
CN114039853B - Method and device for detecting security policy, storage medium and electronic equipment - Google Patents

Method and device for detecting security policy, storage medium and electronic equipment Download PDF

Info

Publication number
CN114039853B
Authority
CN
China
Prior art keywords
policy
security
security policy
detection mode
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111349994.4A
Other languages
Chinese (zh)
Other versions
CN114039853A (en)
Inventor
周强
范鸿雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianrongxin Xiongan Network Security Technology Co ltd
Original Assignee
Tianrongxin Xiongan Network Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianrongxin Xiongan Network Security Technology Co ltd
Priority to CN202111349994.4A
Publication of CN114039853A
Application granted
Publication of CN114039853B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0823 Errors, e.g. transmission errors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application provide a method, an apparatus, a storage medium and an electronic device for detecting security policies. The method comprises: acquiring a security policy set; determining a policy detection mode for detecting a plurality of security policies in the security policy set, wherein the policy detection mode comprises a redundant policy detection mode and/or a conflict policy detection mode; and detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result, wherein the security policy detection result comprises a redundant policy detection result obtained in the redundant policy detection mode and/or a conflict policy detection result obtained in the conflict policy detection mode. By means of this technical scheme, embodiments of the present application can detect redundant policies and conflicting policies.

Description

Method and device for detecting security policy, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a storage medium, and an electronic device for detecting a security policy.
Background
A security device is a device deployed in a computer network. By configuring functions such as security policies and behavior detection on the security device, an intranet can be isolated from an extranet, so that intranet data is protected and the intranet operates securely and stably.
In addition, a plurality of security devices are deployed in a local area network, and different administrators may separately configure the security policies of the security devices deployed in different areas. Over long-term use of the security devices, the configured security policies may accumulate unreasonable parts such as redundancy and conflicts.
Therefore, detection of security policies is necessary.
Disclosure of Invention
Embodiments of the present application aim to provide a method, an apparatus, a storage medium and an electronic device for detecting security policies, so as to detect redundant policies and conflicting policies.
In a first aspect, an embodiment of the present application provides a method for detecting a security policy, the method comprising: acquiring a security policy set; determining a policy detection mode for detecting a plurality of security policies in the security policy set, wherein the policy detection mode comprises a redundant policy detection mode and/or a conflict policy detection mode; and detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result, wherein the security policy detection result comprises a redundant policy detection result obtained in the redundant policy detection mode and/or a conflict policy detection result obtained in the conflict policy detection mode.
Therefore, embodiments of the present application detect the plurality of security policies according to the redundant policy detection mode and/or the conflict policy detection mode, which, compared with the existing method for detecting security policies, greatly reduces the amount of computation, so that policy redundancy and conflicts can be detected rapidly and efficiently.
In one possible embodiment, the policy detection mode is the redundant policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
detecting the plurality of security policies according to the policy detection mode to obtain the security policy detection result includes: determining an undeleted target security policy from the plurality of security policies in the order of the matching priority of each security policy from low to high; deleting the target security policy from the security policy set to obtain a policy set to be compared; testing a preset data stream with all security policies in the policy set to be compared to obtain a test result to be compared; and determining the redundant policy detection result according to the test result to be compared.
Therefore, by means of this technical scheme, embodiments of the present application can rapidly detect redundant policies.
In one possible embodiment, determining the redundant policy detection result according to the test result to be compared includes: obtaining a target test result corresponding to the security policy set, wherein the target test result is obtained by testing the preset data stream with all of the plurality of security policies; and if the target test result is consistent with the test result to be compared, determining that the target security policy is a redundant policy in the security policy set.
In one possible embodiment, the policy detection mode is the conflict policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
detecting the plurality of security policies according to the policy detection mode to obtain the security policy detection result includes: while a preset data stream passes through the security policy set in the order of the matching priority of each security policy, determining the currently hit security policy among the plurality of security policies; determining the execution action of the currently hit security policy on the preset data stream, wherein the execution action comprises a pass action or a block action; and when the execution action of the currently hit security policy on the preset data stream is inconsistent with the execution action of a predetermined reference security policy on the preset data stream, determining that the currently hit security policy is a conflicting policy of the predetermined reference security policy.
Therefore, by means of this technical scheme, embodiments of the present application can rapidly detect conflicting policies.
In a second aspect, an embodiment of the present application provides an apparatus for detecting a security policy, the apparatus comprising: an acquisition module for acquiring a security policy set; a determining module for determining a policy detection mode for detecting a plurality of security policies in the security policy set, wherein the policy detection mode comprises a redundant policy detection mode and/or a conflict policy detection mode; and a detection module for detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result, wherein the security policy detection result comprises a redundant policy detection result obtained in the redundant policy detection mode and/or a conflict policy detection result obtained in the conflict policy detection mode.
In one possible embodiment, the policy detection mode is the redundant policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
the detection module is specifically configured to: determine an undeleted target security policy from the plurality of security policies in the order of the matching priority of each security policy from low to high; delete the target security policy from the security policy set to obtain a policy set to be compared; test a preset data stream with all security policies in the policy set to be compared to obtain a test result to be compared; and determine the redundant policy detection result according to the test result to be compared.
In one possible embodiment, the detection module is specifically configured to: obtain a target test result corresponding to the security policy set, wherein the target test result is obtained by testing the preset data stream with all of the plurality of security policies; and if the target test result is consistent with the test result to be compared, determine that the target security policy is a redundant policy in the security policy set.
In one possible embodiment, the policy detection mode is the conflict policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
the detection module is specifically configured to: while a preset data stream passes through the security policy set in the order of the matching priority of each security policy, determine the currently hit security policy among the plurality of security policies; determine the execution action of the currently hit security policy on the preset data stream, wherein the execution action comprises a pass action or a block action; and when the execution action of the currently hit security policy on the preset data stream is inconsistent with the execution action of a predetermined reference security policy on the preset data stream, determine that the currently hit security policy is a conflicting policy of the predetermined reference security policy.
In a third aspect, embodiments of the present application provide a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect or any alternative implementation of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory in communication via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any alternative implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any of the possible implementations of the first aspect.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting its scope, and that other related drawings may be obtained from these drawings without inventive effort by a person skilled in the art.
FIG. 1 is a flowchart of a method for detecting a security policy according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for detecting a redundant policy according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for detecting a conflicting policy according to an embodiment of the present application;
FIG. 4 is a block diagram of an apparatus for detecting a security policy according to an embodiment of the present application;
FIG. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
As more and more security devices are connected to a network, the security policies grow in scale, and the problems of policy redundancy and conflict become increasingly prominent.
At present, the existing method for detecting security policies compares whether the matching conditions of each pair of policies stand in a subset relationship and judges whether their actions conflict, so as to determine the relationship between the policies.
For example, if the IP address range of one security policy is contained in the IP address range of an adjacent security policy with the same execution action, the two policies are redundant; for another example, if the execution action of one security policy differs from that of an adjacent security policy that contains it, the two policies conflict.
However, because the condition subsets and actions of every policy have to be compared with those of every other policy in a loop, the amount of computation is large, and the detection efficiency is therefore low.
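As an added illustration of the pairwise approach just described (example code, not from the patent or its assignee): each policy is compared with every higher-priority policy for a condition-subset relationship, and the number of comparisons is returned so that the quadratic cost the text refers to is visible. The rule layout (source and destination CIDR, protocol, inclusive destination port range, action), the four constructed policies, the pass/block vocabulary and the `Rule` and function names are assumptions of the example; the patent describes the comparison only in general terms.

```python
from collections import namedtuple
from ipaddress import ip_network

# Constructed firewall-style policies (not from the patent). Fields: identifier,
# source CIDR, destination CIDR, protocol, inclusive destination port range and
# execution action. List order is matching-priority order, highest first.
Rule = namedtuple("Rule", "pid src dst proto dports action")

PRIOR_ART_RULES = [
    Rule("P1", "10.0.0.0/8",  "192.168.1.10/32", "tcp", (443, 443), "pass"),
    Rule("P2", "10.0.1.0/24", "192.168.1.10/32", "tcp", (443, 443), "pass"),
    Rule("P3", "10.0.0.0/8",  "192.168.1.0/24",  "tcp", (22, 22),   "block"),
    Rule("P4", "10.0.2.0/24", "192.168.1.0/24",  "tcp", (22, 22),   "pass"),
]


def contained(inner: Rule, outer: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`,
    i.e. inner's matching condition is a subset of outer's."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.proto == "any" or inner.proto == outer.proto)
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def pairwise_anomalies(rules):
    """Prior-art style detection: compare each rule with every higher-priority
    rule. A rule whose condition is contained in an earlier rule can never be
    reached for that traffic; same action -> redundant, different action ->
    conflict. Returns the findings and the number of comparisons made, which
    grows as n*(n-1)/2 with the number of rules."""
    findings, comparisons = [], 0
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            comparisons += 1
            if contained(later, earlier):
                kind = "redundant" if later.action == earlier.action else "conflict"
                findings.append((later.pid, earlier.pid, kind))
                break  # the first (highest-priority) containing rule decides
    return findings, comparisons


if __name__ == "__main__":
    found, n = pairwise_anomalies(PRIOR_ART_RULES)
    for later, earlier, kind in found:
        print(f"{later} is {kind} with respect to {earlier}")
    print(f"{n} pairwise comparisons for {len(PRIOR_ART_RULES)} rules")
```

Only containment by a single earlier rule is checked here; a rule that is covered by the union of several earlier rules is missed by this simple subset test, which is one reason replay-based checks such as the one the patent describes are attractive.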
Based on this, referring to fig. 1, fig. 1 shows a flowchart of a method for detecting a security policy according to an embodiment of the present application. It should be understood that the method shown in fig. 1 may be performed by an apparatus for detecting a security policy, which may be the apparatus shown in fig. 4. The specific form of the apparatus may be set according to actual requirements; for example, it may be a computer, a server, or the like. Specifically, the method comprises the following steps:
step S110, a security policy set is acquired.
Step S120, determining a policy detection mode for detecting a plurality of security policies in the security policy set. Wherein the policy detection mode includes a redundancy policy detection mode and/or a conflict policy detection mode.
It should be understood that "redundant policy detection mode and/or conflict policy detection mode" means that only the redundant policy detection mode may be performed, only the conflict policy detection mode may be performed, or both detection modes may be performed at the same time.
Step S130, detecting a plurality of security policies according to the policy detection mode to obtain a security policy detection result. The security policy detection result comprises a redundancy policy detection result obtained through redundancy policy detection mode detection and/or a conflict policy detection result obtained through conflict policy detection mode detection.
Therefore, the embodiment of the application detects the plurality of security policies according to the redundancy policy detection mode and/or the conflict policy detection mode, so that compared with the existing method for detecting the security policies, the method can greatly reduce the calculated amount, and therefore the method can rapidly and efficiently detect policy redundancy and conflict.
In order to facilitate an understanding of embodiments of the present application, the following description is made by way of specific examples.
Specifically, the apparatus may create two detection modes, namely a redundant policy detection mode and a conflict policy detection mode; it may then collect security policies from a real environment by mirroring, construct a security policy set from the collected security policies, and detect the security policy set using the two modes.
In the redundant policy detection mode, the execution action of each security policy is applied as the data passes through; in the conflict policy detection mode, connection information and policy information are recorded as the data passes through.
It should be appreciated that the redundant policy detection mode may also be referred to as an action validation mode, and the conflict policy detection mode may also be referred to as an action record mode; embodiments of the present application are not limited thereto.
It should also be understood that the specific content of the connection information and of the policy information may be set according to actual requirements; embodiments of the present application are not limited thereto.
For example, the connection information may be five-tuple information (source address, destination address, protocol, source port and destination port).
For another example, the policy information may include the identification (ID) of the security policy and the execution action corresponding to the policy, where the execution action may include a pass action and a block action.
In addition, in order to facilitate understanding of the redundancy policy detection mode, a description is made below by way of specific embodiments.
Specifically, referring to fig. 2, fig. 2 shows a flowchart of a method for detecting a redundant policy according to an embodiment of the present application. The detection method comprises the following steps:
Step S210: once the security policy set is acquired, start the redundant policy detection mode.
It should be appreciated that this security policy set may also be referred to as the initial security policy set or the original security policy set.
Step S220: pass the preset data stream through the security policy set to obtain a target test result, where the security policy set includes a plurality of security policies.
That is, the preset data stream is tested with all of the plurality of security policies, and the target test result is obtained.
It should be understood that the plurality of security policies in the security policy set may be ordered according to the matching priority of each security policy or ordered randomly; embodiments of the present application are not limited to a particular order.
For example, the plurality of security policies may be ordered by matching priority from high to low to obtain an ordered plurality of security policies. The preset data stream is then tested with the ordered security policies, each security policy executing a pass action or a block action according to its own action, and the target test result is obtained once the preset data stream has passed through the security policy set.
It should also be understood that the size, type and so on of the preset data stream may be set according to actual requirements; embodiments of the present application are not limited thereto.
Step S230: delete the current target security policy from the security policy set in the order of the matching priority of each security policy from low to high, obtaining the current policy set to be compared.
Specifically, when the security policy set includes n security policies, in the first round of redundant policy detection the security policy with the lowest matching priority may be deleted from the security policy set to obtain a first policy set to be compared, which is then used for redundant policy detection. In the second round, the security policy with the second-lowest matching priority is deleted from the security policy set to obtain a second policy set to be compared, which is then used for redundant policy detection. Likewise, in the n-th round the security policy with the highest matching priority is deleted from the security policy set to obtain an n-th policy set to be compared, which is then used for redundant policy detection. Here n is a positive integer greater than or equal to 2.
Step S240: pass the preset data stream through the current policy set to be compared to obtain the current test result to be compared.
That is, the preset data stream is tested with all security policies in the policy set to be compared, and the test result to be compared is obtained.
Step S250: judge whether the target test result is consistent with the current test result to be compared.
If the target test result is consistent with the current test result to be compared, step S260 is executed; if they are inconsistent, step S270 is executed.
Step S260: determine that the current target security policy is a redundant policy in the security policy set.
That is, since the plurality of security policies in the security policy set have matching priorities, the policies can be deleted one at a time starting from the lowest matching priority and the result of the preset data stream checked each time; if the result is consistent with the result of the initial security policy set, the deleted security policy can be determined to be a redundant policy. The matching priority of each security policy may be set by a user or determined by a preset calculation formula, which is not limited in this embodiment.
For example, suppose the security policy set includes a first, a second and a third security policy whose matching priorities, from high to low, are the first, the second and the third security policy in that order. The preset data stream is passed through the security policy set to obtain the target test result corresponding to the set. The third security policy is then deleted from the security policy set to obtain a policy set to be compared, and the preset data stream is passed through the policy set to be compared to obtain the test result to be compared. If the test result to be compared is consistent with the target test result, the third security policy is determined to be a redundant policy. The third security policy is then added back to (restored in) the policy set to be compared, the second security policy is deleted from it, and all security policies in the security policy set are traversed following the same detection process as for the third security policy, so that all redundant policies in the security policy set can be determined.
It should also be noted that the apparatus may create a redundant policy table in which the redundant policies in the security policy set are recorded. Thus, when the apparatus determines that the currently deleted security policy is a redundant policy, that policy is recorded in the redundant policy table, so that after all security policies have been traversed, the recorded redundant policies can be deleted from the security policy set according to the records in the table.
Step S270: determine that the current target security policy is a non-redundant policy in the security policy set.
Step S280: judge whether all security policies in the security policy set have been traversed.
If all security policies in the security policy set have been traversed, step S290 is executed; otherwise, the process returns to step S230.
Step S290: end.
It should be noted that, after the redundant policies in the security policy set have been determined, the resulting security policy set may also be verified.
In addition, in order to facilitate understanding of the conflict policy detection mode, a description is given below by way of specific embodiments.
Specifically, referring to fig. 3, fig. 3 shows a flowchart of a method for detecting a conflicting policy according to an embodiment of the present application. The detection method comprises the following steps:
Step S310: once the security policy set is acquired, start the conflict policy detection mode.
Step S320: determine the current reference security policy from the security policy set.
It should be appreciated that the reference security policy may be a predetermined security policy.
It should also be understood that the manner of selecting the reference security policy may be set according to actual requirements; embodiments of the present application are not limited thereto.
Alternatively, the reference security policies may be selected one by one in the order of the matching priority of each security policy from high to low.
For example, when the security policy set includes n security policies, the security policy with the highest matching priority may serve as the reference security policy of the first round of conflict policy detection, the security policy with the second-highest matching priority as the reference security policy of the second round, and so on, until in the n-th round the security policy with the lowest matching priority serves as the reference security policy.
Step S330: determine the currently hit security policy while the preset data stream passes through the security policies.
It should be understood that, for the way in which the preset data stream passes through the security policies, reference may be made to the description of step S220 in fig. 2, which is not repeated here.
It should also be appreciated that, as the preset data stream passes through the security policies, the next adjacent policy may not be hit. For example, after the preset data stream has passed the third security policy, it may hit not the fourth security policy but the sixth security policy, i.e., the hit security policy is the sixth security policy.
Step S340: determine the execution action of the currently hit security policy on the preset data stream.
Step S350: judge whether the execution action of the currently hit security policy on the preset data stream is consistent with the execution action of the reference security policy on the preset data stream.
If the two execution actions are inconsistent, step S360 is executed; if they are consistent, step S370 is executed.
Step S360: determine that the currently hit security policy is a conflicting policy of the reference security policy.
That is, while the preset data stream passes through the plurality of security policies in sequence, if a currently hit security policy is obtained by matching and its execution action differs from that of the reference security policy, the two security policies can be determined to be conflicting policies.
It should be noted here that the apparatus may also create a conflict policy table in advance, whose entries may include policy information and connection information. Thus, when two security policies are determined to be conflicting, their policy information and connection information can be acquired and the two policies recorded in the conflict policy table accordingly. The conflicting policies corresponding to each reference security policy can subsequently be determined from the conflict policy table, and fault-tolerance processing can be performed according to it.
Step S370: judge whether all security policies in the security policy set have been traversed.
That is, judge whether all conflicting policies corresponding to the current reference security policy have been acquired.
If all security policies in the security policy set have been traversed, step S380 is executed; otherwise, the process returns to step S330.
Step S380: judge whether the conflicting policies of the next reference security policy need to be acquired.
If so, the process returns to step S320; if not, step S390 is executed.
Step S390: end.
It should be noted here that, after the conflicting policies have been determined, the security policy set may also be verified.
It should be understood that the above method for detecting a security policy is only exemplary, and those skilled in the art can make various modifications, variations or adaptations to the above method, which also fall within the scope of protection of the present application.
Referring to fig. 4, fig. 4 is a block diagram illustrating an apparatus 400 for detecting a security policy according to an embodiment of the present application. It should be understood that, corresponding to the above method embodiments, the apparatus 400 is capable of executing the steps involved in the above method embodiments; the specific functions of the apparatus 400 may be referred to in the foregoing description, and detailed descriptions are omitted here as appropriate to avoid redundancy. The apparatus 400 includes at least one software functional module that can be stored in memory in the form of software or firmware, or built into the operating system (OS) of the apparatus 400. Specifically, the apparatus 400 includes:
an acquisition module 410, configured to acquire a security policy set;
a determining module 420, configured to determine a policy detection mode for detecting a plurality of security policies in the security policy set, where the policy detection mode includes a redundancy policy detection mode and/or a conflict policy detection mode;
the detection module 430 is configured to detect the plurality of security policies according to the policy detection mode to obtain a security policy detection result; the security policy detection result comprises a redundancy policy detection result obtained by detection in the redundancy policy detection mode and/or a conflict policy detection result obtained by detection in the conflict policy detection mode.
In one possible embodiment, the policy detection mode is the redundancy policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
the detection module 430 is specifically configured to: determine an undeleted target security policy from the plurality of security policies in the order of the matching priority of each security policy from low to high; delete the target security policy from the security policy set to obtain a policy set to be compared; test the preset data stream using all security policies in the policy set to be compared to obtain a test result to be compared; and determine the redundancy policy detection result according to the test result to be compared.
In one possible embodiment, the detection module 430 is specifically configured to: obtain a target test result corresponding to the security policy set, the target test result being obtained after the preset data stream is tested using all of the plurality of security policies; and if the target test result is consistent with the test result to be compared, determine that the target security policy is a redundancy policy in the security policy set.
In one possible embodiment, the policy detection mode is a conflict policy detection mode, and each of the plurality of security policies has a corresponding matching priority;
the detection module 430 is specifically configured to: when the preset data stream passes through the security policy set in the matching-priority order of each security policy, determine the currently hit security policy from the plurality of security policies; determine the execution action of the currently hit security policy on the preset data stream, the execution action comprising a release action or a blocking action; and when the execution action of the currently hit security policy on the preset data stream is inconsistent with the execution action of the predetermined reference security policy on the preset data stream, determine that the currently hit security policy is a conflict policy of the predetermined reference security policy.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the apparatus described above, and this will not be repeated here.
Referring to fig. 5, fig. 5 shows a block diagram of an electronic device 500 according to an embodiment of the present application. The electronic device 500 may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. The communication bus 540 is used to enable direct connection communication among these components. The communication interface 520 in the embodiment of the present application is used for signaling or data communication with other devices. The processor 510 may be an integrated circuit chip with signal processing capabilities. The processor 510 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and can implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory 530 stores computer-readable instructions which, when executed by the processor 510, enable the electronic device 500 to perform the steps of the method embodiments described above.
The electronic device 500 may further include a memory controller, an input-output unit, an audio unit, a display unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other, directly or indirectly, to realize data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is configured to execute the executable modules stored in the memory 530, and the electronic device 500 is configured to perform the following method: acquiring a security policy set; determining a policy detection mode for detecting a plurality of security policies in the security policy set, wherein the policy detection mode comprises a redundancy policy detection mode and/or a conflict policy detection mode; detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result; the security policy detection result comprises a redundancy policy detection result obtained by detection in the redundancy policy detection mode and/or a conflict policy detection result obtained by detection in the conflict policy detection mode.
The input/output unit is used for the user to provide input data, so as to realize interaction between the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user operation interface) between the electronic device and the user, or is used to display image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, it may be a capacitive touch screen or a resistive touch screen, etc., supporting single-point and multi-point touch operations. Supporting single-point and multi-point touch operations means that the touch display can sense touch operations generated simultaneously at one or more positions on the touch display, and the sensed touch operations are passed to the processor for calculation and processing.
It is to be understood that the configuration shown in fig. 5 is illustrative only, and that the electronic device 500 may also include more or fewer components than shown in fig. 5, or have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
The present application also provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the method embodiment.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the system described above, and this will not be repeated here.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, each embodiment focusing on its differences from the other embodiments, and identical or similar parts between the embodiments may be referred to each other. For the apparatus embodiments, the description is relatively simple since they are substantially similar to the method embodiments, and reference is made to the description of the method embodiments for relevant points.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code. It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the same, but rather, various modifications and variations may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A method of detecting a security policy, comprising:
acquiring a security policy set;
determining a policy detection mode for detecting a plurality of security policies in the security policy set, wherein the policy detection mode comprises a redundancy policy detection mode and/or a conflict policy detection mode;
detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result; the security policy detection result comprises a redundancy policy detection result obtained through the redundancy policy detection mode detection and/or a conflict policy detection result obtained through the conflict policy detection mode detection;
the policy detection mode is the redundancy policy detection mode, and each security policy of the plurality of security policies has a corresponding matching priority;
the detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result includes:
determining an undeleted target security policy from the plurality of security policies in the order of the matching priority of each security policy from low to high;
deleting the target security policy from the security policy set to obtain a policy set to be compared;
testing the preset data stream using all the security policies in the policy set to be compared to obtain a test result to be compared;
and determining the redundancy policy detection result according to the test result to be compared.
2. The method of claim 1, wherein the determining the redundancy policy detection result according to the test result to be compared comprises:
obtaining a target test result corresponding to the security policy set; the target test result is obtained after the preset data stream is tested by utilizing all security policies in the plurality of security policies;
and if the target test result is consistent with the test result to be compared, determining that the target security policy is a redundancy policy in the security policy set.
3. The method of claim 1, wherein the policy detection mode is the conflict policy detection mode and each security policy of the plurality of security policies has a corresponding matching priority;
the detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result includes:
under the condition that the preset data stream passes through the security policy set according to the matching priority order of each security policy, determining the currently hit security policy from the plurality of security policies;
determining an execution action of the currently hit security policy on a preset data stream, wherein the execution action comprises a release action or a blocking action;
and under the condition that the execution action of the currently hit security policy on the preset data stream is inconsistent with the execution action of the preset reference security policy on the preset data stream, determining that the currently hit security policy is a conflict policy of the preset reference security policy.
4. An apparatus for detecting a security policy, comprising:
the acquisition module is used for acquiring the security policy set;
a determining module, configured to determine a policy detection mode for detecting a plurality of security policies in the security policy set, where the policy detection mode includes a redundancy policy detection mode and/or a conflict policy detection mode;
the detection module is used for detecting the plurality of security policies according to the policy detection mode to obtain a security policy detection result; the security policy detection result comprises a redundancy policy detection result obtained through the redundancy policy detection mode detection and/or a conflict policy detection result obtained through the conflict policy detection mode detection;
the policy detection mode is the redundancy policy detection mode, and each security policy of the plurality of security policies has a corresponding matching priority;
the detection module is specifically configured to: determine an undeleted target security policy from the plurality of security policies in the order of the matching priority of each security policy from low to high; delete the target security policy from the security policy set to obtain a policy set to be compared; test the preset data stream using all the security policies in the policy set to be compared to obtain a test result to be compared; and determine the redundancy policy detection result according to the test result to be compared.
5. The device according to claim 4, wherein the detection module is specifically configured to: obtaining a target test result corresponding to the security policy set; the target test result is obtained after the preset data stream is tested by utilizing all security policies in the plurality of security policies; and if the target test result is consistent with the test result to be compared, determining that the target security policy is a redundancy policy in the security policy set.
6. The apparatus of claim 4, wherein the policy detection mode is the conflict policy detection mode and each security policy of the plurality of security policies has a corresponding matching priority;
the detection module is specifically configured to: under the condition that the preset data stream passes through the security policy set according to the matching priority order of each security policy, determining the currently hit security policy from the plurality of security policies; determining an execution action of the currently hit security policy on a preset data stream, wherein the execution action comprises a release action or a blocking action; and under the condition that the execution action of the currently hit security policy on the preset data stream is inconsistent with the execution action of the preset reference security policy on the preset data stream, determining that the currently hit security policy is a conflict policy of the preset reference security policy.
7. A storage medium having stored thereon a computer program which, when executed by a processor, performs a method of detecting a security policy as claimed in any one of claims 1 to 3.
8. An electronic device, the electronic device comprising: a processor, a memory and a bus, said memory storing machine readable instructions executable by said processor, said processor and said memory communicating via the bus when said electronic device is running, said machine readable instructions when executed by said processor performing the method of detecting a security policy as claimed in any one of claims 1 to 3.
CN202111349994.4A 2021-11-15 2021-11-15 Method and device for detecting security policy, storage medium and electronic equipment Active CN114039853B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111349994.4A CN114039853B (en) 2021-11-15 2021-11-15 Method and device for detecting security policy, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111349994.4A CN114039853B (en) 2021-11-15 2021-11-15 Method and device for detecting security policy, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114039853A CN114039853A (en) 2022-02-11
CN114039853B true CN114039853B (en) 2024-02-09

Family

ID=80137638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111349994.4A Active CN114039853B (en) 2021-11-15 2021-11-15 Method and device for detecting security policy, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114039853B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389897B (en) * 2022-03-18 2022-06-10 苏州市卫生计生统计信息中心 IT infrastructure security policy centralized management and control optimization method
CN115065491A (en) * 2022-03-30 2022-09-16 成都市以太节点科技有限公司 Function and information security policy comprehensive selection method, electronic equipment and storage medium
CN115065538B (en) * 2022-06-16 2023-09-26 北京天融信网络安全技术有限公司 Optimization method and device of security policy, electronic equipment and storage medium
CN114884821B (en) * 2022-06-17 2023-07-18 北京邮电大学 A Multi-Strategy Conflict Avoidance Method in Autointelligence Network
CN115834193A (en) * 2022-11-22 2023-03-21 杭州安恒信息技术股份有限公司 Abnormal security policy detection method and device, electronic equipment and storage medium

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2023567A1 (en) * 2007-08-08 2009-02-11 Mitsubishi Electric Corporation Managing security rule conflicts
US7516475B1 (en) * 2002-07-01 2009-04-07 Cisco Technology, Inc. Method and apparatus for managing security policies on a network
CN102760076A (en) * 2012-06-05 2012-10-31 华为技术有限公司 Policy conflict processing method for system and policy conflict processing system
CN104104615A (en) * 2014-07-21 2014-10-15 华为技术有限公司 Strategy conflict solution method and device
CN104717181A (en) * 2013-12-13 2015-06-17 中国电信股份有限公司 Security policy configuration system and method for virtual security gateway
CN104735026A (en) * 2013-12-19 2015-06-24 华为技术有限公司 Security strategy control method and device
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
CN107094143A (en) * 2017-04-28 2017-08-25 杭州迪普科技股份有限公司 A kind of detection method and device of tactful redundancy
CN108092979A (en) * 2017-12-20 2018-05-29 国家电网公司 A kind of firewall policy processing method and processing device
CN108768879A (en) * 2018-04-26 2018-11-06 新华三信息安全技术有限公司 A kind of policy priority grade method of adjustment and device
CN109802960A (en) * 2019-01-08 2019-05-24 深圳中兴网信科技有限公司 Firewall policy processing method and processing device, computer equipment and storage medium
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN112615856A (en) * 2020-12-16 2021-04-06 上海道客网络科技有限公司 Multi-cluster network security policy management and control method and system
CN112804221A (en) * 2020-12-30 2021-05-14 北京天融信网络安全技术有限公司 Firewall rule processing method and device, network equipment and readable storage medium
CN112866251A (en) * 2021-01-20 2021-05-28 哈尔滨工业大学 Multi-domain cloud protection wall security policy conflict resolution method and device
CN113572780A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Equipment security policy configuration method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7337230B2 (en) * 2002-08-06 2008-02-26 International Business Machines Corporation Method and system for eliminating redundant rules from a rule set
US9246945B2 (en) * 2013-05-29 2016-01-26 International Business Machines Corporation Techniques for reconciling permission usage with security policy for policy optimization and monitoring continuous compliance


Also Published As

Publication number Publication date
CN114039853A (en) 2022-02-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231228

Address after: 071000 Conference Center 1-184, South Section of Baojin Expressway, Xiong'an Area, Xiong'an New District, Baoding City, Hebei Province

Applicant after: Tianrongxin Xiongan Network Security Technology Co.,Ltd.

Address before: 100000 4th floor, building 3, yard 1, Shangdi East Road, Haidian District, Beijing

Applicant before: Beijing Topsec Network Security Technology Co.,Ltd.

Applicant before: Topsec Technologies Inc.

Applicant before: BEIJING TOPSEC SOFTWARE Co.,Ltd.

GR01 Patent grant