while scheduling them uniformly achieves resource isolation, reduces management risk, meets the requirement of dynamically managing custom plug-ins in the cloud native environment, and facilitates the application and popularization of SOAR technology in cloud environments.
The embodiment of the invention also provides electronic equipment, which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor, wherein the processor realizes the task execution method under the cloud native environment provided by any embodiment when executing the program.
The embodiment of the invention also provides a computer readable medium, on which a computer program is stored, which when executed by a processor, implements the task execution method in the cloud native environment provided by any of the above embodiments.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use in implementing an electronic device of an embodiment of the present invention. The electronic device shown in fig. 6 is only an example and should not impose any limitation on the functionality and scope of use of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the computer system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the present invention may be implemented in software or in hardware. The described modules and/or units may also be provided in a processor, e.g., may be described as: a processor includes a task determination module, a query module, an instance determination module, and a call module. The names of these modules do not constitute a limitation on the module itself in some cases.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform:
determining a current node task in a safety response scenario, and determining a task type of the current node task; inquiring a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of a safety response platform, wherein the cloud native plug-in library comprises a cloud native plug-in of the safety response platform, and the custom plug-in library comprises a custom plug-in registered in the safety response platform; determining a target service instance for executing the current node task according to the service instance registry of the target plugin; and calling the target service instance to execute the current node task.
According to the technical scheme of the invention, the current node task in the safety response scenario can be determined, and the task type of the current node task can be determined; a target plug-in matched with the task type is queried from a cloud native plug-in library or a custom plug-in library of the safety response platform, wherein the cloud native plug-in library comprises the cloud native plug-ins of the safety response platform, and the custom plug-in library comprises the custom plug-ins registered in the safety response platform; a target service instance for executing the current node task is determined according to the service instance registry of the target plug-in; and the target service instance is called to execute the current node task. The invention connects custom plug-ins that users have customized or developed to the safety response platform, builds separate libraries to store the custom plug-ins and the platform's cloud native plug-ins, and, when a safety response scenario is executed, uniformly schedules from the plug-in libraries the plug-in that can execute the current node task. The users' custom plug-ins expand the service capabilities or types of the platform and meet service requirements in more scenarios. In addition, storing the custom plug-ins and the cloud native plug-ins separately while scheduling them uniformly achieves resource isolation, reduces management risk, meets the requirement of dynamically managing custom plug-ins in the cloud native environment, and facilitates the application and popularization of SOAR technology in cloud environments.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
It should be noted that, in the technical solution of the present disclosure, the collecting, updating, analyzing, processing, using, transmitting, storing, etc. of the personal information of the user all conform to the provisions of the relevant laws and regulations, are used for legal purposes, and do not violate public order and good customs. Necessary measures are taken for the personal information of the user, illegal access to the personal information data of the user is prevented, and the personal information security, network security and national security of the user are maintained.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (12)

1. The task execution method in the cloud native environment is characterized by comprising the following steps:
determining a current node task in a safety response scenario, and determining a task type of the current node task;
inquiring a target plug-in matched with the task type from a cloud native plug-in library or a custom plug-in library of a safety response platform, wherein the cloud native plug-in library comprises a cloud native plug-in of the safety response platform, and the custom plug-in library comprises a custom plug-in registered in the safety response platform;
determining a target service instance for executing the current node task according to the service instance registry of the target plugin;
and calling the target service instance to execute the current node task.
2. The task execution method according to claim 1, wherein the querying the target plugin matched with the task type from a cloud native plugin library or a custom plugin library of a security response platform includes:
determining whether a target plug-in matched with the task type exists in the cloud native plug-in library;
if the cloud native plug-in library has the target plug-in matched with the task type, inquiring the target plug-in matched with the task type from the cloud native plug-in library;
and if the target plug-in matched with the task type does not exist in the cloud native plug-in library, inquiring the target plug-in matched with the task type from the customized plug-in library.
3. The task execution method according to claim 1, wherein when the target plug-in is from the cloud native plug-in library, the determining, according to a service instance registry of the target plug-in, a target service instance for executing the current node task includes:
acquiring the load condition of each service instance related to the service instance registry;
and determining the target service instance from the service instances according to the load condition.
4. A task execution method according to claim 3, wherein said invoking said target service instance to execute said current node task comprises:
acquiring a native call address of the target service instance from the service instance registry;
and calling the target service instance from the cloud native plug-in server according to the native call address to execute the current node task.
5. The task execution method according to claim 1, wherein the determining a target service instance for executing the current node task according to a service instance registry of the target plug-in when the target plug-in is from the custom plug-in library, comprises:
determining a target user associated with the current node task, and acquiring a user identification of the target user;
and inquiring the service instance registry according to the user identification of the target user so as to determine the target service instance.
6. The method of claim 5, further comprising, prior to querying a target plug-in matching the task type from a cloud native plug-in library or a custom plug-in library of a security response platform:
receiving a plug-in registration request initiated by a user terminal corresponding to the target user, wherein the plug-in registration request comprises a user identifier of the target user and a plug-in description of the target plug-in;
authenticating the identity of the target user based on the user identifier;
and, after the identity authentication of the target user passes, registering the target plug-in into the custom plug-in library of the security response platform based on the plug-in description.
7. The task execution method according to claim 6, further comprising, after registering the target plug-in into the custom plug-in library of the security response platform based on the plug-in description:
generating a service configuration page of the target plug-in according to the plug-in description, and sending the service configuration page to the user terminal;
acquiring, from the user terminal, service configuration information configured for the target plug-in through the service configuration page;
and instantiating the target plug-in based on the service configuration information to obtain the target service instance, and updating the service instance registry of the target plug-in according to the target service instance.
8. The method of any of claims 5 to 7, wherein the invoking the target service instance to perform the current node task comprises:
acquiring a custom call address of the target service instance from the service instance registry;
and calling the target service instance from the custom plug-in server according to the custom call address to execute the current node task.
9. The task execution method according to claim 1, further comprising, before determining a current node task in the security response script:
judging whether the execution condition of the security response script is met;
and if the execution condition of the security response script is met, triggering and executing the current node task in the determined security response script.
10. A task execution device in a cloud native environment, comprising:
a task determining module, configured to determine a current node task in the security response script and determine a task type of the current node task;
a query module, configured to query a target plug-in matching the task type from a cloud native plug-in library or a custom plug-in library of the security response platform, wherein the cloud native plug-in library comprises a cloud native plug-in of the security response platform, and the custom plug-in library comprises a custom plug-in registered in the security response platform;
an instance determining module, configured to determine a target service instance for executing the current node task according to a service instance registry of the target plug-in;
and a calling module, configured to call the target service instance to execute the current node task.
11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the task execution method in a cloud native environment according to any one of claims 1 to 9.
12. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the task execution method in a cloud native environment according to any one of claims 1 to 9.
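The dispatch flow of claims 2 to 7, sketched as an added example; it is not code from the patent or its applicant. The Platform class, the lowest-load selection rule, the credential check and every address and task type are assumptions made for illustration. It shows two properties a reviewer would check: a custom plug-in cannot shadow a cloud native one, and a custom service instance is only reachable through its owner's user identifier.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Instance:
    call_address: str
    load: float = 0.0               # consulted for cloud native instances
    user_id: Optional[str] = None   # owner, set for custom instances

@dataclass
class Plugin:
    task_type: str
    instances: list = field(default_factory=list)  # service instance registry

class Platform:  # hypothetical model of the platform, not the patent's design
    def __init__(self, authenticate):
        self.native, self.custom = {}, {}
        self.authenticate = authenticate  # assumed: callable(user_id, credential) -> bool

    def register_custom(self, user_id, credential, task_type):
        # Claim 6: authenticate before the plug-in enters the custom library.
        if not self.authenticate(user_id, credential):
            raise PermissionError("identity authentication failed")
        return self.custom.setdefault(task_type, Plugin(task_type))

    def instantiate(self, user_id, task_type, call_address):
        # Claim 7: record the new instance in the registry, tagged with its owner.
        self.custom[task_type].instances.append(Instance(call_address, user_id=user_id))

    def resolve(self, task_type, user_id):
        # Claim 2: native library first, custom library only as fallback.
        plugin = self.native.get(task_type)
        if plugin is not None:
            # Claim 3: select by load (assumed rule: lowest load wins).
            return min(plugin.instances, key=lambda i: i.load).call_address
        plugin = self.custom.get(task_type)
        if plugin is None:
            raise LookupError(f"no plug-in for task type {task_type!r}")
        # Claim 5: only instances registered under this user identifier qualify.
        owned = [i for i in plugin.instances if i.user_id == user_id]
        if not owned:
            raise LookupError("no service instance for this user")
        return owned[0].call_address

def demo():
    # Constructed sample data: tokens, addresses and task types are illustrative.
    tokens = {"alice": "t-alice", "bob": "t-bob"}
    p = Platform(lambda u, c: tokens.get(u) == c)
    p.native["block_ip"] = Plugin("block_ip", [Instance("native://fw-1", 0.7),
                                               Instance("native://fw-2", 0.2)])
    for user in ("alice", "bob"):
        p.register_custom(user, tokens[user], "notify")
        p.instantiate(user, "notify", f"custom://{user}/notify")
    return p
```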
CN202311482554.5A 2023-11-08 2023-11-08 Task execution method, device, equipment and storage medium in cloud native environment Pending CN117389655A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311482554.5A CN117389655A (en) 2023-11-08 2023-11-08 Task execution method, device, equipment and storage medium in cloud native environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311482554.5A CN117389655A (en) 2023-11-08 2023-11-08 Task execution method, device, equipment and storage medium in cloud native environment

Publications (1)

Publication Number Publication Date
CN117389655A true CN117389655A (en) 2024-01-12

Family

ID=89440757

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311482554.5A Pending CN117389655A (en) 2023-11-08 2023-11-08 Task execution method, device, equipment and storage medium in cloud native environment

Country Status (1)

Country Link
CN (1) CN117389655A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117785331A (en) * 2024-02-26 2024-03-29 云粒智慧科技有限公司 Plug-in management system, method, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination