Security service orchestration method, orchestrator and system

By using the security service orchestration method and system, the problem of implementing centralized security capabilities in 5G slicing networks is solved: the centralized capability covers and protects every slice network, deployment costs are reduced, and automated operation becomes more efficient.

CN115696330B · Active · Publication Date: 2026-06-23 · CHINA TELECOM CORP LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CHINA TELECOM CORP LTD
Filing Date: 2021-07-22
Publication Date: 2026-06-23


Abstract

The present disclosure provides a security service orchestration method, an orchestrator and a system. The security service orchestration method comprises: obtaining a security policy table associated with a security device from a security device policy library; extracting protection target asset information, security policy information and security policy execution frequency information from the security policy table; comparing the protection target asset information with a protection target asset library to obtain slice network information; decomposing the security policy information at a protection target asset granularity to obtain a security policy detail table; merging the security policy detail table according to the slice network information to obtain a security policy table associated with the slice network; determining an execution period and an order of each security policy according to the security policy execution frequency information to generate a security orchestration table; issuing the security policy to the security device according to a task time sequence; and triggering a network orchestrator to adjust a corresponding slice network to the security device after the security policy takes effect, so as to control the security device to execute a security task.

Description

Technical Field

[0001] This disclosure relates to the field of security, and in particular to a security service orchestration method, orchestrator, and system.

Background Technology

[0002] Currently, many security applications are adopting centralized deployment to improve the utilization efficiency of security assets. For example, vulnerability scanners and website probing systems do not have high requirements for real-time performance and concurrency, so they are suitable for centralized deployment.

Summary of the Invention

[0003] The inventors noted that the isolation characteristics of service networks in 5G slicing networks pose challenges to the implementation of centralized security capabilities. This is mainly reflected in two aspects: First, because protected assets are isolated in different network segments, a single-point security device cannot reach them over the network. Second, if the security device is configured to connect to all slice networks simultaneously, this fully connected point compromises the isolation characteristics of the slicing network and becomes a weak point that attackers can exploit.

[0004] To this end, this disclosure provides a security service orchestration scheme that enables centralized security mechanisms to fully cover all network slices, reducing deployment standby costs while ensuring asset security.

[0005] According to a first aspect of the present disclosure, a security service orchestration method is provided, comprising: after receiving security device information to be orchestrated, obtaining a security policy table associated with the security device from a security device policy library; extracting protection target asset information, security policy information, and security policy execution frequency information from the security policy table associated with the security device; comparing the protection target asset information with a protection target asset library to obtain slice network information associated with the protection target asset; decomposing the security policy information at the protection target asset granularity to obtain a detailed security policy table classified according to different protection target assets; merging the detailed security policy tables according to the slice network information associated with the protection target asset to obtain a security policy table associated with the slice network; determining the execution cycle and order of each security policy in the security policy table associated with the slice network based on the security policy execution frequency information to generate a security orchestration table; establishing a task sequence and distributing the security policies in the security policy table associated with the slice network to the security device according to the task sequence; after receiving feedback information from the security device indicating that the security policy has taken effect, triggering the network orchestrator to perform network orchestration so as to adjust the corresponding slice network to the security device; and controlling the security device to execute security tasks after the network orchestration is completed.

[0006] In some embodiments, after receiving execution duration information sent by the security device, the execution timing of each security policy in the security policy table associated with the slice network is adjusted according to the execution duration information, wherein the security device sends the execution duration information after the security task is completed.

[0007] In some embodiments, after obtaining the security policy table associated with the slice network, the security policy table associated with the slice network is checked; if there are no policy errors or conflicts in the security policy table associated with the slice network, the step of generating a security orchestration table is performed.

[0008] According to a second aspect of the present disclosure, a security service orchestrator is provided, comprising: a first processing module configured to, upon receiving security device information to be orchestrated, obtain a security policy table associated with the security device from a security device policy library, and extract protection target asset information, security policy information, and security policy execution frequency information from the security policy table associated with the security device; a second processing module configured to compare the protection target asset information with a protection target asset library to obtain slice network information associated with the protection target asset, decompose the security policy information at the protection target asset granularity to obtain a detailed security policy table classified according to different protection target assets, and merge the detailed security policy tables according to the slice network information associated with the protection target asset to obtain a security policy table associated with the slice network; and a third processing module configured to determine the execution cycle and order of each security policy in the security policy table associated with the slice network based on the security policy execution frequency information, generate a security orchestration table, establish a task sequence, and distribute the security policies in the security policy table associated with the slice network to the security device according to the task sequence, trigger the network orchestrator to perform network orchestration after receiving feedback information from the security device indicating that the security policy has taken effect, so as to adjust the corresponding slice network to the security device, and control the security device to execute security tasks after the network orchestration is completed.

[0009] In some embodiments, the second processing module is further configured to, after receiving the execution duration information sent by the security device, adjust the execution timing of each security policy in the security policy table associated with the slice network according to the execution duration information, wherein the security device sends the execution duration information after the security task is completed.

[0010] In some embodiments, the second processing module is further configured to, after obtaining the security policy table associated with the slice network, check the security policy table associated with the slice network, and if there are no policy errors or conflicts in the security policy table associated with the slice network, then perform the operation of generating a security orchestration table.

[0011] According to a third aspect of the present disclosure, a security service orchestrator is provided, comprising: a memory configured to store instructions; and a processor coupled to the memory, the processor being configured to execute the instructions stored in the memory to implement the method as described in any of the above embodiments.

[0012] According to a fourth aspect of the present disclosure, a security service orchestration system is provided, comprising: a security service orchestrator as described in any of the preceding embodiments; a security device policy library configured to store security policy tables associated with security devices; a protection target asset library configured to store slice network information associated with protection target assets; a network orchestrator configured to perform network orchestration based on triggering operations of the security service orchestrator, so as to adjust the corresponding slice networks to the security devices; and a security device configured to send feedback information indicating that a security policy has taken effect to the security service orchestrator after the security policy sent by the security service orchestrator has taken effect, and further configured to execute security tasks under the control of the security service orchestrator after network orchestration is completed.

[0013] In some embodiments, the security device is also configured to send execution duration information to the security service orchestrator after the security task has been completed.

[0014] According to a fifth aspect of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions that, when executed by a processor, implement the method as described in any of the above embodiments.

[0015] Other features and advantages of this disclosure will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.

Description of the Drawings

[0016] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0017] Figure 1 is a flowchart illustrating a security service orchestration method according to an embodiment of the present disclosure;

[0018] Figure 2 is a schematic diagram of the structure of a security service orchestrator according to an embodiment of the present disclosure;

[0019] Figure 3 is a schematic diagram of the structure of a security service orchestrator according to another embodiment of the present disclosure;

[0020] Figure 4 is a schematic diagram of the structure of a security service orchestration system according to an embodiment of the present disclosure.

Detailed Description

[0021] The technical solutions of the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this disclosure, and not all embodiments. The following description of at least one exemplary embodiment is merely illustrative and is in no way intended to limit this disclosure or its application or use. All other embodiments obtained by those skilled in the art based on the embodiments of this disclosure without creative effort are within the scope of protection of this disclosure.

[0022] Unless otherwise specifically stated, the relative arrangement, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of this disclosure.

[0023] At the same time, it should be understood that, for ease of description, the dimensions of the various parts shown in the accompanying drawings are not drawn according to actual scale.

[0024] Techniques, methods, and equipment known to those skilled in the art may not be discussed in detail, but where appropriate, such techniques, methods, and equipment should be considered part of the specification.

[0025] In all examples shown and discussed herein, any specific values should be interpreted as merely exemplary and not as limitations. Therefore, other examples of exemplary embodiments may have different values.

[0026] It should be noted that similar labels and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be discussed further in subsequent figures.

[0027] Figure 1 is a flowchart illustrating a security service orchestration method according to an embodiment of the present disclosure. In some embodiments, the following security service orchestration method is executed by a security service orchestrator.

[0028] In step 101, after receiving the security device information that needs to be orchestrated, the security policy table associated with the security device is obtained from the security device policy library.

[0029] In step 102, the protection target asset information, security policy information, and security policy execution frequency information are extracted from the security policy table associated with the security device.

[0030] In step 103, the protection target asset information is compared with the protection target asset database to obtain the slice network information associated with the protection target asset.

[0031] In step 104, the security policy information is decomposed at the granularity of the protected target assets to obtain a detailed table of security policies classified according to different protected target assets.

[0032] In step 105, the detailed security policy tables are merged according to the slice network information associated with the protection target asset to obtain a security policy table associated with the slice network.

[0033] In some embodiments, after obtaining the security policy table associated with the slice network, the security policy table associated with the slice network is checked to prevent policy errors and conflicts. If there are no policy errors or conflicts in the security policy table associated with the slice network, the following steps for generating a security orchestration table are performed.

[0034] In step 106, the execution cycle and order of each security policy in the security policy table associated with the slice network are determined based on the security policy execution frequency information to generate a security orchestration table.

[0035] In step 107, a task sequence is established, and the corresponding security policies in the security policy table associated with the slice network are distributed to the security devices according to the task sequence.

[0036] In step 108, after receiving feedback information from the security device indicating that the security policy has taken effect, the network orchestrator is triggered to perform network orchestration in order to adjust the corresponding slice network to the security device.

[0037] In step 109, after the network orchestration is completed, the security device is controlled to perform security tasks.

[0038] In some embodiments, after receiving execution duration information sent by the security device, the execution timing of each security policy in the security policy table associated with the slice network is adjusted according to the execution duration information, wherein the security device sends the execution duration information after the security task is completed.
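The procedure of steps 101 to 109, together with the policy check of paragraph [0033] and the duration-based re-timing of paragraph [0038], as an added worked example in Python. This is not code from the patent or from China Telecom; the policy library, asset library, device and slice names, the "run every N hours" reading of execution frequency, the ordering rule (most frequent policy first), the conflict rule (same asset and policy with different frequencies), the re-timing rule (a run longer than its period pushes the next run out), and the detach after each slice are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed inputs (hypothetical, not from the patent). freq_h is the
# security policy execution frequency, read here as "run every N hours".
DEVICE_POLICY_LIBRARY = {"scanner-01": [
    {"asset": "web-portal",  "policy": "vuln-scan", "freq_h": 24},
    {"asset": "web-portal",  "policy": "web-probe", "freq_h": 6},
    {"asset": "billing-db",  "policy": "vuln-scan", "freq_h": 24},
    {"asset": "iot-gateway", "policy": "vuln-scan", "freq_h": 168},
]}
ASSET_LIBRARY = {"web-portal": "slice-eMBB", "billing-db": "slice-eMBB",
                 "iot-gateway": "slice-mMTC"}   # asset -> slice network


def slices_for(assets, library=ASSET_LIBRARY):            # step 103
    """Map protected assets to slices; an asset missing from the library
    is a hard error, because the device could never reach it."""
    missing = sorted(a for a in assets if a not in library)
    if missing:
        raise KeyError(f"assets not in protection target library: {missing}")
    return {a: library[a] for a in assets}


def decompose_by_asset(table):                            # step 104
    detail = defaultdict(list)
    for row in table:
        detail[row["asset"]].append(row)
    return dict(detail)


def merge_by_slice(detail, asset_slices):                 # step 105
    per_slice = defaultdict(list)
    for asset, rows in detail.items():
        per_slice[asset_slices[asset]].extend(rows)
    return dict(per_slice)


def check_policies(per_slice):                            # paragraph [0033]
    """Return policy errors/conflicts: a non-positive frequency, or the
    same asset+policy listed twice with different frequencies (assumed rules)."""
    problems = []
    for slice_id, rows in per_slice.items():
        seen = {}
        for r in rows:
            key = (r["asset"], r["policy"])
            if r["freq_h"] <= 0:
                problems.append(f"{slice_id}: {key} invalid frequency")
            elif key in seen and seen[key] != r["freq_h"]:
                problems.append(f"{slice_id}: {key} conflicting frequencies")
            seen.setdefault(key, r["freq_h"])
    return problems


def orchestration_table(per_slice):                       # step 106
    """Execution period = frequency; order = most frequent policy first
    (assumed ordering rule; the patent leaves the rule open)."""
    return {s: [{"asset": r["asset"], "policy": r["policy"], "period_h": r["freq_h"]}
                for r in sorted(rows, key=lambda r: (r["freq_h"], r["asset"], r["policy"]))]
            for s, rows in per_slice.items()}


class NetworkOrchestrator:
    """Attaches the device to one slice at a time. Detaching afterwards is an
    assumption: it keeps the device from becoming the fully connected point
    that paragraph [0003] warns about."""
    def __init__(self):
        self.attached, self.log = None, []

    def attach(self, device, slice_id):
        if self.attached is not None:
            raise RuntimeError(f"{device} still attached to {self.attached}")
        self.attached = slice_id
        self.log.append(("attach", device, slice_id))

    def detach(self, device):
        self.log.append(("detach", device, self.attached))
        self.attached = None


class SimulatedDevice:
    """Stands in for the security device: acknowledges policies as in effect
    and reports a constructed execution duration per task."""
    def __init__(self, durations_h):
        self.durations_h = durations_h

    def apply(self, policies):          # step-108 'policy in effect' feedback
        return len(policies) > 0

    def execute(self, task):            # [0038] execution duration feedback
        return self.durations_h.get((task["asset"], task["policy"]), 0)


def orchestrate(device_id, device, net):                  # steps 101-109
    table = DEVICE_POLICY_LIBRARY[device_id]              # step 101
    assets = {r["asset"] for r in table}                  # step 102
    per_slice = merge_by_slice(decompose_by_asset(table), slices_for(assets))
    problems = check_policies(per_slice)
    if problems:
        raise ValueError(problems)
    schedule = []
    for slice_id, tasks in orchestration_table(per_slice).items():  # step 107
        if not device.apply(tasks):      # wait for 'policy in effect'
            continue
        net.attach(device_id, slice_id)  # step 108: slice adjusted to device
        for t in tasks:                  # step 109
            d = device.execute(t)
            # [0038] re-timing, assumed rule: a run longer than its period
            # pushes the next run out to the measured duration.
            schedule.append((slice_id, t["asset"], t["policy"], max(t["period_h"], d)))
        net.detach(device_id)
    return schedule


if __name__ == "__main__":
    net = NetworkOrchestrator()
    for row in orchestrate("scanner-01", SimulatedDevice({("web-portal", "web-probe"): 8}), net):
        print(row)
```

The orchestrator never holds two slices attached at once, and `check_policies` runs before any policy is issued, so a conflicting table stops the sequence before the network orchestrator is triggered. The `web-probe` task whose simulated run (8 h) exceeds its 6 h period shows the re-timing of paragraph [0038]: its next run is pushed out to 8 h while the other tasks keep their configured period.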

[0039] Figure 2 is a schematic diagram of the structure of a security service orchestrator according to an embodiment of this disclosure. As shown in Figure 2, the security service orchestrator includes a first processing module 21, a second processing module 22, and a third processing module 23.

[0040] The first processing module 21 is configured to, upon receiving security device information that needs to be orchestrated, retrieve a security policy table associated with the security device from the security device policy library, and extract the protected target asset information, security policy information, and security policy execution frequency information from the security policy table associated with the security device.

[0041] The second processing module 22 is configured to compare the protection target asset information with the protection target asset database to obtain the slice network information associated with the protection target asset, decompose the security policy information at the protection target asset granularity to obtain a detailed security policy table classified according to different protection target assets, and merge the detailed security policy tables according to the slice network information associated with the protection target asset to obtain a security policy table associated with the slice network.

[0042] The third processing module 23 is configured to determine the execution cycle and order of each security policy in the security policy table associated with the slice network based on the security policy execution frequency information, so as to generate a security orchestration table, establish a task sequence, and distribute the security policies in the security policy table associated with the slice network to the security device according to the task sequence. After receiving the feedback information of the security policy taking effect sent by the security device, it triggers the network orchestrator to perform network orchestration in order to adjust the corresponding slice network to the security device. After the network orchestration is completed, it controls the security device to execute security tasks.

[0043] In some embodiments, the second processing module 22 is further configured to adjust the execution timing of each security policy in the security policy table associated with the slice network according to the execution duration information after receiving the execution duration information sent by the security device, wherein the security device sends the execution duration information after the security task is completed.

[0044] In some embodiments, the second processing module 22 is further configured to, after obtaining the security policy table associated with the slice network, check the security policy table associated with the slice network, and if there are no policy errors or conflicts in the security policy table associated with the slice network, then perform the operation of generating a security orchestration table.

[0045] Figure 3 is a schematic diagram of the structure of a security service orchestrator according to another embodiment of this disclosure. As shown in Figure 3, the security service orchestrator includes a memory 31 and a processor 32.

[0046] Memory 31 is configured to store instructions, and processor 32 is coupled to memory 31. Processor 32 is configured to execute the instructions stored in memory 31 to implement the method of any of the embodiments of Figure 1.

[0047] As shown in Figure 3, the security service orchestrator also includes a communication interface 33 for exchanging information with other devices. Additionally, the security service orchestrator includes a bus 34, through which the processor 32, communication interface 33, and memory 31 communicate with each other.

[0048] The memory 31 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk storage device. The memory 31 may also be a memory array. The memory 31 may also be divided into blocks, and the blocks may be combined into virtual volumes according to certain rules.

[0049] Furthermore, processor 32 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure.

[0050] This disclosure also relates to a computer-readable storage medium storing computer instructions that, when executed by a processor, implement the method of any of the embodiments of Figure 1.

[0051] Figure 4 is a schematic diagram of the structure of a security service orchestration system according to an embodiment of this disclosure. As shown in Figure 4, the security service orchestration system includes a security service orchestrator 41, a security device policy library 42, a protection target asset library 43, a network orchestrator 44, and a security device 45. The security service orchestrator 41 is the security service orchestrator of any of the embodiments of Figure 2 or Figure 3.

[0052] Security device policy library 42 is configured to store security policy tables associated with security devices. Protected target asset library 43 is configured to store slice network information associated with protected target assets.

[0053] Network orchestrator 44 is configured to perform network orchestration based on the triggering operation of security service orchestrator 41, so as to adjust the corresponding slice network to the security device.

[0054] Security device 45 is configured to send feedback information indicating that the security policy has taken effect to security service orchestrator 41 after the security policy sent by security service orchestrator 41 takes effect, and is also configured to perform security tasks under the control of the security service orchestrator after network orchestration is completed.

[0055] In some embodiments, the security device 45 is further configured to send execution duration information to the security service orchestrator 41 after the security task is completed.

[0056] In some embodiments, the functional unit modules described above may be implemented as general-purpose processors, programmable logic controllers (PLCs), digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or any suitable combination thereof for performing the functions described herein.

[0057] By implementing this disclosure, the following beneficial effects can be obtained:

[0058] The collaborative orchestration technology proposed for integrated security capabilities in 5G slicing network scenarios solves the incompatibility of those capabilities with the new slicing network scenarios, helps to promote the evolution of integrated construction solutions, and improves the application scope and utilization rate of integrated security solutions.

[0059] By using an orchestrator to coordinate security policies and network transformation, dynamic adaptation in 5G slicing network scenarios is achieved, which can promote the implementation of automated operation mechanisms and improve the efficiency of security operations.

[0060] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0061] The description in this disclosure is provided for illustrative and descriptive purposes only and is not intended to be exhaustive or to limit the disclosure to its forms. Many modifications and variations will be apparent to those skilled in the art. The embodiments were chosen and described in order to better illustrate the principles and practical application of this disclosure and to enable those skilled in the art to understand this disclosure and to design various embodiments with various modifications suitable for a particular purpose.

Claims

1. A security service orchestration method, comprising: obtaining a security policy table associated with a security device from a security device policy library upon receiving security device information requiring orchestration; extracting protection target asset information, security policy information, and security policy execution frequency information from the security policy table associated with the security device; comparing the protection target asset information with a protection target asset library to obtain slice network information associated with a protection target asset; decomposing the security policy information at a protection target asset granularity to obtain a security policy detail table classified according to different protection target assets; merging the security policy detail table according to the slice network information associated with the protection target asset to obtain a security policy table associated with a slice network; determining an execution period and order of each security policy in the security policy table associated with the slice network according to the security policy execution frequency information to generate a security orchestration table; establishing a task timing and issuing the security policies in the security policy table associated with the slice network to the security device according to the task timing; triggering a network orchestrator to perform network orchestration to adjust the corresponding slice network to the security device upon receiving feedback information of security policy taking effect sent by the security device; and controlling the security device to perform a security task after the network orchestration is completed.

2. The method of claim 1, further comprising: adjusting an execution timing of each security policy in the security policy table associated with the slice network according to execution duration information sent by the security device, wherein the security device sends the execution duration information after a security task is completed.

3. The method of claim 1 or 2, further comprising: checking the security policy table associated with the slice network after obtaining the security policy table associated with the slice network; and if there is no policy error or conflict in the security policy table associated with the slice network, performing the step of generating a security orchestration table.

4. A security service orchestrator, comprising: a first processing module configured to obtain a security policy table associated with a security device from a security device policy library upon receiving security device information requiring orchestration, and extract protection target asset information, security policy information, and security policy execution frequency information from the security policy table associated with the security device; a second processing module configured to compare the protection target asset information with a protection target asset library to obtain slice network information associated with a protection target asset, decompose the security policy information at a protection target asset granularity to obtain a security policy detail table classified according to different protection target assets, and merge the security policy detail table according to the slice network information associated with the protection target asset to obtain a security policy table associated with a slice network; and a third processing module configured to determine the execution period and order of each security policy in the security policy table associated with the slice network according to the security policy execution frequency information to generate a security orchestration table, to establish a task timing, and to issue the security policies in the security policy table associated with the slice network to the security device according to the task timing, to trigger the network orchestrator to perform network orchestration upon receiving feedback information about the security policy taking effect sent by the security device so as to adjust the corresponding slice network to the security device, and to control the security device to execute the security task after the network orchestration is completed.

5. The security service orchestrator of claim 4, wherein the second processing module is further configured to adjust the execution timing of each security policy in the security policy table associated with the slice network according to the execution duration information sent by the security device after receiving the execution duration information, wherein the security device sends the execution duration information after the security task is executed.

6. The security service orchestrator of claim 4 or 5, wherein the second processing module is further configured to check the security policy table associated with the slice network after obtaining the security policy table associated with the slice network, and to perform the operation of generating the security orchestration table if there is no policy error or conflict in the security policy table associated with the slice network.

7. A security service orchestrator, comprising: a memory configured to store instructions; and a processor coupled to the memory, the processor being configured to perform the method of any one of claims 1-3 based on the instructions stored in the memory.

8. A security service orchestration system, comprising: the security service orchestrator of any one of claims 4-6; a security device policy library configured to store a security policy table associated with the security device; a protection target asset library configured to store slice network information associated with the protection target asset; a network orchestrator configured to perform network orchestration according to the triggering operation of the security service orchestrator so as to adjust the corresponding slice network to the security device; and the security device, configured to send feedback information about the security policy taking effect to the security service orchestrator after the security policy sent by the security service orchestrator takes effect, and to execute the security task under the control of the security service orchestrator after the network orchestration is completed.

9. The system of claim 8, wherein the security device is further configured to send execution duration information to the security service orchestrator after the security task is executed.

10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions, and the instructions, when executed by a processor, implement the method of any one of claims 1-3.