CN-121984909-A - Multi-source security data intelligent distribution method and device, storage medium and electronic equipment
Abstract
The invention provides a multi-source security data intelligent distribution method and device, a storage medium and electronic equipment, and relates to the technical field of network security. A multi-level organization architecture tree whose nodes carry unique identifiers is constructed in a network security platform, an adapter is configured for every organization node, and a bidirectional mapping relation between node and adapter is established. In response to a rule recommendation operation, the attribute parameters of the organization are collected and candidate routing rules are generated by matching similar historical nodes with a collaborative filtering algorithm; after confirmation or fine adjustment these form the final rule, which is synchronized to the routing engine built into the adapter and takes effect. When a security task is created, execution resources are matched from a resource pool according to the organization to which the task belongs, the distribution path of the result data is determined by the effective rule, and the result data is distributed accurately to the corresponding nodes according to the organization architecture tree, so that security data circulates intelligently, compliantly and efficiently.
Inventors
- ZHANG KAIYUE
- LI LEI
- Hao sai
- LI PEILUN
- ZHU ZHONGQI
- MENG XIANGZHEN
- LI YAN
- FENG SEN
- LUO QINGYONG
- Lv Rongnan
- GUO XINGXING
- YANG RUI
- CHEN LONG
- Wu Dihang
- RUI CHEN
Assignees
- 中国交通信息科技集团有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20251230
Claims (10)
- 1. An intelligent multi-source security data distribution method, characterized by comprising the following steps: constructing a multi-level organization architecture tree in a network security platform, wherein the organization nodes of the organization architecture tree comprise root nodes and child nodes, the root nodes represent upper management units, the child nodes represent lower units, and the root nodes and the child nodes are configured with unique organization identifiers; configuring a corresponding adapter for each organization node and establishing a bidirectional mapping relation between the organization node and the adapter, wherein the bidirectional mapping relation is used to associate security data received by the adapter with the organization identifier of the organization node; in response to a triggered rule recommendation operation, collecting attribute parameters of the current organization node and generating candidate routing rules based on the historical organization nodes that a collaborative filtering algorithm matches with a similarity not lower than a preset threshold, wherein the candidate routing rules define the push paths and priorities, among organization layers, of security data of different asset types or vulnerability grades; determining a final routing rule according to a confirmation instruction or a fine-tuning instruction for the candidate routing rules; synchronizing the final routing rule to a data routing engine built into the corresponding adapter and controlling the final routing rule to be enabled and take effect; when a security task is created, matching corresponding task execution resources from a task resource pool according to the organization node to which the security task belongs, and determining the distribution path of the security task result data through the effective routing rule; and distributing the security task to the corresponding organization nodes according to the distribution path and the multi-level organization architecture tree.
- 2. The intelligent multi-source security data distribution method according to claim 1, wherein establishing the bidirectional mapping relation between the organization node and the adapter comprises: storing, in the configuration data of the organization node, the unique identifiers of the one or more adapters bound to it; explicitly recording, in the configuration parameters of the adapter, the unique organization identifier of the organization node served by the adapter; and, when the structure of the multi-level organization architecture tree changes, triggering a configuration synchronization event, updating the organization identifier binding relation of the affected adapters, and notifying the corresponding data routing engine to reload its routing context.
- 3. The intelligent multi-source security data distribution method according to claim 1, wherein the attribute parameters collected for the current organization node comprise static service attribute parameters and dynamic operation data, the static service attribute parameters comprising whether the node is a core service unit, its management authority range and its asset scale level; and wherein generating candidate routing rules based on the historical organization nodes matched by the collaborative filtering algorithm with a similarity not lower than a preset threshold comprises: constructing a feature vector from the static service attributes and the dynamic operation data and calculating the cosine similarity between the current organization node and each historical organization node; and, when the similarity is not lower than the preset threshold, taking the validated routing rules of that historical organization node as initial templates from which the candidate routing rules are generated.
- 4. The intelligent multi-source security data distribution method according to claim 1, wherein synchronizing the final routing rule to the data routing engine built into the corresponding adapter comprises: pushing the final routing rule to the target adapter as a structured policy object over an internal message bus; parsing the structured policy object in the data routing engine and constructing a multidimensional matching table keyed on asset type, vulnerability level and organization level; and, when new security data is received, having the data routing engine extract the data meta-information in real time, query the multidimensional matching table, determine the list of target organization nodes to push to and the transmission priority, and distribute the security data to the corresponding message queue topic.
- 5. The intelligent multi-source security data distribution method according to claim 1, wherein matching the corresponding task execution resources from the task resource pool comprises: registering a plurality of task execution resources in the task resource pool in advance, each task execution resource being marked with an attribution organization level, the supported scanning device types, an API (application program interface) address and a maximum concurrency number; when a security task is created, screening, according to the organization node to which the security task belongs, the task execution resources whose attribution organization level is equal to or higher than that organization node and whose device types match; and, if several resources match, selecting the resource with the lowest current load for task scheduling according to the load balancing strategy.
- 6. The intelligent multi-source security data distribution method according to claim 1, further comprising, after determining the distribution path of the security task result data through the effective routing rule: monitoring the end-to-end transmission delay of the security data from the adapter to the target organization node, the task execution success rate and organization architecture change events; and, when a target condition is detected, triggering an iterative optimization flow for the routing rule, wherein the target condition comprises any one or a combination of the data transmission delay exceeding a preset threshold, a new lower-level node being added to the organization structure, and the communication parameters of an associated device changing, and wherein the iterative optimization flow comprises recalculating the recommended rule from the latest operation data and either generating an optimization suggestion pushed to the administrator interface or, when automatic optimization mode is enabled, directly replacing the currently effective routing rule, thereby performing closed-loop adaptive adjustment.
- 7. An intelligent multi-source security data distribution device, comprising: an organization architecture tree construction module, configured to construct a multi-level organization architecture tree in a network security platform, wherein the organization nodes of the organization architecture tree comprise a root node and child nodes, the root node represents an upper management unit, the child nodes represent lower units, and the root node and the child nodes are configured with unique organization identifiers; a bidirectional mapping relation establishing module, a bidirectional mapping relation judging module and a data processing module, wherein the bidirectional mapping relation establishing module is configured to configure a corresponding adapter for each organization node and establish a bidirectional mapping relation between the organization node and the adapter; a candidate routing rule generation module, configured to respond to a triggered rule recommendation operation, collect attribute parameters of the current organization node, and generate candidate routing rules based on the historical organization nodes matched by a collaborative filtering algorithm with a similarity not lower than a preset threshold; a final routing rule determining module, configured to determine a final routing rule according to a confirmation instruction or a fine-tuning instruction for the candidate routing rules; an effective routing rule determining module, configured to synchronize the final routing rule to a data routing engine arranged in the corresponding adapter and to enable the final routing rule as the effective routing rule; a distribution path determining module, configured to match, when a security task is created, corresponding task execution resources from a task resource pool according to the organization node to which the security task belongs, and to determine the distribution path of the security task result data through the effective routing rule; and a task distribution module, configured to distribute the security task to the corresponding organization nodes according to the distribution path and the multi-level organization architecture tree.
- 8. An electronic device, comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to perform the multi-source security data intelligent distribution method of any one of claims 1 to 6 by executing the executable instructions.
- 9. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the multi-source secure data intelligent distribution method of any of claims 1 to 6.
- 10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the multi-source secure data intelligent distribution method according to any one of claims 1-6.
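The procedure claimed in claims 1 to 5 (an identifier-bearing organization tree, an adapter binding checked in both directions, collaborative-filtering recommendation of routing rules, the adapter's multidimensional match table, and resource matching from the task pool) can be followed end to end in a small model. The Python below is an added example written for this page, not code from the patent, its inventors or the assignee. The level numbering (0 = top unit), the push_to vocabulary ("local", "parent", "root"), the FEATURES list, the message topic naming and every sample organization, adapter, rule and resource are assumptions, and match_resource deliberately tightens claim 5's level-only comparison to a lineage check, which is likewise an assumption rather than the claim's wording.

```python
# Added illustrative model of the claimed pipeline; not code from the patent or its assignee.
# Every identifier, level number, threshold and sample record below is an assumption.
from dataclasses import dataclass, field
import math

@dataclass
class OrgNode:
    org_id: str
    level: int                                   # 0 = top unit (national); larger = lower unit
    parent: str = ""                             # "" for the root
    adapters: set = field(default_factory=set)   # adapter ids bound here (claim 2, node side)
    attrs: dict = field(default_factory=dict)    # static attributes + dynamic operation data
    rules: list = field(default_factory=list)    # validated routing rules, reused as templates

@dataclass
class Adapter:
    adapter_id: str
    org_id: str                                  # org id held in adapter config (claim 2, adapter side)

@dataclass
class ExecResource:                              # task resource pool record (claim 5)
    res_id: str
    org_id: str                                  # attribution org; its level comes from the tree
    device_types: set
    max_concurrency: int
    load: int = 0

def check_bidirectional_mapping(nodes, adapters):
    """Adapter ids bound inconsistently in either direction; data from them must be refused."""
    bad = set()
    for a in adapters.values():                  # adapter -> node
        node = nodes.get(a.org_id)
        if node is None or a.adapter_id not in node.adapters:
            bad.add(a.adapter_id)
    for n in nodes.values():                     # node -> adapter
        bad.update(aid for aid in n.adapters if aid not in adapters or adapters[aid].org_id != n.org_id)
    return sorted(bad)

def lineage(nodes, node):
    """Org ids of the node and its ancestors, nearest first, root last."""
    ids, cur = [node.org_id], node
    while cur.parent:
        cur = nodes[cur.parent]; ids.append(cur.org_id)
    return ids

FEATURES = ("core_unit", "authority_scope", "asset_scale", "daily_tasks", "avg_delay_ms")

def recommend_rules(current, history, threshold=0.9):
    """Claim 3: rules of historical nodes with cosine similarity >= threshold become candidates.
    Features are max-scaled first so raw magnitudes (delay in ms) do not dominate the cosine."""
    raw = {n.org_id: [float(n.attrs.get(f, 0)) for f in FEATURES] for n in [current, *history]}
    mx = [max(v[i] for v in raw.values()) or 1.0 for i in range(len(FEATURES))]
    vec = {k: [x / m for x, m in zip(v, mx)] for k, v in raw.items()}
    cos = lambda a, b: sum(x * y for x, y in zip(a, b)) / (math.hypot(*a) * math.hypot(*b) or 1.0)
    out = []
    for h in history:
        sim = cos(vec[current.org_id], vec[h.org_id])
        if sim >= threshold:
            out += [{**r, "template_from": h.org_id, "similarity": round(sim, 3)} for r in h.rules]
    return sorted(out, key=lambda r: -r["similarity"])

class RoutingEngine:
    """Adapter-embedded engine (claim 4): (asset_type, vuln_level, org_level) -> (targets, priority)."""
    def __init__(self, nodes): self.nodes, self.table = nodes, {}

    def load_rules(self, rules):                 # on initial sync and on reload after a tree change
        self.table = {(r["asset_type"], r["vuln_level"], r["org_level"]): (r["push_to"], r["priority"])
                      for r in rules}

    def route(self, origin_org, meta):
        node = self.nodes[origin_org]
        push_to, prio = self.table.get((meta["asset_type"], meta["vuln_level"], node.level),
                                       (("local",), 9))   # no rule: keep locally, lowest priority
        chain = lineage(self.nodes, node)
        hop = {"local": chain[0], "parent": chain[1] if len(chain) > 1 else "", "root": chain[-1]}
        targets = [hop[s] for s in push_to if hop.get(s)]
        return {"targets": targets, "priority": prio, "topic": f"secdata.p{prio}"}

def match_resource(nodes, pool, node, device_type):
    """Claim 5 screens on attribution level >= the task's level; this version (an assumption) is
    stricter: the resource's org must be the task's org or an ancestor. Least relative load wins."""
    allowed = set(lineage(nodes, node))
    ok = [r for r in pool if r.org_id in allowed and device_type in r.device_types
          and r.load < r.max_concurrency]
    return min(ok, key=lambda r: r.load / r.max_concurrency) if ok else None

def build_demo():
    """Constructed sample data: national -> province -> two cities, one adapter each, three resources."""
    rule = {"asset_type": "server", "vuln_level": "high", "org_level": 2,
            "push_to": ("local", "parent", "root"), "priority": 1}
    c1 = {"core_unit": 1, "authority_scope": 3, "asset_scale": 4, "daily_tasks": 120, "avg_delay_ms": 80}
    c2 = {"core_unit": 1, "authority_scope": 3, "asset_scale": 4, "daily_tasks": 110, "avg_delay_ms": 90}
    nodes = {"ORG-0": OrgNode("ORG-0", 0, "", {"adp-0"}),
             "ORG-P1": OrgNode("ORG-P1", 1, "ORG-0", {"adp-p1"}),
             "ORG-C1": OrgNode("ORG-C1", 2, "ORG-P1", {"adp-c1"}, c1, [rule]),
             "ORG-C2": OrgNode("ORG-C2", 2, "ORG-P1", {"adp-c2"}, c2)}
    adapters = {aid: Adapter(aid, oid) for oid, n in nodes.items() for aid in n.adapters}
    pool = [ExecResource("res-c1", "ORG-C1", {"vuln_scanner"}, 4, 3),
            ExecResource("res-p1", "ORG-P1", {"vuln_scanner", "asset_probe"}, 8, 2),
            ExecResource("res-c2", "ORG-C2", {"vuln_scanner"}, 4, 0)]
    return nodes, adapters, pool
```

With the sample data, recommend_rules for ORG-C2 finds ORG-C1 at similarity about 0.998 and offers its validated rule as the candidate; loading that rule into a RoutingEngine routes a high-level server vulnerability from ORG-C2 to ORG-C2, ORG-P1 and ORG-0 on topic secdata.p1, while unmatched data stays local at priority 9. The check_bidirectional_mapping function is the part a practitioner should keep even if the rest is replaced: claim 2's binding is what ties incoming security data to an organization identifier, so an adapter whose own configuration names a different organization than the node that lists it must be refused before its data is routed, and the check should rerun on every configuration synchronization event after a tree change. Note also that claim 5 compares only attribution levels, so a sibling unit's resource at the same level would pass that test; the example therefore additionally requires the resource to belong to the task's organization or one of its ancestors, which is what keeps res-c2 from executing ORG-C1's scan.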
Description
Multi-source security data intelligent distribution method and device, storage medium and electronic equipment
Technical Field
The disclosure relates to the technical field of network security, and in particular to a method and a device for intelligently distributing multi-source security data, a storage medium and electronic equipment.
Background
With the continuous deepening of network security supervision systems, large government and enterprise organizations generally adopt a multi-level organization architecture (for example national, provincial, municipal and district/county levels) to manage the security work of subordinate institutions uniformly. Against this background, the massive security data generated by various security devices (such as vulnerability scanners, asset discovery systems and log collectors) must circulate efficiently and accurately between organization layers in order to support situation awareness, risk analysis and emergency response at the superior unit.
Currently, mainstream Security Information and Event Management (SIEM) platforms or Security Operations Centers (SOCs) typically implement the distribution of security data by configuring static routing rules or writing customized scripts. For example, an administrator must manually define policies such as "report high-risk vulnerabilities of a certain city to the provincial department" or "core asset data is kept locally only" and hard-code them into the data pipeline. In complex organizational scenarios this approach faces the following prominent problems.
First, the organization architecture is highly dynamic, but the data attribution mechanism is rigid. Government and enterprise units frequently add, merge or abolish subordinate units because of institutional reform and functional adjustment, but existing systems lack the capability to map organization structure changes automatically onto data access and distribution logic, so newly established units cannot be connected to the platform in time or the attribution of historical data becomes disordered, which affects responsibility tracing and authority control.
Second, routing rules depend heavily on human experience, are costly to configure and are prone to error. Organizations differ significantly in business importance, asset size, device type and so on, and the ideal distribution strategy should vary from organization to organization. However, current systems generally adopt a one-size-fits-all or fully manual configuration mode in which an administrator fills in push paths, priorities, synchronization frequencies and similar parameters item by item; efficiency is low and the rationality and consistency of the strategy are hard to guarantee.
Third, task scheduling is disconnected from data distribution and resource utilization is unbalanced. When security tasks such as vulnerability scanning and asset checking are executed, the task scheduling module usually operates independently of the data routing module and cannot dynamically match execution resources according to organization level and device capability, so tasks of high authority are easily processed by resources of low authority, or high-performance devices sit idle while low-performance devices are overloaded, which lowers overall operating efficiency.
Finally, the system lacks adaptive optimization capability and is therefore difficult to evolve continuously. In existing schemes the routing rules are fixed for a long time once configured and cannot be adjusted dynamically according to the actual running state (such as network delay, task success rate and device changes), so that after the service load changes or the infrastructure is upgraded the performance of data distribution degrades or even fails.
Therefore, a multi-source intelligent security data distribution method is needed that is driven by the organization architecture as its core, supports intelligent rule recommendation, links tasks with data and has adaptive optimization capability, so as to remedy the shortcomings of the prior art in flexibility, accuracy, automation and maintainability.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and may therefore include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure provides a multi-source security data intelligent distribution method and device, a storage medium and electronic equipment, which at least to some extent overcome the problems in the related art of information delay caused by the lack of a deep association between adapters and the organization architecture, and of the rigidity of routing rules. Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the pract