CN112202724A - Data aggregation method and device of all-in-one arrangement mode - Google Patents

Data aggregation method and device of all-in-one arrangement mode

Info

Publication number: CN112202724A
Authority: CN (China)
Application number: CN202010943671.7A
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN112202724B (en)
Inventors: 郭兰杰, 高辉力, 赵粤征
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Prior art keywords: response, event data, data, node, upstream

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/50: Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005: Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027: Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals


Abstract

The application relates to the field of network security, and in particular to a data aggregation method and device for the all-in-one (many-to-one) orchestration mode. The method is applied to an all-in-one orchestration structure comprising at least two upstream response nodes, a virtual node and a downstream response node, where the outputs of the at least two upstream response nodes are connected to the input of the virtual node and the output of the virtual node is connected to the input of the downstream response node. The method comprises the following steps: the virtual node acquires the security event data output by each upstream response node; the security event data are merged to generate a data set containing all of them, so that the downstream response node obtains the security event data from the data set and performs the corresponding response operation according to them. In this way several identical downstream response nodes no longer need to be orchestrated; the downstream response node only has to interface with the security event data held by the virtual node, and execution efficiency is improved.

Description

Data aggregation method and device of all-in-one arrangement mode
Technical Field
The present application relates to the field of network security technologies, and in particular, to a data aggregation method and apparatus for an all-in-one arrangement mode.
Background
Security Orchestration, Automation and Response (SOAR) currently plays an important role in network security. SOAR flexibly orchestrates existing security capabilities, connects to various data sources, builds scenarios through scripts and automates their execution. Orchestration processes can follow a serial mode, a parallel mode, a one-to-many mode, a many-to-one (here called all-in-one) mode, and so on.
In the all-in-one orchestration mode in particular, the input of the downstream response node is determined by the upstream response nodes, so the more upstream response nodes there are, the more complicated the downstream response node's selection of security event data becomes. Moreover, because a downstream response node only supports response operations on the data of a single upstream response node, when all upstream response nodes require a response operation and the required operation is the same, several downstream response nodes with the same function have to be orchestrated to satisfy the requirements of the multiple upstream response nodes. This prior-art approach makes the operation flow complicated and reduces CPU utilization.
Disclosure of Invention
The embodiments of the application provide a data aggregation method and device for the all-in-one orchestration mode, in order to simplify the operation flow of the all-in-one scenario and reduce the complexity of orchestration for the user.
The embodiment of the application provides the following specific technical scheme:
A data aggregation method for the all-in-one orchestration mode is applied to an all-in-one orchestration structure comprising at least two upstream response nodes, a virtual node and a downstream response node, where the outputs of the at least two upstream response nodes are connected to the input of the virtual node and the output of the virtual node is connected to the input of the downstream response node. The method comprises the following steps:
the virtual node acquires the security event data output by each upstream response node;
the security event data are merged to generate a data set containing all the security event data, so that the downstream response node acquires the security event data from the data set and performs the corresponding response operation according to them.
Optionally, merging the security event data to generate the data set specifically comprises:
acquiring the data identifier corresponding to each security event datum, where each security event datum corresponds to one data identifier;
deduplicating the security event data according to their data identifiers;
merging the deduplicated security event data to obtain the data set containing the security event data.
Optionally, after the data set containing the security event data has been generated, the method further comprises:
judging whether the node identifiers corresponding to all upstream response nodes are present in the data set;
if all node identifiers are present in the data set, determining that the upstream response nodes have completed their responses and generating a response completion instruction;
sending the response completion instruction to the downstream response node, so that the downstream response node acquires the security event data from the data set according to that instruction.
Optionally, the security event data include at least one of, or any combination of, the following: source IP, destination port, security event name, security event type.
A data aggregation device for the all-in-one orchestration mode is applied to an all-in-one orchestration structure comprising at least two upstream response nodes, a virtual node and a downstream response node, where the outputs of the at least two upstream response nodes are connected to the input of the virtual node and the output of the virtual node is connected to the input of the downstream response node. The device comprises:
an acquisition module, configured to acquire the security event data output by each upstream response node;
a processing module, configured to merge the security event data into a data set containing all the security event data, so that the downstream response node acquires the security event data from the data set and performs the corresponding response operation according to them.
Optionally, when merging the security event data to generate the data set, the processing module is specifically configured to:
acquire the data identifier corresponding to each security event datum, where each security event datum corresponds to one data identifier;
deduplicate the security event data according to their data identifiers;
merge the deduplicated security event data to obtain the data set containing the security event data.
Optionally, after the data set containing the security event data has been generated, the processing module is further configured to:
judge whether the node identifiers corresponding to all upstream response nodes are present in the data set;
if all node identifiers are present in the data set, determine that the upstream response nodes have completed their responses and generate a response completion instruction;
send the response completion instruction to the downstream response node, so that the downstream response node acquires the security event data from the data set according to that instruction.
Optionally, the security event data include at least one of, or any combination of, the following: source IP, destination port, security event name, security event type.
An electronic device comprises a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the above data aggregation method for the all-in-one orchestration mode when executing the program.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the above data aggregation method for the all-in-one orchestration mode.
In the embodiments of the application, the virtual node acquires the security event data output by each upstream response node, merges them and generates a data set containing all of them, so that the downstream response node acquires the security event data from the virtual node's data set and performs the corresponding response operation. A virtual node is thus placed between the upstream response nodes and the downstream response node: every upstream response node outputs its security event data to the virtual node, and the downstream response node reads them from the virtual node's data set. When each upstream response node needs the response operation defined by the downstream response node, several downstream response nodes with the same function no longer have to be orchestrated; the security event data only have to be read from the virtual node's data set. The SOAR engine no longer has to fetch data from each upstream response node and only interfaces with the security event data of the virtual node, which lowers CPU usage and improves execution efficiency.
Drawings
FIG. 1 is a schematic diagram of an all-in-one orchestration in the prior art;
FIG. 2 is a flowchart of the data aggregation method for the all-in-one orchestration mode according to an embodiment of the application;
FIG. 3 is a diagram of the data structure of the all-in-one orchestration mode according to an embodiment of the application;
FIG. 4 is a schematic diagram of an orchestration interface in an embodiment of the application;
FIG. 5 is a schematic diagram of constructing a virtual node in an embodiment of the application;
FIG. 6 is a schematic diagram of an orchestration including a logic decision module according to an embodiment of the application;
FIG. 7 is a schematic structural diagram of the data aggregation device for the all-in-one orchestration mode according to an embodiment of the application;
FIG. 8 is a schematic structural diagram of an electronic device in an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Security Orchestration, Automation and Response (SOAR) currently plays an important role in network security. SOAR flexibly orchestrates existing security capabilities, connects to various data sources, builds scenarios through scripts and automates their execution, and supports complex and flexible orchestration processes such as the serial, parallel, one-to-many and many-to-one (all-in-one) orchestration modes.
In the all-in-one orchestration mode in particular, the input data of the downstream response node are determined by the security event data output by the upstream response nodes, so the user faces a choice among several data sources when orchestrating. The more upstream response nodes there are, the more complicated the downstream response node's selection of security event data becomes, which greatly increases the difficulty of use.
Moreover, because a downstream response node only supports response operations on the security event data output by one upstream response node, when all upstream response nodes require a response operation and the required operation is the same, several downstream response nodes with the same function have to be orchestrated to process the security event data from the different upstream response nodes. FIG. 1 shows such a prior-art all-in-one orchestration: because upstream response nodes A and B both require a response operation, two downstream response nodes C have to be orchestrated to serve them. This makes the operation flow complicated and redundant and reduces the utilization of the Central Processing Unit (CPU).
The embodiments of the application provide a data aggregation method for the all-in-one orchestration mode in which a virtual node acquires the security event data output by each upstream response node and merges them into a data set containing all of them, so that the downstream response node acquires the security event data from the virtual node's data set and performs the corresponding response operation. By introducing the virtual node and storing the output of every upstream response node in it, a single downstream response node can process the security event data of all upstream response nodes when each of them needs the response operation defined by that downstream node; several identical downstream response nodes no longer have to be orchestrated, which simplifies the operation flow. For the SOAR engine, security event data no longer have to be fetched from each upstream response node; only the data stored in the virtual node need to be interfaced with, which lowers CPU usage and improves execution efficiency.
Based on the foregoing, FIG. 2 shows the flowchart of the data aggregation method for the all-in-one orchestration mode in an embodiment of the application, which specifically comprises:
Step 200: the virtual node acquires the security event data output by each upstream response node.
The method of the embodiments is applied to an all-in-one orchestration structure comprising at least two upstream response nodes, a virtual node and a downstream response node, where the outputs of the at least two upstream response nodes are connected to the input of the virtual node and the output of the virtual node is connected to the input of the downstream response node. When the upstream response nodes execute their response operations they output security event data, and the virtual node then acquires the security event data output by each of them.
The security event data include at least one of, or any combination of, the following: source IP, destination port, security event name, security event type.
The response operation of an upstream response node may be, for example, global blocking or host isolation; the embodiments of the application do not limit this.
Before the virtual node acquires the security event data output by each upstream response node, the data structure of the all-in-one orchestration mode first has to be defined: the point information of each upstream and downstream response node, the edge information of the edges between upstream and downstream response nodes, the edge start point and the edge end point.
The core fields of a node's point information include at least a node identifier and attribute information. The point information may, for example, be defined by nodelist and contains a node ID and attribute information; the attribute information may be, for example, a blocking type or a device type, which the embodiments of the application do not limit.
The edge information describes the connecting line between an upstream response node and a downstream response node and may, for example, be defined by linelist.
The edge start point is at the upstream response node and may, for example, be defined by from.
The edge end point is at the downstream response node and may, for example, be defined by to.
For example, FIG. 3 is a schematic diagram of the data structure of the all-in-one orchestration mode in an embodiment of the application: upstream response nodes A, B and C and downstream response node D are the points; the edge start points are at A, B and C and the edge end point is at D; and the connecting lines from A to D, from B to D and from C to D are the edges.
A concrete example describes the data structure of the all-in-one orchestration mode in this embodiment in detail; FIG. 4 is a schematic diagram of the orchestration interface in this embodiment.
Security event_1 is a threat event whose attribute data are: rule ID: 490082; rule name: APACHE_HTTP_SERVCER; association rule template: common template; associated event template: template for APACHE_HTTP_SERVCER; rule state: enabled; aggregation window (s): 300; aggregation field: dip.
The upstream response nodes A and B are global blocking_1 and host isolation_1, respectively.
The node identifier of global blocking_1 is A, and its attribute data are: blocking type: IP blocking; blocking object: source IP; blocking cause: eeee; device type: ADS_V4.5R90F00; auto release: on; blocking time (min): 1.
The node identifier of host isolation_1 is B, and its attribute data are: isolation object: source IP; device type: ADS_V4.5R90F00; isolation reason: ww; auto release: on; isolation time (min): 1.
The downstream response node, notification early warning_1, has node identifier C and attribute data: subject: threat event generation; recipient: glj@1.com.cn; content summary: includes basic security event information.
After the data structure has been orchestrated, it is checked whether several edges whose to field is C exist. If so, downstream response node C has several upstream response nodes; in other words, the check determines whether one downstream response node corresponds to at least two upstream response nodes, and if it does, a virtual node join_C is constructed.
Note that the virtual node join_C is invisible to the user. From the user's point of view, and from that of downstream response node C, join_C only receives the security event data output by each upstream response node, merges them and stores the merged data. In FIG. 5, A is one upstream response node, B is another upstream response node, join_C is the virtual node and C is the downstream response node.
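The fan-in check and virtual-node construction just described, as an added example in Python that is not the patent's own code. The keys nodelist, linelist, from and to follow the text; the playbook content, the virtual and visible flags, the attrs dictionaries and the join_<target> naming for any fan-in target are constructed assumptions.

```python
"""Detect many-to-one fan-in in an orchestration graph and insert a hidden virtual join node.

Added example, not code from the patent. Only the keys nodelist, linelist, from and to
come from the text; everything else in the playbook is constructed.
"""
from collections import defaultdict
from copy import deepcopy

# Constructed sample playbook mirroring FIG. 4: upstream nodes A (global blocking_1) and
# B (host isolation_1) both feed downstream node C (notification early warning_1).
SAMPLE_PLAYBOOK = {
    "nodelist": [
        {"id": "A", "name": "global blocking_1",
         "attrs": {"blocking_type": "IP blocking", "device_type": "ADS_V4.5R90F00"}},
        {"id": "B", "name": "host isolation_1",
         "attrs": {"isolation_object": "source IP", "device_type": "ADS_V4.5R90F00"}},
        {"id": "C", "name": "notification early warning_1",
         "attrs": {"subject": "threat event generation"}},
    ],
    "linelist": [
        {"from": "A", "to": "C"},
        {"from": "B", "to": "C"},
    ],
}


def fan_in_targets(playbook):
    """Map each node with at least two incoming edges to its sorted upstream node IDs."""
    incoming = defaultdict(list)
    for edge in playbook["linelist"]:
        incoming[edge["to"]].append(edge["from"])
    return {node: sorted(srcs) for node, srcs in incoming.items() if len(srcs) >= 2}


def insert_virtual_nodes(playbook):
    """Return a copy of the playbook in which every fan-in target is fed by one join node."""
    rewritten = deepcopy(playbook)
    for target, upstreams in fan_in_targets(rewritten).items():
        join_id = f"join_{target}"
        # The virtual node is not shown in the orchestration interface (flags are assumed).
        rewritten["nodelist"].append(
            {"id": join_id, "name": join_id, "virtual": True, "visible": False,
             "attrs": {"upstreams": upstreams}})
        # Re-point the upstream edges at the join node and add the single join -> target edge.
        rewritten["linelist"] = [e for e in rewritten["linelist"] if e["to"] != target]
        rewritten["linelist"].extend({"from": u, "to": join_id} for u in upstreams)
        rewritten["linelist"].append({"from": join_id, "to": target})
    return rewritten


def upstreams_of(playbook, node_id):
    """Node IDs directly feeding node_id; after the rewrite a fan-in target has exactly one."""
    return sorted(e["from"] for e in playbook["linelist"] if e["to"] == node_id)


if __name__ == "__main__":
    rewritten = insert_virtual_nodes(SAMPLE_PLAYBOOK)
    print("fan-in before:", fan_in_targets(SAMPLE_PLAYBOOK))
    print("upstreams of C after:", upstreams_of(rewritten, "C"))
    print("upstreams of join_C:", upstreams_of(rewritten, "join_C"))
```

The rewrite leaves the original playbook untouched and a node with a single upstream edge gets no join node, so the check can be re-run safely after every edit of the orchestration.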
Step 210: merge the security event data to generate a data set containing all of them, so that the downstream response node acquires the security event data from the data set and performs the corresponding response operation according to them.
In the embodiments of the application, after the virtual node has acquired the security event data output by each upstream response node, it merges them into a data set and stores that data set; the downstream response node can then acquire every security event datum from the data set in the virtual node and perform the corresponding response operation.
Specifically, merging the security event data into a data set containing them comprises:
S1: acquire the data identifier corresponding to each security event datum.
Each security event datum corresponds to one data identifier.
In the embodiments of the application each security event datum has one data identifier, so once the security event data output by each upstream response node have been acquired, the data identifier of each datum is obtained.
The data identifier distinguishes the security event data from one another: identical security event data have identical data identifiers.
For example, suppose upstream response node A outputs the security event data a1 and x, with data identifiers 1 and 2 respectively, and upstream response node B outputs b1 and x, with data identifiers 3 and 2 respectively.
If different upstream response nodes output the same security event data, the corresponding data identifiers are also the same.
For example, if upstream response node A outputs a1 and y and upstream response node B outputs b1 and y, the data identifier of the y output by A is 1 and the data identifier of the y output by B is also 1.
S2: deduplicate the security event data according to their data identifiers.
In the embodiments of the application, once the data identifier of the security event data output by each upstream response node has been obtained, the security event data are deduplicated by data identifier; that is, duplicate security event data are deleted from the acquired data regardless of which upstream response node they came from.
Specifically, if the data identifiers show that a duplicate identifier exists, the security event datum corresponding to one of the duplicate identifiers is deleted, which deduplicates the security events.
For example, suppose upstream response node A outputs [a1, a2, x] and upstream response node B outputs [b1, x]. The x output by A and the x output by B are duplicates, so one of them is selected and deleted; if the x output by A is the one deleted, the security event data acquired by the virtual node are a1, a2, b1 and x.
S3: merge the deduplicated security event data to obtain the data set containing the security event data.
In the embodiments of the application, after the deduplicated security event data have been obtained, they are merged into a data set containing the security event data.
For example, if upstream response node A outputs [a1, a2, x] and upstream response node B outputs [b1, x], the data set in the virtual node join_C is [a1, a2, b1, x].
In this way the virtual node acquires the output of each upstream response node, merges it and generates a data set, and the input of the downstream response node is decoupled from the individual upstream response nodes: however many upstream response nodes (branches) the upstream flow block has, only the single branch from the virtual node join_C has to be handled here.
Further, after merging the security event data to generate a data set including the security event data, determining whether each upstream response node completes the response, if each upstream response node performs the response completion operation, the downstream response node can acquire each security event data from the data set of the virtual node, and then determining whether each upstream response node completes the response, specifically including:
s1: and judging whether the node identifications corresponding to the upstream response nodes all appear in the data set.
In the embodiment of the application, after the upstream response node executes the corresponding response operation, the security event data after the response is completed is output to the virtual node, the virtual node receives the security event data output by the upstream response node, the security event data output by the upstream response node received by the virtual node carries a node identifier, the node identifier is an ID of the upstream response node, the node identifier is globally unique in the current flow and is used for representing which upstream response node the security event data originates from, if the upstream response node executes the corresponding response operation, if the upstream response node does not execute the corresponding response operation, the security event data after the response is completed cannot be output to the virtual node, and further the corresponding node identifier cannot be output to the virtual node, and only the virtual node receives the node identifiers corresponding to all the upstream response nodes, the upstream response nodes can be considered to respond completely, and then the downstream response nodes acquire the security event data from the virtual nodes and perform corresponding response operation according to the security event data, so that when the upstream response nodes perform response operation completely and really call the downstream response nodes, the data quoted by the downstream response nodes is only the security event data in the virtual nodes, and a specific source of an appointed upstream branch of a user is not needed, and the transparency of the user can be realized through the construction of the virtual nodes under the scene insensitive to the source branch of the security event, so that the whole arrangement process is simpler and clearer.
For example, suppose that in the process of scheduling, an upstream response node a and an upstream response node B are scheduled, the node identifier corresponding to the upstream response node a is a, the node identifier corresponding to the upstream response node B is B, after the upstream response node a performs a response operation, a completion check is triggered, that is, it is determined whether both the node identifiers a and B appear in the data set, if it is found that the node identifier B does not exist, the node identifier B waits, after the upstream response node B performs a response operation, a completion check is triggered again, and if both the node identifier a and the node identifier B appear in the data set, it is determined that both the upstream response node responds completely, and the downstream response node continues to perform.
S2: if all the node identifiers are determined to be present in the data set, determine that the upstream response nodes have completed their responses and generate a response completion instruction.
In this embodiment, if the node identifiers corresponding to all the upstream response nodes are found in the data set, every upstream response node is determined to have finished its response operation, and a response completion instruction is generated at that point.
S3: send the response completion instruction to the downstream response node, so that the downstream response node obtains each item of security event data from the data set according to the response completion instruction.
In this embodiment, once the virtual node determines that all upstream response nodes have completed their responses, it generates a response completion instruction and sends it to the downstream response node. From that instruction the downstream response node knows that all upstream response nodes have completed, obtains all the security event data from the virtual node's data set, and performs its response operation on that data.
The response completion instruction thus notifies the downstream response node that every upstream response node has finished its response operation.
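The join described in S1 to S3, as an added example that is not part of the patent or of any NSFOCUS product: a small Python model of the virtual node that de-duplicates records by data identifier, tracks which upstream node identifiers have appeared in the data set, and releases the merged data set to the downstream node only once every registered upstream node has reported. Class names, record fields and the sample event are assumptions of this example.

```python
"""Virtual-node join for the all-in-one orchestration mode (added example).

Constructed model of the virtual node from steps S1 to S3: it collects the
security event data output by each upstream response node, de-duplicates by
data identifier, and generates a response completion instruction only once the
node identifier of every upstream response node appears in the data set.
Class, field and sample-event names are this example's own assumptions.
"""


class VirtualNode:
    """Aggregation point between N upstream response nodes and one downstream node."""

    def __init__(self, upstream_node_ids):
        ids = list(upstream_node_ids)
        # node identifiers must be unique within the current flow, otherwise the
        # completion check could be satisfied by one branch reporting twice
        self.expected = frozenset(ids)
        if len(self.expected) != len(ids):
            raise ValueError("upstream node identifiers must be unique within a flow")
        # data_id -> {"node_ids": upstream nodes that emitted it, "fields": payload}
        self._records = {}
        self.completion_instruction = None

    def receive(self, node_id, data_id, fields):
        """S1: accept one post-response record from an upstream node, de-duplicate
        it by data identifier, then run the completion check."""
        if node_id not in self.expected:
            raise ValueError(f"node identifier {node_id!r} is not wired into this virtual node")
        # duplicate removal: a second record with the same data_id is merged into the
        # first one rather than stored again; the node identifier is still recorded
        rec = self._records.setdefault(data_id, {"node_ids": set(), "fields": dict(fields)})
        rec["node_ids"].add(node_id)
        return self._completion_check()

    def seen_node_ids(self):
        """Node identifiers that currently appear in the data set."""
        seen = set()
        for rec in self._records.values():
            seen |= rec["node_ids"]
        return seen

    def _completion_check(self):
        """S2: generate the response completion instruction once every expected
        node identifier is present; otherwise keep waiting (return None)."""
        if self.expected - self.seen_node_ids():
            return None
        if self.completion_instruction is None:
            self.completion_instruction = {
                "type": "response_complete",
                "upstream_nodes": sorted(self.expected),
                "record_count": len(self._records),
            }
        return self.completion_instruction

    def data_set(self):
        """The merged, de-duplicated data set handed to the downstream node."""
        return [
            {"data_id": data_id, "node_ids": sorted(rec["node_ids"]), **rec["fields"]}
            for data_id, rec in self._records.items()
        ]


def run_downstream(virtual_node, instruction):
    """S3: the downstream node acts only on a response completion instruction and
    reads everything from the virtual node, never from a named upstream branch."""
    if instruction is None or instruction.get("type") != "response_complete":
        return None
    return virtual_node.data_set()


def demo():
    """The A/B scenario from the text, with a constructed security event."""
    vn = VirtualNode(["A", "B"])
    event = {"src_ip": "36.35.36.36", "dst_port": 443,
             "event_name": "web vulnerability attack", "event_type": "web_attack"}
    steps = {}
    # node A finishes first: the check finds B missing, so the downstream node waits
    steps["after_A"] = vn.receive("A", "evt-1", event)
    # the same record arrives from A again (a retry): dropped by data identifier
    steps["after_A_retry"] = vn.receive("A", "evt-1", event)
    # node B finishes with the same event: both identifiers now appear in the data set
    steps["after_B"] = vn.receive("B", "evt-1", event)
    steps["downstream_input"] = run_downstream(vn, steps["after_B"])
    return steps


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A caveat the text leaves open: the virtual node waits indefinitely for an upstream node that never outputs data, for instance one whose response operation failed, so a real engine needs a timeout or an error path for that branch; the model above only reports that the join is still incomplete.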
Further, in this embodiment a research-and-judgment node and a logic decision node may also be arranged before the upstream response nodes. The research-and-judgment node obtains the intelligence forensics result for the currently detected security event, and the logic decision node makes a decision on that security event. Fig. 6 is a schematic diagram of an orchestration that includes a logic decision module: a research-and-judgment node "intelligence forensics_1" and a decision node "logic decision_1" are placed before the upstream response node "global blocking". The intelligence forensics result for the currently detected security event is obtained through "intelligence forensics_1", and "logic decision_1" determines whether the currently detected security event hits the intelligence.
For example, the intelligence forensics result for the currently detected security event is that the attacker's IP is 36.35.36.36. The decision node then checks whether that IP is on the IP blacklist. If it is, the forensics result for the current security event is judged a hit and the flow continues, that is, each upstream response node begins executing its response operation; if it is not, the security event is discarded.
As another example, a decision node "logic decision_2" is placed before the upstream response node "notify early warning" to decide whether the event type of the currently detected security event is a web vulnerability attack; only if it is does the "notify early warning" upstream response node execute its response operation on the security event.
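The gating described in the two examples above, as an added example that is not part of the patent or of any NSFOCUS product: Python functions standing in for the research-and-judgment node, "logic decision_1" (attacker IP hits the blacklist) and "logic decision_2" (event type is a web vulnerability attack), plus a driver that reports which upstream response nodes would run. The blacklist, the event records and the function names are constructed for this example. It goes one step beyond the text in that the blacklist may contain CIDR ranges as well as single addresses, and a missing or malformed attacker IP is treated as a miss rather than as an error.

```python
"""Decision gates placed before the upstream response nodes (added example).

Constructed illustration of the research-and-judgment (intelligence forensics)
node and the two logic-decision nodes described around fig. 6. The blacklist,
event records and helper names are assumptions of this example, not data or
code from the patent.
"""
import ipaddress

# Constructed IP blacklist: single hosts and CIDR ranges (not from the patent).
IP_BLACKLIST = ("36.35.36.36", "198.51.100.0/24")


def _compile_blacklist(entries):
    """Turn blacklist strings into network objects; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def intelligence_forensics(event):
    """Research-and-judgment node: the forensics result is the attacker IP.

    Returns an ip_address object, or None when the event carries no usable source IP,
    so a malformed record cannot crash the flow.
    """
    attacker_ip = event.get("src_ip")
    if attacker_ip is None:
        return None
    try:
        return ipaddress.ip_address(attacker_ip)
    except ValueError:
        return None


def logic_decision_1(event, blacklist=IP_BLACKLIST):
    """Decision_1: 'continue' only if the attacker IP is on the blacklist, else 'discard'."""
    ip = intelligence_forensics(event)
    if ip is None:
        return "discard"
    # version mismatch (IPv6 address vs IPv4 network) is simply not a hit
    hit = any(ip in net for net in _compile_blacklist(blacklist))
    return "continue" if hit else "discard"


def logic_decision_2(event):
    """Decision_2, in front of 'notify early warning': is this a web vulnerability attack?"""
    return event.get("event_type") == "web vulnerability attack"


def run_pre_response(event):
    """Run the gates and report which upstream response nodes would execute.

    'global_block' runs for every event that passes decision_1; 'notify_early_warning'
    additionally requires decision_2. Node names are assumptions of this example.
    """
    if logic_decision_1(event) != "continue":
        return {"decision": "discard", "nodes": []}
    nodes = ["global_block"]
    if logic_decision_2(event):
        nodes.append("notify_early_warning")
    return {"decision": "continue", "nodes": nodes}


if __name__ == "__main__":
    # constructed sample events
    samples = [
        {"src_ip": "36.35.36.36", "event_type": "web vulnerability attack"},
        {"src_ip": "36.35.36.36", "event_type": "port scan"},
        {"src_ip": "203.0.113.9", "event_type": "web vulnerability attack"},
        {"src_ip": "not-an-ip", "event_type": "web vulnerability attack"},
    ]
    for sample in samples:
        print(sample, "->", run_pre_response(sample))
```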
In this embodiment the virtual node obtains the security event data output by each upstream response node and merges it into a data set containing every record; the downstream response node obtains the security event data from that data set and performs its response operation on it. Compared with the prior art, in the all-in-one orchestration mode the user does not have to designate a specific upstream response node as the source when orchestrating: the downstream block simply operates on the security events handed to it and need not care which of the several upstream response nodes they came from. This simplifies the operation and makes the overall orchestration flow simpler and clearer. For the SOAR engine, security event data no longer has to be actively fetched from several places; only the virtual node's security event data has to be consumed, which lowers CPU utilisation, raises execution efficiency and makes the engine's use of resources more efficient.
Based on the same inventive concept, an embodiment of the application also provides a data aggregation device for the all-in-one orchestration mode; the device may be a hardware structure, a software module, or a combination of the two. Based on the above embodiments, fig. 7 is a schematic structural diagram of the data aggregation device for the all-in-one orchestration mode, which specifically includes:
an obtaining module 700, configured to obtain the security event data output by each upstream response node; and
a processing module 710, configured to merge the security event data into a data set containing each item of security event data, so that the downstream response node obtains the security event data from the data set and performs a corresponding response operation according to it.
Optionally, when merging the security event data to generate the data set, the processing module 710 is specifically configured to:
obtain a data identifier corresponding to each item of security event data, each item corresponding to one data identifier;
de-duplicate the security event data according to the data identifier corresponding to each item; and
merge the de-duplicated security event data to obtain the data set containing the security event data.
Optionally, after generating the data set, the processing module 710 is further configured to:
judge whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if all the node identifiers are determined to be present in the data set, determine that the upstream response nodes have completed their responses and generate a response completion instruction; and
send the response completion instruction to the downstream response node, so that the downstream response node obtains the security event data from the data set according to the response completion instruction.
Optionally, the security event data includes at least one or any combination of: source IP, destination port, security event name, security event type.
Based on the above embodiments, fig. 8 is a schematic structural diagram of an electronic device in an embodiment of the present application.
An embodiment of the present application provides an electronic device, which may include a processor 810 (CPU), a memory 820, an input device 830, an output device 840, and the like, where the input device 830 may include a keyboard, a mouse, a touch screen, and the like, and the output device 840 may include a Display device, such as a Liquid Crystal Display (LCD), a Cathode Ray Tube (CRT), and the like.
Memory 820 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides processor 810 with program instructions and data stored in memory 820. In the embodiment of the present application, the memory 820 may be used to store a program of any one of the data aggregation methods of the all-in-one layout mode in the embodiment of the present application.
The processor 810 is configured to execute the data aggregation method of any one of the all-in-one arrangement modes according to the obtained program instructions by calling the program instructions stored in the memory 820.
Based on the foregoing embodiments, in the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored, and the computer program, when executed by a processor, implements the data aggregation method of the all-in-one orchestration mode in any of the above method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A data aggregation method of an all-in-one orchestration mode, applied to an all-in-one orchestration framework, the framework comprising at least two upstream response nodes, a virtual node and a downstream response node, wherein output ends of the at least two upstream response nodes are connected to an input end of the virtual node and an output end of the virtual node is connected to an input end of the downstream response node, the method comprising:
the virtual node obtaining the security event data output by each upstream response node; and
merging the security event data to generate a data set containing each item of security event data, so that the downstream response node obtains the security event data from the data set and performs a corresponding response operation according to the security event data.
2. The method of claim 1, wherein merging the security event data to generate a data set containing the security event data comprises:
obtaining a data identifier corresponding to each item of security event data, each item of security event data corresponding to one data identifier;
de-duplicating the security event data according to the data identifier corresponding to each item; and
merging the de-duplicated security event data to obtain the data set containing the security event data.
3. The method of claim 2, further comprising, after generating the data set containing the security event data:
judging whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if all the node identifiers are determined to be present in the data set, determining that the upstream response nodes have completed their responses and generating a response completion instruction; and
sending the response completion instruction to the downstream response node, so that the downstream response node obtains the security event data from the data set according to the response completion instruction.
4. A method according to any of claims 1-3, wherein the security event data comprises at least one or any combination of: source IP, destination port, security event name, security event type.
5. A data aggregation device of an all-in-one orchestration mode, applied to an all-in-one orchestration framework, the framework comprising at least two upstream response nodes, a virtual node and a downstream response node, wherein output ends of the at least two upstream response nodes are connected to an input end of the virtual node and an output end of the virtual node is connected to an input end of the downstream response node, the device comprising:
an obtaining module, configured to obtain the security event data output by each upstream response node; and
a processing module, configured to merge the security event data to generate a data set containing each item of security event data, so that the downstream response node obtains the security event data from the data set and performs a corresponding response operation according to the security event data.
6. The device of claim 5, wherein when merging the security event data to generate a data set containing the security event data, the processing module is specifically configured to:
obtain a data identifier corresponding to each item of security event data, each item of security event data corresponding to one data identifier;
de-duplicate the security event data according to the data identifier corresponding to each item; and
merge the de-duplicated security event data to obtain the data set containing the security event data.
7. The device of claim 6, wherein after generating the data set containing the security event data, the processing module is further configured to:
judge whether the node identifiers corresponding to all the upstream response nodes are present in the data set;
if all the node identifiers are determined to be present in the data set, determine that the upstream response nodes have completed their responses and generate a response completion instruction; and
send the response completion instruction to the downstream response node, so that the downstream response node obtains the security event data from the data set according to the response completion instruction.
8. The apparatus of any of claims 5-7, wherein the security event data comprises at least one or any combination of: source IP, destination port, security event name, security event type.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any of claims 1-4 are implemented when the program is executed by the processor.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when being executed by a processor realizes the steps of the method of any one of claims 1 to 4.
CN202010943671.7A 2020-09-09 2020-09-09 Data aggregation method and device of all-in-one arrangement mode Active CN112202724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010943671.7A CN112202724B (en) 2020-09-09 2020-09-09 Data aggregation method and device of all-in-one arrangement mode


Publications (2)

Publication Number Publication Date
CN112202724A true CN112202724A (en) 2021-01-08
CN112202724B CN112202724B (en) 2023-04-07

Family

ID=74014944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010943671.7A Active CN112202724B (en) 2020-09-09 2020-09-09 Data aggregation method and device of all-in-one arrangement mode

Country Status (1)

Country Link
CN (1) CN112202724B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472787A (en) * 2021-06-30 2021-10-01 Sangfor Technologies Inc. Alarm information processing method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106605397A (en) * 2014-10-26 2017-04-26 McAfee Inc. Security orchestration framework
WO2017178068A1 (en) * 2016-04-15 2017-10-19 Nokia Solutions And Networks Oy Mechanism for modifying security setting of a network service including virtual network parts
US20190155636A1 (en) * 2018-12-28 2019-05-23 Intel Corporation Technologies for hybrid virtualization and secure enclave policy enforcement for edge orchestration
CN109947534A (en) * 2019-03-12 2019-06-28 Sun Yat-sen University SDN-based cloud security function orchestration system
CN110213077A (en) * 2019-04-18 2019-09-06 State Grid Corporation of China Method, apparatus and system for determining security incidents in a power monitoring system
CN110990233A (en) * 2019-11-28 2020-04-10 Hangzhou DBAPPSecurity Co., Ltd. Method and system for displaying SOAR using a Gantt chart
CN111010391A (en) * 2019-12-12 2020-04-14 Hangzhou DBAPPSecurity Co., Ltd. Vulnerability repair method, device and related equipment
US20200259847A1 (en) * 2019-02-08 2020-08-13 Fortinet, Inc. Providing secure data-replication between a master node and tenant nodes of a multi-tenancy architecture

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Luo Wei: "A brief analysis of how to improve and enhance the emergency response mechanism under the new cyber-security situation", China Information Security (《中国信息安全》) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant