Cloud firewall dynamic configuration method and system based on intelligent evaluation and automatic deployment
A dynamic configuration method for cloud firewalls that combines intelligent evaluation with automated deployment replaces firewall selection based on manual experience. The method automates and dynamically adjusts firewall resource configuration, improving configuration efficiency and accuracy and optimizing resource utilization.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA ELECTRONICS CLOUD DIGITAL INTELLIGENCE TECH CO LTD
- Filing Date
- 2026-03-31
- Publication Date
- 2026-06-19
AI Technical Summary
The existing firewall selection mechanism relies on human experience, which leads to low efficiency, large decision-making errors, limitations of static adaptation, and lack of closed-loop optimization, making it impossible to achieve dynamic matching between firewall resource configuration and actual needs.
The cloud firewall dynamic configuration method, which uses intelligent evaluation and automatic deployment, collects network traffic data, extracts traffic feature vectors, performs multi-dimensional quantitative evaluation, generates firewall selection recommendation results, and automatically completes the deployment and dynamic adjustment of firewall instances.
It automates the entire firewall resource configuration process, improves configuration efficiency and accuracy, has dynamic and elastic adjustment capabilities, optimizes resource utilization, and achieves the optimal balance between security, performance, and cost.
Figure CN122247703A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of cloud firewall technology, and in particular to a dynamic configuration method, system, computer-readable storage medium, and electronic device for a cloud firewall based on intelligent assessment and automatic deployment.
Background Technology
[0002] As enterprises accelerate their digital transformation, private cloud, with its advantages in data security, compliance, and customization, has become a critical infrastructure for deploying core businesses in industries with stringent security requirements, such as finance, government, and large-scale manufacturing. As a core component of the private cloud security protection system, firewalls undertake key functions such as boundary access control and malicious traffic interception; their selection directly affects the stability of business operations and the effectiveness of security protection.
[0003] Currently, mainstream cloud service providers offer firewall products with differentiated specifications to meet the needs of different scenarios, mainly including the following models:
[0004] Enterprise Edition: Designed for small and medium-sized business scenarios, it has basic access control capabilities, relatively low throughput (usually hundreds of megabits to gigabits), controllable cost, and is suitable for low-load environments with stable traffic.
[0005] Flagship Edition: Optimized for high-concurrency and high-sensitivity businesses, it supports 10 Gigabit throughput, microsecond-level low latency, and advanced threat detection (such as intrusion prevention and virus scanning) to meet the demands of scenarios such as financial transactions and real-time data processing;
[0006] Cluster mode: Achieves elastic scaling through horizontal expansion of multiple nodes, supporting millions of concurrent connections and terabyte-level throughput, suitable for ultra-large-scale businesses or critical systems requiring 24 / 7 high availability.
[0007] However, existing firewall selection mechanisms still heavily rely on manual experience. The specific process involves operations personnel manually collecting and analyzing historical traffic data (including peak bandwidth, maximum number of connections, average session rate, burst traffic frequency, etc.), business growth expectations, and security compliance requirements, then combining this data with the performance parameter documents provided by the vendor to make a matching judgment. This model has revealed the following significant shortcomings in practice:
[0008] 1. Inefficiency: Manually processing massive traffic data and comparing multi-dimensional indicators is time-consuming and difficult to respond to dynamic needs under rapid business iteration (such as a surge in traffic caused by promotional activities or the launch of new businesses).
[0009] 2. Large decision-making error: Manual estimation is easily affected by subjective experience bias, which may lead to two extreme problems: "underestimating traffic and causing firewall performance bottlenecks (packet loss, latency surge)" or "overestimating traffic and causing resource redundancy (waste of procurement costs)".
[0010] 3. Static adaptation limitations: After the firewall is deployed, it lacks the ability to dynamically adjust based on real-time traffic and cannot automatically trigger specification upgrades or downgrades according to business fluctuations, resulting in resource utilization deviating from the optimal range for a long time.
[0011] 4. Lack of closed-loop optimization: There is no feedback mechanism to link the actual protection effect after deployment (such as interception success rate, false alarm rate, and resource utilization rate) with the selection decision, making it difficult to iteratively optimize the selection strategy through historical data.
[0012] Furthermore, although some cloud platforms have introduced "auto-scaling" features for computing and storage resources (such as scaling virtual machine instances up or down based on CPU utilization), their core logic focuses on general resource scheduling and does not involve the characteristic analysis of security traffic or intelligent adaptation of the firewall architecture / edition. Currently, there is no mature solution capable of automatically evaluating, selecting, and deploying firewall types based on real-time security traffic characteristics (such as protocol distribution, attack type proportions, and traffic periodicity), leading to a persistent mismatch between firewall resource configuration and actual needs in private cloud scenarios.
Summary of the Invention
[0013] To address the aforementioned problems in existing technologies, this application proposes a novel dynamic configuration method for cloud firewalls based on intelligent assessment and automatic deployment.
[0014] The present invention aims to provide a systematic solution that can perform intelligent assessment based on security traffic characteristics and automatically complete the selection, deployment and dynamic adjustment of firewall instances.
[0015] Specifically, this application provides the following technical solutions:
[0016] The first aspect of this application provides a dynamic configuration method for a cloud firewall based on intelligent assessment and automatic deployment. As shown in Figure 1, the method includes:
[0017] S1. Collect network traffic data in the private cloud environment and extract traffic feature vectors. The traffic features include bandwidth, new connection rate, number of concurrent sessions, protocol distribution, and abnormal traffic features.
[0018] S2. Based on the traffic feature vector, call the evaluation engine to perform multi-dimensional quantitative evaluation and generate firewall selection recommendation results. The multi-dimensional quantitative evaluation includes performance matching evaluation, security requirement evaluation and cost-benefit evaluation.
[0019] S3. Based on the difference between the recommended results and the current deployment status, determine whether to trigger a firewall type change;
[0020] S4. When the change triggering conditions are met, automatically create a firewall instance of the target type and perform configuration migration and traffic switching;
[0021] S5. Collect the runtime data of the newly deployed instance and feed it back to the evaluation engine to optimize the evaluation model parameters.
[0022] Furthermore, in the method of this application, the collection of network traffic data in the private cloud environment in step S1 includes:
[0023] Deploy traffic collection agents at key network nodes in a virtual private cloud, wherein the key network nodes include at least one of a core switch bypass, a host virtual network interface card, and a service egress gateway.
[0024] Capture raw traffic data using NetFlow, sFlow, IPFIX, or eBPF.
[0025] The raw traffic data is collected and cached at a preset interval, and the sampling interval is shortened when abnormal traffic is detected.
[0026] Furthermore, in the method of this application, the extraction of traffic feature vectors in step S1 includes:
[0027] Normalize and aggregate the raw traffic data;
[0028] A security threat score is generated based on an anomaly detection model, which calculates the probability of an attack based on at least one of the following anomaly characteristics: SYN packet ratio, ICMP traffic surge, and single IP request frequency.
[0029] A sliding window is used to calculate short-term, medium-term, and long-term flow trends.
[0030] Furthermore, in the method of this application, the multidimensional quantitative evaluation in step S2 includes:
[0031] Performance matching assessment: Calculate the performance stress index of current traffic relative to each firewall specification;
[0032] Security requirements assessment: Advanced protection requirements are flagged based on security threat scores and port scanning behavior;
[0033] Cost-benefit assessment: Estimate the unit flow protection cost under different selections;
[0034] Elastic scaling assessment: Based on time series models to predict future traffic growth trends, assess the necessity of cluster mode.
[0035] Furthermore, in the method of this application, the determination of whether a firewall type change is triggered in step S3 includes:
[0036] Verify that the recommended type differs from the current deployment type;
[0037] Verify whether the recommendation results remain consistent across multiple consecutive evaluation periods;
[0038] Verify if any change operations are in progress;
[0039] Verify whether the current time period is within the allowed change window;
[0040] When all of the above conditions are met, a firewall type change is triggered.
[0041] Furthermore, in the method of this application, the automatic creation of a firewall instance of the target type in step S4 includes:
[0042] Call the private cloud management API to create a virtual firewall instance or cluster instance, wherein the cluster instance includes a primary / standby architecture or a load balancing architecture;
[0043] Migrate at least one of the following security policies from the original instance: access control lists, network address translation, and intrusion prevention rules.
[0044] Furthermore, in the method of this application, the execution of configuration migration and traffic switching in step S4 includes:
[0045] A gradual switching strategy is adopted, first directing some traffic to the new instance for health check verification;
[0046] Once verification is successful, update the routing table or virtual IP address to complete the full traffic switch.
[0047] After switching, monitor the connection failure rate and automatically roll back to the original instance if an anomaly occurs.
[0048] Furthermore, in the method of this application, the step S5 of collecting the runtime data of the newly deployed instance includes:
[0049] Monitor at least one of the following: CPU utilization, memory utilization, packet loss rate, network latency, and number of security events intercepted.
[0050] The deviation between the predicted indicators and the actual operating indicators is fed back to the evaluation engine to dynamically adjust the performance thresholds, security scoring model parameters, and cost-benefit weights.
[0051] A second aspect of this application provides a cloud firewall dynamic configuration system based on intelligent assessment and automatic deployment, the system comprising:
[0052] The traffic acquisition module is used to collect network traffic data in the private cloud environment and extract traffic feature vectors. The traffic features include bandwidth, new connection rate, number of concurrent sessions, protocol distribution, and abnormal traffic features.
[0053] The intelligent evaluation module is used to call the evaluation engine to perform multi-dimensional quantitative evaluation based on traffic feature vectors and generate firewall selection recommendation results. The multi-dimensional quantitative evaluation includes performance matching evaluation, security requirement evaluation and cost-benefit evaluation.
[0054] The decision control module is used to determine whether to trigger a firewall type change based on the difference between the recommendation result and the current deployment status.
[0055] The automatic deployment module is used to automatically create firewall instances of the target type and perform configuration migration and traffic switching when the change triggering conditions are met.
[0056] The feedback optimization module is used to collect the running data of newly deployed instances and feed it back to the evaluation engine to optimize the evaluation model parameters.
[0057] The system implements the aforementioned steps of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment during runtime.
[0058] A third aspect of this application provides an electronic device, including: a memory and a processor;
[0059] Memory: Used to store computer programs;
[0060] Processor: Used to execute the computer program to implement the steps of the aforementioned dynamic configuration method for cloud firewalls based on intelligent assessment and automatic deployment.
[0061] A fourth aspect of this application provides a computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, it implements the steps of the aforementioned dynamic configuration method for a cloud firewall based on intelligent assessment and automatic deployment.
[0062] In summary, compared with the prior art, the solution of the present invention has the following advantages:
[0063] (1) Achieve deep integration of intelligent assessment and automated deployment
[0064] This invention organically combines an intelligent evaluation algorithm based on multi-dimensional traffic characteristics with an automated firewall deployment mechanism, breaking through the technical limitations of traditional manual experience in specification selection. It achieves full-process automation from traffic analysis and demand assessment to instance deployment, significantly improving the efficiency and accuracy of private cloud firewall configuration.
[0065] (2) Construct a closed-loop optimized dynamic resource management mechanism
[0066] This invention constructs a complete closed-loop system of "data collection - intelligent evaluation - decision generation - automatic execution - performance feedback", which enables firewall resource configuration to have dynamic and elastic adjustment capabilities. It can automatically complete specification upgrades, downgrades or architecture switching according to actual business traffic changes, and realize refined and continuous optimization management of security resources.
[0067] (3) Use a multi-dimensional quantitative indicator system to drive selection decision-making
[0068] This invention introduces a multi-dimensional quantitative evaluation model that combines performance indicators (throughput, concurrent connections, latency), security indicators (threat detection capability, rule coverage, interception effectiveness), and cost indicators (resource consumption, licensing fees). This model is superior to traditional decision-making modes based on a single threshold or experience, ensuring that the selection results achieve the optimal balance between security, performance, and cost.
[0069] (4) Supports unified scheduling and orchestration of heterogeneous firewall architectures
[0070] This invention achieves compatible management and flexible orchestration of firewall instances of different specifications and architectures, such as enterprise edition, flagship edition, and cluster mode, through abstract resource description and unified scheduling interface. It has good technical versatility and scalability and can be adapted to the diverse product systems of mainstream cloud vendors.
[0071] (5) Private deployment adaptation capability in private cloud scenarios
[0072] This invention is specifically designed for the characteristics of private cloud environments, such as exclusive resources, network isolation, and compliance controllability. It solves the technical problem of difficulty in achieving automated deployment in private cloud scenarios due to the lack of standardized APIs and unified management planes of public clouds. It is particularly suitable for private infrastructure environments in industries such as finance, government, and large-scale manufacturing.
[0073] Other features and advantages of this application will be set forth in detail in the following description, or will become apparent through the implementation of the relevant technical solutions of this application. The objectives and other advantages of this application can be achieved through the technical features and means explicitly pointed out in the description, claims, and drawings, and will be obtained through the implementation of these technical contents.
Description of the Figures
[0074] To more clearly illustrate the technical solution of this application, the accompanying drawings involved in the description of this invention will be briefly introduced below. It should be noted that the drawings only show some embodiments of the invention. For those skilled in the art, other related drawings can be derived from these drawings without creative effort.
[0075] Figure 1 is a flowchart illustrating the overall implementation process of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment according to the present invention.
[0076] Figure 2 is a diagram illustrating the overall design architecture of the present invention.
[0077] Figure 3 is a structural diagram of the cloud firewall dynamic configuration system based on intelligent assessment and automatic deployment according to the present invention.
[0078] Figure 4 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention.
Detailed Implementation
[0079] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. It should be noted that the described embodiments are only some embodiments of this application, and not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the protection scope of this application.
[0080] In this document, the term "comprising" and any variations thereof (such as "comprises," "includes," etc.) are open-ended expressions and should be understood as "including but not limited to," meaning that the listed content is not exhaustive and may include other content not explicitly mentioned. The term "based on" should be understood as "at least partially based on," meaning that the basis or condition referred to may not be the only factor and may involve other relevant factors. The term "one embodiment" should be understood as "at least one embodiment," meaning that the described embodiment is not the only possible implementation, and other similar embodiments may exist.
[0081] In this application, the terms "a" and "a plurality of" are used to modify related elements or features, and their expression is illustrative rather than restrictive. Unless otherwise expressly stated in the context, "a" should be understood as "at least one," and "a plurality of" should be understood as "at least two." Those skilled in the art should reasonably interpret these terms based on the semantic and logical relationships of the context to ensure that they cover the possibility of "one or more."
[0082] Example: A method and system for dynamic configuration of a cloud firewall based on intelligent assessment and automatic deployment.
[0083] This solution runs in a cloud environment and automatically selects and deploys the most suitable firewall type (Enterprise Edition, Flagship Edition, or Cluster Mode) based on the actual network traffic characteristics of the user's business, achieving an optimal balance between protection capability and resource cost. The overall design architecture and implementation process of this invention, shown in Figure 2, consist of the following five stages.
[0084] Phase 1: Initialization and Configuration (System Preparation Phase)
[0085] Step 1: Deploy the Intelligent Traffic Agent
[0086] Deploy lightweight intelligent data collection agents on key network nodes within the private cloud VPC (such as core switch bypass, host virtual network interface card, business egress gateway, etc.).
[0087] The agent supports NetFlow / sFlow / IPFIX, eBPF, kernel modules, and other methods to capture the following raw traffic data in real time:
[0088] (1) Input / output bandwidth (bps);
[0089] (2) TCP / UDP new connection rate (CPS);
[0090] (3) Number of concurrent sessions (Active Sessions);
[0091] (4) Protocol distribution (percentage of HTTP / HTTPS / DNS / SSH, etc.);
[0092] (5) Abnormal traffic characteristics (such as excessively high SYN ratio, ICMP flooding, port scanning behavior, etc.).
[0093] Step 2: Load the firewall specification knowledge base
[0094] The system has a pre-built structured knowledge base that stores the performance and functional parameters of each firewall version, for example:
```json
{
  "Enterprise Edition": {
    "max_throughput_mbps": 1000,
    "max_concurrent_connections": 500000,
    "max_new_connections_per_second": 5000,
    "price_per_hour": 1.2
  },
  "Flagship Edition": {
    "max_throughput_mbps": 10000,
    "max_concurrent_connections": 5000000,
    "max_new_connections_per_second": 50000,
    "price_per_hour": 12.0
  },
  "Cluster Mode": {
    "max_throughput_mbps": "10000-100000",
    "max_concurrent_connections": 50000000,
    "max_new_connections_per_second": 500000,
    "price_per_hour": "replicas * price_per_replica"
  }
}
```
[0115] Step 3: Configure evaluation strategy and change threshold
[0116] Administrators can customize or use the default policy, for example:
[0117] (1) Performance safety margin: An upgrade is triggered when the measured value is greater than 80% of the specification limit;
[0118] (2) Cost sensitivity: If the utilization rate is less than 30% for 24 consecutive hours, it is recommended to downgrade;
[0119] (3) Security incident response: If a DDoS attack is detected and lasts for more than 5 minutes, force a switch to the Flagship Edition or Cluster Mode;
[0120] (4) If the packet loss or latency of the corresponding protection scenario exceeds the set threshold, an upgrade will be triggered.
[0121] Phase Two: Data Acquisition and Feature Extraction
[0122] Step 4: Periodically collect raw traffic data
[0123] The intelligent agent collects raw metrics at fixed intervals (e.g., every 60 seconds) and caches them locally;
[0124] Supports shortening the sampling interval in burst mode (e.g., switching to 10 seconds during an attack).
[0125] Step 5: Generate standardized traffic feature vectors
[0126] Anomaly detection model: An anomaly detection model is a machine learning algorithm system used to determine whether the current network traffic deviates from the "normal baseline", thereby identifying possible attack behaviors (such as DDoS, port scanning, brute-force attacks) or business anomalies (such as sudden crawling, protocol abuse).
[0127] (1) Generate a “security threat score” (attack_score)
[0128] Input: Collected traffic characteristics (such as SYN packet ratio, ICMP traffic surge, high-frequency requests from a single IP, etc.);
[0129] Output: A value between 0 and 1, representing the "abnormality" or "attack probability" of the current traffic.
[0130] (2) Drive firewall type upgrade decision
[0131] For example: when attack_score > 0.1 and this persists for 5 minutes, it is determined that the Flagship Edition (including IPS / WAF) or Cluster Mode (anti-DDoS), which have deep detection capabilities, should be enabled.
[0132] Using only the Enterprise Edition (without advanced protection) may not block the attack effectively.
[0133] (3) Increase the weight of the "safety dimension" in the selection process.
[0134] Traditional selection only considers performance (bandwidth, CPS), while this solution introduces security requirement awareness capabilities through this model to achieve "on-demand activation of advanced protection".
[0135] For example:
[0136]
[0137] The original data is normalized and aggregated to form structured feature vectors, for example:
```json
{
  "average_bandwidth_mbps": 850,
  "peak_cps_last_5_min": 6200,
  "concurrent_sessions": 480000,
  "https_share": 0.75,
  "attack_score": 0.12
}
```
(attack_score is the output of the anomaly detection model.)
[0145] Optional: Use a sliding window to calculate short-term (5-minute), medium-term (1-hour), and long-term (24-hour) trends.
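The feature extraction and threat scoring of Step 5, as an added example that is not the patent's own code: it turns constructed flow records into the feature vector described above and derives an attack_score in [0, 1] from the SYN ratio, ICMP share and single-source request rate. The patent does not specify the anomaly model; the baseline values, weights and the "five times baseline saturates" rule below are assumptions standing in for a learned model, and the flow samples are constructed.

```python
"""Added example: feature vector and attack_score from flow records (Step 5).
Not the patent's code. BASELINE, WEIGHTS and SATURATE_AT are assumptions."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    tcp_flags: str  # bare "S" = SYN with no further handshake seen; "" if not TCP
    pkts: int
    bytes: int


WINDOW_SECONDS = 60
# Assumed normal baseline; in the patent this comes from learned history.
BASELINE = {"syn_ratio": 0.05, "icmp_share": 0.01, "top_src_flows": 200}
WEIGHTS = {"syn_ratio": 0.5, "icmp_share": 0.25, "top_src_flows": 0.25}
SATURATE_AT = 5.0  # an indicator at 5x its baseline contributes its full weight


def extract_features(flows, window=WINDOW_SECONDS):
    """Normalize and aggregate one collection window into a feature vector."""
    if not flows:
        raise ValueError("empty window")
    tcp = [f for f in flows if f.proto == "tcp"]
    total_pkts = sum(f.pkts for f in flows) or 1
    top_src, top_n = Counter(f.src for f in flows).most_common(1)[0]
    by_proto = Counter(f.proto for f in flows)
    return {
        "bandwidth_mbps": sum(f.bytes for f in flows) * 8 / window / 1e6,
        "new_conn_per_s": len(tcp) / window,
        "syn_ratio": sum(1 for f in tcp if f.tcp_flags == "S") / max(len(tcp), 1),
        "icmp_share": sum(f.pkts for f in flows if f.proto == "icmp") / total_pkts,
        "top_src": top_src,
        "top_src_flows": top_n,
        "protocol_distribution": {p: round(n / len(flows), 3) for p, n in by_proto.items()},
    }


def attack_score(feat):
    """Weighted, clipped excess over baseline; weights sum to 1 so 0 <= score <= 1."""
    score = 0.0
    for key, w in WEIGHTS.items():
        excess = (feat[key] / BASELINE[key] - 1.0) / (SATURATE_AT - 1.0)
        score += w * min(max(excess, 0.0), 1.0)
    return round(score, 3)


def trend(series, short, long):
    """Sliding-window trend: short-window mean over long-window mean (>1 = rising)."""
    return round(mean(series[-short:]) / mean(series[-long:]), 3)


def benign_sample():
    """Constructed: 50 clients with two established sessions each, two SYNs, one ping."""
    flows = [Flow(f"192.0.2.{i}", "tcp", "PA", 10, 12_000) for i in range(50) for _ in range(2)]
    flows += [Flow("192.0.2.7", "tcp", "S", 1, 60), Flow("192.0.2.9", "tcp", "S", 1, 60),
              Flow("192.0.2.3", "icmp", "", 2, 128)]
    return flows


def attack_sample():
    """Constructed: 500 bare SYNs from one source on top of 20 normal sessions."""
    flows = [Flow(f"192.0.2.{i}", "tcp", "PA", 10, 12_000) for i in range(20)]
    flows += [Flow("203.0.113.66", "tcp", "S", 1, 60) for _ in range(500)]
    return flows


if __name__ == "__main__":
    for name, sample in (("benign", benign_sample()), ("syn flood", attack_sample())):
        feat = extract_features(sample)
        print(name, "attack_score =", attack_score(feat), "top source =", feat["top_src"])
```

Two points a practitioner should keep: the score is only as good as the baseline, so the baseline must be learned per site and re-learned after a legitimate traffic change, and `top_src` is worth surfacing alongside the score because a single dominant source is what distinguishes a flood from a promotion-driven surge.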
[0146] Phase Three: Intelligent Assessment and Decision Making
[0147] Step 6: Call the evaluation engine to perform multi-dimensional scoring.
[0148] The evaluation engine receives feature vectors and performs the following sub-evaluations in sequence:
[0149] (1) Performance match rating: Calculate the "stress index" of the current traffic against each firewall specification;
[0150] For example:
[0151] Enterprise Edition CPS stress = 6200 / 5000 = 1.24 (exceeding the limit);
[0152] (2) Security requirement score: If the attack_score > 0.1 or there is high-frequency port scanning, then it is marked as requiring advanced protection;
[0153] (3) Cost-benefit analysis: Estimate the unit flow protection cost (RMB / Mbps) under different selections;
[0154] (4) Necessity of elastic scaling: If the traffic is predicted to double in the next hour (based on time series model), the cluster mode is recommended first.
[0155] Step 7: Generate recommended firewall types
[0156] Based on the scores from various dimensions, a weighted decision rule (with configurable weights) is used to output a unique recommendation type, as shown in the example below:
```python
if performance_stress > 1.0 and security_score > 0.8:
    recommended_type = "Flagship Edition"
elif predicted_traffic_growth > 2.0:
    recommended_type = "Cluster Mode"
elif current_type == "Flagship Edition" and avg_utilization_24h < 0.3:
    recommended_type = "Enterprise Edition"
else:
    recommended_type = current_type  # keep the current firewall type
```
[0165] Step 8: Determine if a deployment change has been triggered.
[0166] Check if the following conditions are met simultaneously:
[0167] (1) Recommended type ≠ Current deployment type;
[0168] (2) The recommendation results are consistent for N consecutive cycles (e.g., N = 2);
[0169] (3) No ongoing change operations;
[0170] (4) The business is in a window where changes are allowed (such as during off-peak trading hours).
[0171] If all conditions are met, proceed to the deployment phase; otherwise, log the process and continue monitoring.
[0172] Phase Four: Automated Deployment and Switchover
[0173] Step 9: Call the cloud platform API to create a new firewall instance
[0174] Based on the recommended type, call the dedicated cloud management API to perform the following operations:
[0175] (1) Enterprise Edition / Flagship Edition: Create a single-instance virtual firewall (vFW);
[0176] (2) Cluster mode: Create a primary / standby or load-balanced cluster and automatically allocate the number of nodes;
[0177] (3) Synchronously configure security policies (ACL, NAT, IPS rules, etc.) and migrate them from the original instance.
[0178] Step 10: Perform traffic switching and verification
[0179] Adopt a gradual switching strategy:
[0180] (1) Gray-scale traffic redirection: First, redirect 5% of the traffic to a new instance;
[0181] (2) Health check: Verify that the new instance has CPU <70%, no packet loss, and latency <10ms;
[0182] (3) Full switch: If the verification is successful, update the routing table / VIP to point to the new instance;
[0183] (4) Rollback mechanism: If an anomaly occurs within 5 minutes (such as a connection failure rate > 1%), the instance will be automatically switched back to the original instance and an alarm will be triggered.
[0184] Step 11: Release old resources (optional)
[0185] If it is a downgrade or replacement operation, the old firewall instance will be automatically destroyed and computing and license resources will be released after the new instance has been running stably for ≥30 minutes.
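Steps 8 to 11 as one runnable example, added here and not part of the patent: the change gate (same recommendation for N = 2 consecutive cycles, no change in progress, inside the change window), then the staged cutover with a 5% canary, the health thresholds from Step 10, a full switch, rollback with an alarm if the connection failure rate exceeds 1%, and release of the old instance after 30 stable minutes. `FakeCloudAPI` is a hypothetical stand-in for the private-cloud management API, which the patent does not name; its telemetry and the timestamps are constructed.

```python
"""Added example for Steps 8-11: change gate, canary cutover, rollback,
release. Not the patent's code; FakeCloudAPI is a hypothetical stand-in."""
from collections import deque
from datetime import datetime, time

N_CONSISTENT = 2
CANARY_SHARE = 0.05
HEALTH = {"cpu_max": 0.70, "loss_max": 0.0, "latency_ms_max": 10.0}
ROLLBACK_FAIL_RATE = 0.01
RELEASE_AFTER_MIN = 30
# Constructed timestamps: inside and outside a 01:00-05:00 change window.
NIGHT = datetime(2026, 1, 1, 2, 0)
DAY = datetime(2026, 1, 1, 14, 0)


class ChangeGate:
    """Step 8: all four conditions must hold before a change is triggered."""

    def __init__(self, window=(time(1, 0), time(5, 0)), n=N_CONSISTENT):
        self.window, self.n = window, n
        self.history = deque(maxlen=n)   # last n recommendations
        self.in_progress = False

    def should_change(self, recommended, current, now):
        self.history.append(recommended)
        consistent = len(self.history) == self.n and len(set(self.history)) == 1
        in_window = self.window[0] <= now.time() < self.window[1]
        return bool(recommended != current and consistent
                    and not self.in_progress and in_window)


class FakeCloudAPI:
    """Hypothetical management API. metrics_by_id is the scenario's telemetry."""

    def __init__(self, metrics_by_id):
        self.metrics_by_id, self.shares, self.log, self.alarms = metrics_by_id, {}, [], []

    def create_instance(self, fw_type):
        iid = fw_type.split()[0].lower() + "-new"
        self.log.append(("create", iid))
        return iid

    def migrate_policies(self, src, dst):      # ACL / NAT / IPS rules
        self.log.append(("migrate", src, dst))

    def set_traffic_share(self, iid, share):  # route table / VIP weight
        self.shares[iid] = share
        self.log.append(("route", iid, share))

    def metrics(self, iid):
        return self.metrics_by_id[iid]

    def destroy(self, iid):
        self.log.append(("destroy", iid))


def healthy(m):
    return (m["cpu"] < HEALTH["cpu_max"] and m["loss"] <= HEALTH["loss_max"]
            and m["latency_ms"] < HEALTH["latency_ms_max"])


def rollback(api, old_id, new_id, reason):
    """Restore the old instance first, then remove the new one and raise an alarm."""
    api.set_traffic_share(old_id, 1.0)
    api.set_traffic_share(new_id, 0.0)
    api.destroy(new_id)
    api.alarms.append(reason)
    return ("rolled_back", reason)


def cutover(api, old_id, fw_type):
    """Steps 9-10: create, migrate policies, 5% canary, health check, full switch,
    post-switch observation (one metrics sample stands in for the 5-minute window)."""
    new_id = api.create_instance(fw_type)
    api.migrate_policies(old_id, new_id)
    api.set_traffic_share(new_id, CANARY_SHARE)
    api.set_traffic_share(old_id, 1.0 - CANARY_SHARE)
    if not healthy(api.metrics(new_id)):
        return rollback(api, old_id, new_id, "canary_unhealthy")
    api.set_traffic_share(new_id, 1.0)
    api.set_traffic_share(old_id, 0.0)
    if api.metrics(new_id)["conn_fail_rate"] > ROLLBACK_FAIL_RATE:
        return rollback(api, old_id, new_id, "conn_fail_rate")
    return ("switched", new_id)


def release_old(api, old_id, stable_minutes):
    """Step 11: destroy the old instance only after the new one has run stably."""
    if stable_minutes >= RELEASE_AFTER_MIN:
        api.destroy(old_id)
        return True
    return False
```

The order inside `rollback` matters: traffic is returned to the old instance before the new one is torn down, so a failed cutover never leaves a window with no firewall in the path. The gate should also set `in_progress` for the whole cutover and the 30-minute release wait, otherwise a second evaluation cycle could start a conflicting change while the old instance is still needed for rollback.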
[0186] Phase 5: Feedback and Optimization (Closed-Loop Learning)
[0187] Step 12: Record runtime data and optimize the model
[0188] Continuously monitor the actual operational metrics of newly deployed instances:
[0189] (1) CPU / memory utilization;
[0190] (2) Packet loss rate and latency;
[0191] (3) Number of security incidents intercepted.
[0192] The "predicted vs. actual" deviation is fed back to the evaluation engine for:
[0193] Dynamically adjust performance thresholds;
[0194] Optimize the attack scoring model;
[0195] Update cost-benefit weights (e.g., prioritize security over cost in business operations).
[0196] Figure 3 The image shows a cloud firewall dynamic configuration system based on intelligent assessment and automatic deployment proposed in this application. The system includes:
[0197] The traffic acquisition module is used to collect network traffic data in the private cloud environment and extract traffic feature vectors. The traffic features include bandwidth, new connection rate, number of concurrent sessions, protocol distribution, and abnormal traffic features.
[0198] The intelligent evaluation module is used to call the evaluation engine to perform multi-dimensional quantitative evaluation based on traffic feature vectors and generate firewall selection recommendation results. The multi-dimensional quantitative evaluation includes performance matching evaluation, security requirement evaluation and cost-benefit evaluation.
[0199] The decision control module is used to determine whether to trigger a firewall type change based on the difference between the recommendation result and the current deployment status.
[0200] The automatic deployment module is used to automatically create firewall instances of the target type and perform configuration migration and traffic switching when the change triggering conditions are met.
[0201] The feedback optimization module is used to collect the running data of newly deployed instances and feed it back to the evaluation engine to optimize the evaluation model parameters.
[0202] The above system implements the steps of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment disclosed in this application when it is running.
[0203] The flowcharts and block diagrams in the accompanying drawings illustrate possible implementations of systems, methods, and computer program products according to various embodiments of this application, including architecture, functionality, and operation. In these figures, each block may represent a module, program segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should be noted that each block in the block diagrams and/or flowcharts, and combinations thereof, can be implemented using either a dedicated hardware-based system or a combination of dedicated hardware and computer instructions to achieve the specified function or operation.
[0204] As shown in Figure 4, an embodiment of this application also discloses an electronic device, including: a processor 310, a communication interface 320, a memory 330 for storing a computer program executable by the processor, and a communication bus 340. The processor 310, communication interface 320, and memory 330 communicate with one another via the communication bus 340. The processor 310 executes the computer program to implement the steps of the aforementioned dynamic configuration method for a cloud firewall based on intelligent assessment and automatic deployment.
[0205] It is understood that, in addition to the memory and the processor, the electronic device may also include input devices (such as a keyboard), output devices (such as a display), and other communication modules, all of which communicate with the processor through I/O (input/output) interfaces.
[0206] The operations described in this application can be implemented by writing computer program code using one or more programming languages or a combination thereof. The programming languages include, but are not limited to, the following types:
[0207] Object-oriented programming languages, such as Java, Smalltalk, C++, etc.
[0208] Conventional procedural programming languages, such as "C" or similar programming languages.
[0209] The program code may be executed in ways that include, but are not limited to:
[0210] executed entirely on the user's computer;
[0211] executed partly on the user's computer and partly on a remote computer;
[0212] executed as a standalone software package;
[0213] executed entirely on a remote computer or server.
[0214] In scenarios involving remote computers, the remote computer can connect to the user's computer via any type of network, including but not limited to local area networks (LANs) or wide area networks (WANs). Furthermore, the remote computer can also connect to external computers through an internet service provider, for example, by utilizing the internet for connection.
[0215] Furthermore, this application also discloses a computer-readable storage medium, wherein when the instructions in the computer-readable storage medium are executed by a processor of an electronic device, the electronic device is able to perform the various steps of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment disclosed in this application.
[0216] In the context of this application, a computer-readable storage medium refers to a tangible medium capable of storing computer program code and related data. Specific examples include, but are not limited to, the following:
[0217] (1) Portable computer disk: such as floppy disks and other removable magnetic storage media.
[0218] (2) Hard disk: including mechanical hard disks and solid-state hard disks and other fixed storage devices.
[0219] (3) Random Access Memory (RAM): A volatile storage medium used for temporary storage of data and program code.
[0220] (4) Read-only memory (ROM): a non-volatile storage medium used to store fixed programs and data.
[0221] (5) Erasable programmable read-only memory (EPROM) or flash memory: non-volatile storage media that supports multiple erasures and reprogrammings.
[0222] (6) Fiber optic storage devices: storage media based on fiber optic technology.
[0223] (7) Portable compact disc read-only memory (CD-ROM): a read-only medium that stores data in the form of an optical disc.
[0224] (8) Optical storage devices: such as DVDs, Blu-ray discs and other storage media based on optical principles.
[0225] (9) Magnetic storage devices: such as magnetic tapes, disks and other storage media based on magnetic principles.
[0226] (10) Any suitable combination of the above: for example, combining multiple storage media to meet different storage needs.
[0227] These computer-readable storage media can be used to store the program code and related data described in this application to support program execution and persistent data storage.
[0228] Specifically, according to embodiments of this application, the processes described in the flowcharts can be implemented as computer software programs. For example, embodiments of this application relate to a computer program product comprising a computer program carried on a non-transitory computer-readable medium. This computer program includes program code for executing the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment disclosed in this application. When this computer program is executed by a processing system, it can achieve the functions defined in the embodiments of this application.
[0229] While the foregoing discussion contains several specific implementation details, these details should not be construed as limiting the scope of this application. The above description is merely a preferred embodiment of this application and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of this application is not limited to technical solutions formed by specific combinations of the above-described technical features. Furthermore, this application should also cover other technical solutions formed by any combination of the above-described technical features or their equivalents without departing from the foregoing disclosed concept.
[0230] Those skilled in the art should also understand that modifications can be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features, without departing from the spirit and scope of the technical solutions of the embodiments of this application. These modifications or substitutions will not cause the essence of the corresponding technical solutions to deviate from the core spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment, characterized in that the method includes: S1. Collect network traffic data in the private cloud environment and extract traffic feature vectors, where the traffic features include bandwidth, new connection rate, number of concurrent sessions, protocol distribution, and abnormal traffic features; S2. Based on the traffic feature vector, call the evaluation engine to perform multi-dimensional quantitative evaluation and generate firewall selection recommendation results, where the multi-dimensional quantitative evaluation includes performance matching evaluation, security requirement evaluation, and cost-benefit evaluation; S3. Based on the difference between the recommendation results and the current deployment status, determine whether to trigger a firewall type change; S4. When the change triggering conditions are met, automatically create a firewall instance of the target type and perform configuration migration and traffic switching; S5. Collect the runtime data of the newly deployed instance and feed it back to the evaluation engine to optimize the evaluation model parameters.
2. The method of claim 1, wherein the collection of network traffic data in the private cloud environment in step S1 includes: deploying traffic collection agents at key network nodes of the virtual private cloud, where the key network nodes include at least one of a core switch bypass, a host virtual network interface card, and a service egress gateway; capturing raw traffic data using NetFlow, sFlow, IPFIX, or eBPF; and collecting and caching the raw traffic data at a preset period, with the sampling interval shortened when abnormal traffic is detected.
3. The method of claim 1, wherein the extraction of traffic feature vectors in step S1 includes: normalizing and aggregating the raw traffic data; generating a security threat score with an anomaly detection model that calculates the probability of an attack from at least one of the following anomaly characteristics: SYN packet ratio, ICMP traffic surge, and single-IP request frequency; and using a sliding window to calculate short-term, medium-term, and long-term traffic trends.
4. The method of claim 1, wherein the multi-dimensional quantitative evaluation in step S2 includes: performance matching evaluation, which calculates the performance stress index of the current traffic relative to each firewall specification; security requirement evaluation, which flags advanced protection requirements based on the security threat score and port scanning behavior; cost-benefit evaluation, which estimates the protection cost per unit of traffic under each selection; and elastic scaling evaluation, which predicts future traffic growth trends with a time series model and assesses whether cluster mode is necessary.
5. The method of claim 1, wherein determining whether to trigger a firewall type change in step S3 includes: checking whether the recommended type differs from the current deployment type; checking whether the recommendation result has remained consistent across multiple consecutive evaluation periods; checking whether any change operation is in progress; and checking whether the current time is within the allowed change window; a firewall type change is triggered only when the recommended type differs from the current deployment type, the recommendation has remained consistent, no change operation is in progress, and the current time is within the change window.
6. The method of claim 1, wherein automatically creating a firewall instance of the target type in step S4 includes: calling the private cloud management API to create a virtual firewall instance or a cluster instance, where the cluster instance uses a primary/standby architecture or a load balancing architecture; and migrating at least one of the following security policies from the original instance: access control lists, network address translation rules, and intrusion prevention rules.
7. The method of claim 1, wherein performing configuration migration and traffic switching in step S4 includes: adopting a gradual switching strategy in which part of the traffic is first directed to the new instance for health check verification; once verification succeeds, updating the routing table or virtual IP address to complete the full traffic switch; and after switching, monitoring the connection failure rate and automatically rolling back to the original instance if an anomaly occurs.
8. The method of claim 1, characterized in that collecting runtime data from the newly deployed instance in step S5 includes: monitoring at least one of CPU utilization, memory utilization, packet loss rate, network latency, and number of security events intercepted; and feeding the deviation between the predicted indicators and the actual operating indicators back to the evaluation engine to dynamically adjust the performance thresholds, the security scoring model parameters, and the cost-benefit weights.
9. A cloud firewall dynamic configuration system based on intelligent assessment and automatic deployment, characterized in that the system, when running, implements the steps of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment according to any one of claims 1 to 8, and the system includes: a traffic acquisition module, used to collect network traffic data in the private cloud environment and extract traffic feature vectors, where the traffic features include bandwidth, new connection rate, number of concurrent sessions, protocol distribution, and abnormal traffic features; an intelligent evaluation module, used to call the evaluation engine to perform multi-dimensional quantitative evaluation based on the traffic feature vectors and generate firewall selection recommendation results, where the multi-dimensional quantitative evaluation includes performance matching evaluation, security requirement evaluation, and cost-benefit evaluation; a decision control module, used to determine whether to trigger a firewall type change based on the difference between the recommendation result and the current deployment status; an automatic deployment module, used to automatically create firewall instances of the target type and perform configuration migration and traffic switching when the change triggering conditions are met; and a feedback optimization module, used to collect the runtime data of newly deployed instances and feed it back to the evaluation engine to optimize the evaluation model parameters.
10. An electronic device, characterized in that it includes a memory and a processor, where the memory is used to store a computer program, and the processor is used to execute the computer program to implement the steps of the cloud firewall dynamic configuration method based on intelligent assessment and automatic deployment according to any one of claims 1 to 8.
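As an added worked example, not code from the patent or its assignee, the following Python script exercises the decision control and automatic deployment steps that claims 5 and 7 describe: a change gate that fires only when the recommended type differs from the current one, the recommendation has repeated for a number of consecutive evaluation periods, no change is already in progress and the time is inside the change window; and a gradual switch that creates the target instance, migrates its policies, sends a canary share of traffic, health-checks on connection failure rate, cuts over, and rolls back to the original instance if the rate exceeds the limit before or after the cutover. The `FakeCloudAPI` class, its method names, the three-period consistency requirement, the 01:00 to 05:00 change window, the 10% canary share and the 2% failure-rate limit are assumptions standing in for the private cloud management API and operator policy, which the patent does not specify.

```python
"""Added example (not the patent's code): the change gate of step S3 and the
gradual traffic switch with rollback of step S4, driven against an in-memory
stand-in for the private cloud management API. The consistency period, the
change window, the canary share and the failure-rate limit are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ChangeGate:
    """Step S3: trigger a type change only when all four conditions hold."""
    current_type: str
    consistent_periods: int = 3      # recommendation must repeat this many times
    change_window: tuple = (1, 5)    # allowed hours of day [start, end)
    change_in_progress: bool = False

    def __post_init__(self):
        self.history = deque(maxlen=self.consistent_periods)

    def should_change(self, recommended: str, hour: int) -> bool:
        self.history.append(recommended)
        # Hysteresis: one noisy evaluation period (or a traffic spike an attacker
        # induces on purpose) must not flip the firewall back and forth.
        stable = (len(self.history) == self.consistent_periods
                  and len(set(self.history)) == 1)
        in_window = self.change_window[0] <= hour < self.change_window[1]
        return (recommended != self.current_type and stable
                and not self.change_in_progress and in_window)


class FakeCloudAPI:
    """Stand-in for the private cloud management API (assumed interface).
    `failure_rates` fixes the connection failure rate each instance will
    report, so both the success and the rollback path can be exercised."""

    def __init__(self, failure_rates=None):
        self.failure_rates = failure_rates or {}
        self.instances = {}   # name -> {"type": ..., "policies": {...}}
        self.route = {}       # instance name -> share of traffic
        self.log = []

    def create_instance(self, name, fw_type, policies):
        self.instances[name] = {"type": fw_type, "policies": dict(policies)}
        self.log.append(f"create {name} ({fw_type})")
        return name

    def set_traffic_share(self, new, old, share):
        self.route = {new: share, old: 1.0 - share}
        self.log.append(f"route {share:.0%} -> {new}")

    def connection_failure_rate(self, name):
        return self.failure_rates.get(name, 0.0)

    def delete_instance(self, name):
        self.instances.pop(name, None)
        self.log.append(f"delete {name}")


def switch_firewall(api, old, target_type, canary_share=0.1, max_failure_rate=0.02):
    """Step S4: create the target instance, migrate ACL/NAT/IPS policies,
    send a canary share of traffic, health-check, then cut over or roll back."""
    new = api.create_instance(f"{old}-next", target_type, api.instances[old]["policies"])

    def rollback():
        api.set_traffic_share(new, old, 0.0)   # every packet back to the original
        api.delete_instance(new)
        return {"switched": False, "active": old}

    api.set_traffic_share(new, old, canary_share)
    if api.connection_failure_rate(new) > max_failure_rate:   # canary health check
        return rollback()
    api.set_traffic_share(new, old, 1.0)                      # full cutover
    if api.connection_failure_rate(new) > max_failure_rate:   # post-switch monitoring
        return rollback()
    api.delete_instance(old)
    return {"switched": True, "active": new}


if __name__ == "__main__":
    gate = ChangeGate(current_type="basic")
    for hour in (2, 2, 2):
        print("change?", gate.should_change("advanced", hour))
    api = FakeCloudAPI({"fw1-next": 0.0})
    api.create_instance("fw1", "basic", {"acl": ["permit 10.0.0.0/8 any"]})
    print(switch_firewall(api, "fw1", "advanced"), api.log)
```

The gate keeps only the last `consistent_periods` recommendations, so a sequence such as advanced, basic, advanced never fires, and a recommendation that is stable but arrives outside the change window is deferred rather than lost. In the switch, the original instance is deleted only after the post-cutover check passes, which is what makes the rollback path possible at all; a real deployment would also migrate the connection table or accept the brief failure spike the patent's post-switch monitoring is there to catch.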