CN-121984852-A - Self-adaptive flow acquisition and evidence obtaining resource optimization system based on dynamic policy engine
Abstract
The invention discloses a self-adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine, in the technical field of computers. The system derives protocol semantic features from the structured telemetry data or plaintext request metadata emitted at observable points, and maps those features together with service identity identifiers and risk alarms onto a single collection policy instruction, so that forensic records carry semantic fields such as identity, endpoint, method, status code and trace identifier, extending observation from the connection level to a request-level evidence chain. In addition, a workload lifecycle event triggers full collection for the initial time window of a new instance; a forensic context object keeps a continuous collection window open for its effective duration; the association rule is organized by a stable anchor and a variable dimension; during scale-out and scale-in the hit range is kept up to date by adding or removing workload instance identifiers; and a continuously covered forensic target set is thereby abstracted away from the short lifecycle of individual instances.
Inventors
- TANG ZHIBIN
- ZHANG LIFEN
- WU JUNQI
Assignees
- 北京简易网安科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260206
Claims (10)
- 1. A self-adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine, applied to a zero-trust micro-service environment, characterized by comprising the dynamic policy engine, a semantic analysis plug-in, a state access module, a policy distribution module and a collection executor deployed on the micro-service node side; the state access module is used for acquiring workload lifecycle events, service identity information, risk alarms and asset importance tags; the semantic analysis plug-in is used for parsing the structured telemetry data or plaintext request metadata at an observable point and outputting protocol semantic features; the dynamic policy engine is used for fusing the protocol semantic features, the service identity information, the risk alarms and the workload lifecycle events, generating a collection policy instruction comprising a collection target, a collection granularity and a collection duration, and transmitting the collection policy instruction to the corresponding collection executor through the policy distribution module; and the collection executor is used for executing collection at the corresponding granularity at the observable points of the sidecar proxy or the host network stack according to the collection policy instruction and outputting forensic data.
- 2. The dynamic policy engine-based adaptive traffic collection and forensic resource optimization system according to claim 1, wherein the dynamic policy engine comprises a new-instance trigger unit implementing the following logic: when a workload lifecycle event indicates creation of a new workload instance, and the service identity information or the asset importance tag associated with the new workload instance satisfies a preset risk condition, a full collection instruction for the initial time window of the new workload instance is generated.
- 3. The dynamic policy engine-based adaptive traffic collection and forensic resource optimization system according to claim 1, wherein the dynamic policy engine comprises a forensic context maintenance module; the forensic context maintenance module is used for creating a forensic context object when a risk alarm or a protocol semantic feature indicates a potential attack starting point, the forensic context object comprising a starting point identifier, an association rule and an effective duration; within the effective duration, the dynamic policy engine generates an instruction for raising the collection granularity or performing full collection for traffic that satisfies the association rule, wherein the association rule is organized by a stable dimension and a variable dimension, the stable dimension comprising a service identity identifier, an asset importance tag, an interface endpoint pattern, a request method and a status code interval, and the variable dimension comprising a workload instance identifier, a trace identifier, a connection five-tuple and a session time window; the association rule is a Boolean expression that takes the service identity identifier or the workload instance identifier as its entry condition, the interface endpoint pattern or the trace identifier as its constraint condition and the connection five-tuple or the session time window as its boundary condition, the stable dimension being combined with AND and the variable dimension with OR; the dynamic policy engine performs hierarchical matching on the traffic to be classified: the entry layer performs coarse screening based on the service identity identifier or the workload instance identifier, the constraint layer performs fine screening based on the interface endpoint pattern in combination with the trace identifier or the connection five-tuple, outputs the hit traffic set and accordingly generates the instruction for raising the collection granularity or performing full collection; when workload scale-out, scale-in or rebuild occurs, the forensic context object takes the service identity identifier and the interface endpoint pattern as a stable anchor and keeps the rule effective by adding an association to a newly created workload instance identifier or removing the association to a terminated workload instance identifier; and when the risk alarm or protocol semantic feature points to the same attack chain again within the effective duration, the dynamic policy engine takes the union of each dimension's value set in the association rule of the corresponding forensic context object and extends the effective duration, adopting the interface endpoint pattern with the smaller coverage when interface endpoint patterns conflict.
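The forensic context object and its two-dimension association rule in claim 3 are easiest to follow in code. The block below is an added illustration, not code from the patent or its assignee: the record field names (svc_id, instance_id, endpoint, method, status, trace_id, five_tuple, ts), the glob-style endpoint patterns, the SPIFFE-style identity string and the traffic records in demo() are all assumptions made for this example. It shows the entry/constraint/boundary layering, how a scale event keeps the rule hitting a rebuilt instance whose identity is not yet reported, and how a second hit on the same chain unions the dimensions, extends the lifetime and replaces a wide endpoint pattern with a narrower one.

```python
"""Forensic context object with a stable (AND) / variable (OR) association rule.
Added example; field names, patterns and sample records are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def _narrower(p, q):
    """True when glob pattern p is strictly covered by glob pattern q."""
    return p != q and fnmatchcase(p, q)


@dataclass
class AssocRule:
    svc_ids: set                                 # stable dimension (AND) ...
    endpoint_patterns: set
    methods: set = field(default_factory=set)    # empty = any method
    status_range: tuple = (100, 599)             # inclusive interval
    instance_ids: set = field(default_factory=set)   # variable dimension (OR) ...
    trace_ids: set = field(default_factory=set)      # empty = not learned yet
    five_tuples: set = field(default_factory=set)

    def add_endpoint(self, p):
        """Insert p; on conflict keep the pattern with the smaller coverage."""
        for q in list(self.endpoint_patterns):
            if _narrower(p, q):
                self.endpoint_patterns.discard(q)   # p is more specific than q
            elif _narrower(q, p):
                return                              # q already narrower than p
        self.endpoint_patterns.add(p)

    def union(self, other):
        """Per-dimension set union, used when the same attack chain hits again."""
        for name in ("svc_ids", "methods", "instance_ids", "trace_ids", "five_tuples"):
            getattr(self, name).update(getattr(other, name))
        for p in other.endpoint_patterns:
            self.add_endpoint(p)


@dataclass
class ForensicContext:
    origin_id: str          # alarm or semantic feature that opened the context
    rule: AssocRule
    created: float
    expires_at: float

    def matches(self, rec, now):
        r = self.rule
        # Boundary condition: the session time window (context lifetime).
        if now > self.expires_at or not self.created <= rec["ts"] <= self.expires_at:
            return False
        # Entry layer: coarse screen on service identity OR workload instance id.
        if rec["svc_id"] not in r.svc_ids and rec["instance_id"] not in r.instance_ids:
            return False
        # Constraint layer, stable dimension (AND): endpoint pattern, method, status.
        if not any(fnmatchcase(rec["endpoint"], p) for p in r.endpoint_patterns):
            return False
        if r.methods and rec["method"] not in r.methods:
            return False
        if not r.status_range[0] <= rec["status"] <= r.status_range[1]:
            return False
        # Constraint layer, variable dimension (OR), once trace ids or five-tuples exist.
        if r.trace_ids or r.five_tuples:
            return rec["trace_id"] in r.trace_ids or rec["five_tuple"] in r.five_tuples
        return True

    def on_scale_event(self, ev):
        """Keep the rule effective across scale-out/in of the anchored service."""
        if ev["svc_id"] not in self.rule.svc_ids:
            return
        if ev["kind"] == "created":
            self.rule.instance_ids.add(ev["instance_id"])
        elif ev["kind"] == "destroyed":
            self.rule.instance_ids.discard(ev["instance_id"])

    def on_rehit(self, fragment, now, extend_by):
        """Same attack chain seen again: union every dimension, extend lifetime."""
        self.rule.union(fragment)
        self.expires_at = max(self.expires_at, now + extend_by)


def instruction_for(ctx, rec, now):
    """Granularity the engine orders for one traffic record."""
    return "packet_capture" if ctx.matches(rec, now) else "flow_record"


def demo():
    """Constructed walk-through (assumed data); returns the decisions taken."""
    ORDERS = "spiffe://corp/ns/shop/sa/orders"
    ctx = ForensicContext("alert-7f3a", AssocRule({ORDERS}, {"/api/*"}, {"POST"}, (400, 499)),
                          created=100.0, expires_at=400.0)
    base = {"ts": 120.0, "svc_id": ORDERS, "instance_id": "orders-a1",
            "endpoint": "/api/v1/orders/import", "method": "POST", "status": 403,
            "trace_id": "t1", "five_tuple": ("10.0.1.5", 41000, "10.0.2.9", 8080, "tcp")}
    out = {"hit": instruction_for(ctx, base, 120.0),
           "wrong_method": instruction_for(ctx, {**base, "method": "GET"}, 120.0)}
    # Rebuilt instance whose identity is not reported yet: only the instance id is known.
    rebuilt = {**base, "ts": 150.0, "svc_id": None, "instance_id": "orders-b2", "trace_id": "t2"}
    out["before_scale"] = instruction_for(ctx, rebuilt, 150.0)
    ctx.on_scale_event({"kind": "created", "svc_id": ORDERS, "instance_id": "orders-b2"})
    out["after_scale"] = instruction_for(ctx, rebuilt, 150.0)
    # Same chain hits again with a narrower endpoint pattern and a known trace id.
    ctx.on_rehit(AssocRule({ORDERS}, {"/api/v1/orders/*"}, {"PUT"}, (400, 499),
                           trace_ids={"t1"}), now=300.0, extend_by=300.0)
    out["expires_at"] = ctx.expires_at
    out["patterns"] = set(ctx.rule.endpoint_patterns)
    out["unknown_trace"] = instruction_for(ctx, {**base, "ts": 350.0, "trace_id": "t9"}, 350.0)
    out["known_trace"] = instruction_for(ctx, {**base, "ts": 350.0}, 350.0)
    out["other_endpoint"] = instruction_for(ctx, {**base, "ts": 350.0, "endpoint": "/api/v1/cart"}, 350.0)
    out["expired"] = instruction_for(ctx, {**base, "ts": 650.0}, 650.0)
    return out
```

Two details worth noting: the variable dimension is only enforced once a trace identifier or five-tuple has actually been learned, otherwise a freshly opened context would never hit anything; and because the glob `*` in fnmatch spans path separators, "/api/v1/orders/*" is recognised as covered by "/api/*", which is what lets the conflict rule pick the narrower pattern.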
- 4. The adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine according to claim 1, wherein the semantic analysis plug-in is a pluggable module and supports parsing of the access logs, metrics or tracing data output by a service mesh sidecar proxy; and the protocol semantic features comprise at least an application-layer protocol type, an interface endpoint, a request method, a status code and a service identity.
- 5. The dynamic policy engine-based adaptive traffic collection and forensic resource optimization system according to claim 1, wherein the collection granularity comprises at least the following levels: connection-level flow record metadata collection, request-level metadata collection and packet capture, wherein request-level metadata collection is generated from the plaintext request metadata output by the sidecar proxy or the application side, packet capture comprises packet content filtered according to policy or truncated packet content, and the truncation length is defined by a truncation length parameter in the collection policy instruction.
- 6. The adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine according to claim 1, wherein the dynamic policy engine comprises a stability control unit that sets a minimum hold time and a threshold band for switching the collection granularity; while the resource utilization fluctuates within the threshold band, the current collection granularity is kept unchanged; and only when the resource utilization continuously satisfies the upgrade condition or the degrade condition for at least the minimum hold time is the collection granularity switched and the collection duration updated.
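The stability control unit of claim 6, together with the three granularity levels of claim 5, is a hysteresis controller: a dead band around the thresholds plus a minimum hold time that a condition must persist before a switch is taken. The following is an added example, not the patent's own code; the level names come from claim 5, but the 0.55/0.80 thresholds, the 30 s hold time, the 256-byte truncation length and the utilization trace in SAMPLES are assumptions. A naive fixed-threshold switcher is included for comparison to show the flapping on a short spike that the hold time suppresses.

```python
"""Hysteresis-based collection-granularity controller (added example; thresholds,
hold time, truncation length and the sample trace are assumptions)."""
LEVELS = ["flow_record", "request_metadata", "packet_capture"]   # coarse -> fine


class GranularityController:
    def __init__(self, upgrade_below=0.55, degrade_above=0.80, min_hold=30.0,
                 start="request_metadata", truncate_len=256):
        self.upgrade_below = upgrade_below   # utilization below this, sustained -> finer
        self.degrade_above = degrade_above   # utilization above this, sustained -> coarser
        self.min_hold = min_hold             # how long a condition must persist
        self.level = LEVELS.index(start)
        self.truncate_len = truncate_len
        self.pending = None                  # (direction, since_ts) of the current condition

    def instruction(self):
        """Collection policy instruction for the current level."""
        gran = LEVELS[self.level]
        instr = {"granularity": gran, "duration": self.min_hold}
        if gran == "packet_capture":
            instr["truncate_len"] = self.truncate_len   # claim 5 truncation parameter
        return instr

    def observe(self, ts, util):
        """Feed one utilization sample; return an instruction only when switching."""
        if util < self.upgrade_below:
            direction = +1
        elif util > self.degrade_above:
            direction = -1
        else:
            self.pending = None              # inside the threshold band: hold
            return None
        if self.pending is None or self.pending[0] != direction:
            self.pending = (direction, ts)   # condition (re)starts now
            return None
        if ts - self.pending[1] < self.min_hold:
            return None                      # not persisted for the minimum hold time
        target = self.level + direction
        if not 0 <= target < len(LEVELS):
            return None                      # already at the coarsest/finest level
        self.level = target
        self.pending = None                  # hold timer restarts after a switch
        return self.instruction()


def replay(samples, ctrl=None):
    """Run (ts, util) samples; return the list of (ts, granularity) switches."""
    ctrl = ctrl or GranularityController()
    switches = []
    for ts, util in samples:
        instr = ctrl.observe(ts, util)
        if instr:
            switches.append((ts, instr["granularity"]))
    return switches


def naive_replay(samples, start="request_metadata"):
    """Fixed-threshold switching with no hold time, for comparison."""
    level, switches = LEVELS.index(start), []
    for ts, util in samples:
        d = 1 if util < 0.55 else -1 if util > 0.80 else 0
        if d and 0 <= level + d < len(LEVELS):
            level += d
            switches.append((ts, LEVELS[level]))
    return switches


# Constructed trace: in-band jitter, a single 10 s spike, sustained overload, then idle.
SAMPLES = [(0, 0.60), (10, 0.70), (20, 0.90), (30, 0.70), (40, 0.85), (50, 0.88),
           (60, 0.92), (70, 0.95), (80, 0.40), (90, 0.45), (100, 0.42), (110, 0.30),
           (120, 0.30), (130, 0.25), (140, 0.20), (150, 0.20)]
```

On this trace the controlled version degrades once at t=70 after 30 s of sustained overload, then climbs back one level at a time at t=110 and t=150, whereas the naive switcher already drops to flow records on the one-sample spike at t=20, which is exactly the observation gap the background section describes.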
- 7. The adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine according to claim 1, wherein the dynamic policy engine is configured to receive a global state event and, when the global state event indicates that the system has entered a predefined high-threat period or a failover state, to generate enhanced collection instructions covering a target asset set or a target traffic path, the enhanced collection instructions having a higher priority than the local rules of the collection executor.
- 8. The dynamic policy engine-based adaptive traffic collection and forensic resource optimization system according to claim 7, characterized in that, when generating the enhanced collection instruction, the dynamic policy engine distinguishes core assets from non-core assets according to a pre-configured business continuity graph, allocates a resource guarantee quota to traffic related to core assets, and allows traffic related to non-core assets to degrade its collection granularity or shorten its collection duration when resources are insufficient; the business continuity graph is a pre-configured data object in the dynamic policy engine that may be updated through the state access module, and is a directed attribute graph whose nodes represent asset nodes, service nodes or workload instance nodes and whose directed edges represent dependency, calling or deployment relationships, the nodes carrying a service grade, an asset importance tag, external exposure, a historical alarm weight and the owning tenant or environment, and the edges carrying a call frequency interval, an average latency interval, an error code distribution, a protocol type set and an interface endpoint set; when a global state event indicates entry into a high-threat period or a failover state, the dynamic policy engine constructs, from the dependency paths of the business continuity graph, an enhanced collection instruction covering a target asset set or a target traffic path from an ingress-exposed service to a core business asset; core assets are determined by thresholding a multi-index weighted score over service grade, dependency, external exposure and historical alarm weight, and nodes at the highest service grade or marked as forced guarantee in the business continuity graph are always returned as core; and the dynamic policy engine allocates the resource guarantee quota to core-asset-related traffic according to the core asset set, keeps the resource guarantee quota and the lower limit of the collection granularity of core-asset-related traffic unchanged when resources are insufficient, meanwhile allows non-core-asset-related traffic to degrade its collection granularity, shorten its collection duration or reduce its buffer upper limit, and redistributes the resources released by that degradation to core-asset-related traffic.
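Claims 7 and 8 describe a procedure: score the nodes of the business continuity graph, force the highest-grade and forced-guarantee nodes into the core set, walk dependency paths from externally exposed services to core assets to obtain the target set, then allocate quota so that core traffic keeps its guarantee while non-core traffic degrades. The block below is an added example and not the patent's implementation: the seven-node graph, the score weights and the 0.6 threshold, the per-granularity cost units, the quota of 8 units per core asset and the duration and buffer figures are all assumptions chosen for illustration.

```python
"""Business continuity graph: core-asset scoring, ingress-to-core paths and quota
allocation under resource shortage (added example; graph, weights, costs assumed)."""
from dataclasses import dataclass, field

GRADE_MAX = 4                                    # assumed service grade scale 1..4
COST = {"flow_record": 1, "request_metadata": 3, "packet_capture": 8}   # assumed units
WEIGHTS = {"grade": 0.4, "dependency": 0.3, "exposure": 0.2, "alarm": 0.1}


@dataclass
class Node:
    grade: int
    exposed: bool = False          # externally reachable (ingress)
    alarm_weight: float = 0.0      # historical alarm weight, 0..1
    forced: bool = False           # marked "forced guarantee" in the graph


@dataclass
class Graph:
    nodes: dict                    # name -> Node
    edges: dict = field(default_factory=dict)   # caller -> [callee, ...]

    def in_degree(self, n):
        return sum(1 for callees in self.edges.values() if n in callees)


def core_score(g, n):
    """Multi-index weighted score over grade, dependency, exposure and alarms."""
    node = g.nodes[n]
    return (WEIGHTS["grade"] * node.grade / GRADE_MAX
            + WEIGHTS["dependency"] * min(g.in_degree(n), 3) / 3
            + WEIGHTS["exposure"] * node.exposed
            + WEIGHTS["alarm"] * node.alarm_weight)


def core_assets(g, threshold=0.6):
    """Threshold on the score, plus forced return of top-grade / forced nodes."""
    return {n for n, a in g.nodes.items()
            if a.forced or a.grade == GRADE_MAX or core_score(g, n) >= threshold}


def ingress_paths(g, core):
    """All simple paths from an exposed node to a core node along dependency edges."""
    paths = []

    def dfs(n, path):
        if n in core:
            paths.append(list(path))
        for m in g.edges.get(n, []):
            if m not in path:
                path.append(m)
                dfs(m, path)
                path.pop()

    for n, a in g.nodes.items():
        if a.exposed:
            dfs(n, [n])
    return paths


def enhanced_instructions(g, capacity, guarantee=8.0):
    """Enhanced collection instructions for a high-threat / failover event."""
    core = core_assets(g)
    targets = {n for p in ingress_paths(g, core) for n in p}
    noncore = targets - core
    core_need = guarantee * len(core)
    noncore_want = COST["request_metadata"] * len(noncore)
    if core_need + noncore_want <= capacity:
        quota, nc = guarantee, ("request_metadata", 600, 64)
    else:
        # Resources insufficient: degrade non-core (granularity, duration, buffer cap),
        # keep the core guarantee and hand the released capacity to core traffic.
        nc = ("flow_record", 120, 16)
        nc_alloc = COST[nc[0]] * len(noncore)
        if capacity - nc_alloc < core_need:
            raise RuntimeError("capacity cannot honour the core guarantee quota")
        quota = (capacity - nc_alloc) / len(core)
    instr = {n: {"granularity": "packet_capture", "floor": "request_metadata",
                 "quota": quota, "duration": 600, "buffer_mb": 64} for n in core}
    instr.update({n: {"granularity": nc[0], "quota": float(COST[nc[0]]),
                      "duration": nc[1], "buffer_mb": nc[2]} for n in noncore})
    return core, targets, instr


# Constructed shop-like topology (assumed); grades, exposure and alarm weights are made up.
SHOP = Graph(
    nodes={"gw": Node(2, exposed=True, alarm_weight=0.2),
           "api": Node(3, exposed=True, alarm_weight=0.9),
           "orders": Node(4, alarm_weight=0.8), "payments": Node(4, forced=True),
           "db": Node(4), "cache": Node(1, alarm_weight=0.1),
           "reports": Node(2, exposed=True, alarm_weight=0.3)},
    edges={"gw": ["api"], "api": ["orders", "reports", "cache"],
           "orders": ["payments", "db"], "payments": ["db"],
           "reports": ["cache", "db"]})
```

Here "api" becomes core through its score (exposed, alarmed, grade 3), while "orders", "payments" and "db" are returned unconditionally as top-grade nodes; "cache" is never on an ingress-to-core path and therefore receives no enhanced instruction at all. With 36 units of capacity the two non-core targets are degraded to flow records and the two freed units are spread over the four core assets.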
- 9. The adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine according to claim 1, wherein the collection executor comprises a policy execution unit and a local buffer unit; the policy execution unit is used for parsing the collection policy instruction and controlling the collection granularity and collection duration; and the local buffer unit is used for buffering, uploading and clearing the forensic data according to the collection policy instruction, the collection policy instruction comprising at least one of a buffer upper limit parameter and a retention time parameter.
- 10. The adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine according to claim 1, wherein the collection executor reports execution receipts and heartbeat status to the dynamic policy engine; and when the dynamic policy engine detects a receipt timeout or a heartbeat interruption, it issues a re-delivery instruction or a degraded collection instruction to the corresponding collection executor.
Description
Self-adaptive flow acquisition and evidence obtaining resource optimization system based on dynamic policy engine
Technical Field
The invention relates to the technical field of computers, in particular to a self-adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine.
Background
In a micro-service system with a zero-trust architecture, services typically run on an orchestration platform as container workloads that are frequently created, destroyed and migrated as load changes. To provide identity verification and transport confidentiality between services, east-west communication usually adopts mutual TLS for identity-based encryption and authentication, which yields an operating environment with full-link encryption, a distributed attack surface and a dynamically changing instance topology. For security monitoring and post-incident forensics in such an environment, the prior art mainly follows two paths. In the first, a service mesh data-plane proxy is deployed on the communication path between services; it enforces policy on connections and requests and outputs access logs, metrics and tracing information. In the second, a network flow record or traffic observability system is deployed; it aggregates statistics per connection and exports network- and transport-layer metadata such as source/destination addresses, ports, protocols, byte counts, packet counts and timestamps for situational analysis and alerting.
Where east-west communication is mutually encrypted, network flow records are counted mainly at the connection level and the collected content is concentrated on the network five-tuple, flow counts and similar fields; semantic elements such as application-layer protocol fields, interface paths, request methods, call chain identifiers and service identities are hard to obtain directly. When an attack is carried out inside a legitimate encrypted channel, request-level behaviour cannot be reconstructed from connection-level statistics alone, and associated evidence across the request-semantic and identity dimensions cannot be formed during forensics. The prior art also obtains plaintext through decrypting inspection or deep packet inspection, but this involves decryption and re-encryption, certificate and key management and an adjustment of the trust boundary, with additional computational overhead and performance cost. On the other hand, the access logs and request metadata output by a service mesh proxy provide finer-grained observability, but a bypass proxy deployed beside every workload introduces additional CPU, memory and forwarding latency overhead, and under high concurrency or demanding protocol parsing that overhead grows with configuration and load.
When the system experiences a load burst that triggers rapid scale-out and scale-in, a collection side that uses an adaptive control mechanism based on a fixed resource threshold will switch frequently and unstably between modes such as full collection and sampled collection; if the connections and requests of a newly added instance at start-up happen to fall into a mode-switching window, an observation gap results, which hinders the later reconstruction of the initial intrusion context and the lateral movement path. To reduce this instability, some systems introduce collection buffers, smoothing windows or deferred aggregation policies to suppress short-term fluctuations, but these bring corresponding additional storage overhead, data persistence and retrieval overhead, and may increase the delay before forensic data becomes available. In security incident handling, where fast response is required, the tension between forensic completeness, resource efficiency and response timeliness therefore remains.
Disclosure of Invention
The embodiments of the application provide a self-adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine, which addresses the missed collection caused by the loss of micro-service semantics and by scaling jitter in mTLS-encrypted scenarios, and the additional overhead and latency caused by buffer smoothing. The embodiments of the invention provide a self-adaptive traffic collection and forensic resource optimization system based on a dynamic policy engine, applied to a zero-trust micro-service environment, as follows. The system comprises a dynamic policy engine, a semantic analysis plug-in, a state access module, a policy distribution module and a collection executor deployed on the side of a mi