CN-122020638-A - Auditable workflow of auditable network security intelligent agent and construction method thereof

Abstract

The invention relates to the technical field of network security and audit, and discloses auditable workflow of auditable network security intelligent agents and a construction method thereof. The method comprises the steps of receiving a security task request, generating a unique identifier, creating a session context containing multiple types of policy rules, analyzing tasks, generating a tool call sequence through tool route matching, carrying out risk level assessment on tool calls in the sequence, triggering an approval process when the thresholds are exceeded, dynamically selecting an isolation environment and executing the tool sequence according to approval results and sandbox policies, capturing output and system states in real time in the execution process, recording state differences through a difference tracking algorithm, generating an audit event stream, and finally integrating all events, approval records and results to form a structural audit log and storing the structural audit log in an associated mode. The invention realizes the dynamic approval triggering based on real-time risk and the fine granularity audit on the level influence of the tool operating system.

Inventors

• BAI YINGDONG
• XU MENG
• LI WEIZHU
• LIU WEI
• WANG ZIHAO

Assignees

• 北京灵云数科信息技术有限公司

Dates

Publication Date

20260512

Application Date

20251231

Claims (10)

1. 1. The auditable workflow construction method for the auditable network security agent is characterized by comprising the following steps of: Receiving a security task request submitted by a user or an upstream system, storing the security task request into a task queue, and sequencing the priorities to generate a unique task identifier; Creating a session context object based on the unique task identifier, the session context object comprising an approval policy rule set, a sandbox quarantine policy rule set, a security tool configuration rule set, and a working directory path; analyzing a security task request in a session context object, matching tool definitions in a security tool registry through a tool routing algorithm, and generating a security tool call sequence; Aiming at each tool call in the security tool call sequence, carrying out risk level assessment according to an approval strategy rule set, triggering an approval process when the risk level exceeds a threshold value, generating an approval request event and waiting for approval decision; determining sandbox isolation level by adopting a dynamic environment selection algorithm according to the approval decision result and the sandbox isolation policy rule set, and executing a security tool call sequence in the selected sandbox environment; Capturing tool output flow, system state change and file modification operation in real time in the execution process, recording system state differences before and after the execution by a difference tracking algorithm, and generating an audit event flow; integrating the audit event stream, the approval decision record and the tool execution result to form a structured audit log, and storing the session context object and the audit log in a database in an associated manner.
2. 2. The auditable workflow construction method of auditable network security agents of claim 1, wherein the storing and prioritizing security task requests into task queues generates unique task identifiers, comprising: Performing format verification on the received security task request, and eliminating the security task request which does not accord with the grammar specification; Extracting key fields of the verified security task request, including task types, resource requirements and time stamps; calculating priority weight according to task types and resource requirements, and dynamically sequencing the security task requests by adopting a weighted polling algorithm; distributing a globally unique task identifier for each sequenced security task request, wherein the task identifier comprises a timestamp hash and a serial number; pushing the secure task request with the task identifier to the designated position of the task queue and triggering a task scheduler ready signal.
3. 3. The auditable network security agent auditable workflow construction method of claim 2, wherein the creating a session context object based on the unique task identifier, the session context object comprising an approval policy rule set, a sandbox quarantine policy rule set, a security tool configuration rule set, and a working directory path, comprises: Loading an approval strategy rule set corresponding to the task type from a strategy database according to the task identifier, wherein the approval strategy rule set defines a risk threshold and an approval triggering condition; loading a sandbox isolation policy rule set from an environment configuration file, wherein the sandbox isolation policy rule set designates available sandbox types and isolation level mapping relations; Querying a security tool registry to obtain an available tool list, and generating a security tool configuration rule set in combination with task requirements, wherein the security tool configuration rule set constrains a tool calling parameter and a parallel execution strategy; determining a working directory path according to the task identifier and the user authority, and setting directory access authority rules; the approval policy rule set, the sandbox quarantine policy rule set, the security tool configuration rule set, and the working directory path are packaged as session context objects and bound to the task identifier.
4. 4. The auditable workflow construction method of claim 3, wherein the parsing the security task request in the session context object matches the tool definition in the security tool registry by means of a tool routing algorithm, generating a security tool call sequence, comprising: extracting text description of a security task request from a session context object, and identifying key operation intention and parameters by adopting a natural language analysis algorithm; carrying out semantic similarity matching on the key operation intention and tool definitions in a safe tool registry, and screening out a candidate tool set; According to the parallel strategy and resource limitation in the safety tool configuration rule set, carrying out dependency analysis on the candidate tool set to generate a tool call dependency graph; Determining a tool execution sequence by adopting a topology sequencing algorithm based on the tool call dependency graph, and distributing call parameters to form a safe tool call sequence; The security tool call sequence is associated with the session context object and the tool execution state tracking interface is reserved.
5. 5. The auditable workflow construction method of claim 4, wherein for each tool call in the sequence of security tool calls, risk level assessment is performed according to an approval policy rule set, and when the risk level exceeds a threshold, an approval process is triggered, an approval request event is generated and an approval decision is awaited, specifically comprising: extracting command parameters and target resources of the current tool call from the safe tool call sequence; according to the risk calculation rules in the approval policy rule set, extracting characteristics of command parameters and target resources, and calculating a risk scoring value; Comparing the risk score value with a risk threshold value preset in the approval policy rule set, and if the risk score value exceeds the risk threshold value, generating an approval request event, wherein the approval request event comprises tool calling details and the risk score value; sending an approval request event to an approval queue, and starting a timeout timer to wait for approval decision; if the approval decision is received within the timeout period, the approval state called by the tool is updated, and if the approval decision is overtime, the approval state is automatically processed according to the default strategy.
6. 6. The auditable workflow construction method of claim 5, wherein the security tool call sequence is executed in a selected sandbox environment by determining a sandbox isolation level using a dynamic environment selection algorithm based on an approval decision and a sandbox isolation policy rule set, comprising: analyzing the approval decision result, and acquiring the authorization state and the constraint condition called by the tool; Generating a sandbox selection candidate list according to the sandbox isolation strategy rule set and the resource requirements called by the tool; calculating the resource cost and isolation effect of each candidate sandbox by adopting a cost minimization algorithm, and selecting the optimal sandbox type; Initializing a sandbox environment according to the optimal sandbox type, and configuring network rules, file system mounting points and process isolation strategies; executing tool commands in the initialized sandboxed environment according to the order of the safety tool call sequence, and monitoring the use condition of execution process resources.
7. 7. The auditable workflow construction method of claim 6, wherein the real-time capturing of tool output stream, system state change and file modification operations during execution, recording system state differences before and after execution by a difference tracking algorithm, generating an audit event stream, specifically comprising: before the tool is executed, snapshot is carried out on a file system under a working directory path, and file hash values and metadata are recorded; capturing a standard output stream and a standard error stream in the tool execution process in real time, and adding a time stamp and a tool identifier; monitoring file system operations during tool execution, including file creation, modification, and deletion operations; After the tool is executed, snapshot is carried out on the file system again, comparison is carried out with the snapshot before execution, and a content comparison algorithm is adopted to generate a change record with a unified difference format; the tool output stream, file system change records, and system resource monitoring data are combined into an audit event stream and ordered in chronological order.
8. 8. The auditable workflow construction method of claim 7, wherein the integrating audit event stream, approval decision record and tool execution result forms a structured audit log and stores session context objects and audit log associations to a database, comprising: Extracting key event types from the audit event stream, including a tool start event, a tool end event, a file change event and a resource use event; Inserting an approval request event and an approval response event in an approval decision record into an audit event stream according to a time line; Normalizing the execution result of each tool, and converting the normalization result into a standardized result format; encoding audit event streams, approval decision records and tool execution results into structured data packets by adopting an event serialization algorithm; the structured data package is associated with a task identifier of the session context object and is stored in compression to a history table of the audit database.
9. 9. The auditable network security agent auditable workflow construction method of claim 8, further comprising, after said forming a structured audit log: Periodically loading a history record table from an audit database, and counting task execution success rate and resource consumption mode; identifying an abnormal execution mode by adopting a cluster analysis algorithm based on the statistical result, and adjusting a risk threshold in an approval strategy rule set; Updating a session context object template according to the adjusted approval policy rule set for subsequent task processing; index optimization is carried out on the structured audit log in the audit database to support quick query according to the task identifier, the time range and the tool type, and the method specifically comprises the following steps: establishing a multi-level index structure for a structured audit log in an audit database, wherein the multi-level index structure comprises a task identifier main index, a time range auxiliary index and a tool type auxiliary index; when a query request is received, analyzing task identifier, time range and tool type fields in the query condition; locating the matched audit log records by adopting a range query algorithm according to the index structure, and filtering irrelevant data; paging and sorting the query results and generating a query abstract report; the query summary report is returned to the user interface or auditing system.
10. 10. An auditable network security agent auditable workflow constructed using a method of constructing an auditable network security agent auditable workflow according to any of claims 1 to 9, characterized in that the workflow comprises: The task receiving and scheduling module is used for receiving and verifying the security task request, sequencing the priority of the security task request, distributing a unique task identifier, and placing the task into a queue; the system comprises a policy and context management module, a security tool configuration rule set and a work directory path, wherein the policy and context management module is used for creating and managing a session context object for a task, and the object comprises an approval policy rule set, a sandbox isolation policy rule set, a security tool configuration rule set and a work directory path; The tool analysis and arrangement module is used for analyzing the security task request, and generating and managing a security tool call sequence by matching tool definition and dependency analysis; The risk assessment and approval module is used for assessing the risk level called by the tool, triggering and managing the approval process when the risk exceeds a threshold value, and waiting for and recording approval decisions; the sandbox environment and execution module is used for dynamically selecting and initializing the sandbox environment according to approval decisions and strategies and executing a security tool call sequence in the isolation environment; the execution process audit module is used for monitoring and capturing output, system state and file change in the tool execution process in real time and generating an audit event stream through difference comparison; The audit log integrating module is used for integrating audit event streams, approval decision records and tool execution results to form a structured audit log and completing associated storage; and the audit analysis and optimization module is used for carrying out analysis statistics on the historical audit log, optimizing the approval strategy and establishing an index for the stored audit log so as to support efficient inquiry.

Description

Auditable workflow of auditable network security intelligent agent and construction method thereof Technical Field The invention relates to the technical field of network security and audit, in particular to an auditable workflow of an auditable network security intelligent agent and a construction method thereof. Background In the field of automatic safety operation and maintenance, the realization of complex tasks by calling various safety tools through an agent has become a trend. The existing flow control technology generally adopts a unified and static approval strategy before task execution, and all high-authority or high-risk tool calls need to be approved in advance. The approval mode of the 'one-cut' is difficult to dynamically adjust according to the actual risks and the contexts of different tools, so that the approval process is stiff. The low-risk operation delays response due to waiting for approval, or the high-risk operation bypasses approval due to configuration omission, so that efficiency and safety are difficult to be compatible. Current security audit techniques rely primarily on log records of the tool's own output, or simple input-output capture of the execution environment. The audit log records the commands and returns results that the tool executes, but cannot effectively correlate and record the actual state impact that the tool executes on the underlying operating system. The concrete change of the file system, the connection change of the process network and the causal relation between specific tool calls are missing, so that the tracing of the postmortem security event and root cause analysis are difficult, and the audit chain is incomplete. The invention aims to solve the problems that the approval process in the prior art lacks dynamic adaptability based on real-time risks and audit records cannot be accurately related to tool operation and system state change. Disclosure of Invention The invention aims to provide auditable workflow of auditable network security intelligent agent and a construction method thereof, which are used for solving the problems in the background technology. In order to achieve the above object, the present invention provides a method for constructing auditable workflow of auditable network security agent, the method comprising: Receiving a security task request submitted by a user or an upstream system, storing the security task request into a task queue, and sequencing the priorities to generate a unique task identifier; Creating a session context object based on the unique task identifier, the session context object comprising an approval policy rule set, a sandbox quarantine policy rule set, a security tool configuration rule set, and a working directory path; analyzing a security task request in a session context object, matching tool definitions in a security tool registry through a tool routing algorithm, and generating a security tool call sequence; Aiming at each tool call in the security tool call sequence, carrying out risk level assessment according to an approval strategy rule set, triggering an approval process when the risk level exceeds a threshold value, generating an approval request event and waiting for approval decision; determining sandbox isolation level by adopting a dynamic environment selection algorithm according to the approval decision result and the sandbox isolation policy rule set, and executing a security tool call sequence in the selected sandbox environment; Capturing tool output flow, system state change and file modification operation in real time in the execution process, recording system state differences before and after the execution by a difference tracking algorithm, and generating an audit event flow; integrating the audit event stream, the approval decision record and the tool execution result to form a structured audit log, and storing the session context object and the audit log in a database in an associated manner. Preferably, the storing the secure task request in a task queue and performing priority ordering to generate a unique task identifier specifically includes: Performing format verification on the received security task request, and eliminating the security task request which does not accord with the grammar specification; Extracting key fields of the verified security task request, including task types, resource requirements and time stamps; calculating priority weight according to task types and resource requirements, and dynamically sequencing the security task requests by adopting a weighted polling algorithm; distributing a globally unique task identifier for each sequenced security task request, wherein the task identifier comprises a timestamp hash and a serial number; pushing the secure task request with the task identifier to the designated position of the task queue and triggering a task scheduler ready signal. Preferably, the creating a session context object based on the unique task