CN117714204A - Domain environment protection method, device, equipment and storage medium - Google Patents


Publication number: CN117714204A
Application number: CN202410093036.2A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 李宗霖, 何帅, 张金涛
Current and original assignee: Industrial and Commercial Bank of China Ltd ICBC (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Prior art keywords: event, information, sub, domain, log
Abstract

The disclosure provides a domain environment protection method, device, equipment and storage medium, which can be applied to the technical field of network security and the technical field of financial science and technology. The method comprises the following steps: acquiring event logic information and event log information in a domain environment, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, and the event log sub-information comprises event keywords and event identifications of the same event; determining target event logic sub-information from at least one event logic sub-information according to the event identification; under the condition that the target event logic sub-information has an event keyword, determining an event corresponding to the event log sub-information as an abnormal event; and generating a domain protection strategy corresponding to the abnormal event according to the event keywords.

Description

Domain environment protection method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies and financial technology, and in particular, to a domain environment protection method, apparatus, device, medium, and program product.
Background
With the development of the information age, the workgroup mode, in which each host is managed independently, can no longer meet business requirements; more and more enterprises and institutions use domains to build their office networks, which brings convenience but also serious potential security hazards. A domain environment contains many hosts that have interaction rights with one another, so an attacker can use a weakly protected host as a springboard and easily penetrate the other hosts in the domain, which lowers the security of the domain environment.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a domain environment protection method, apparatus, device, medium, and program product.
According to a first aspect of the present disclosure, there is provided a protection method for a domain environment, including: event logic information and event log information in a domain environment are acquired, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, the event log sub-information comprises event keywords and event identifications of the same event, and target event logic sub-information is determined from the at least one event logic sub-information according to the event identifications. And determining that the event corresponding to the event log sub-information is an abnormal event when the target event logic sub-information has the event keyword. And generating a domain protection strategy corresponding to the abnormal event according to the event keywords.
According to an embodiment of the present disclosure, the event keyword includes a judgment keyword, the event log sub-information further includes an event address and an event user, the domain environment includes at least one device, and the domain protection policy includes an intra-domain protection device list and an intra-domain forbidden account list. Generating the domain protection policy corresponding to the abnormal event according to the event keyword includes the following steps: when the judgment keyword characterizes that the abnormal event was executed, an intra-domain protection device list is generated according to the event address, where the intra-domain protection device list characterizes that the N-th device corresponding to the event address is forbidden to access the M-th device in the domain environment, N and M are positive integers greater than or equal to 1, and N is not equal to M. And an intra-domain forbidden account list is generated according to the event user, where the intra-domain forbidden account list characterizes that the event user is forbidden to log in to the M-th device.
According to an embodiment of the present disclosure, the method further comprises: and sending the intra-domain protection device list to the Mth device through a policy control interface of the domain environment. And sending the domain forbidden account list to the Mth device through a domain account control interface of the domain environment.
According to an embodiment of the present disclosure, the domain protection policy further includes a permission list, and generating the domain protection policy corresponding to the abnormal event according to the event keyword includes: storing the event address and the event user in a database when the judgment keyword characterizes that the abnormal event was not executed. And when the event address or the event user in the database meets a preset condition, generating a permission list according to the event address and the event user, where the permission list characterizes that the N-th device corresponding to the event address has the right to access the M-th device in the domain environment, and that the event user has the right to log in to the M-th device.
According to an embodiment of the present disclosure, the event keyword includes a behavior keyword, and in a case where the target event logic sub-information has the event keyword, determining that the event corresponding to the event log sub-information is an abnormal event includes: and determining that the event corresponding to the event log sub-information is an abnormal event under the condition that the target event logic sub-information has the behavior keyword.
According to an embodiment of the present disclosure, the domain protection policy further includes an anomaly protection sub-policy, and generating the domain protection policy corresponding to the anomaly event according to the event keyword includes: and determining an abnormal protection sub-strategy corresponding to the abnormal event from the event log sub-information according to the behavior keyword. And sending the abnormal protection sub-strategy to the equipment corresponding to the event.
According to an embodiment of the present disclosure, the method further comprises: and under the condition that the target event logic sub-information does not have a behavior keyword, determining that the event corresponding to the event log sub-information is a normal event.
In accordance with an embodiment of the present disclosure, before acquiring the event logic information and the event log information within the domain environment, the method further comprises: from at least one device, a target device is determined. And acquiring domain control log information corresponding to the target equipment to obtain the domain control log information. And slicing the domain control log information to obtain domain control log sub-information. And determining event log sub-information from the domain control log sub-information according to the event identification.
According to an embodiment of the present disclosure, the method further comprises: and normalizing the domain control log sub-information to obtain at least one event log sub-information, wherein the event log sub-information also comprises event time.
A second aspect of the present disclosure provides a protection device for a domain environment, comprising: a first acquisition module for acquiring event logic information and event log information in a domain environment, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, and the event log sub-information comprises event keywords and event identifications of the same event. And a first determining module for determining target event logic sub-information from the at least one event logic sub-information according to the event identification. And a second determining module for determining that the event corresponding to the event log sub-information is an abnormal event when the target event logic sub-information has the event keyword. And a generation module for generating a domain protection policy corresponding to the abnormal event according to the event keywords.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
According to the protection method, the protection device, the protection equipment, the protection medium and the protection program product of the domain environment, event logic information and event log information in a domain controller are acquired; determining target event logic sub-information from at least one event logic sub-information according to the event identification; in the case that the target event logic sub-information has an event keyword, the event corresponding to the log sub-information is determined to be an abnormal event, so that detection of the abnormal event is realized by judging whether the target event logic sub-information has the event keyword. And generating domain protection information corresponding to the abnormal event according to the event keywords, so that protection against the abnormal event in the domain environment is realized, and the security of the domain environment is improved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of protection of a domain environment according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of safeguarding a domain environment in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of determining an event corresponding to event log sub-information as an abnormal event in the case where target event logic sub-information has an event keyword, according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of generating a domain protection policy corresponding to an abnormal event from an event keyword according to yet another embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of a protection device of a domain environment according to an embodiment of the disclosure; and
FIG. 6 schematically illustrates a block diagram of an electronic device adapted to implement a method of safeguarding a domain environment in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical solution of the invention, the user information involved (including but not limited to user personal information, user image information and user equipment information such as location information) and the data involved (including but not limited to data used for analysis, stored data and displayed data) are information and data authorized by the user or fully authorized by all parties; the processing of such data, including collection, storage, use, processing, transmission, provision, disclosure and application, is conducted in accordance with the relevant laws, regulations and standards of the relevant countries and regions, necessary security measures are adopted, no harm is done to the public interest, and corresponding operation entries are provided for the user to grant or refuse authorization.
A domain environment contains many hosts that have interaction rights with one another, so an attacker can use a weakly protected host as a springboard and easily penetrate the other hosts in the domain, which lowers the security of the domain environment.
In view of this, an embodiment of the present disclosure provides a protection method for a domain environment, including: event logic information and event log information in a domain environment are acquired, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, the event log sub-information comprises event keywords and event identifications of the same event, and target event logic sub-information is determined from the at least one event logic sub-information according to the event identifications. And determining that the event corresponding to the event log sub-information is an abnormal event when the target event logic sub-information has the event keyword. And generating a domain protection strategy corresponding to the abnormal event according to the event keywords.
Fig. 1 schematically illustrates an application scenario diagram of protection of a domain environment according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 through the network 104 using at least one of the first terminal device 101, the second terminal device 102 and the third terminal device 103, to receive or send messages, etc. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients and social platform software (by way of example only), may be installed on the first terminal device 101, the second terminal device 102 and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the protection method for the domain environment provided by the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, the protection device for the domain environment provided by the embodiments of the present disclosure may be generally disposed in the server 105. The protection method of the domain environment provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the protection apparatus for domain environment provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of a method of safeguarding a domain environment according to an embodiment of the present disclosure.
As shown in fig. 2, the protection method of the domain environment of this embodiment includes operations S210 to S240.
Event logic information and event log information within the domain environment are acquired in operation S210.
In operation S220, target event logic sub-information is determined from the at least one event logic sub-information according to the event identification.
In operation S230, in case the target event logic sub-information has an event keyword, it is determined that an event corresponding to the event log sub-information is an abnormal event.
In operation S240, a domain protection policy corresponding to the abnormal event is generated according to the event keyword.
According to embodiments of the present disclosure, a domain may be a combination of devices that have a security boundary. Devices may communicate with each other, and the environment of communication may be a domain environment.
According to embodiments of the present disclosure, an event characterizes operational information within a domain environment, e.g., an event may be that a log within the domain environment is cleared; an event may also be a normal start of a system within the domain environment.
According to an embodiment of the present disclosure, the event logic information includes event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, and the event log information includes event log sub-information of the at least one event.
According to an embodiment of the present disclosure, the event log sub-information includes event keywords and event identifications of the same event. The event keywords may characterize key information of the event, for example, the event name. The event identification may be a unique identification of the event; for example, the event identification may be an event ID (identifier). The event ID may be 6005, where event 6005 may represent that "the system started normally on the same day". The event ID may be 104, where 104 may indicate that "the log was cleared".
According to embodiments of the present disclosure, the event logic information may be information describing the different logic monitoring methods that are performed on the event log information. Different logic monitoring method information corresponds to different abnormal behaviors of the event, and different abnormal behaviors have different event logic information. The abnormal behavior may be an attack behavior. For example, when the event is "normal system start-up", the event logic information may be information that monitors the power state.
For example, according to different event identifications, different logic monitoring methods can be performed on the event log sub-information so that attack behaviors can be detected. Such as: "eventid = 4742 and spn.startswith("GC/") and spn.startswith("E3514235-4B06-11D1-AB04-00C04FC2DCD2/")". With this rule it may be determined whether the event with event identification "4742" is a DCShadow attack event.
According to embodiments of the present disclosure, target event logic sub-information corresponding to an event identification may be determined from event logic information according to the event identification.
According to embodiments of the present disclosure, the target event logic sub-information having the event keyword may indicate that the event has abnormal behavior. Once the event is determined to have abnormal behavior, a domain protection policy aimed at that abnormal behavior is generated.
According to an embodiment of the present disclosure, event logic information and event log information in a domain controller are acquired; determining target event logic sub-information from at least one event logic sub-information according to the event identification; in the case that the target event logic sub-information has an event keyword, the event corresponding to the log sub-information is determined to be an abnormal event, so that detection of the abnormal event is realized by judging whether the target event logic sub-information has the event keyword. And generating domain protection information corresponding to the abnormal event according to the event keywords, so that protection against the abnormal event in the domain environment is realized, and the security of the domain environment is improved.
Fig. 3 schematically illustrates a flowchart of determining an event corresponding to event log sub-information as an abnormal event in case that target event logic sub-information has an event keyword according to another embodiment of the present disclosure.
As shown in fig. 3, in the case where the target event logic sub-information has an event keyword, the method of determining that the event corresponding to the event log sub-information is an abnormal event according to the embodiment includes operations S301 to S307.
In operation S301, event logic information and event log information within a domain environment are acquired.
In operation S302, target event logic sub-information is determined from at least one event logic sub-information according to an event identification.
In operation S303, if the target event logic sub-information has a behavior keyword, operation S304 is executed; if not, operation S307 is executed.
In operation S304, it is determined that an event corresponding to the event log sub-information is an abnormal event.
In operation S305, an abnormality protection sub-policy corresponding to an abnormality event is determined from the event log sub-information according to the behavior keyword.
In operation S306, the abnormality protection sub-policy is transmitted to the device corresponding to the event.
In operation S307, it is determined that the event corresponding to the event log sub-information is a normal event.
According to an embodiment of the present disclosure, the event keywords include behavior keywords. The behavior keyword characterizes the related information of the execution event and is used for identifying the behavior attribute of the event. For example, event behavior attributes are classified into abnormal events and normal events.
According to the embodiment of the disclosure, the event log sub-information includes protection policy information for the abnormal event, namely an abnormality protection sub-policy. The abnormality protection sub-policy is the protection policy made for the abnormal event by the device (the attacked host) corresponding to the event address.
For example, different abnormal events have different logic monitoring methods. The logic monitoring method may be "eventid = 5136 and AttributeLDAPDisplayName = "gPCMachineExtensionNames" and AttributeValue contains ("827D319E-6EAC-11D2-A4EA-00C04F79F83A") and AttributeValue contains ("803E14A0-B4FB-11D0-A0D0-00A0C90F574B")", and with it it may be determined whether the event identified as "5136" is a GPO authority maintenance attack event.
According to the embodiment of the disclosure, whether the event is an abnormal event can be determined according to the behavior keyword; in the state that the event is an abnormal event, an abnormal protection sub-strategy corresponding to the abnormal event can be determined from the event log sub-information according to the behavior keywords, and then the abnormal protection sub-strategy is sent to the equipment corresponding to the event, so that the precise protection of the attacked equipment is realized.
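As an added illustration (not code from the patent), the following Python sketch implements the event-identification lookup of operations S220/S302 and the behavior-keyword decision of S303 to S307 for the two logic monitoring rules quoted above (event 4742 DCShadow and event 5136 GPO authority maintenance) over constructed event log sub-information. The data classes, function names and sample values are assumptions; the page's 4742 rule is interpreted over the list of SPNs carried by the changed computer account.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Well-known Active Directory values used by the two logic monitoring rules on the page.
DRS_REPLICATION_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # DRS replication SPN prefix
GPO_SCRIPTS_CSE_GUID = "827D319E-6EAC-11D2-A4EA-00C04F79F83A"      # Scripts client-side extension
GPO_SECURITY_CSE_GUID = "803E14A0-B4FB-11D0-A0D0-00A0C90F574B"     # Security client-side extension


@dataclass
class EventLogSubInfo:
    """Event log sub-information: event identification, event keywords and the event's fields."""
    event_id: int
    keywords: List[str]                      # judgment keywords such as "Audit Success"
    fields: Dict[str, object] = field(default_factory=dict)


@dataclass
class EventLogicSubInfo:
    """Event logic sub-information: the logic monitoring rule for one event identification."""
    event_id: int
    behavior_keyword: str                    # behavior keyword attached when the rule matches
    rule: Callable[[EventLogSubInfo], bool]


def dcshadow_rule(ev: EventLogSubInfo) -> bool:
    """Page rule for event 4742: an SPN starting with "GC/" and an SPN starting with the DRS
    replication GUID. Interpreted here over the SPN list of the changed computer account
    (assumption: both prefixes must be present among its SPNs)."""
    spns = [str(s).upper() for s in ev.fields.get("spn", [])]
    has_gc = any(s.startswith("GC/") for s in spns)
    has_drs = any(s.startswith(DRS_REPLICATION_SPN_GUID + "/") for s in spns)
    return has_gc and has_drs


def gpo_persistence_rule(ev: EventLogSubInfo) -> bool:
    """Page rule for event 5136: AttributeLDAPDisplayName is gPCMachineExtensionNames and
    AttributeValue contains both the Scripts and the Security CSE GUIDs."""
    if str(ev.fields.get("AttributeLDAPDisplayName", "")).lower() != "gpcmachineextensionnames":
        return False
    value = str(ev.fields.get("AttributeValue", "")).upper()
    return GPO_SCRIPTS_CSE_GUID in value and GPO_SECURITY_CSE_GUID in value


# Event logic information: one sub-information entry per monitored event identification.
EVENT_LOGIC_INFO: Dict[int, EventLogicSubInfo] = {
    4742: EventLogicSubInfo(4742, "DCShadow", dcshadow_rule),
    5136: EventLogicSubInfo(5136, "GPO authority maintenance", gpo_persistence_rule),
}


def determine_target_logic(event_id: int, logic_info: Dict[int, EventLogicSubInfo] = EVENT_LOGIC_INFO
                           ) -> Optional[EventLogicSubInfo]:
    """Operation S220 / S302: pick the target event logic sub-information by event identification."""
    return logic_info.get(event_id)


def classify_event(ev: EventLogSubInfo,
                   logic_info: Dict[int, EventLogicSubInfo] = EVENT_LOGIC_INFO) -> Optional[str]:
    """Operations S303, S304 and S307: the behavior keyword when the target logic sub-information
    matches (abnormal event), or None when it is a normal event."""
    logic = determine_target_logic(ev.event_id, logic_info)
    if logic is None or not logic.rule(ev):
        return None
    return logic.behavior_keyword


def scan(events: List[EventLogSubInfo]) -> List[Tuple[int, str]]:
    """Classify every record; returns (event_id, behavior keyword) for each abnormal event."""
    found = []
    for ev in events:
        kw = classify_event(ev)
        if kw is not None:
            found.append((ev.event_id, kw))
    return found


# Constructed sample event log sub-information (not real log data).
SAMPLE_EVENTS = [
    # 4742 on a workstation account that suddenly carries both the GC and the DRS SPN.
    EventLogSubInfo(4742, ["Audit Success"], {
        "spn": ["HOST/ws01.corp.example", "GC/ws01.corp.example/corp.example",
                DRS_REPLICATION_SPN_GUID + "/abcdef01-0000-0000-0000-000000000001/corp.example"],
        "address": "10.0.0.21", "user": "CORP\\jdoe"}),
    # 4742 from an ordinary computer account change: no DRS SPN, so a normal event.
    EventLogSubInfo(4742, ["Audit Success"], {
        "spn": ["HOST/ws02.corp.example", "RestrictedKrbHost/ws02.corp.example"],
        "address": "10.0.0.22", "user": "CORP\\asmith"}),
    # 5136 writing both CSE GUIDs into gPCMachineExtensionNames of a GPO.
    EventLogSubInfo(5136, ["Audit Success"], {
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{" + GPO_SCRIPTS_CSE_GUID + "}{" + GPO_SECURITY_CSE_GUID + "}]",
        "address": "10.0.0.23", "user": "CORP\\gpoadmin"}),
    # 6005 has no event logic sub-information at all, so it is a normal event.
    EventLogSubInfo(6005, ["Information"], {"address": "10.0.0.24", "user": "SYSTEM"}),
]

if __name__ == "__main__":
    for event_id, keyword in scan(SAMPLE_EVENTS):
        print(f"abnormal event {event_id}: {keyword}")
```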
Fig. 4 schematically illustrates a flowchart of generating a domain protection policy corresponding to an abnormal event from an event keyword according to yet another embodiment of the present disclosure.
As shown in FIG. 4, the method of generating a domain protection policy corresponding to an abnormal event according to the event keyword of this embodiment includes operations S401 to S409.
In operation S401, in the case where the target event logic sub-information has an event keyword, it is determined that an event corresponding to the event log sub-information is an abnormal event.
In operation S402, it is determined whether the keyword characterizes the abnormal event being executed, if yes, S403 is executed; if not, then S407 is performed.
In operation S403, an intra-domain protection device list is generated according to the event address.
In operation S404, a domain forbidden account list is generated from the event user.
In operation S405, a list of intra-domain protection devices is transmitted to an mth device through a policy control interface of a domain environment.
In operation S406, a domain forbidden account list is transmitted to the mth device through a domain account control interface of the domain environment.
In operation S407, the event address and the event user are stored to the database.
In operation S408, it is determined whether the event address and the event user in the database meet the preset condition; if yes, operation S409 is executed; if not, operation S403 is executed.
According to an embodiment of the present disclosure, at least one device is included within the domain environment. A domain is a management boundary for a group of devices that share a common security database. The various policies are set uniformly by the domain controller, and an account can log in to any device in the same domain. The device may be a host computer. N and M are positive integers greater than or equal to 1, and N is not equal to M.
According to an embodiment of the present disclosure, the domain protection policy includes a domain protection device list and a domain forbidden account list. The list of domain protection devices characterizes an nth device corresponding to the event address as prohibiting access to an mth device within the domain environment. The in-domain forbidden account list characterizes that event users are forbidden to log on to the mth device.
According to an embodiment of the present disclosure, the authority list characterizes that an nth device corresponding to an event address has access to an mth device within a domain environment, and an event user has access to log in to the mth device.
According to an embodiment of the present disclosure, the event keywords include a judgment keyword. The judgment keyword characterizes the execution state of the event; for example, the judgment keyword may be "audit success", characterizing that the event was executed. The judgment keyword may also be "audit failure", characterizing that the event was not executed.
According to embodiments of the present disclosure, the event log sub-information further includes an event address and an event user. The event address may be the IP address (Internet Protocol address) from which the event was executed. The event user may be the user logged in to the device corresponding to the event, and may be a device account or a login user.
According to an embodiment of the present disclosure, the preset condition may be that the number of times the event address or the event user is recorded in the database does not exceed a threshold value.
For example, if the judgment keyword is 'audit success', the event user is forbidden to log in through the domain account control of the domain environment, a domain policy is issued for the event address to isolate it (other hosts no longer interact with the device corresponding to the event address), and an alarm prompt is sent to the other hosts. If the judgment keyword is 'audit failure', the event address and the event user are recorded in a database. It is then determined whether the number of records for the event address or the event user within one hour exceeds the threshold value; if it does, an intra-domain protection device list is generated according to the event address, and an intra-domain forbidden account list is generated according to the event user.
According to the embodiment of the disclosure, by determining from the judgment keyword whether the abnormal event was executed, protection is applied to both the case in which the abnormal event was executed and the case in which it was not. In the case in which the abnormal event was not executed, the attack can be blocked in time, so that the security of the domain environment is improved and it is difficult for an attacker to penetrate the hosts in the domain.
In accordance with an embodiment of the present disclosure, before acquiring the event logic information and the event log information within the domain environment, the method further comprises: determining a target device from the at least one device; acquiring the domain controller log corresponding to the target device to obtain domain control log information; slicing the domain control log information to obtain domain control log sub-information; and determining event log sub-information from the domain control log sub-information according to the event identification.
According to embodiments of the present disclosure, the target device may be a domain controller. Obtaining the domain control log information requires that the audit policies "audit directory service change", "audit directory service access", "audit user account management", "audit security system extension", "audit Kerberos service ticket operation" and "audit login" first be enabled on the domain controller system. The domain control log information obtained in this way comprises security log information, system log information, application log information, setup (startup) log information and forwarded-events log information.
According to an embodiment of the present disclosure, the event identification may be an event ID (identity document, identity), which may be an event number; for example, event number 6005 indicates that the system was started normally on that day.
According to an embodiment of the present disclosure, a target device is determined from the at least one device. Because most behavior logs within the domain are stored in the domain controller's logs, acquiring the domain control log information corresponding to the target device allows the log information of the domain environment to be obtained quickly.
According to an embodiment of the present disclosure, the method further comprises: and normalizing the domain control log sub-information to obtain at least one event log sub-information, wherein the event log sub-information also comprises event time.
According to an embodiment of the present disclosure, the event log sub-information includes event time, event keyword, event ID, event user, and event address.
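The following is an added worked example, not code from the patent or its applicant, that walks through the pipeline described above: slicing a constructed domain-controller log export into records, normalizing each record into event log sub-information (event time, event keyword, event ID, event user, event address), matching records against an event logic table by event ID, classifying a match as abnormal when the logic sub-information carries the record's keyword, and then deriving the intra-domain protection device list, the intra-domain forbidden account list and the permission list from the judgment keyword and the one-hour threshold. The log lines, the event logic table, the threshold value and the event IDs other than 6005 are constructed sample values chosen for the illustration; the '|'-separated export format is likewise an assumption, not a format the patent specifies.

```python
"""Added example (not from the patent): event-log normalization and
domain protection policy generation. All sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed export of a domain controller security log, one record per line:
# time | judgment keyword | event ID | event user | event address
RAW_DC_LOG = """\
2024-01-23 09:00:01|Audit Failure|4625|svc_backup|10.0.0.15
2024-01-23 09:10:12|Audit Failure|4625|svc_backup|10.0.0.15
2024-01-23 09:20:30|Audit Failure|4625|svc_backup|10.0.0.15
2024-01-23 09:25:44|Audit Success|4728|jdoe|10.0.0.21
2024-01-23 09:30:00|Audit Success|6005|SYSTEM|10.0.0.1
2024-01-23 11:00:00|Audit Failure|4625|alice|10.0.0.33
"""

# Event logic information (constructed): per event ID, the operation the event
# performs and the keywords whose presence marks the event as abnormal.
EVENT_LOGIC = {
    4625: {"operation": "account logon attempt", "keywords": {"Audit Failure"}},
    4728: {"operation": "member added to global group", "keywords": {"Audit Success"}},
    6005: {"operation": "event log service started", "keywords": set()},
}

THRESHOLD = 2               # constructed: failures tolerated per window before protection
WINDOW = timedelta(hours=1)  # the one-hour window named in the description


@dataclass
class EventRecord:
    """Event log sub-information after normalization."""
    time: datetime
    keyword: str
    event_id: int
    user: str
    address: str


def normalize(raw: str) -> list[EventRecord]:
    """Slice the raw export into lines and normalize each into an EventRecord."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        t, keyword, eid, user, addr = (f.strip() for f in line.split("|"))
        records.append(EventRecord(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                                   keyword, int(eid), user, addr))
    return records


def is_abnormal(rec: EventRecord) -> bool:
    """Abnormal when the target event logic sub-information has the record's keyword."""
    logic = EVENT_LOGIC.get(rec.event_id)
    return logic is not None and rec.keyword in logic["keywords"]


def generate_policy(records: list[EventRecord]) -> dict:
    """Derive the three lists from abnormal events, processed in time order."""
    protect_devices: set[str] = set()       # intra-domain protection device list
    forbidden_accounts: set[str] = set()    # intra-domain forbidden account list
    failure_db: list[EventRecord] = []      # abnormal events that were not executed
    for rec in sorted(records, key=lambda r: r.time):
        if not is_abnormal(rec):
            continue
        if rec.keyword == "Audit Success":
            # Executed abnormal event: isolate the address and disable the account.
            protect_devices.add(rec.address)
            forbidden_accounts.add(rec.user)
        elif rec.keyword == "Audit Failure":
            # Not executed: record it, then count matching records in the window.
            failure_db.append(rec)
            recent = [r for r in failure_db
                      if rec.time - r.time <= WINDOW
                      and (r.address == rec.address or r.user == rec.user)]
            if len(recent) > THRESHOLD:
                protect_devices.add(rec.address)
                forbidden_accounts.add(rec.user)
    # Permission list: recorded address/user pairs that stayed under the threshold.
    permitted = {(r.address, r.user) for r in failure_db
                 if r.address not in protect_devices and r.user not in forbidden_accounts}
    return {"protect_devices": protect_devices,
            "forbidden_accounts": forbidden_accounts,
            "permitted": permitted}


if __name__ == "__main__":
    for name, value in generate_policy(normalize(RAW_DC_LOG)).items():
        print(f"{name}: {sorted(value)}")
```

With the constructed data, the three failed logons for svc_backup from 10.0.0.15 fall inside one hour and exceed the threshold, so that address and account land on the protection and forbidden lists; the executed group-membership change by jdoe is blocked immediately; event 6005 has no keyword in its logic sub-information and is treated as normal; alice's single failure stays on the permission list. A deployment would replace the constructed export with the security log read from the domain controller and push the lists through the policy control and domain account control interfaces described in the embodiment.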
Fig. 5 schematically illustrates a block diagram of a domain environment guard according to an embodiment of the present disclosure.
As shown in fig. 5, the guard 500 of the domain environment of this embodiment includes a first acquisition module 510, a first determination module 520, a second determination module 530, and a generation module 540.
The first obtaining module 510 is configured to obtain event logic information and event log information in a domain environment, where the event logic information includes event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information includes event log sub-information of at least one event, and the event log sub-information includes event keywords and event identifiers of the same event. In an embodiment, the first obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein.
The first determining module 520 is configured to determine target event logic sub-information from at least one event logic sub-information according to the event identification. In an embodiment, the first determining module 520 may be configured to perform the operation S220 described above, which is not described herein.
The second determining module 530 is configured to determine that the event corresponding to the event log sub-information is an abnormal event in the case that the target event logic sub-information has an event keyword. In an embodiment, the second determining module 530 may be configured to perform the operation S230 described above, which is not described herein.
The generating module 540 is configured to generate a domain protection policy corresponding to the abnormal event according to the event keyword. In an embodiment, the generating module 540 may be configured to perform the operation S240 described above, which is not described herein.
According to an embodiment of the present disclosure, the generation module 540 includes a first generation sub-module and a second generation sub-module. The first generation sub-module is used for generating an intra-domain protection device list according to the event address in the case that the judgment keyword characterizes that the abnormal event was executed, wherein the intra-domain protection device list characterizes that the Nth device corresponding to the event address is forbidden to access the Mth device in the domain environment, N and M are positive integers greater than or equal to 1, and N is not equal to M. The second generation sub-module is used for generating an intra-domain forbidden account list according to the event user, wherein the intra-domain forbidden account list characterizes that the event user is forbidden to log in to the Mth device.
According to an embodiment of the disclosure, the apparatus further includes a first transmitting module and a second transmitting module. And the first sending module is used for sending the intra-domain protection device list to the Mth device through the policy control interface of the domain environment. And the second sending module is used for sending the domain forbidden account list to the M-th device through a domain account control interface of the domain environment.
According to an embodiment of the present disclosure, the generation module 540 includes a storage sub-module and a third generation sub-module. The storage sub-module is used for storing the event address and the event user into the database in the case that the judgment keyword characterizes that the abnormal event was not executed. The third generation sub-module is used for generating a permission list according to the event address and the event user in the case that the event address or the event user in the database meets the preset condition, wherein the permission list characterizes that the Nth device corresponding to the event address is permitted to access the Mth device in the domain environment, and the event user is permitted to log in to the Mth device.
According to an embodiment of the present disclosure, the second determination module comprises a first determination sub-module. The first determining sub-module is used for determining that the event corresponding to the event log sub-information is an abnormal event when the target event logic sub-information has a behavior keyword.
According to an embodiment of the present disclosure, the generating module includes a second determining sub-module and a transmitting sub-module. And the second determination sub-module is used for determining an abnormal protection sub-strategy corresponding to the abnormal event from the event log sub-information according to the behavior keyword. And the sending sub-module is used for sending the abnormal protection sub-strategy to the equipment corresponding to the event.
According to an embodiment of the disclosure, the apparatus further includes a third determining module, where the third determining module is configured to determine that an event corresponding to the event log sub-information is a normal event if the target event logic sub-information does not have a behavior keyword.
According to an embodiment of the disclosure, the apparatus further includes a fourth determining module, a second acquiring module, a slicing module, and a fifth determining module. And a fourth determining module, configured to determine a target device from at least one device before acquiring the event logic information and the event log information in the domain environment. The second acquisition module is used for acquiring the domain control log information corresponding to the target equipment before acquiring the event logic information and the event log information in the domain environment to obtain the domain control log information. And the slicing module is used for slicing the domain control log information before acquiring the event logic information and the event log information in the domain environment to obtain domain control log sub-information. And a fifth determining module, configured to determine, according to the event identifier, event log sub-information from the domain control log sub-information before acquiring the event logic information and the event log information in the domain environment.
According to an embodiment of the disclosure, the apparatus further includes a normalization module. The normalization module is used for normalizing the domain control log sub-information to obtain at least one event log sub-information, wherein the event log sub-information also comprises event time.
It should be noted that, in the embodiment of the present disclosure, the protection device portion of the domain environment corresponds to the protection method portion of the domain environment in the embodiment of the present disclosure, and the description of the protection device portion of the domain environment specifically refers to the protection method portion of the domain environment, which is not described herein.
According to an embodiment of the present disclosure, any of the first acquisition module 510, the first determination module 520, the second determination module 530, and the generation module 540 may be combined and implemented in one module, or any of them may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the first acquisition module 510, the first determination module 520, the second determination module 530, and the generation module 540 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), in any other reasonable manner of integrating or packaging circuitry in hardware or firmware, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the first acquisition module 510, the first determination module 520, the second determination module 530, and the generation module 540 may be at least partially implemented as a computer program module, which, when executed, may perform the respective functions.
Fig. 6 schematically illustrates a block diagram of an electronic device adapted to implement a method of safeguarding a domain environment in accordance with an embodiment of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 601 may also include on-board memory for caching purposes. The processor 601 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. The processor 601 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or the RAM 603. Note that the program may be stored in one or more memories other than the ROM 602 and the RAM 603. The processor 601 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, the input/output (I/O) interface 605 also being connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to an input/output (I/O) interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to an input/output (I/O) interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 602 and/or RAM 603 and/or one or more memories other than ROM 602 and RAM 603 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product runs in a computer system, the program code is used for enabling the computer system to realize the protection method of domain environment provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and/or installed from the removable medium 611. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

1. A method of protecting a domain environment, comprising:
acquiring event logic information and event log information in the domain environment, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, and the event log sub-information comprises event keywords and event identifications of the same event;
Determining target event logic sub-information from at least one event logic sub-information according to the event identification;
determining that an event corresponding to the event log sub-information is an abnormal event under the condition that the target event logic sub-information has the event keyword;
and generating a domain protection strategy corresponding to the abnormal event according to the event keyword.
2. The method of claim 1, wherein the event keywords comprise judgment keywords, the event log information further comprises event addresses and event users, the domain environment comprises at least one device, and the domain protection policy comprises an intra-domain protection device list and an intra-domain forbidden account list;
the generating the domain protection strategy corresponding to the abnormal event according to the event keyword comprises the following steps:
generating the intra-domain protection device list according to the event address in the case that the judgment keyword characterizes that the abnormal event was executed, wherein the intra-domain protection device list characterizes that an Nth device corresponding to the event address is forbidden to access an Mth device in the domain environment, N and M are positive integers greater than or equal to 1, and N is not equal to M;
And generating the in-domain forbidden account list according to the event user, wherein the in-domain forbidden account list characterizes that the event user is forbidden to log in the Mth device.
3. The method of claim 2, the method further comprising:
sending the intra-domain protection equipment list to the Mth equipment through a strategy control interface of the domain environment;
and sending the in-domain forbidden account list to the Mth device through a domain account control interface of the domain environment.
4. The method of claim 2, the domain protection policy further comprising a permission list, the generating the domain protection policy corresponding to the abnormal event according to the event keyword comprising:
storing the event address and the event user to a database under the condition that the judgment keyword represents that the abnormal event is not executed; and
and under the condition that the event address or the event user in the database meets a preset condition, generating the authority list according to the event address and the event user, wherein the authority list characterizes that an Nth device corresponding to the event address has the right to access an Mth device in the domain environment, and the event user has the right to log in the Mth device.
5. The method of claim 1, wherein the event keyword comprises a behavior keyword, and wherein determining that an event corresponding to the event log sub-information is an abnormal event if the target event logic sub-information has the event keyword comprises:
and under the condition that the target event logic sub-information has the behavior keyword, determining an event corresponding to the event log sub-information as an abnormal event.
6. The method of claim 5, wherein the domain protection policy further comprises an anomaly protection sub-policy, the generating the domain protection policy corresponding to the anomaly event according to the event keyword comprising:
determining the abnormal protection sub-strategy corresponding to the abnormal event from the event log sub-information according to the behavior keyword;
and sending the abnormal protection sub-strategy to the equipment corresponding to the event.
7. The method of claim 5, the method further comprising:
and under the condition that the target event logic sub-information does not have the behavior keyword, determining that the event corresponding to the event log sub-information is a normal event.
8. The method of claim 1, prior to the acquiring event logic information and event log information within the domain environment, the method further comprising:
determining a target device from at least one of the devices;
acquiring domain control log information corresponding to the target equipment to obtain domain control log information;
slicing the domain control log information to obtain domain control log sub-information; and
and determining event log sub-information from the domain control log sub-information according to the event identification.
9. The method of claim 8, the method further comprising:
and normalizing the domain control log sub-information to obtain at least one event log sub-information, wherein the event log sub-information also comprises event time.
10. A guard for a domain environment, comprising:
the first acquisition module is used for acquiring event logic information and event log information in the domain environment, wherein the event logic information comprises event logic sub-information of at least one event, the event logic sub-information is operation information for executing the event, the event log information comprises event log sub-information of at least one event, and the event log sub-information comprises event keywords and event identifications of the same event;
The first determining module is used for determining target event logic sub-information from at least one event logic sub-information according to the event identification;
the second determining module is used for determining that the event corresponding to the event log sub-information is an abnormal event under the condition that the target event logic sub-information has the event keyword;
and the generation module is used for generating a domain protection strategy corresponding to the abnormal event according to the event keyword.
11. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-9.
12. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 9.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 9.
CN202410093036.2A 2024-01-23 2024-01-23 Domain environment protection method, device, equipment and storage medium Pending CN117714204A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410093036.2A CN117714204A (en) 2024-01-23 2024-01-23 Domain environment protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117714204A true CN117714204A (en) 2024-03-15

Family

ID=90157320

Country Status (1)

Country Link
CN (1) CN117714204A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination