CN117614654A - Firewall service data management method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN117614654A
Authority
CN
China
Prior art keywords
data
firewall
service data
field
service
Prior art date
Legal status
Pending
Application number
CN202311447830.4A
Other languages
Chinese (zh)
Inventor
曾诗钦
叶睿显
欧阳宇宏
李曼
车向北
康文倩
黄颖祺
Current Assignee
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202311447830.4A
Publication of CN117614654A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 of structured data, e.g. relational data > G06F16/25 Integrating or interfacing systems involving database management systems > G06F16/258 Data format conversion from or to a database
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 of structured data, e.g. relational data > G06F16/28 Databases characterised by their database models, e.g. relational or object models > G06F16/284 Relational databases > G06F16/288 Entity relationship models
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/22 Matching criteria, e.g. proximity measures
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 for separating internal from external traffic, e.g. firewalls > H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services > H04L67/565 Conversion or adaptation of application format or content
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to a firewall service data management method, a firewall service data management device, computer equipment and a storage medium. The method comprises the following steps: acquiring service data of a firewall service; calling a field mapping function, and mapping each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model; calling a relation extraction function, extracting the association relations and nesting relations between firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features; and adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model. The method improves the standardization, integration and maintainability of the service data and provides strong support for the security and management of the power network.

Description

Firewall service data management method, device, computer equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a firewall service data management method, apparatus, computer device, storage medium, and computer program product.
Background
As the company's degree of digitalization keeps rising, the network security protection boundary keeps expanding, and the security threats faced by the company's internal and external networks keep increasing. Firewalls, an important component of network security, were initially designed to protect internal networks from external threats and attacks and have since evolved into more complex network security devices. Heterogeneous firewall devices are deployed at enterprise network boundaries according to actual business requirements.
However, the service data of heterogeneous firewall devices do not share a uniform data format. They are difficult to integrate effectively and may require complicated data conversion, which increases the complexity of integration. Secondly, because the service data formats are not uniform, the configurations of different firewall devices are inconsistent, which affects overall network security and consistency. Moreover, the non-uniform service data model complicates the maintenance and upgrading of the firewall devices, which increases the management burden.
Therefore, how to improve the standardization, integration and maintainability of service data, and thereby provide strong support for the security and management of the electric power network, is a technical problem that currently needs to be solved.
Disclosure of Invention
In view of the foregoing, there is a need for a firewall service data management method, apparatus, computer device, computer readable storage medium and computer program product that can improve the standardization, integration and maintainability of service data and provide strong support for the security and management of an electric power network.
In a first aspect, the present application provides a firewall service data management method, including:
acquiring service data of a firewall service;
calling a field mapping function, and mapping each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model;
calling a relation extraction function, extracting the association relations and nesting relations between firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features;
and adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
In one embodiment, the method further comprises:
identifying whether the service data match the field mapping policy between the firewall service data and the YANG model;
if they match, calling the field mapping function and mapping each field of the service data to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model;
if unmatched service data exist, adding a field mapping policy that matches the unmatched service data to the field mapping policy to obtain an updated field mapping policy, and then calling the field mapping function and mapping each field of the service data to the corresponding field in the YANG model according to the updated field mapping policy.
In one embodiment, mapping each field of the service data to the corresponding field in the YANG model includes:
assigning each field of the service data to the corresponding field in the YANG model.
In one embodiment, before acquiring the service data of the firewall service, the method further includes:
acquiring service data samples and service application form samples of a plurality of firewall devices, the service application form samples comprising firewall policies;
identifying common data elements between the firewall devices and the firewall policies according to the service data samples;
constructing an initial data model according to the common data elements;
and modeling the service relations of the initial data model according to the service relations among the different services to which the service data samples belong, so as to obtain the YANG model.
In one embodiment, constructing an initial data model according to the common data elements includes:
determining the container and list structure of the YANG model according to the common data elements;
configuring a data type for each common data element according to the requirements of the service scenario;
and adding the attributes and features corresponding to the data types to the list structure to obtain the initial data model.
In one embodiment, modeling the service relations of the initial data model according to the service relations among the different services to which the service data samples belong, so as to obtain the YANG model, includes:
modeling the service relations among the different services to which the service data samples belong through the container and list structure of the initial data model, so as to obtain the YANG model.
In a second aspect, the present application further provides a firewall service data management device, including:
a data acquisition module, configured to acquire service data of a firewall service;
a data mapping module, configured to call a field mapping function and map each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model;
a relation extraction module, configured to call a relation extraction function, extract the association relations and nesting relations between firewall services from the service data, and mine potential relations between the firewall services from the service data according to service attribute features;
and a relation mapping module, configured to add the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
In a third aspect, the present application further provides a computer device comprising a memory and a processor, the memory storing a computer program, and the processor implementing the following steps when executing the computer program:
acquiring service data of a firewall service;
calling a field mapping function, and mapping each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model;
calling a relation extraction function, extracting the association relations and nesting relations between firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features;
and adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
In a fourth aspect, the present application further provides a computer readable storage medium on which a computer program is stored, the computer program implementing the following steps when executed by a processor:
acquiring service data of a firewall service;
calling a field mapping function, and mapping each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model;
calling a relation extraction function, extracting the association relations and nesting relations between firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features;
and adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
In a fifth aspect, the present application further provides a computer program product comprising a computer program, the computer program implementing the following steps when executed by a processor:
acquiring service data of a firewall service;
calling a field mapping function, and mapping each field of the service data to the corresponding field in a YANG model according to a field mapping policy between the firewall service data and the YANG model;
calling a relation extraction function, extracting the association relations and nesting relations between firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features;
and adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
In the firewall service data management method, device, computer equipment, storage medium and computer program product described above, a YANG model is adopted: each field of the service data is mapped to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model, and the extracted association relations and nesting relations and the mined potential relations are added to the corresponding fields in the YANG model, so that the description and definition of the firewall service data become standardized and consistent. Firewall devices of different types, even from different vendors, can use the same YANG model to describe the service data of the firewall services they provide; that is, heterogeneous firewall devices can describe their heterogeneous firewall service data with one YANG model. This standardization enables consistent configuration and management across devices and vendors, provides a general and extensible description framework, yields a consistent representation of the service data, reduces the configuration errors and management difficulties caused by inconsistent service data formats between devices, formalizes the firewall service data, and improves the standardization, integration and maintainability of the service data.
Drawings
In order to describe the embodiments of the present application or the technical solutions in the related art more clearly, the drawings needed for the description of the embodiments or the related art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person of ordinary skill in the art may obtain other drawings from them without inventive effort.
FIG. 1 is an application environment diagram of a firewall service data management method in one embodiment;
FIG. 2 is a flow diagram of a firewall service data management method in one embodiment;
FIG. 3 is a schematic flow chart of the YANG model construction process in one embodiment;
FIG. 4 is a schematic diagram of the structure of an initial data model in one embodiment;
FIG. 5 is a block diagram of a firewall service data management device in one embodiment;
FIG. 6 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The firewall service data management method provided by the embodiments of the application can be applied in the application environment shown in FIG. 1, in which the terminal 102 communicates with the server 104 over a network. A data storage system may store the data that the server 104 needs to process; it may be integrated into the server 104 or located on a cloud or other network server. The terminal 102 sends a firewall service data management request to the server 104, and the server 104 parses the request to obtain the service data of the firewall service. The server calls a field mapping function and maps each field of the service data to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model. It then calls a relation extraction function, extracts the association relations and nesting relations between firewall services from the service data, mines potential relations between the firewall services from the service data according to service attribute features, and adds the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, Internet of Things device or portable wearable device; an Internet of Things device may be a smart speaker, smart television, smart air conditioner, smart vehicle device and so on, and a portable wearable device may be a smart watch, smart bracelet, headset and so on. The server 104 may be implemented as a stand-alone server or as a cluster of multiple servers.
In an exemplary embodiment, as shown in FIG. 2, a firewall service data management method is provided. The method is described as applied to the server in FIG. 1 and includes the following steps 202 to 208.
Step 202: obtaining service data of a firewall service.
A firewall service is a network security service provided by a firewall device, such as secure access, traffic filtering, intrusion detection and prevention, logging and reporting. The service data of a firewall service are the specific firewall configuration information that needs unified management and is generally configured and managed in a firewall management system, including the firewall policy name, the policy applicant, the policy scope, and the rule list contained in the policy summary, with items such as the source IP (Internet Protocol) address, the destination IP address, the packet, and so on.
Optionally, the server receives a firewall service data management request sent by the terminal and parses the request to obtain the service data of the firewall service. The acquired service data may be heterogeneous firewall service data, that is, service data from firewall devices of different types or vendors.
Step 204: calling a field mapping function, and mapping each field of the service data to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model.
The server builds a YANG model in advance. YANG (Yet Another Next Generation; YANG 1.1 is specified in RFC 7950) is a data modeling language: it defines the hierarchical structure of the data, clearly separates configuration data from state data, and is highly extensible. Data modeled with YANG are structured data; the model is positioned as a machine-facing interface in which attributes and values are defined by labels, so the data structure and its constraints are clearly defined and the data description is more flexible and complete. After the YANG model has been built, a field mapping policy (also called field mapping rules) between the firewall service data and the YANG model is defined. Specifically, the mapping of the firewall service data into the YANG model is determined field by field: for each field it is determined which container, list or attribute it should map to, and an appropriate data type is selected. A mapping rule is written for each field, associating the field of the service data with the corresponding part of the YANG model. A mapping rule covers the field name, the data type, the location in the model, and any conversion or data processing that may be needed. If a field in the service data has a default value or a constraint (such as a value range or a regular expression), the corresponding setting is made in the mapping rule. Note that the field mapping rules are updated dynamically: a security operator can add and modify them as the services change. By defining the mapping rules, each field of the service data can be mapped to the YANG model correctly and consistently, which supports unified and standardized data management and operation.
Optionally, in this embodiment the field mapping function is written in Python. The field mapping function is called to extract the relevant field information from the firewall service data according to the field mapping policy defined above, convert it to the data type defined in the YANG model, and assign the field value to the attribute, list or container of that data type in the YANG model according to the field mapping policy. Mapping the service data in this way gives it a unified and standardized description.
In one embodiment, mapping each field of the service data to the corresponding field in the YANG model includes assigning each field of the service data to the corresponding field in the YANG model. The mapping may simply assign the original field value directly to the corresponding field in the YANG model. For example, if the firewall service data contain the source IP field of a rule, the field mapping function extracts that field and assigns it to the source IP attribute of the corresponding rule in the YANG model.
Further, the mapped data can be format-converted. Format conversion refers to the change of data structure during this process, including conversion of the data format, data structure and data model. For example, the structure of a heterogeneous firewall policy is converted into the unified data structure defined by the YANG model; that is, the original firewall policy data are converted into the YANG model.
Step 206: calling a relation extraction function, extracting the association relations and nesting relations between the firewall services from the service data, and mining potential relations between the firewall services from the service data according to service attribute features.
Step 208: adding the extracted association relations and nesting relations and the mined potential relations to the corresponding fields in the YANG model.
Optionally, in this embodiment the relation extraction function is written in Python. The relation extraction function is called to identify the association relations and nesting relations between the firewall services in the service data. By analysing the service attribute features of the service data, potential relations between services are mined; these include, for example, services with the same action or services whose IP ranges are the same. The extracted relations between the services and the mined potential relations are then added to the corresponding data fields according to the data structure and data types of the relation container in the YANG model, giving the firewall services a unified and standardized description.
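A worked example of the relation extraction step (steps 206 and 208 above). This is an added illustration written for this page, not code from the patent or from the applicant. It assumes the service data have already been mapped to YANG leaves, and the leaf names (policy-name, parent-policy, address-object, source-address, destination-address, destination-port, action), the shape of the relation container and the sample rules are all assumptions. Nesting is read from an explicit parent-policy leaf, association from rules that share a named address object, and potential relations are mined from attribute features in the sense the text describes (same action, overlapping IP ranges); the example goes one step further and distinguishes a rule whose ranges are fully covered by another rule with the same action, which is a redundancy or shadowing candidate worth flagging.

```python
"""Relation extraction over YANG-mapped firewall service data.

Added example, not the patent's code. Leaf names and the relation
container layout are assumptions chosen for illustration.
"""
import ipaddress
from itertools import combinations

# Constructed sample rules, already mapped to the (assumed) YANG leaves.
RULES = [
    {"policy-name": "web-out", "parent-policy": "internet-egress",
     "address-object": "dmz-web", "source-address": "10.1.0.0/16",
     "destination-address": "0.0.0.0/0", "destination-port": 443,
     "action": "permit"},
    {"policy-name": "web-out-branch", "parent-policy": "internet-egress",
     "address-object": None, "source-address": "10.1.20.0/24",
     "destination-address": "0.0.0.0/0", "destination-port": 443,
     "action": "permit"},
    {"policy-name": "db-in", "parent-policy": "datacenter",
     "address-object": "dmz-web", "source-address": "10.1.0.0/16",
     "destination-address": "10.50.0.10/32", "destination-port": 5432,
     "action": "permit"},
    {"policy-name": "block-telnet", "parent-policy": None,
     "address-object": None, "source-address": "0.0.0.0/0",
     "destination-address": "10.0.0.0/8", "destination-port": 23,
     "action": "deny"},
]


def _net(prefix):
    """Parse an address or prefix; strict=False tolerates host bits set."""
    return ipaddress.ip_network(prefix, strict=False)


def extract_nesting(rules):
    """Explicit nesting relation: rule -> the policy it is declared under."""
    return {r["policy-name"]: r["parent-policy"]
            for r in rules if r.get("parent-policy")}


def extract_associations(rules):
    """Explicit association relation: rules referencing the same address object."""
    by_object = {}
    for r in rules:
        if r.get("address-object"):
            by_object.setdefault(r["address-object"], []).append(r["policy-name"])
    return {obj: names for obj, names in by_object.items() if len(names) > 1}


def mine_potential(rules):
    """Potential relations from attribute features: same action, same
    destination port, and overlapping source and destination ranges.
    If one rule's ranges lie inside the other's, it is 'covered-by'
    (a redundancy/shadowing candidate); otherwise it is an 'overlap'."""
    found = []
    for a, b in combinations(rules, 2):
        if a["action"] != b["action"] or a["destination-port"] != b["destination-port"]:
            continue
        sa, sb = _net(a["source-address"]), _net(b["source-address"])
        da, db = _net(a["destination-address"]), _net(b["destination-address"])
        if not (sa.overlaps(sb) and da.overlaps(db)):
            continue
        if sb.subnet_of(sa) and db.subnet_of(da):
            kind, pair = "covered-by", (b["policy-name"], a["policy-name"])
        elif sa.subnet_of(sb) and da.subnet_of(db):
            kind, pair = "covered-by", (a["policy-name"], b["policy-name"])
        else:
            kind, pair = "overlap", (a["policy-name"], b["policy-name"])
        found.append({"kind": kind, "rules": pair,
                      "action": a["action"], "port": a["destination-port"]})
    return found


def build_relation_container(rules):
    """Assemble the relations in the layout of the (assumed) YANG
    'relations' container, ready to be added to the model instance."""
    return {"nesting": extract_nesting(rules),
            "association": extract_associations(rules),
            "potential": mine_potential(rules)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_relation_container(RULES), indent=2))
```

On the constructed sample the function reports that web-out-branch is fully covered by web-out (same permit action, same port, and both of its ranges lie inside the broader rule's ranges), that web-out and db-in are associated through the shared dmz-web address object, and which parent policy each rule nests under. Whether a covered rule is harmless or a shadowing bug depends on rule ordering on the particular device, which this example does not model.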
In the firewall service data management method, a YANG model is adopted: each field of the service data is mapped to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model, and the extracted association relations and nesting relations and the mined potential relations are added to the corresponding fields in the YANG model, so that the description and definition of the firewall service data become standardized and consistent. Firewall devices of different types, even from different vendors, can use the same YANG model to describe the service data of the firewall services they provide; that is, heterogeneous firewall devices can describe their heterogeneous firewall service data with one YANG model. This standardization enables consistent configuration and management across devices and vendors, provides a general and extensible description framework, yields a consistent representation of the service data, reduces the configuration errors and management difficulties caused by inconsistent service data formats between devices, formalizes the firewall service data, and improves the standardization, integration and maintainability of the service data.
In an exemplary embodiment, the method further comprises: identifying whether the service data match the field mapping policy between the firewall service data and the YANG model; if they match, calling the field mapping function and mapping each field of the service data to the corresponding field in the YANG model according to the field mapping policy between the firewall service data and the YANG model; if unmatched service data exist, adding a field mapping policy that matches the unmatched service data to the field mapping policy to obtain an updated field mapping policy, and then calling the field mapping function and mapping each field of the service data to the corresponding field in the YANG model according to the updated field mapping policy.
The field mapping policy between the firewall service data and the YANG model can be updated dynamically. When the service data are mapped, it is first identified whether the service data match the field mapping policy between the firewall service data and the YANG model. If unmatched service data exist, a field mapping policy between the unmatched service data and the YANG model is added to the original field mapping policy, which updates the policy. The field mapping function is then called to map each field of the service data to the corresponding field in the YANG model.
In this embodiment, a security operator can add and modify the field mapping policy as the service data change, which allows flexible and unified management and operation of the service data.
In an exemplary embodiment, the YANG-based firewall service data management method provides a high degree of scalability. As service requirements change, the design of the YANG model allows the service data to be extended dynamically: new attributes, containers and lists can be added to the YANG model without breaking the existing structure and logic. In conventional approaches, adding new functionality or data usually requires modifying existing configuration files or data tables, which is prone to errors or instability. The YANG-based method adapts to change quickly through the flexibility of the model and therefore has higher agility and maintainability, so the modeling of the firewall service data can keep pace with a changing network environment and changing requirements without cumbersome reconstruction or redesign.
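A worked example of the field mapping function of step 204 together with the policy-matching and policy-update path described in the embodiment above. This is an added illustration written for this page, not code from the patent or from the applicant. The two vendor field layouts, the YANG leaf names (source-address, destination-address, destination-port, action, policy-name, logging), the constraint syntax (a value range, a regular expression, or none), the default value, and the sample records are all assumptions; the mapping policy is kept as a plain dictionary rather than a YANG-aware library so that the example runs stand-alone. Unlike a mapper that silently drops fields it does not recognise, this one refuses to map a record that carries fields with no mapping rule, so that a new device field cannot disappear from the unified model unnoticed; the caller supplies the missing rules and the policy is extended and retried, which is the "add a matching field mapping policy" step of the embodiment.

```python
"""Field mapping from heterogeneous firewall service data to YANG leaves.

Added example, not the patent's code. Vendor field names, YANG leaf
names, constraint syntax and sample records are assumptions.
"""
import ipaddress
import re

# Field mapping policy: vendor field -> (YANG leaf, YANG type, constraint).
# constraint is None, a (low, high) range for integers, or a regex for strings.
FIELD_MAPPING_POLICY = {
    "vendor-a": {
        "src_ip": ("source-address", "ip-address", None),
        "dst_ip": ("destination-address", "ip-address", None),
        "dport": ("destination-port", "uint16", (0, 65535)),
        "act": ("action", "enum", "^(permit|deny)$"),
        "name": ("policy-name", "string", r"^[A-Za-z0-9_-]{1,64}$"),
    },
    "vendor-b": {
        "source": ("source-address", "ip-address", None),
        "destination": ("destination-address", "ip-address", None),
        "service_port": ("destination-port", "uint16", (0, 65535)),
        "action": ("action", "enum", "^(permit|deny)$"),
        "rule_name": ("policy-name", "string", r"^[A-Za-z0-9_-]{1,64}$"),
    },
}

YANG_DEFAULTS = {"action": "deny"}  # default leaf values (assumed); fail closed


def _convert(value, ytype):
    """Convert a raw vendor value into the canonical form of the YANG type."""
    if ytype == "ip-address":
        return str(ipaddress.ip_address(value))  # raises ValueError on garbage
    if ytype == "uint16":
        return int(value)
    if ytype == "enum":
        return str(value).lower()
    return str(value)


def _check(value, constraint):
    """Apply the constraint recorded in the mapping rule, if any."""
    if constraint is None:
        return True
    if isinstance(constraint, tuple):
        return constraint[0] <= value <= constraint[1]
    return re.fullmatch(constraint, value) is not None


class UnmatchedFieldsError(Exception):
    """Raised when the service data carry fields the policy does not cover."""
    def __init__(self, fields):
        super().__init__(f"unmatched fields: {sorted(fields)}")
        self.fields = set(fields)


def map_fields(record, vendor, policy=FIELD_MAPPING_POLICY):
    """Map one vendor record to YANG leaves. Fields without a mapping rule
    are an error, not something to drop silently."""
    rules = policy[vendor]
    unmatched = set(record) - set(rules)
    if unmatched:
        raise UnmatchedFieldsError(unmatched)
    out = dict(YANG_DEFAULTS)
    for src, (leaf, ytype, constraint) in rules.items():
        if src not in record:
            continue                      # absent field keeps its default, if any
        value = _convert(record[src], ytype)
        if not _check(value, constraint):
            raise ValueError(f"{src}={record[src]!r} violates constraint of {leaf}")
        out[leaf] = value                 # direct assignment to the YANG leaf
    return out


def extend_policy(policy, vendor, new_rules):
    """Return an updated policy with extra rules for `vendor` (original untouched)."""
    updated = {v: dict(r) for v, r in policy.items()}
    updated.setdefault(vendor, {}).update(new_rules)
    return updated


def map_with_policy_update(record, vendor, policy, resolver):
    """Map a record; on unmatched fields ask `resolver` for the missing rules,
    extend the policy and retry once. Returns (mapped record, policy used)."""
    try:
        return map_fields(record, vendor, policy), policy
    except UnmatchedFieldsError as err:
        policy = extend_policy(policy, vendor, resolver(err.fields))
        return map_fields(record, vendor, policy), policy


# Constructed sample records (not real device exports).
SAMPLE_A = {"src_ip": "10.1.2.3", "dst_ip": "10.9.8.7", "dport": "443",
            "act": "PERMIT", "name": "web-out"}
SAMPLE_B = {"source": "10.1.2.3", "destination": "10.9.8.7",
            "service_port": 443, "action": "permit", "rule_name": "web-out",
            "log": "yes"}   # 'log' has no mapping rule yet

if __name__ == "__main__":
    print(map_fields(SAMPLE_A, "vendor-a"))
    resolver = lambda fields: {"log": ("logging", "string", "^(yes|no)$")}
    mapped, policy = map_with_policy_update(SAMPLE_B, "vendor-b",
                                            FIELD_MAPPING_POLICY, resolver)
    print(mapped)
```

In a deployment the resolver would be the security operator's review step rather than a lambda; the point of the structure is that the policy is data, is versioned separately from the code, and is extended rather than patched in place, so that a later audit can tell which rule mapped a given field.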
In an exemplary embodiment, as shown in fig. 3, before acquiring service data of the firewall service, the method further includes: a step of constructing a Yang model, comprising steps 302 to 308, wherein:
Step 302, obtaining service data samples and service application form samples of a plurality of firewall devices; the service application form sample includes firewall policies.
Step 304, identifying common data elements between the firewall device and the firewall policy based on the traffic data samples.
Step 306, an initial data model is constructed from the common data elements.
And 308, modeling the service relationships of the initial data model according to the service relationships among the different services to which the service data samples belong, so as to obtain the Yang model.
The plurality of firewall devices are firewall devices of different types. A service data sample is the service data of a firewall service that is used to construct the Yang model, and a service application form sample is a service application form that is used to construct the Yang model.
In this embodiment, different firewall service data from different service parties in the enterprise security operation and maintenance process are collected and used as service data samples; these data may exist in the form of text files, database records, etc. Service parties apply for the related services by means of forms, and an application form may contain a firewall configuration change request such as adding rules, modifying policies, closing ports, and the like. Specifically, the model and type of the firewall device are first determined, and a configuration file is then exported from the device; this can typically be done through the device's command line interface (CLI) or its web management interface.
The service data samples are analyzed according to the actual service scenarios in order to understand the relation between the services and the firewall policies and to determine the firewall devices and policies involved in each scenario. The structure and fields of each data sample are analyzed to establish the meaning of each field, its data type, and the relationships between fields. Data elements that co-occur in different data samples are identified; these are likely to be core attributes of the service data, such as source IP, destination IP, port number, protocol, etc.
It is then necessary to understand the service requirements placed on the firewall, including access control, security policies, data protection, etc., and to determine the operations involved in firewall policies, such as rule addition, deletion and query, and policy organization. This includes establishing how the administrator operates the firewall device and in which cases rules need to be configured, modified or deleted.
An initial data model is constructed on the basis of this analysis and of the common data elements. The service relationships among the services to which the service data samples belong are identified, and the initial data model is modeled according to these relationships to obtain the Yang model.
In this embodiment, common data elements between the firewall devices and the firewall policies are identified from the service data samples of different types of firewall devices, and the Yang model is constructed according to the service relationships among the different services to which the service data samples belong. Heterogeneous firewall service data are thereby modeled, and the hierarchical relationships and attributes of the firewall service data are organized and described accurately, which improves the operation and management efficiency of the firewall services.
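The identification of co-occurring data elements across heterogeneous samples, as an added example that is not code from the patent. It takes two constructed exports from two hypothetical device types ("vendor-a", a CSV dump, and "vendor-b", a JSON record; all field names and values are made up), normalizes device-specific field names to a canonical form, keeps the elements present in every sample set, and infers a Yang-style data type for each from the observed values.

```python
"""Identify common data elements across heterogeneous firewall service data samples.

Added illustration, not code from the patent. The two device exports below are
constructed samples for two hypothetical device types, "vendor-a" (CSV export)
and "vendor-b" (JSON export); field names and values are made up.
"""
import csv
import io
import ipaddress
import json
import re

# Constructed sample: vendor A exports rules as CSV with its own column names.
VENDOR_A_CSV = """rule_id,src_ip,dst_ip,dst_port,proto,action
101,10.0.0.5,192.168.1.10,443,tcp,permit
102,10.0.0.0/24,192.168.1.20,22,tcp,deny
"""

# Constructed sample: vendor B exports rules as JSON with different field names
# and an extra per-device counter that is state data rather than configuration.
VENDOR_B_JSON = """[
  {"id": "r-7", "source-address": "10.1.1.0/24",
   "destination-address": "172.16.0.9", "destination-port": "8080",
   "protocol": "tcp", "policy-action": "accept", "hit-count": 42}
]"""

# Lexical normalization so that "src_ip", "source-address" and "SourceIP"
# compare equal. Qualifier tokens such as "rule" or "policy" are dropped.
_ALIASES = {"src": "source", "dst": "destination", "proto": "protocol", "ip": "address"}
_QUALIFIERS = {"rule", "policy"}


def normalize_field(name: str) -> str:
    """Map a device-specific field name to a canonical element name."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", "_", name).lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", spaced) if t]
    tokens = [_ALIASES.get(t, t) for t in tokens if t not in _QUALIFIERS]
    return "-".join(tokens)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def infer_type(values) -> str:
    """Guess a Yang-style data type from the observed values of an element."""
    vals = [str(v) for v in values]
    if vals and all(_is_ip(v) for v in vals):
        return "ip-address"
    if vals and all(v.isdigit() for v in vals):
        return "uint16" if all(int(v) < 65536 for v in vals) else "uint64"
    if vals and all(v.isalpha() for v in vals) and len(set(vals)) <= 8:
        return "enumeration"
    return "string"


def parse_vendor_a(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def parse_vendor_b(text: str) -> list:
    return json.loads(text)


def common_data_elements(samples: dict) -> dict:
    """Return the elements present in every sample set, with an inferred type
    and the original field name used by each device type."""
    per_source = {}
    for source, records in samples.items():
        fields = {}
        for rec in records:
            for raw in rec:
                fields.setdefault(normalize_field(raw), raw)
        per_source[source] = (fields, records)
    common = set.intersection(*(set(f) for f, _ in per_source.values()))
    result = {}
    for name in sorted(common):
        values, raw_names = [], {}
        for source, (fields, records) in per_source.items():
            raw_names[source] = fields[name]
            values.extend(rec[fields[name]] for rec in records if fields[name] in rec)
        result[name] = {"type": infer_type(values), "fields": raw_names}
    return result


if __name__ == "__main__":
    elements = common_data_elements({
        "vendor-a": parse_vendor_a(VENDOR_A_CSV),
        "vendor-b": parse_vendor_b(VENDOR_B_JSON),
    })
    for name, info in elements.items():
        print(f"{name:20s} {info['type']:12s} {info['fields']}")
```

Elements that appear in only one device's export (here the vendor-B `hit-count` counter) are deliberately left out of the common set; they are candidates for state data rather than for the shared configuration model.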
In one exemplary embodiment, constructing the initial data model from the common data elements includes: determining the container and list structure of the Yang model according to the common data elements; configuring a data type for each common data element according to the service scenario requirements; and adding the attributes and characteristics corresponding to the data types to the list structure to obtain the initial data model.
The attributes and characteristics are a standardized, structured description of the data types in the Yang model. An attribute (a leaf) holds a single value, whereas a characteristic (a leaf-list) represents the case in which one attribute contains a plurality of values; characteristics are typically used to describe repeated values such as multiple IP addresses, multiple port numbers or multiple strings.
Containers and lists are designed to organize the firewall service data on the basis of the common data elements. Each container and each list represents a service entity. A container is a Yang statement for organizing related attributes; like a namespace, it may contain leaf attributes, leaf-list characteristics and other containers, and it can be used to represent service entities such as rules, policies, etc. The container definition in this example is shown in Table 1.
TABLE 1
A list is used to store a set of instances having the same attributes; it is typically used to represent multiple service entities, such as multiple rules or multiple policies, and may contain leaf attributes, leaf-list characteristics and containers. Furthermore, new attributes can be added to a list according to actual service requirements, so the data model can be extended. The definition of the list is shown in Table 2.
TABLE 2
Each leaf contains the data type requirement and a description of the attribute. Based on the above definitions and according to the actual firewall service scenarios and service requirements, this embodiment designs a firewall service data model, namely the initial data model; a simplified schematic of the model structure is shown in Fig. 4. It should be noted that Fig. 4 only shows the basic data structure; in actual data modeling, the structure can be extended based on the service data. The firewall service data model is named firewall and comprises a plurality of containers; each container comprises two lists, and the lists comprise a plurality of attributes together with descriptions of those attributes.
In this embodiment, the container and list structure of the Yang model is determined according to the common data elements, a data type is configured for each common data element according to the service scenario requirements, and the attributes and characteristics corresponding to the data types are added to the list structure. The hierarchical relationships and attributes of the firewall service data are thus organized and described according to the service scenario requirements, and an effective and extensible Yang model is constructed.
In an exemplary embodiment, modeling the service relationships of the initial data model according to the service relationships among the different services to which the service data samples belong, so as to obtain the Yang model, includes: modeling the service relationships among the different services to which the service data samples belong through the container and list structure in the initial data model, so as to obtain the Yang model.
Relationships between different services are identified on the basis of the attributes shared between the container and list structures, and the containers and lists are used to model those service relationships. For a list, a key is defined to identify each list entry, so that each data item can be uniquely identified and accessed in actual use. Attributes and characteristics of a service relationship are added to the containers and lists to describe the relationship's attributes and attribute values; these may be features or metadata of the service relationship, including a relationship ID, a relationship name, an ID list of the related policies (a leaf-list), etc. If service relationships are nested, i.e., one service relationship may contain other service relationships, the nesting of containers and lists can be continued to define deeper levels within the containers and lists, so as to model the nested relationships.
Further, the relationships between firewall services may involve different levels and perspectives, and they are critical to efficient service management and data modeling. In this embodiment, a firewall policy typically contains multiple rules, so a list (list) is used to represent the policies, with each policy containing a list of rules. Firewall rules define actions that are applied when their conditions are met, and in the rule list an enumeration (enumeration) type is used to represent the action, such as "permit" or "deny". Nested relationships exist in firewall services, and with the Yang data model other lists and containers may be nested inside a container to represent deeper nested relationships; for example, a container (firewall) and lists (policies, rules, ip-address-group) are used to represent the nested relationships between firewall policies, rules and object groups. The rule list (rules) is nested in the policy list (policies), and the object-group container (objects) is nested in the rule list (rules).
In this embodiment, the associations, nesting relationships and so on between different services are modeled through the container and list structures, so that heterogeneous service data are standardized.
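A miniature Yang-style schema covering both the container and list structure described above and the relationship modeling just discussed (rules nested in policies, an object-group container nested in rules, a key per list entry, an enumerated action, leaf-lists for repeated values), together with an instance validator. This is an added example, not the patent's model or code: the node names firewall, policies, rules, objects and ip-address-group follow the text, while the leaf names, the data types, the validator and the sample instance are constructed assumptions.

```python
"""Miniature Yang-style schema for the firewall model described above, with
instance validation. Added illustration, not the patent's model or code: node
names (firewall, policies, rules, objects, ip-address-group) follow the text;
leaf names, types and the sample instance are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Leaf:                    # attribute: one typed value
    type: str                  # "string" | "uint16" | "ip-address" | "enumeration"
    enum: tuple = ()
    mandatory: bool = False

@dataclass
class LeafList:                # characteristic: repeated values of one type
    type: str

@dataclass
class Container:               # namespace-like grouping of related nodes
    children: dict

@dataclass
class List:                    # entries sharing the same attributes, identified by a key
    key: str
    children: dict

FIREWALL_MODEL = Container({
    "policies": List("policy-id", {
        "policy-id": Leaf("string", mandatory=True),
        "rules": List("rule-id", {                      # rule list nested in policy list
            "rule-id": Leaf("string", mandatory=True),
            "action": Leaf("enumeration", enum=("permit", "deny"), mandatory=True),
            "protocol": Leaf("enumeration", enum=("tcp", "udp", "icmp", "any")),
            "destination-port": Leaf("uint16"),
            "objects": Container({                      # object groups nested in rule list
                "source-groups": LeafList("string"),
                "destination-groups": LeafList("string"),
            }),
        }),
    }),
    "ip-address-group": List("name", {
        "name": Leaf("string", mandatory=True),
        "addresses": LeafList("ip-address"),
    }),
})

def check_value(leaf_type, value, enum=()):
    if leaf_type == "string":
        return isinstance(value, str)
    if leaf_type == "uint16":
        return isinstance(value, int) and not isinstance(value, bool) and 0 <= value < 65536
    if leaf_type == "enumeration":
        return value in enum
    try:                                               # "ip-address": host or prefix
        return leaf_type == "ip-address" and isinstance(value, str) \
            and ipaddress.ip_network(value, strict=False) is not None
    except ValueError:
        return False

def validate(schema, data, path=""):
    """Return the list of schema violations found in an instance; empty means valid."""
    errors = []
    if isinstance(schema, Container):
        if not isinstance(data, dict):
            return [f"{path}: expected a container"]
        for name, child in schema.children.items():
            if name in data:
                errors += validate(child, data[name], f"{path}/{name}")
            elif isinstance(child, Leaf) and child.mandatory:
                errors.append(f"{path}/{name}: missing mandatory leaf")
        errors += [f"{path}/{n}: unknown node" for n in data if n not in schema.children]
    elif isinstance(schema, List):
        if not isinstance(data, list):
            return [f"{path}: expected a list"]
        seen = set()
        for index, entry in enumerate(data):
            key = entry.get(schema.key) if isinstance(entry, dict) else None
            if key is None:
                errors.append(f"{path}[{index}]: missing key {schema.key}")
                continue
            if key in seen:
                errors.append(f"{path}[{schema.key}={key}]: duplicate key")
            seen.add(key)
            errors += validate(Container(schema.children), entry, f"{path}[{schema.key}={key}]")
    elif isinstance(schema, Leaf):
        if not check_value(schema.type, data, schema.enum):
            errors.append(f"{path}: value {data!r} is not a valid {schema.type}")
    elif not isinstance(data, list) or not all(check_value(schema.type, v) for v in data):
        errors.append(f"{path}: expected a list of {schema.type} values")
    return errors

SAMPLE_FIREWALL = {                                    # constructed instance of the model
    "policies": [{"policy-id": "p-dmz", "rules": [
        {"rule-id": "r-1", "action": "permit", "protocol": "tcp", "destination-port": 443,
         "objects": {"source-groups": ["internet"], "destination-groups": ["web-servers"]}},
        {"rule-id": "r-2", "action": "deny", "objects": {"source-groups": ["internet"]}},
    ]}],
    "ip-address-group": [{"name": "internet", "addresses": ["0.0.0.0/0"]},
                         {"name": "web-servers", "addresses": ["192.168.10.10", "192.168.10.11"]}],
}
```

`validate(FIREWALL_MODEL, SAMPLE_FIREWALL)` returns an empty list for the constructed instance; an unknown action value, a duplicate `rule-id` within one policy, or a malformed address in `ip-address-group` each produce one violation with the path at which it occurred.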
In one exemplary embodiment, operations and state data may also be defined, for configuring and managing the service data and for presenting state information about the service data.
An operation is a method that allows an external system to perform a specific function, such as adding, deleting or modifying service data. Defining operations provides a standard way to configure and manage the firewall service data; for example, in some embodiments an operation named "add-rule" is defined that accepts the various attributes of a rule as input parameters and returns the status of the operation.
In addition, input parameters and output parameters must be specified for each operation. For the input parameters, the data needed to perform the operation are first determined, which may include configuration attributes, identifiers, setting options, etc.; an input parameter is then defined for each required data item, with its parameter name, data type and description specified, so that the role and expected value of each parameter are clearly explained; finally, default values can be specified for the input parameters, and constraints such as a value range or a regular expression can be added. For the output parameters, an output parameter is defined according to the operation result, and its name, data type and description are specified, so that the output parameter clearly conveys the operation result; for a configuration-type operation, the output parameters may include an operation state indicating whether the operation completed successfully.
The state data reflect the current state of the service data, such as the number of times a rule has matched or the state of a policy, and help the administrator monitor and understand the real-time situation of the service data. In this embodiment, the container for the state data may be named 'rule-status', and each list entry includes the rule identifier (a character string) and the match count of the rule (an integer).
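The operation and state data described above, as an added example that is not the patent's code: an "add-rule" operation whose input parameters carry a name, type, description, default and constraints (a regular expression for the rule identifier, a range for the port), a status output, and a 'rule-status' state container with a per-rule match count. The parameter set, the constraint values, the in-memory store and the sample calls are constructed assumptions.

```python
"""Operation and state data for the firewall service model: an "add-rule"
operation with typed, constrained input parameters and a status output, plus
a "rule-status" state container holding per-rule match counts. Added
illustration, not the patent's code; the parameter set, constraints, the
in-memory store and the sample calls are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Param:
    name: str
    type: str                          # "string" | "uint16" | "enumeration"
    description: str
    mandatory: bool = False
    default: object = None
    enum: tuple = ()
    pattern: Optional[str] = None      # regular-expression constraint for strings
    value_range: Optional[tuple] = None  # (low, high) constraint for integers


# Operation definition: name, input parameters, output parameters.
ADD_RULE = {
    "name": "add-rule",
    "input": [
        Param("rule-id", "string", "identifier of the new rule", mandatory=True, pattern=r"r-[0-9]+"),
        Param("policy-id", "string", "policy that receives the rule", mandatory=True),
        Param("action", "enumeration", "permit or deny", mandatory=True, enum=("permit", "deny")),
        Param("protocol", "enumeration", "transport protocol", default="any",
              enum=("tcp", "udp", "icmp", "any")),
        Param("destination-port", "uint16", "destination port", value_range=(1, 65535)),
    ],
    "output": [
        Param("status", "enumeration", "operation state", enum=("success", "failed")),
        Param("message", "string", "human-readable result"),
    ],
}


def check_param(p: Param, value):
    """Return an error string if value violates the parameter definition, else None."""
    if p.type == "string":
        if not isinstance(value, str):
            return f"{p.name}: expected a string"
        if p.pattern and not re.fullmatch(p.pattern, value):
            return f"{p.name}: {value!r} does not match /{p.pattern}/"
    elif p.type == "uint16":
        if isinstance(value, bool) or not isinstance(value, int):
            return f"{p.name}: expected an integer"
        low, high = p.value_range or (0, 65535)
        if not low <= value <= high:
            return f"{p.name}: {value} outside range {low}..{high}"
    elif p.type == "enumeration" and value not in p.enum:
        return f"{p.name}: {value!r} not one of {p.enum}"
    return None


def new_store():
    """In-memory configuration plus state data (assumption for the example)."""
    return {"policies": {"p-dmz": {}}, "rule-status": {}}


def invoke_add_rule(store, args):
    """Validate the inputs, apply defaults, add the rule, return the output parameters."""
    defined = {p.name for p in ADD_RULE["input"]}
    unknown = set(args) - defined
    if unknown:
        return {"status": "failed", "message": f"unknown input parameter(s): {sorted(unknown)}"}
    params = {}
    for p in ADD_RULE["input"]:
        if p.name not in args:
            if p.mandatory:
                return {"status": "failed", "message": f"{p.name}: mandatory input missing"}
            if p.default is not None:
                params[p.name] = p.default
            continue
        error = check_param(p, args[p.name])
        if error:
            return {"status": "failed", "message": error}
        params[p.name] = args[p.name]
    policy = store["policies"].get(params["policy-id"])
    if policy is None:
        return {"status": "failed", "message": f"policy {params['policy-id']!r} does not exist"}
    rule_id = params["rule-id"]
    if rule_id in policy:
        return {"status": "failed", "message": f"rule {rule_id!r} already exists"}
    policy[rule_id] = {k: v for k, v in params.items() if k not in ("rule-id", "policy-id")}
    store["rule-status"][rule_id] = 0           # state data: match counter starts at zero
    return {"status": "success", "message": f"rule {rule_id} added to policy {params['policy-id']}"}


def record_match(store, rule_id):
    """State update for one rule match (in practice fed from device counters)."""
    store["rule-status"][rule_id] = store["rule-status"].get(rule_id, 0) + 1


def rule_status(store):
    """Render the 'rule-status' container: one entry per rule with its match count."""
    return [{"rule-id": rid, "match-count": count}
            for rid, count in sorted(store["rule-status"].items())]
```

Every failure path returns through the same output parameters, so a caller can rely on `status` alone to decide whether the configuration changed and read `message` for the reason; the state container is kept separate from the configuration so that counters can be refreshed without touching the rules.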
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which need not be performed at the same time but may be performed at different times, and the order of those sub-steps or stages is not necessarily sequential; they may be performed alternately or in turn with at least some of the other steps or stages.
Based on the same inventive concept, the embodiments of the application also provide a firewall service data management device for implementing the firewall service data management method. The implementation of the solution provided by the device is similar to that described for the method above, so for the specific limitations in the embodiments of the one or more firewall service data management devices provided below, reference may be made to the limitations of the firewall service data management method described above, which will not be repeated here.
In an exemplary embodiment, as shown in Fig. 5, a firewall service data management apparatus is provided, including a data acquisition module 502, a data mapping module 504, a relationship extraction module 506 and a relationship mapping module 508, wherein:
the data acquisition module 502 is configured to acquire service data of a firewall service;
the data mapping module 504 is configured to call a field mapping function and map each field of the service data to the corresponding field in the Yang model according to the field mapping policy between the firewall service data and the Yang model;
the relationship extraction module 506 is configured to call a relationship extraction function, extract the association relationships and nesting relationships between firewall services from the service data, and mine potential relationships between firewall services from the service data according to service attribute characteristics; and
the relationship mapping module 508 is configured to add the extracted association relationships and nesting relationships and the mined potential relationships to the corresponding fields in the Yang model.
In an exemplary embodiment, the apparatus further comprises:
a policy updating module, configured to identify whether the service data match the field mapping policy between the firewall service data and the Yang model; if they match, to call the field mapping function and map each field of the service data to the corresponding field in the Yang model according to the field mapping policy between the firewall service data and the Yang model; and if unmatched service data exist, to add a field mapping policy matching the unmatched service data to the field mapping policy to obtain an updated field mapping policy, then to call the field mapping function and map each field of the service data to the corresponding field in the Yang model according to the updated field mapping policy.
In an exemplary embodiment, the data mapping module 504 is configured to assign each field of the service data to the corresponding field in the Yang model.
In an exemplary embodiment, the apparatus further comprises:
a model training module, configured to acquire service data samples and service application form samples of a plurality of firewall devices, the service application form samples comprising firewall policies; to identify common data elements between the firewall devices and the firewall policies according to the service data samples; to construct an initial data model according to the common data elements; and to model the service relationships of the initial data model according to the service relationships among the different services to which the service data samples belong, so as to obtain the Yang model.
In an exemplary embodiment, the model training module is further configured to determine the container and list structure of the Yang model according to the common data elements, to configure a data type for each common data element according to the service scenario requirements, and to add the attributes and characteristics corresponding to the data types to the list structure to obtain the initial data model.
In an exemplary embodiment, the model training module is further configured to model the service relationships among the different services to which the service data samples belong through the container and list structure in the initial data model, so as to obtain the Yang model.
Each of the above modules in the firewall service data management device may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in hardware form in, or independent of, a processor in the computer device, or they may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
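The processing performed by the data mapping, policy updating, relationship extraction and relationship mapping modules, as an added example that is not the patent's code. The device types "vendor-a" and "vendor-b", their raw field names, the mapping policy, the operator-supplied additions for unmatched fields and the three service data rows are constructed assumptions. The mining of potential relationships uses one heuristic chosen for the example (rules in different policies with identical destination address, port, protocol and action); the patent states only that such relationships are mined from service attribute characteristics.

```python
"""Field mapping with policy update, relation extraction and relation mapping,
following the module split above. Added illustration, not the patent's code:
the device types "vendor-a"/"vendor-b", their field names, the mapping policy
and the service data rows are constructed assumptions."""
from collections import defaultdict
from itertools import combinations

# Field mapping policy: per device type, raw export field -> Yang model field.
MAPPING_POLICY = {
    "vendor-a": {"rule_id": "rule-id", "policy": "policy-id", "src_ip": "source-address",
                 "dst_ip": "destination-address", "dst_port": "destination-port",
                 "proto": "protocol", "action": "action"},
}

# Constructed service data: two vendor-A rows and one vendor-B row whose fields
# are not yet covered by the policy.
SERVICE_DATA = [
    ("vendor-a", {"rule_id": "r-1", "policy": "p-dmz", "src_ip": "0.0.0.0/0",
                  "dst_ip": "192.168.10.10", "dst_port": "443", "proto": "tcp", "action": "permit"}),
    ("vendor-a", {"rule_id": "r-2", "policy": "p-dmz", "src_ip": "0.0.0.0/0",
                  "dst_ip": "192.168.10.10", "dst_port": "22", "proto": "tcp", "action": "deny"}),
    ("vendor-b", {"id": "r-7", "policy-name": "p-core", "source-address": "10.1.0.0/16",
                  "destination-address": "192.168.10.10", "destination-port": "443",
                  "protocol": "tcp", "policy-action": "permit"}),
]

# Mapping entries an operator supplies for the unmatched vendor-B fields (assumption).
VENDOR_B_ADDITIONS = {
    "id": "rule-id", "policy-name": "policy-id", "source-address": "source-address",
    "destination-address": "destination-address", "destination-port": "destination-port",
    "protocol": "protocol", "policy-action": "action",
}


def unmatched_fields(policy, device, record):
    """Fields of a record that the current policy cannot map for this device type."""
    return [f for f in record if f not in policy.get(device, {})]


def map_fields(policy, device, record):
    """Field mapping function: assign each raw field to its Yang model field."""
    rules = policy[device]
    return {rules[raw]: value for raw, value in record.items() if raw in rules}


def update_policy(policy, device, additions):
    """Return a new policy extended with mappings for previously unmatched fields."""
    updated = {d: dict(m) for d, m in policy.items()}
    updated.setdefault(device, {}).update(additions)
    return updated


def resolve_from_table(device, missing, table=VENDOR_B_ADDITIONS):
    return {f: table[f] for f in missing if f in table}


def map_service_data(policy, data, resolve=resolve_from_table):
    """Match check; direct mapping when matched, policy update then mapping otherwise."""
    mapped = []
    for device, record in data:
        missing = unmatched_fields(policy, device, record)
        if missing:
            policy = update_policy(policy, device, resolve(device, missing))
        mapped.append(map_fields(policy, device, record))
    return mapped, policy


def extract_relations(mapped):
    """Nesting: rules under their policy. Association: rules that protect the same
    destination. Potential relation (mined from attribute characteristics, an
    assumption for the example): rules in different policies with identical
    destination address, port, protocol and action."""
    nesting, by_destination = defaultdict(list), defaultdict(list)
    for rule in mapped:
        nesting[rule["policy-id"]].append(rule["rule-id"])
        by_destination[rule["destination-address"]].append(rule["rule-id"])
    association = {dst: ids for dst, ids in by_destination.items() if len(ids) > 1}
    keys = ("destination-address", "destination-port", "protocol", "action")
    potential = [(a["rule-id"], b["rule-id"]) for a, b in combinations(mapped, 2)
                 if a["policy-id"] != b["policy-id"] and all(a[k] == b[k] for k in keys)]
    return {"nesting": dict(nesting), "association": association, "potential": potential}


def build_yang_instance(mapped, relations):
    """Relation mapping: place mapped fields and extracted relations into the model."""
    policies = [{"policy-id": pid,
                 "rules": [{k: v for k, v in r.items() if k != "policy-id"}
                           for r in mapped if r["policy-id"] == pid]}
                for pid in relations["nesting"]]
    return {"firewall": {"policies": policies,
                         "shared-destinations": relations["association"],
                         "related-rules": [list(pair) for pair in relations["potential"]]}}
```

`map_service_data` never mutates the policy it was given; it returns the updated policy alongside the mapped records, so the caller decides whether to persist the new mapping entries after reviewing them.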
In one exemplary embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing service data of firewall services and the like. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program when executed by a processor implements a firewall service data management method.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In an exemplary embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor performing the steps of the method embodiments described above when the computer program is executed.
In an exemplary embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the method embodiments described above.
In an exemplary embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use, and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum-computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application; they are described in some detail but are not to be construed as limiting the scope of the present application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these fall within its scope. Accordingly, the scope of protection of the present application shall be determined by the appended claims.

Claims (10)

1. A firewall service data management method, the method comprising:
acquiring service data of a firewall service;
calling a field mapping function, and mapping each field of the service data to a corresponding field in a Yang model according to a field mapping policy between the firewall service data and the Yang model;
calling a relationship extraction function, extracting association relationships and nesting relationships between firewall services from the service data, and mining potential relationships between firewall services from the service data according to service attribute characteristics; and
adding the extracted association relationships and nesting relationships and the mined potential relationships to corresponding fields in the Yang model.
2. The method according to claim 1, wherein the method further comprises:
identifying whether the service data match the field mapping policy between the firewall service data and the Yang model;
if the service data match, calling the field mapping function, and mapping each field of the service data to the corresponding field in the Yang model according to the field mapping policy between the firewall service data and the Yang model; and
if unmatched service data exist, adding a field mapping policy matching the unmatched service data to the field mapping policy to obtain an updated field mapping policy, calling the field mapping function, and mapping each field of the service data to the corresponding field in the Yang model according to the updated field mapping policy.
3. The method of claim 1, wherein mapping each field of the service data to the corresponding field in the Yang model comprises:
assigning each field of the service data to the corresponding field in the Yang model.
4. The method of claim 1, wherein, before acquiring the service data of the firewall service, the method further comprises:
acquiring service data samples and service application form samples of a plurality of firewall devices, the service application form samples comprising firewall policies;
identifying common data elements between the firewall devices and the firewall policies according to the service data samples;
constructing an initial data model according to the common data elements; and
modeling the service relationships of the initial data model according to the service relationships among the different services to which the service data samples belong, so as to obtain the Yang model.
5. The method of claim 4, wherein constructing the initial data model according to the common data elements comprises:
determining a container and list structure of the Yang model according to the common data elements;
configuring a data type for each common data element according to service scenario requirements; and
adding the attributes and characteristics corresponding to the data types to the list structure to obtain the initial data model.
6. The method of claim 5, wherein modeling the service relationships of the initial data model according to the service relationships among the different services to which the service data samples belong, so as to obtain the Yang model, comprises:
modeling the service relationships among the different services to which the service data samples belong through the container and list structure in the initial data model, so as to obtain the Yang model.
7. A firewall service data management device, the device comprising:
a data acquisition module, configured to acquire service data of a firewall service;
a data mapping module, configured to call a field mapping function and map each field of the service data to a corresponding field in a Yang model according to a field mapping policy between the firewall service data and the Yang model;
a relationship extraction module, configured to call a relationship extraction function, extract association relationships and nesting relationships between firewall services from the service data, and mine potential relationships between the firewall services from the service data according to service attribute characteristics; and
a relationship mapping module, configured to add the extracted association relationships and nesting relationships and the mined potential relationships to corresponding fields in the Yang model.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
Bibliographic data

Application number: CN202311447830.4A (priority date 2023-11-01, filing date 2023-11-01), status pending
Title: Firewall service data management method, device, computer equipment and storage medium
Publication: CN117614654A (en), published 2024-02-27
Family ID: 89945104
Country status: CN, CN117614654A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination