Network isolation policy processing method and apparatus, computer device, readable storage medium, and program product
By constructing an asset attribute database and a role-based access control model, combined with entity authentication and network traffic analysis, and dynamically adjusting isolation strategies, the problems of lagging information collection and weak prevention and control in traditional network isolation strategies are solved, achieving efficient and accurate network security protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGDONG ELECTRIC POWER COMM CO LTD
- Filing Date
- 2026-04-24
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394901A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to a network isolation strategy processing method, apparatus, computer equipment, readable storage medium, and program product. Background Technology
[0002] With the rapid development of information technology, enterprise network architectures are becoming increasingly complex, the scale of devices, users, and assets continues to expand, network boundaries are gradually blurring, and internal and external security threats are frequent. Network isolation has become a core means of ensuring network security. Effective network isolation strategies need to accurately identify the attributes of network assets, precisely control access permissions, and dynamically adapt to changes in the network security landscape.
[0003] In traditional network isolation strategy management solutions, asset information often relies on manual collection, which can easily lead to information omissions and delayed updates. This results in a lack of accurate data support for strategy formulation and a low accuracy of network isolation strategies. Summary of the Invention
[0004] Therefore, it is necessary to provide a network isolation policy processing method, apparatus, computer equipment, readable storage medium, and program product that can improve the accuracy of network isolation policies in response to the above-mentioned technical problems.
[0005] Firstly, this application provides a method for processing network isolation strategies, including:
[0006] Collect environmental and entity information within the target network, and construct an asset attribute database for the target network based on the environmental and entity information;
[0007] Based on the asset attribute database and the preset role-based access control model, an initial network isolation policy is generated for the target network.
[0008] Upon receiving a network access request from a target entity, authentication is performed on the target entity to obtain the entity authentication result corresponding to the target entity;
[0009] Based on the entity authentication result, the initial network isolation policy is bound to permissions, a target isolation policy for the target entity is generated, and the target isolation policy is distributed to network devices in the target network.
[0010] Collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
[0011] In one embodiment, generating an initial network isolation policy for the target network based on the asset attribute database and a preset role-based access control model includes:
[0012] Obtain asset importance data corresponding to the target network from the asset attribute database, divide the target network into different security level zones based on the asset importance data, and define interval access rules between each security level zone;
[0013] Based on the preset role-based access control model, corresponding role permissions are assigned to different access roles contained in the entity information.
[0014] The entity attributes in the entity information and the environmental attributes in the environment information are quantified to construct attribute evaluation logic for determining permissions.
[0015] Based on the interval access rules, the role permissions, and the attribute evaluation logic, an initial network isolation policy is generated for the target network.
[0016] In one embodiment, the step of distributing the target isolation policy to network devices in the target network includes:
[0017] An encrypted tunnel for communication with the network device is established by configuring interfaces, peer nodes, and routing rules in the network device.
[0018] Based on preset key elements of network communication, corresponding access control list rules are generated in the network device, and bypass blocking operations are performed in conjunction with the network switching device in the target network.
[0019] In the case of intercepting cross-border attack traffic at the target network boundary through the access control list rules, and intercepting lateral movement attack traffic within the target network through the bypass blocking operation, the target isolation policy is distributed to network devices in the target network through the encrypted tunnel.
[0020] In one embodiment, the bypass blocking operation performed in conjunction with the network switching device in the target network includes:
[0021] By utilizing the port mirroring function of the network switching device in the target network, the mirrored traffic data corresponding to the network switching device is obtained;
[0022] The mirrored traffic data is parsed to identify the attack characteristics corresponding to the lateral movement attack traffic. Furthermore, if it is determined based on the attack characteristics that a lateral movement attack exists within the target network, the address information of the attacked target and the attack source corresponding to the lateral movement attack is obtained.
[0023] A query request containing the address information of the attack source is sent to the network switching device corresponding to the attacked target; the query request is used to obtain the switch information and port status connected to the attack source.
[0024] Based on the switch information and the port status, a blocking instruction is generated, and the blocking instruction is sent to the switch connected to the attack source to perform a bypass blocking operation on the attack source.
[0025] In one embodiment, identifying abnormal behavior within the target network based on the network traffic data includes:
[0026] The network traffic data is input into a pre-trained deep learning model; the pre-trained deep learning model includes a load feature extraction network, a temporal feature extraction network, and a feature classification network; the network traffic data includes network load data and traffic statistics data.
[0027] The network load data is subjected to feature extraction by the load feature extraction network to obtain the corresponding load features, and the traffic statistics data is subjected to feature extraction by the time series feature extraction network to obtain the corresponding time series features.
[0028] The load characteristics and the time-series characteristics are fused to obtain the network traffic characteristics corresponding to the network traffic data;
[0029] The network traffic features are input into the feature classification network for classification processing, and the probability distribution results of each abnormal behavior category corresponding to the network traffic data are output.
[0030] Based on the probability distribution results, the abnormal behavior category to which the network traffic data belongs is determined, and based on the abnormal behavior category, the abnormal behavior within the target network is determined.
[0031] In one embodiment, identifying abnormal behavior within the target network based on the network traffic data includes:
[0032] The network traffic data is input into a pre-trained deep learning model; the pre-trained deep learning model includes a load feature extraction network, a temporal feature extraction network, and a feature classification network; the network traffic data includes network load data and traffic statistics data.
[0033] The network load data is subjected to feature extraction by the load feature extraction network to obtain the corresponding load features, and the traffic statistics data is subjected to feature extraction by the time series feature extraction network to obtain the corresponding time series features.
[0034] The load characteristics and the time-series characteristics are fused to obtain the network traffic characteristics corresponding to the network traffic data;
[0035] The network traffic features are input into the feature classification network for classification processing, and the probability distribution results of each abnormal behavior category corresponding to the network traffic data are output.
[0036] Based on the probability distribution results, the abnormal behavior category to which the network traffic data belongs is determined, and based on the abnormal behavior category, the abnormal behavior within the target network is determined.
[0037] Secondly, this application also provides a network isolation policy processing device, comprising:
[0038] A construction module is used to collect environmental and entity information within the target network, and to construct an asset attribute database of the target network based on the environmental and entity information.
[0039] The generation module is used to generate an initial network isolation policy for the target network based on the asset attribute database and a preset role-based access control model.
[0040] The authentication module is used to perform identity verification on the target entity upon receiving a network access request from the target entity, and obtain the entity authentication result corresponding to the target entity.
[0041] An isolation module is used to perform permission binding on the initial network isolation policy based on the entity authentication result, generate a target isolation policy for the target entity, and distribute the target isolation policy to network devices in the target network.
[0042] The adjustment module is used to collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
[0043] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the above-described method.
[0044] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the above-described method.
[0045] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the above-described method.
[0046] The aforementioned network isolation policy processing methods, devices, computer equipment, computer-readable storage media, and computer program products construct an asset attribute database by collecting environmental and entity information within the target network, providing accurate asset information support for the subsequent generation of network isolation policies. Based on the asset attribute database and a pre-defined role-based access control model, an initial network isolation policy is generated, ensuring that policy formulation is based on accurate asset information and improving the matching degree between the isolation policy and the actual network environment. Upon receiving a network access request, identity verification is performed on the target entity, and the initial network isolation policy is bound to permissions based on the entity authentication result to generate a target isolation policy, realizing the association between the policy and entity identity and improving the targeting of access control. By collecting network traffic data when network devices execute the target isolation policy and identifying abnormal behavior within the target network based on the network traffic data, network security threats can be detected in a timely manner. Adjustments to the target isolation policy based on the identified abnormal behavior enable the isolation policy to respond to changes in the network security situation, improving the timeliness of policy optimization. Thus, from asset information collection, policy generation, identity verification, policy binding to traffic monitoring and dynamic policy adjustment, a complete network isolation policy management process is constructed, which can improve the accuracy and dynamic adaptability of network isolation policies and enhance network security protection capabilities. Attached Figure Description
[0047] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0048] Figure 1 This is a diagram illustrating the application environment of a network isolation strategy processing method in one embodiment.
[0049] Figure 2 This is a flowchart illustrating a network isolation strategy processing method in one embodiment;
[0050] Figure 3 This is a logic diagram of a network isolation strategy processing method in one embodiment;
[0051] Figure 4 This is a flowchart illustrating a network isolation strategy processing method in another embodiment;
[0052] Figure 5 This is a structural block diagram of a network isolation strategy processing device in one embodiment;
[0053] Figure 6 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0054] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0055] Traditional network isolation management solutions have several limitations: asset information relies heavily on manual collection, leading to data omissions and outdated updates, resulting in a lack of accurate data support for policy formulation; policy generation is often based on simple role-based access control (RBAC) mechanisms, failing to incorporate quantitative assessments of device, user, and environmental attributes, and network partitioning by department or region without tiered protection based on asset importance, leaving core assets at higher risk; in the authentication process, devices and users often use single-factor authentication, which is insufficiently secure, and the lack of automatic verification and revoke mechanisms after permission allocation makes it prone to abuse; policy deployment uses a distributed configuration model, with encrypted tunnels and access control lists (Access Control Lists). List (ACL) rules and bypass blocking technologies lack synergy, focusing protection primarily on attacks at the north-south boundary, with weak defense against lateral movement attacks. Furthermore, there is no verification of execution results after deployment, making it prone to empty deployments. At the same time, traditional solutions rely on preset rule engines to identify threats, which are insufficient for detecting new types of attacks. Policy adjustments require manual intervention, resulting in delayed responses. In addition, key and certificate management relies on manual operation, posing security risks, and the policy process log is incomplete, making it difficult to meet compliance audit requirements.
[0056] The network isolation strategy processing method provided in this application embodiment can be applied to, for example, Figure 1 In the application environment shown, the network isolation policy management system 100 includes:
[0057] Centralized policy controller 101 is used to dynamically generate, uniformly distribute, and adapt isolation policies;
[0058] The identity authentication and access management unit 102 is used for device and user identity verification and access binding;
[0059] The intelligent traffic monitoring unit 103 is used to collect network traffic characteristics in real time and identify abnormal behavior.
[0060] The multi-dimensional isolation execution unit 104 is used to achieve network isolation through encrypted tunnels, ACL blocking, and bypass blocking.
[0061] The key and certificate management unit 105 is used for key generation, storage, distribution, and full lifecycle management of certificates;
[0062] Log auditing and operation and maintenance unit 106 is used to record policy information throughout the entire process and provide automated operation and maintenance support.
[0063] In its implementation, the centralized policy controller 101 acts as the central hub, uniformly generating, distributing, and adapting policies to avoid policy conflicts caused by decentralized management and improve management efficiency. The identity authentication and access control unit 102 integrates dual authentication and access control logic, building a robust identity security defense for policy execution. The intelligent traffic monitoring unit 103 collects and analyzes traffic in real time, accurately identifying abnormal behavior and providing data support for policy adjustments. The multi-dimensional isolation execution unit 104 uses various technical means to ensure the accurate implementation and effectiveness of policies. The key and certificate management unit 105 implements full lifecycle management, providing cryptographic security. The log auditing and maintenance unit 106 records information throughout the entire process, meeting compliance auditing requirements. Information sharing and coordinated responses among these units construct a closed-loop system from data collection to auditing, adapting to complex network security situations.
[0064] For example, the centralized policy controller 101 can integrate attribute evaluation logic and dynamic adjustment logic, and can receive multi-dimensional information such as identity authentication results, traffic monitoring data, and policy execution feedback in real time. It can also perform comprehensive analysis by combining static data such as device type, user role, and asset importance in the asset attribute database, as well as dynamic data such as network topology changes, access frequency, and threat level. The centralized policy controller 101 supports automatic policy optimization triggered according to preset cycles, and can also adjust isolation rules in real time in response to abnormal alarms from the traffic intelligent monitoring unit 103, ensuring that the policy always adapts to the network security situation. It also has a policy version management function, which can record historical policy change trajectories and support policy rollback operations in abnormal situations.
[0065] By refining the functionality of the centralized policy controller, the dynamic adaptability and reliability of isolation policies can be significantly improved. The controller integrates dual logic for attribute evaluation and dynamic adjustment, combining multi-dimensional information such as authentication results and traffic monitoring data. It performs comprehensive analysis by combining static asset attribute data with dynamic data such as network topology and threat levels, making policy formulation and optimization more scientific. It supports automatic policy optimization according to preset cycles and can also adjust rules in real time in response to abnormal alarms from the intelligent traffic monitoring unit, ensuring that policies are always synchronized with the security posture and solving the problem of lagging traditional static policies. The controller's policy version management function can completely record historical change paths and support policy rollback in abnormal situations, avoiding security risks caused by policy misconfiguration and improving system fault tolerance. This design makes policy management more flexible and stable, providing core central support for network security protection.
[0066] For example, the identity authentication and access management unit 102 supports key pair allocation, digital certificate authentication, and multi-factor authentication. It dynamically allocates temporary permissions through access allocation logic, which determines temporary permissions based on user roles and access requests. This unit has a built-in device trust verification mechanism that periodically verifies the legality of device key pairs and automates the lifecycle management of digital certificates, including certificate issuance, renewal, revocation, and expiration warnings. Multi-factor authentication supports flexible combinations of knowledge factors, ownership factors, and inherent factors, and can dynamically adjust authentication strength according to the user's risk level. It also records the time, device, and location of each authentication, providing a basis for access control audits. Furthermore, after permission allocation, it evaluates user session behavior in real time; if an operation exceeding the permission scope is detected, it automatically triggers permission tightening or session termination.
[0067] By refining the functions of the identity authentication and access control unit, a fully intelligent identity and access control system has been constructed. This unit supports key pair allocation, digital certificate authentication, and multi-factor authentication. It incorporates a built-in device trust verification mechanism to periodically verify key legitimacy, achieving automated full lifecycle management of certificate issuance, renewal, and revocation, thus preventing security vulnerabilities caused by certificate expiration. Multi-factor authentication supports flexible combinations of knowledge, ownership, and inherent factors, dynamically adjusting authentication strength based on user risk levels, balancing security and convenience. This unit also records the time, device, and location information of each authentication, providing detailed evidence for access control audits. After access is assigned, this unit evaluates user session behavior in real time, automatically tightening permissions or terminating the session when unauthorized operations are detected, mitigating the risk of access abuse at the source and significantly improving the precision of identity and access control management.
[0068] For example, the traffic intelligent monitoring unit 103 can integrate traffic monitoring and collection tools, enabling it to collect multi-dimensional characteristic data of network traffic in real time, such as source and destination addresses, protocol types, port information, data transmission volume, and connection duration. The collected data is then analyzed in real time using anomaly detection algorithms. This unit supports the identification of various threat behaviors, including high-frequency access, abnormal port communication, illegal cross-regional connections, and sudden data transmissions. It can issue graded alarms based on threat type and severity level, and simultaneously establishes a real-time data transmission channel with the centralized policy controller, synchronizing alarm information and traffic characteristic data to the controller to trigger dynamic adjustments to isolation policies. Furthermore, this unit has traffic data storage capabilities, retaining raw traffic data and analysis results for a certain period, providing data support for security incident tracing and policy optimization.
[0069] By refining the functions of the intelligent traffic monitoring unit, the ability to perceive and respond to network threats can be significantly improved. This unit integrates traffic monitoring and collection tools, collecting multi-dimensional characteristic data such as source and destination addresses and data transmission volume in real time, providing comprehensive data support for anomaly analysis. Through anomaly detection algorithms, real-time analysis of the collected data can accurately identify various threat behaviors such as high-frequency access and unauthorized cross-regional connections, and issue graded alerts based on threat type and severity level, enabling operations and maintenance personnel to address risks in a targeted manner. This unit establishes a real-time data channel with the centralized policy controller, synchronizing alarm information and traffic characteristics, triggering dynamic adjustments to isolation policies, and achieving closed-loop threat handling. Its traffic data storage function retains raw data and analysis results for a certain period, providing a reliable basis for security incident tracing and policy optimization, effectively reducing the false negative rate and improving the accuracy of threat perception.
[0070] For example, the multi-dimensional isolation execution unit 104 may include an encrypted tunnel unit, an ACL concatenation blocking unit, and a bypass blocking unit. The encrypted tunnel unit is built based on the VPN protocol, supporting interface configuration, peer node management, and dynamic adjustment of routing rules. It ensures the confidentiality and integrity of data transmission within the tunnel through encryption algorithms. The ACL concatenation blocking unit automatically generates access control lists and can formulate blocking rules based on key elements such as source and destination IP addresses, communication protocols, and port numbers to accurately respond to north-south cross-border attacks. The bypass blocking unit works in conjunction with network switching equipment, acquiring VLAN internal traffic information to quickly block internal lateral movement attacks, supporting batch distribution and priority configuration of blocking rules. This unit also has a blocking effect verification function, detecting the attack source status in real time after executing the blocking operation. If the blocking is found to be ineffective, the blocking process is automatically re-executed, and the blocking result is synchronized to the log auditing and maintenance unit for recording.
[0071] By refining the functions of the multi-dimensional isolation execution unit, a comprehensive and highly reliable isolation execution system has been constructed. This unit includes an encrypted tunnel unit built on the VPN protocol, supporting dynamic configuration of interfaces, peer nodes, and routing rules, and ensuring the confidentiality and integrity of data transmission within the tunnel through encryption algorithms. The ACL concatenation blocking unit automatically generates access control lists, formulating rules based on key elements such as source and destination IPs and protocols to accurately respond to north-south cross-border attacks. The bypass blocking unit works in conjunction with network switching equipment to obtain VLAN internal traffic information, quickly blocking internal lateral movement attacks, supporting batch rule distribution and priority configuration to fill internal protection gaps. This unit has a blocking effect verification function, which detects the attack source status in real time and automatically re-executes the process if the blocking is ineffective, ensuring effective protection. The blocking results are synchronized to the log audit unit, forming a complete handling record, improving the reliability and traceability of isolation execution.
[0072] In one exemplary embodiment, such as Figure 2 As shown, a network isolation strategy processing method is provided, which is applied to... Figure 1 Taking the network isolation policy management system 100 in the example, the following is an explanation:
[0073] Step S202: Collect environmental and entity information within the target network, and construct an asset attribute database for the target network based on the environmental and entity information.
[0074] The target network can refer to various network environments such as enterprise internal networks, data center networks, and industrial control networks that require isolation policy management.
[0075] The environmental information includes network topology, network device configuration information, network bandwidth information, network area division information, and other information related to the network environment.
[0076] The entity information includes device information and user information. Device information includes the device type, device identifier, device location, and device access port of various devices in the network. User information includes user account, user role, and user permission level.
[0077] The asset attribute database stores attribute information for various assets within the target network. This information includes device attributes, user attributes, asset importance level, and asset security level. Asset importance level can be categorized based on the asset's impact on business operations; for example, the importance level of a core database server is higher than that of a regular office terminal. Asset security level can be categorized based on the sensitivity of the data stored or processed; for example, a server storing sensitive customer information has a higher security level than a server storing publicly available information.
[0078] In practice, environmental and entity information within the target network can be collected through telemetry technology. Telemetry technology includes device information collection based on simple network management protocol, topology discovery based on network traffic analysis, and user information synchronization based on lightweight directory access protocol.
[0079] In practice, the network isolation policy management system periodically sends information query requests to network devices within the target network. Upon receiving the query request, each network device returns its device information, including device type, device identifier, interface configuration, and routing table information, to the network isolation policy management system. The network isolation policy management system then parses the received device information, extracts device attribute information, and stores this information in the asset attribute database.
[0080] Meanwhile, the network isolation policy management system uses network traffic analysis technology to collect network traffic data within the target network. By analyzing information such as source address, destination address, and communication protocol in the network traffic data, it discovers the device connection relationships within the target network, constructs the network topology of the target network, and stores the network topology information in the asset attribute database as part of the environmental information.
[0081] The network isolation policy management system also synchronizes data with the enterprise's internal identity authentication server to obtain user information such as user accounts, user roles, and user permission levels, and stores the user information in the asset attribute database.
[0082] After collecting environmental and entity information, the network isolation policy management system assesses the importance level of various assets within the target network according to preset asset importance assessment rules. These rules can be based on factors such as asset type, the type of business the asset is used for, and the scope of the impact of asset failures on business operations. For example, core database servers and critical business application servers are set to a high importance level, while ordinary office terminals, printers, and other equipment are set to a low importance level.
[0083] The network isolation policy management system associates the assessed asset importance level with the corresponding asset attribute information and stores it in the asset attribute database, forming a complete asset attribute database containing information such as device attributes, user attributes, environmental attributes, and asset importance level.
[0084] By using telemetry technology to automatically collect environmental and entity information within the target network, the problem of information omission and update lag caused by traditional manual collection methods is avoided, providing accurate data support for the generation of subsequent isolation strategies.
[0085] Step S204: Based on the asset attribute database and the preset role-based access control model, generate an initial network isolation policy for the target network.
[0086] Role-based access control (RBAC) is an access control mechanism that associates access permissions with user roles. By assigning different access permissions to different roles, it achieves access control over network resources. The default RBAC model defines multiple user roles, each corresponding to a set of access permissions. These access permissions specify the range of network resources that role can access.
[0087] The initial network isolation policy refers to the isolation policy generated for the entire target network before any personalized adjustments are made. The initial network isolation policy includes various isolation rules such as network partition isolation rules, access permission isolation rules, and emergency isolation rules.
[0088] Step S206: Upon receiving a network access request from the target entity, perform authentication on the target entity and obtain the entity authentication result corresponding to the target entity.
[0089] In this context, the target entity refers to the entity that initiates the network access request, which includes the access device and the access account. The access device is the device attempting to access the target network, and the access account is the user account that initiates the access request through the access device.
[0090] A network access request refers to a request from a target entity to access a specific network resource within the target network. A network access request includes information such as the device identifier of the access device, the account identifier of the access account, and the identifier of the target resource to be accessed.
[0091] In practice, identity verification refers to the process of verifying the legitimacy of the target entity's identity. Identity verification includes device legitimacy authentication and user identity authentication.
[0092] The entity authentication result includes the device authentication result and the user authentication result, which is either authentication passed or authentication failed.
[0093] Step S208: Based on the entity authentication result, perform permission binding on the initial network isolation policy, generate a target isolation policy for the target entity, and distribute the target isolation policy to network devices in the target network.
[0094] In this context, permission binding refers to associating the initial network isolation policy with the entity authentication result, adjusting the access permissions of the initial network isolation policy based on the entity authentication result, and generating a personalized isolation policy for a specific target entity.
[0095] Among them, the target isolation policy refers to the isolation policy generated for a specific target entity after permission binding. The target isolation policy specifies the range of network resources that the target entity can access and the security rules that must be followed when accessing them.
[0096] In one possible implementation, the network isolation policy management system performs permission binding on the initial network isolation policy based on the entity authentication result, specifically including:
[0097] When the entity authentication result is successful, the network isolation policy management system retrieves the entity attribute information corresponding to the target entity from the asset attribute database. The entity attribute information includes the device type and security status of the access device, as well as the user role and user permission level of the access account.
[0098] The network isolation policy management system determines the range of network resources that a target entity can access based on entity attribute information and access permission isolation rules in the initial network isolation policy. For example, if the user role of the access account is a regular user, the target entity can only access business systems related to that user's work within the business security area; if the user role of the access account is a system administrator, the target entity can access all network resources within the target network.
[0099] The network isolation policy management system generates target isolation policies for target entities based on the defined network resource scope. The target isolation policy includes access permission information for the target entity, a list of allowed network resources, and security rules to be followed when accessing them.
[0100] When the entity authentication result is authentication failure, the network isolation policy management system rejects the network access request of the target entity, does not generate the target isolation policy, and returns an authentication failure message to the target entity.
[0101] Step S210: Collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
[0102] Network traffic data refers to the characteristic data of network traffic passing through network devices during the execution of target isolation policies. Network traffic data includes network payload data and traffic statistics. Network payload data refers to the actual content transmitted in network data packets, while traffic statistics refer to the statistical characteristics of network traffic, such as source and destination addresses, protocol types, port information, data transmission volume, and connection duration.
[0103] Abnormal behavior refers to behaviors that violate security policies or pose security threats within the target network. Abnormal behavior includes various types such as high-frequency access, abnormal port communication, illegal cross-regional connections, and sudden data transmission.
[0104] In practice, collecting network traffic data when network devices execute target isolation policies can include: The network isolation policy management system acquires network traffic data through traffic monitoring tools and network traffic collection methods. Traffic monitoring tools include port mirroring-based traffic monitoring tools and network splitter-based traffic monitoring tools. Network traffic collection methods include full traffic collection and sampling collection. Full traffic collection refers to collecting all network traffic on the network device, while sampling collection refers to collecting a portion of the network traffic according to a certain proportion or rule.
[0105] In its implementation, the network isolation policy management system deploys a traffic collection agent on network devices. This agent monitors the network interfaces of the devices in real time, capturing network data packets passing through them. The agent then parses these captured packets, extracting information such as the five-tuple, packet length, and packet payload. This extracted information is then sent to the network isolation policy management system as network traffic data.
[0106] The network isolation policy management system aggregates and stores received network traffic data to form a network traffic database. This database stores all or part of the network traffic data within the target network over a specific time period, providing data support for subsequent anomaly detection and policy optimization.
[0107] In the aforementioned network isolation strategy processing method, an asset attribute database is constructed by collecting environmental and entity information within the target network, providing accurate asset information support for the subsequent generation of network isolation strategies. An initial network isolation strategy is generated based on the asset attribute database and a pre-defined role-based access control model, ensuring that strategy formulation is grounded in accurate asset information and improving the matching degree between the isolation strategy and the actual network environment. Upon receiving a network access request, identity verification is performed on the target entity, and the initial network isolation strategy is bound to permissions based on the entity authentication result to generate a target isolation strategy, thus establishing a link between the strategy and entity identity and enhancing the targeting of access control. By collecting network traffic data when network devices execute the target isolation strategy and identifying abnormal behavior within the target network based on this data, network security threats can be detected in a timely manner. Adjustments to the target isolation strategy are made based on the identified abnormal behavior, enabling the isolation strategy to respond to changes in the network security situation and improving the timeliness of strategy optimization. Thus, from asset information collection, strategy generation, identity verification, and strategy binding to traffic monitoring and dynamic strategy adjustment, a complete network isolation strategy management process is constructed, which improves the accuracy and dynamic adaptability of network isolation strategies and enhances network security protection capabilities.
[0108] In one exemplary embodiment, based on an asset attribute database and a preset role-based access control model, an initial network isolation policy for the target network is generated, including:
[0109] Obtain asset importance data corresponding to the target network from the asset attribute database, divide the target network into different security level zones based on the asset importance data, and define interval access rules between each security level zone; assign corresponding role permissions to different access roles contained in the entity information based on a preset role-based access control model; quantify the entity attributes in the entity information and the environmental attributes in the environment information, and construct attribute evaluation logic for determining permissions; generate an initial network isolation policy for the target network based on the interval access rules, role permissions, and attribute evaluation logic.
[0110] In practice, the network isolation policy management system assigns high-priority assets to the core security zone, medium-priority assets to the business security zone, and low-priority assets to the office security zone. The core security zone has the highest security level, and the office security zone has the lowest security level.
[0111] The network isolation policy management system defines interval access rules for each security level zone, which specify access restrictions between zones of different security levels. For example, devices in the office security zone are not allowed to directly access devices in the core security zone; devices in the office security zone need to undergo identity authentication and permission verification to access devices in the business security zone; and devices in the business security zone need to undergo multi-factor authentication and strict permission verification to access devices in the core security zone.
[0112] By dividing the target network into different security level zones based on asset importance and defining access rules between zones, key protection of core assets can be achieved, reducing the attack surface of core assets.
[0113] The network isolation policy management system assigns corresponding role permissions to different access roles contained in the asset attribute database based on a preset role-based access control model.
[0114] In the specific implementation, the preset role-based access control model defines multiple roles, including system administrator, business administrator, and ordinary user. The system administrator role has access and management permissions for all resources within the target network, the business administrator role has access and management permissions for resources related to specific business systems, and the ordinary user role only has access permissions for resources related to their own work.
[0115] The network isolation policy management system retrieves user role information for each user from the asset attribute database, assigns corresponding role permissions to each user based on the user role information and the role permission definitions in the role-based access control model, and stores the role permission information in the asset attribute database.
[0116] The network isolation policy management system quantifies the entity attributes and environmental attributes in the asset attribute database and constructs attribute evaluation logic for determining permissions.
[0117] Among them, entity attributes include device attributes and user attributes. Device attributes include device type, device security status, device access location, etc., while user attributes include user role, user risk level, user historical behavior, etc.; environmental attributes include access time, access location, network security status, etc.
[0118] Among them, the attribute evaluation logic is a logical rule that dynamically calculates access permissions based on entity attributes and environmental attributes. The attribute evaluation logic quantifies and scores entity attributes and environmental attributes, and determines whether to grant access permissions and what level of access permissions to grant based on the scoring results.
[0119] For example, the attribute evaluation logic of the network isolation policy management system is as follows:
[0120] A = f(U, E);
[0121] Where A represents access permissions, U represents user or device attributes, E represents environment attributes, and f is a function that determines access permissions based on user or device attributes and environment attributes.
[0122] In practice, the network isolation policy management system sets quantitative scoring rules for each entity attribute and environmental attribute. For example, a device type of "secure terminal" scores 10 points, while a device type of "unknown device" scores 0 points; a user role of "system administrator" scores 10 points, while a user role of "ordinary user" scores 5 points; access time during working hours scores 10 points, while access time outside of working hours scores 5 points; a network security posture of "normal" scores 10 points, while a network security posture of "threat present" scores 0 points.
[0123] The network isolation policy management system calculates an overall score based on entity attribute scores and environment attribute scores, and determines access permissions based on the overall score. For example, a total score of 80 or higher grants full access; a total score between 60 and 80 grants restricted access; and a total score less than 60 denies access requests.
[0124] By constructing attribute evaluation logic, the network isolation policy management system can dynamically determine access permissions based on entity attributes and environment attributes, avoiding the inflexible permission management problem caused by traditional fixed permission allocation methods.
[0125] The network isolation policy management system generates an initial network isolation policy for the target network based on interval access rules, role permissions, and attribute evaluation logic. Specifically, the initial network isolation policy includes network partition isolation rules, access permission isolation rules, and anomaly emergency isolation rules. Network partition isolation rules, generated based on interval access rules, specify access restrictions between areas with different security levels. For example, devices in the office security area are prohibited from directly accessing devices in the core security area. Access permission isolation rules, generated based on role permissions and attribute evaluation logic, specify the range of network resources that users with different roles or devices with different attributes can access, as well as the environmental conditions that must be met for access. For example, users with ordinary user roles can only access specific business systems in the business security area during working hours. Anomaly emergency isolation rules are used to quickly isolate abnormal entities when abnormal network behavior is detected. For example, when a device is detected to be engaging in lateral movement attacks, its network connection with other devices within the target network is immediately blocked.
[0126] By generating initial network isolation policies based on an asset attribute database and a role-based access control model, layered protection and fine-grained access control of the target network are achieved, improving the accuracy of the isolation policies.
[0127] Optionally, the network isolation policy management system can also incorporate business requirements and security level requirements when generating the initial network isolation policy. Specifically, the system receives business requirements input by the administrator, including access requirements for specific business systems and access requirements for specific user groups. Based on these requirements, the system adjusts the access permission isolation rules in the initial network isolation policy to meet operational needs. For example, if a business system needs to allow external partners access, the system adds access permission isolation rules for external partners to the initial network isolation policy, stipulating that external partners can only access specific functional modules of the specific business system through a specific network access point within a specific time period.
[0128] Meanwhile, the network isolation policy management system receives the security level requirements set by the administrator and adjusts the access restriction strength of each security level zone according to the security level requirements. For example, when the security level requirement is set to high, the network isolation policy management system tightens the access restrictions between security level zones, requiring all cross-zone access to undergo multi-factor authentication and strict permission verification; when the security level requirement is set to medium, the network isolation policy management system moderately relaxes the access restrictions, allowing some low-risk cross-zone access to only require basic identity authentication.
[0129] By combining business needs and security level requirements to generate an initial network isolation policy, a balance between security and business convenience is achieved in the isolation policy.
[0130] In an exemplary embodiment, the target entity includes an access device and an access account; performing authentication on the target entity to obtain the entity authentication result corresponding to the target entity includes: performing device legitimacy authentication on the access device using a pre-allocated key pair and a digital certificate, and performing user identity authentication on the access account using multiple authentication methods to obtain the entity authentication result corresponding to the target entity;
[0131] After binding permissions to the initial network isolation policy based on the entity authentication result and generating a target isolation policy for the target entity, the following steps are also included:
[0132] Configure the corresponding temporary permissions for the target isolation policy and the duration of the temporary permissions; if the duration of the temporary permissions exceeds the usage time, revoke the access permissions of the target isolation policy.
[0133] In its implementation, the network isolation policy management system assigns a key pair to an access device when the device first connects to the target network. This key pair includes a public key and a private key. The system stores the public key on the server and the private key on the access device. Simultaneously, the system issues a digital certificate to the access device. This digital certificate contains the device identifier, public key, certificate validity period, and other information. The digital certificate is digitally signed by the certificate authority of the network isolation policy management system.
[0134] When an access device initiates a network access request, it sends its digital certificate and a digital signature generated using its private key to the network isolation policy management system. Upon receiving the digital certificate and digital signature, the network isolation policy management system first verifies the validity of the digital certificate, including whether it is within its validity period and whether the digital signature is correct.
[0135] After the digital certificate verification is successful, the network isolation policy management system uses the public key in the digital certificate to verify the digital signature, checking whether the digital signature was generated by the corresponding private key. If the digital signature verification is successful, it indicates that the access device holds the corresponding private key, the device identity is legitimate, and the device authentication result is successful; if the digital certificate verification or digital signature verification fails, the device authentication result is failed.
[0136] By using key pairs and digital certificates to authenticate access devices, it is possible to effectively prevent unauthorized devices from forging identities to access the target network, thereby improving the security of device access management.
[0137] The network isolation policy management system employs multiple authentication methods to perform user authentication for access accounts. These methods include at least two of the following: knowledge factor authentication, ownership factor authentication, and intrinsic factor authentication. Knowledge factor authentication verifies user identity based on information known to the user, such as password authentication or security question authentication. Ownership factor authentication verifies user identity based on items possessed by the user, such as hardware token authentication or SMS verification code authentication. Intrinsic factor authentication verifies user identity based on biometric characteristics, such as fingerprint authentication or facial recognition authentication.
[0138] In practice, the network isolation policy management system determines the required combination of authentication methods based on the user risk level of the access account. The user risk level is determined based on factors such as user role, user history behavior, and the sensitivity of the resources accessed by the user.
[0139] For low-risk users, the network isolation policy management system uses a combination of knowledge-based verification and ownership-based verification, such as requiring users to enter a password and a mobile SMS verification code. For high-risk users or users accessing highly sensitive resources, the network isolation policy management system uses a combination of knowledge-based verification, ownership-based verification, and inherent-based verification, such as requiring users to enter a password, a dynamic password generated by a hardware token, and fingerprint verification.
[0140] The network isolation policy management system sends an authentication request to the access account, which then provides the corresponding authentication information based on the request. The system verifies the received authentication information; if all authentication methods pass, the user authentication result is successful; otherwise, the user authentication result is unsuccessful.
[0141] By employing multi-factor authentication to verify access accounts, unauthorized access caused by leaked account passwords can be effectively prevented, thereby enhancing the security of user identity authentication.
[0142] The network isolation policy management system combines device authentication results and user authentication results to obtain the entity authentication result corresponding to the target entity. The entity authentication result is successful only if both the device authentication result and the user authentication result are successful; if either the device authentication result or the user authentication result is unsuccessful, the entity authentication result is unsuccessful.
[0143] In one possible implementation, the network isolation policy management system records information such as the time, device, and location of each authentication during the authentication process, and stores the authentication records in the log auditing and maintenance unit to provide a basis for subsequent permission auditing and security incident tracing.
[0144] In its implementation, when the network isolation policy management system receives a network access request, it extracts the timestamp information, the IP address information of the access device, and the geographical location information obtained through IP address resolution. The system combines the timestamp information, IP address information, geographical location information, device identifier, account identifier, authentication method, and authentication result to form an authentication record, which is then sent to the log auditing and maintenance unit for storage. By recording detailed information for each authentication, administrators can trace user access behavior at any given moment, detect abnormal access patterns, and promptly identify potential security threats.
[0145] In an exemplary embodiment, after binding permissions to the initial network isolation policy based on the entity authentication result to generate a target isolation policy for the target entity, the method further includes: configuring corresponding temporary permissions and the usage time of the temporary permissions for the target isolation policy; and revoking the access permissions of the target isolation policy if the duration of the temporary permissions exceeds the usage time.
[0146] In practice, the network isolation policy management system configures temporary permissions for the target isolation policy based on the target entity's access needs and security policy requirements. Temporary permissions refer to access permissions that are valid for a specific period of time, and the validity period of the permission is defined by the usage time.
[0147] For example, when an external partner needs to access a specific business system within the enterprise, the network isolation policy management system configures temporary permissions in the target isolation policy generated for the external partner. The temporary permissions only allow the external partner to access the specific business system during the project cooperation period, and the permission usage time is set to the time period of the project cooperation.
[0148] The network isolation policy management system uses a permission validity period verification algorithm to perform real-time verification of the validity of temporary permissions:
[0149] V=g(P) temp (T)
[0150] Among them, P temp T represents temporary permissions, V represents the time limit, and g represents the validity of the temporary permissions.
[0151] In its implementation, the network isolation policy management system obtains the current time and compares it with the permission usage time. If the current time is within the permission usage time range, the permission validity V is valid, and the target entity can continue to use temporary permissions to access network resources. If the current time exceeds the permission usage time range, the permission validity V is invalid, and the network isolation policy management system automatically revokes the target isolation policy's access permissions, blocking the target entity's connection to the target network.
[0152] By configuring temporary permissions and permission usage time for the target isolation policy and verifying the validity of permissions in real time, it is possible to achieve automated management and automatic revocation of permissions, avoiding security risks caused by long-term validity of permissions.
[0153] In an exemplary embodiment, distributing the target isolation policy to network devices in the target network includes:
[0154] By configuring interfaces, peer nodes, and routing rules in network devices, an encrypted tunnel for communication between the network devices and the network devices is established. Based on preset key elements of network communication, corresponding access control list rules are generated in the network devices, and bypass blocking operations are performed in conjunction with network switching devices in the target network. When cross-border attack traffic at the boundary of the target network is intercepted by access control list rules, and lateral movement attack traffic within the target network is intercepted by bypass blocking operations, the target isolation policy is distributed to network devices in the target network through the encrypted tunnel.
[0155] Interface configuration refers to creating virtual network interfaces on network devices to establish encrypted tunnels. These virtual network interfaces are bound to physical network interfaces to carry network traffic through the encrypted tunnel. Peer nodes refer to the other end of the encrypted tunnel, i.e., the network isolation policy management system. Routing rules define the routing paths for network traffic transmitted through the encrypted tunnel.
[0156] In practice, the network isolation policy management system sends tunnel configuration instructions to network devices. These instructions include configuration information such as the interface identifier of the virtual network interface, the IP address of the peer node, the encryption algorithm type, and the routing rules.
[0157] After receiving the tunnel configuration command, the network device creates a virtual network interface based on the configuration information and binds the virtual network interface to the physical network interface. The network device configures peer node information and establishes a connection with the network isolation policy management system. Based on routing rules, the network device routes network traffic that needs to be transmitted through the encrypted tunnel to the virtual network interface.
[0158] The network isolation policy management system and network devices negotiate and determine the encryption algorithm and key to establish an encrypted tunnel. After the encrypted tunnel is established, all communication data between the network isolation policy management system and network devices is transmitted through the encrypted tunnel, ensuring the confidentiality and integrity of the communication data.
[0159] By establishing an encrypted tunnel, the security of policy distribution can be ensured by preventing eavesdropping or tampering during the distribution process. The network isolation policy management system generates corresponding access control list rules in network devices based on preset key network communication elements.
[0160] Key elements of network communication include source IP address, destination IP address, communication protocol, port number, packet length, and other characteristic information of network traffic. Access control list rules are traffic filtering rules formulated based on these key elements of network communication; they specify the types of network traffic that are allowed or denied access.
[0161] In practice, the network isolation policy management system determines the IP address, communication protocol, and port number of the target resources that the target entity is allowed to access, based on the access permission information in the target isolation policy.
[0162] The network isolation policy management system generates access control list rules based on the determined information. Each access control list rule contains multiple rule entries, and each entry specifies a type of traffic that is allowed or denied. For example, traffic whose source IP address is the destination entity IP address, whose destination IP address is the destination resource IP address, whose communication protocol is TCP, and whose destination port number is 443 is allowed to pass; traffic whose source IP address is the destination entity IP address, and whose destination IP address is another resource IP address, is denied to pass.
[0163] The network isolation policy management system distributes access control list rules to network devices via encrypted tunnels. Upon receiving the access control list rules, the network devices apply the rule entries to their traffic filtering modules. The traffic filtering modules then monitor network traffic passing through the devices in real time, determining whether the traffic is allowed based on the access control list rules. If the traffic matches a allowed rule, it is forwarded normally; otherwise, it is discarded.
[0164] Access control list (ACCUP) rules are primarily used to combat north-south cross-border attacks, which are attacks originating from outside the target network that attempt to cross the network boundary and access resources within the target network. By deploying ACCU rules on network boundary devices, attack traffic can be intercepted before it enters the target network, thus protecting the target network's security.
[0165] The network isolation policy management system works in conjunction with the network switching devices in the target network to perform bypass blocking operations.
[0166] Bypass blocking refers to a technical means of blocking specific network traffic by coordinating with network switching equipment without changing the main forwarding path of network devices. Bypass blocking is mainly used to deal with lateral movement attacks within the target network, that is, attacks in which an attacker, after successfully infiltrating a device within the target network, uses that device as a springboard to move laterally and access other devices within the target network.
[0167] In an exemplary embodiment, the bypass blocking operation is performed in conjunction with a network switching device in the target network, including: obtaining mirrored traffic data corresponding to the network switching device through the port mirroring function of the network switching device in the target network; parsing the mirrored traffic data to identify attack characteristics corresponding to lateral movement attack traffic; and, if it is determined based on the attack characteristics that a lateral movement attack exists within the target network, obtaining the address information of the attacked target and the attack source corresponding to the lateral movement attack; sending a query request containing the address information of the attack source to the network switching device corresponding to the attacked target; the query request is used to obtain the switch information and port status connected to the attack source; generating a blocking command based on the switch information and port status; and sending the blocking command to the switch connected to the attack source to perform a bypass blocking operation on the attack source.
[0168] In its implementation, the network isolation policy management system obtains mirrored traffic data corresponding to the network switching devices in the target network through the port mirroring function. Port mirroring refers to the function of the network switching device copying the network traffic of a specified port and sending the copied traffic to the monitoring port. The network isolation policy management system sends mirroring configuration commands to the network switching device, specifying the ports to be mirrored and the destination port of the mirrored traffic. The network switching device then copies the network traffic of the specified ports and sends it to the network isolation policy management system according to the mirroring configuration commands.
[0169] The network isolation policy management system analyzes the received mirrored traffic data to identify the attack characteristics corresponding to lateral movement attack traffic. Attack characteristics include the same source IP address making connection attempts to a large number of different destination IP addresses on the same port within a short period of time, brute-force attacks using specific protocols, and abnormal internal network domain name resolution requests. The network isolation policy management system has a built-in attack detection engine with preset attack characteristic rules for various lateral movement attacks.
[0170] The network isolation policy management system analyzes mirrored traffic data in real time through an attack detection engine, matching the mirrored traffic data with attack signature rules. If the mirrored traffic data matches a certain attack signature rule, the network isolation policy management system determines that a lateral movement attack exists and extracts information such as the attack source IP address, attack source MAC address, and the attacked target IP address from the lateral movement attack traffic.
[0171] When the network isolation policy management system determines that a lateral movement attack exists within the target network based on attack characteristics, it obtains the address information of the attacked target and the attack source corresponding to the lateral movement attack.
[0172] The network isolation policy management system sends a query request containing the attack source address information to the network switching device corresponding to the attacked target.
[0173] In practice, the network isolation policy management system determines the network switching device connected to the attacked target based on the target's IP address. The system then sends a query request to that network switching device, containing the attack source's IP address and MAC address.
[0174] After receiving a query request, the network switching device looks up the switch port information corresponding to the MAC address of the attack source in its own MAC address table, and returns the query results to the network isolation policy management system. The query results include information such as the switch identifier, switch port number, and port status of the attack source.
[0175] The network isolation policy management system generates blocking commands based on switch information and port status, and sends the blocking commands to the switch connected to the attack source to perform bypass blocking operations on the attack source.
[0176] In practice, blocking commands include those based on source MAC addresses and those based on source IP addresses. A source MAC address-based blocking command marks the attacking source MAC address as "deny forwarding" in the network switch's MAC address table, preventing the network switch from forwarding network traffic originating from the attacking source MAC address. A source IP address-based blocking command configures access control list rules on the network switch to deny network traffic originating from the attacking source IP address.
[0177] The network isolation policy management system selects an appropriate blocking method based on the specific circumstances of the attack source. If the attack source accesses the network switching device through a fixed port, the network isolation policy management system generates a port shutdown command to directly shut down the switch port accessed by the attack source, achieving physical isolation.
[0178] The network isolation policy management system generates blocking commands and sends them over the network to the switch connected to the attack source. Upon receiving the blocking command, the switch executes the blocking operation, cutting off the network connection between the attack source and other devices within the target network, thus preventing the further spread of the lateral movement attack.
[0179] By working in conjunction with network switching equipment to perform bypass blocking operations, it is possible to quickly isolate the attack source without affecting normal network traffic, effectively respond to lateral movement attacks within the target network, and fill the gaps in traditional perimeter protection.
[0180] The network isolation policy management system, after intercepting cross-border attack traffic at the target network boundary through access control list rules and intercepting lateral movement attack traffic within the target network through bypass blocking operations, distributes the target isolation policy to network devices in the target network through encrypted tunnels.
[0181] In practice, the network isolation policy management system encapsulates the target isolation policy into a policy configuration file. The policy configuration file contains information such as the access permissions of the target entity, the list of network resources that are allowed to be accessed, and the security rules that need to be followed when accessing them.
[0182] The network isolation policy management system sends policy configuration files to network devices via an encrypted tunnel. Upon receiving the policy configuration file, the network device parses it and updates its own forwarding rules, access control rules, and other configurations based on the information in the policy configuration file.
[0183] After updating its configuration, the network device returns a confirmation message indicating that the policy deployment is complete to the network isolation policy management system. Upon receiving the confirmation message, the network isolation policy management system performs a post-deployment verification operation on the network device.
[0184] In practice, the network isolation policy management system sends test traffic to network devices. This test traffic simulates scenarios where a target entity accesses both permitted and prohibited network resources. The system then monitors the network devices' processing of the test traffic to verify whether they are correctly handling the traffic according to the target isolation policy.
[0185] If the network device correctly allows test traffic accessing permitted resources and correctly blocks test traffic accessing prohibited resources, the policy deployment verification passes, and the target isolation policy is successfully issued and takes effect. If the network device fails to process the test traffic correctly, the policy deployment verification fails, and the network isolation policy management system re-executes the policy issuance process or sends an alarm message indicating a policy deployment error to the administrator.
[0186] By validating the policy deployment, we can avoid issues such as fake or empty policy deployments, ensuring that each target isolation policy can effectively play its role.
[0187] In one possible implementation, when issuing target isolation policies, the network isolation policy management system can also adopt different policy issuance methods according to the type and function of the network device.
[0188] For example, for network devices that support software-defined networking protocols, the network isolation policy management system directly issues flow table rules to the network devices through the software-defined network controller. These flow table rules specify the actions the network devices take to handle different types of network traffic. For traditional network devices, the network isolation policy management system issues configuration commands to the network devices through a command-line interface or network configuration protocol. The network devices then update their own configurations according to these commands.
[0189] By adopting a policy delivery method that adapts to different network device types, the adaptability and compatibility of the target isolation policy in heterogeneous network environments can be improved.
[0190] In an exemplary embodiment, identifying abnormal behavior within a target network based on network traffic data includes: inputting network traffic data into a pre-trained deep learning model; the pre-trained deep learning model includes a load feature extraction network, a temporal feature extraction network, and a feature classification network; the network traffic data includes network load data and traffic statistics; extracting features from the network load data using the load feature extraction network to obtain corresponding load features, and extracting features from the traffic statistics using the temporal feature extraction network to obtain corresponding temporal features; fusing the load features and temporal features to obtain network traffic features corresponding to the network traffic data; inputting the network traffic features into the feature classification network for classification processing, and outputting the probability distribution results of each abnormal behavior category corresponding to the network traffic data; determining the abnormal behavior category to which the network traffic data belongs based on the probability distribution results, and determining the abnormal behavior within the target network based on the abnormal behavior category.
[0191] Pre-trained deep learning models refer to deep learning models that are trained in advance using a large amount of network traffic data and are capable of identifying abnormal behavior patterns in network traffic. Pre-trained deep learning models include payload feature extraction networks, temporal feature extraction networks, and feature classification networks.
[0192] The load feature extraction network is used to extract features from network load data, the time series feature extraction network is used to extract features from traffic statistics, and the feature classification network is used to classify the extracted features and identify the abnormal behavior categories to which network traffic belongs.
[0193] In its implementation, the network isolation policy management system first preprocesses the network traffic data. For network payload data, the system extracts the first certain number of bytes of payload content from each network data packet, such as the first 784 bytes, and converts the payload content into a two-dimensional array format, simulating an image input format.
[0194] For traffic statistics, the network isolation policy management system aggregates multiple network packets belonging to the same network flow into a flow record based on the five-tuple information, and extracts flow statistical features from the flow record such as flow duration, average and variance of packet interval, maximum, minimum and average packet length, ratio of uplink to downlink bytes, and distribution of TCP flag bits.
[0195] The network isolation policy management system extracts features from network load data through load feature extraction to obtain the corresponding load features.
[0196] In the specific implementation, the load feature extraction network adopts a convolutional neural network structure. The network load data is input into the convolutional neural network in the form of grayscale images. After processing through multiple convolutional and pooling layers, the spatial features in the network load data are extracted. The last layer of the convolutional neural network is a global average pooling layer, which outputs a fixed-dimensional load feature vector, such as a 128-dimensional load feature vector.
[0197] The payload feature vector characterizes the content characteristics of network payload data. Different types of network traffic have different payload feature patterns. For example, there are significant differences in the payload features of normal web browsing traffic and malware communication traffic.
[0198] The network isolation policy management system extracts features from traffic statistics through time-series feature extraction to obtain the corresponding time-series features.
[0199] In its implementation, the temporal feature extraction network employs a combination of a Long Short-Term Memory (LSTM) network and fully connected layers. Traffic statistics are arranged in chronological order to form temporal data, which is then input into the LTM network. The LTM network captures long-term dependencies in the temporal data and extracts the temporal variation features of the traffic statistics. The LTM network outputs the hidden state of the last time step, which is processed by the fully connected layers to obtain a fixed-dimensional temporal feature vector, such as a 64-dimensional temporal feature vector.
[0200] Temporal feature vectors characterize the temporal statistical features of network traffic. Different types of abnormal behavior exhibit different patterns in temporal statistical features. For example, scanning attacks are characterized by a large number of connection attempts in a short period of time, while data leakage is characterized by continuous large-volume uploads.
[0201] The network isolation policy management system fuses load characteristics and time-series characteristics to obtain network traffic characteristics corresponding to network traffic data.
[0202] In its implementation, the network isolation policy management system concatenates the load feature vector with the time-series feature vector to form a fused feature vector. For example, concatenating a 128-dimensional load feature vector with a 64-dimensional time-series feature vector yields a 192-dimensional fused feature vector.
[0203] The fusion feature vector combines the content features of network payload data with the temporal features of traffic statistics, enabling a more comprehensive characterization of network traffic characteristics and improving the accuracy of abnormal behavior identification.
[0204] The network isolation policy management system inputs network traffic characteristics into a feature classification network for classification processing and outputs the probability distribution results of each abnormal behavior category corresponding to the network traffic data.
[0205] In its implementation, the feature classification network employs a multi-layer fully connected neural network structure. Feature vectors are input into the multi-layer fully connected neural network, undergo multiple non-linear transformations, and the final layer uses a Softmax activation function to output the probability distribution of each abnormal behavior category.
[0206] The abnormal behavior categories include normal traffic categories and various abnormal traffic categories, such as normal, scanning attacks, brute-force attacks, lateral movement, and data breaches. The probability distribution results include a probability value for each category, representing the likelihood that network traffic data belongs to that category.
[0207] The network isolation policy management system determines the abnormal behavior category of network traffic data based on the probability distribution results, and then determines the abnormal behavior within the target network based on the abnormal behavior category.
[0208] In practice, the network isolation policy management system compares the probability values of each abnormal behavior category and selects the category with the highest probability value as the category to which the network traffic data belongs. If the category with the highest probability value is a normal traffic category, and the probability value of this category is greater than a preset normal threshold, such as 0.8, then the network isolation policy management system determines that the network traffic data is normal traffic and there is no abnormal behavior.
[0209] If the category with the highest probability value is an abnormal traffic category, or if the probability value of a normal traffic category is less than the normal threshold, the network isolation policy management system determines that the network traffic data exhibits abnormal behavior. Based on the abnormal traffic category, the network isolation policy management system determines the specific type of abnormal behavior, such as scanning attacks or brute-force attacks.
[0210] The network isolation policy management system will record the abnormal behavior information it identifies, including the type of abnormal behavior, the source and destination addresses of the abnormal traffic, and the time of occurrence, to the log auditing and operation and maintenance unit, and generate abnormal behavior alarms to send alarm notifications to the administrator.
[0211] By employing deep learning models to analyze network traffic data, it can autonomously learn abnormal patterns in network traffic, identify new types of attacks that are difficult for traditional rule engines to detect, and improve the accuracy and coverage of abnormal behavior identification.
[0212] In one possible implementation, the deep learning model is trained using supervised learning. The network isolation policy management system uses a labeled historical traffic dataset to train the deep learning model. This historical traffic dataset contains network traffic data with known category labels, which identify the abnormal behavior category to which the network traffic data belongs.
[0213] The network isolation policy management system divides the historical traffic dataset into training and validation sets. The training set is used to optimize the parameters of the deep learning model, and the validation set is used to evaluate the performance of the deep learning model. The training objective of the deep learning model is to minimize the classification cross-entropy loss function. The optimizer used is the Adam optimizer, and the batch size is set to 64 and the training epochs are set to 50.
[0214] After the deep learning model is trained, the network isolation policy management system will deploy the trained model to the traffic intelligent monitoring unit to identify abnormal behavior in network traffic in real time.
[0215] The network isolation policy management system also supports online incremental learning of deep learning models. During actual operation, the system periodically collects new network traffic data, which is then categorized by administrators or security experts, forming a new labeled dataset. The system uses this new labeled dataset to fine-tune the deep learning model, updating its parameters to adapt to changes in network traffic behavior and continuously improve the accuracy of anomaly detection.
[0216] In one exemplary embodiment, the network isolation policy management system adjusts the target isolation policy based on abnormal behavior, specifically including:
[0217] The network isolation policy management system adjusts the access permissions of the target isolation policy based on the identified abnormal behavior using a dynamic adjustment algorithm. The dynamic adjustment methods include:
[0218] P adj =h(B,S);
[0219] Among them, P adj Here, B represents the adjusted permissions, S represents the security policy, and h is a function that dynamically adjusts permissions based on user or device behavior and the security policy.
[0220] In practice, user or device behavior B is characterized by abnormal behavior identification results, which include information such as the type and severity of the abnormal behavior. Security policy S includes the current target isolation policy and preset policy adjustment rules. These rules specify the policy adjustment measures to be taken for different types and severityes of abnormal behavior.
[0221] For example, when a target entity is detected to be engaging in scanning attacks, the network isolation policy management system determines, based on policy adjustment rules, that access permissions for that target entity should be tightened. The network isolation policy management system adjusts the target entity's corresponding isolation policy, narrowing the range of network resources the target entity is allowed to access, or increasing the authentication strength requirements for access.
[0222] When a data breach is detected in a target entity, the network isolation policy management system determines, based on policy adjustment rules, that the target entity's network connection should be immediately blocked. The system then revokes the corresponding isolation policy for the target entity, issues a blocking command to the network devices, disconnects the target entity from the target network, and prevents further data breaches.
[0223] When frequent abnormal behavior is detected in a certain area within the target network, the network isolation policy management system determines, based on policy adjustment rules, that the overall security level of that area should be upgraded. The system adjusts the network partition isolation rules in the initial network isolation policy, tightening access restrictions between that area and other areas, requiring all requests to access that area to undergo strict identity authentication and permission verification.
[0224] The network isolation policy management system will redistribute the adjusted target isolation policy or the initial network isolation policy to the network devices. The network devices will update their configurations according to the adjusted policy and execute the adjusted isolation policy.
[0225] By employing dynamic adjustment algorithms to adjust isolation strategies in real time based on abnormal behavior, threat response can be automated and real-time, significantly shortening threat response time and enhancing the security protection capabilities of the target network.
[0226] In one possible implementation, after adjusting the isolation policy, the network isolation policy management system also records the policy adjustment information to the log auditing and maintenance unit. The network isolation policy management system also supports policy version management and rollback functions, assigning a version number to each generated or adjusted isolation policy and storing the policy content of that version in the policy version repository. Through policy version management and rollback functions, security risks caused by incorrect policy configuration can be avoided, improving the system's fault tolerance and reliability.
[0227] In one possible implementation, the network isolation policy management system can also automatically trigger the optimization of isolation policies according to a preset period. Specifically, the network isolation policy management system sets a trigger period for policy optimization, such as daily, weekly, or monthly. When the trigger period is reached, the network isolation policy management system automatically initiates the policy optimization process. During the policy optimization process, the network isolation policy management system comprehensively analyzes information such as network traffic data, abnormal behavior identification results, and policy execution feedback within a certain time period to evaluate the execution effect of the current isolation policy. By periodically and automatically triggering policy optimization, it is possible to ensure that the isolation policy always adapts to the security posture of the target network, continuously improving the effectiveness of network security protection.
[0228] In one possible implementation, the network isolation policy management system also supports multiple abnormal behavior alert mechanisms. Specifically, the system categorizes abnormal behaviors into different alert levels based on their threat type and severity. For low-severity abnormal behaviors, the system generates a general alert, which is recorded in the log auditing and maintenance unit, allowing administrators to view and handle it during routine maintenance. For medium-severity abnormal behaviors, the system generates a critical alert, notifying the administrator via pop-up windows, email, etc., requiring timely attention and action. For high-severity abnormal behaviors, the system generates an emergency alert, simultaneously notifying the administrator via pop-up windows, email, SMS, etc., requiring immediate action to prevent further escalation of the security incident.
[0229] In one possible implementation, the distribution process of the target isolation policy can be further refined by adding a policy pre-verification step. Specifically, before distributing the target isolation policy to network devices, the network isolation policy management system first performs a pre-verification of the target isolation policy in a virtual environment.
[0230] The network isolation policy management system constructs a virtual network environment that is consistent with the target network topology. The virtual network environment contains virtual network devices, virtual hosts and other virtual entities, and the configuration of the virtual entities is consistent with the configuration of the corresponding entities in the real target network.
[0231] The network isolation policy management system applies target isolation policies to virtual network devices in a virtual network environment and simulates the access behavior of target entities in the virtual network environment, including access to allowed resources and access to prohibited resources.
[0232] The network isolation policy management system monitors the processing results of virtual network devices on simulated access behaviors, verifying whether the virtual network devices correctly process access requests according to the target isolation policy. If the virtual network devices correctly process all simulated access behaviors, the pre-verification passes, and the network isolation policy management system distributes the target isolation policy to the network devices in the real target network.
[0233] If a virtual network device fails to properly handle certain simulated access behaviors, the pre-verification fails. The network isolation policy management system analyzes the reasons for the pre-verification failure, adjusts the target isolation policy, and re-performs the pre-verification until it passes before being sent to the real network device.
[0234] By pre-validating policies in a virtual environment, errors in policy configuration can be detected without affecting the operation of the real network, thus preventing erroneous policies from impacting the real network and further improving the reliability of policy distribution.
[0235] For the convenience of those skilled in the art, Figure 3 An exemplary logic diagram of a network isolation strategy processing method is provided.
[0236] In another embodiment, such as Figure 4 As shown, a network isolation strategy processing method is provided, which is applied to... Figure 1 Taking the network isolation policy management system 100 in the example, the following steps are included:
[0237] Step S402: Collect environmental and entity information within the target network, and construct an asset attribute database for the target network based on the environmental and entity information.
[0238] Step S404: Obtain asset importance data corresponding to the target network from the asset attribute database; divide the target network into different security level zones based on the asset importance data; define interval access rules between each security level zone; assign corresponding role permissions to different access roles contained in the entity information based on a preset role-based access control model; quantify the entity attributes in the entity information and the environmental attributes in the environment information, and construct attribute evaluation logic for determining permissions; generate an initial network isolation policy for the target network based on the interval access rules, role permissions, and attribute evaluation logic.
[0239] Step S406: Upon receiving a network access request from the target entity, the access device is authenticated using a pre-allocated key pair and digital certificate, and the access account is authenticated using multiple authentication methods to obtain the entity authentication result corresponding to the target entity.
[0240] Step S408: Based on the entity authentication result, perform permission binding on the initial network isolation policy to generate a target isolation policy for the target entity; configure the corresponding temporary permissions and the usage time of the temporary permissions for the target isolation policy; if the duration of the temporary permissions exceeds the usage time, revoke the access permissions of the target isolation policy.
[0241] Step S410: By configuring interfaces, peer nodes, and routing rules in the network device, an encrypted tunnel for communication with the network device is established; based on preset key elements of network communication, corresponding access control list rules are generated in the network device.
[0242] Step S412: Obtain mirrored traffic data corresponding to the network switching device through the port mirroring function of the network switching device in the target network; parse the mirrored traffic data to identify the attack characteristics corresponding to the lateral movement attack traffic; and, if it is determined that there is a lateral movement attack in the target network based on the attack characteristics, obtain the address information of the attacked target and the attack source corresponding to the lateral movement attack; send a query request containing the address information of the attack source to the network switching device corresponding to the attacked target; generate a blocking command based on the switch information and port status; and send the blocking command to the switch connected to the attack source to perform a bypass blocking operation on the attack source.
[0243] In step S414, after intercepting cross-border attack traffic at the target network boundary through access control list rules and intercepting lateral movement attack traffic within the target network through bypass blocking operations, the target isolation policy is distributed to network devices in the target network through an encrypted tunnel.
[0244] Step S416: Collect network traffic data when the network device executes the target isolation strategy, and input the network traffic data into a pre-trained deep learning model; extract features from the network load data through a load feature extraction network to obtain the corresponding load features, and extract features from the traffic statistics data through a time series feature extraction network to obtain the corresponding time series features; fuse the load features and time series features to obtain the network traffic features corresponding to the network traffic data; input the network traffic features into a feature classification network for classification processing, and output the probability distribution results of each abnormal behavior category corresponding to the network traffic data; determine the abnormal behavior category to which the network traffic data belongs based on the probability distribution results, and determine the abnormal behavior within the target network based on the abnormal behavior category.
[0245] Step S418: Adjust the target isolation strategy based on the abnormal behavior.
[0246] It should be noted that the specific limitations of the above steps can be found in the specific limitations of a network isolation strategy processing method described above.
[0247] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0248] Based on the same inventive concept, this application also provides a network isolation policy processing apparatus for implementing the network isolation policy processing method described above. The solution provided by this apparatus is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more network isolation policy processing apparatus embodiments provided below can be found in the limitations of the network isolation policy processing method described above, and will not be repeated here.
[0249] In one exemplary embodiment, such as Figure 5 As shown, a network isolation policy processing device is provided, comprising:
[0250] The construction module 510 is used to collect environmental information and entity information within the target network, and to construct an asset attribute database of the target network based on the environmental information and the entity information.
[0251] The generation module 520 is used to generate an initial network isolation policy for the target network based on the asset attribute database and a preset role-based access control model.
[0252] The authentication module 530 is used to perform identity verification on the target entity upon receiving a network access request from the target entity, and obtain the entity authentication result corresponding to the target entity.
[0253] The isolation module 540 is used to perform permission binding on the initial network isolation policy based on the entity authentication result, generate a target isolation policy for the target entity, and distribute the target isolation policy to network devices in the target network.
[0254] The adjustment module 550 is used to collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
[0255] In one embodiment, the generation module 520 is specifically used to obtain asset importance data corresponding to the target network in the asset attribute database, divide the target network into different security level zones based on the asset importance data, and define interval access rules between each security level zone; assign corresponding role permissions to different access roles contained in the entity information based on the preset role-based access control model; quantify the entity attributes in the entity information and the environmental attributes in the environment information, and construct attribute evaluation logic for determining permissions; and generate the initial network isolation policy for the target network according to the interval access rules, the role permissions, and the attribute evaluation logic.
[0256] In one embodiment, the isolation module 540 is specifically used to establish an encrypted tunnel for communication with the network device by configuring interfaces, peer nodes, and routing rules in the network device; generate corresponding access control list rules in the network device based on preset key network communication elements; and coordinate with the network switching device in the target network to perform a bypass blocking operation; when the cross-border attack traffic at the boundary of the target network is intercepted by the access control list rules, and the lateral movement attack traffic inside the target network is intercepted by the bypass blocking operation, the target isolation policy is distributed to the network devices in the target network through the encrypted tunnel.
[0257] In one embodiment, the isolation module 540 is specifically configured to: acquire mirrored traffic data corresponding to the network switching device through the port mirroring function of the network switching device in the target network; parse the mirrored traffic data to identify the attack characteristics corresponding to the lateral movement attack traffic; and, if it is determined based on the attack characteristics that a lateral movement attack exists within the target network, acquire the address information of the attacked target and the attack source corresponding to the lateral movement attack; send a query request containing the address information of the attack source to the network switching device corresponding to the attacked target; the query request is used to acquire the switch information and port status connected to the attack source; generate a blocking instruction based on the switch information and the port status; and send the blocking instruction to the switch connected to the attack source to perform a bypass blocking operation on the attack source.
[0258] In one embodiment, the adjustment module 550 is specifically used to input the network traffic data into a pre-trained deep learning model; the pre-trained deep learning model includes a load feature extraction network, a temporal feature extraction network, and a feature classification network; the network traffic data includes network load data and traffic statistics data; the load feature extraction network extracts features from the network load data to obtain corresponding load features, and the temporal feature extraction network extracts features from the traffic statistics data to obtain corresponding temporal features; the load features and the temporal features are fused to obtain network traffic features corresponding to the network traffic data; the network traffic features are input into the feature classification network for classification processing, and the probability distribution results of each abnormal behavior category corresponding to the network traffic data are output; the abnormal behavior category to which the network traffic data belongs is determined according to the probability distribution results, and the abnormal behavior within the target network is determined according to the abnormal behavior category.
[0259] In one embodiment, the target entity includes an access device and an access account; the authentication module 530 is specifically used to perform device legitimacy authentication on the access device using a pre-allocated key pair and a digital certificate, and to perform user identity authentication on the access account using multiple authentication methods to obtain the entity authentication result corresponding to the target entity. The isolation module 540 is specifically used to configure corresponding temporary permissions and the usage time of the temporary permissions for the target isolation policy; if the duration of the temporary permissions exceeds the usage time, the access permissions of the target isolation policy are revoked.
[0260] Each module in the aforementioned network isolation strategy processing device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of a computer device in hardware form or independent of it, or stored in the memory of the computer device in software form, so that the processor can call and execute the operations corresponding to each module.
[0261] In one exemplary embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 6As shown, this computer device includes a processor, memory, input / output interfaces (I / O), and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores network data. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communicating with external terminals via a network connection. When the computer program is executed by the processor, it implements a network isolation strategy processing method.
[0262] Those skilled in the art will understand that Figure 6 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0263] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above-described method embodiments.
[0264] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the steps in the above method embodiments.
[0265] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.
[0266] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0267] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.
[0268] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.
[0269] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A method for processing network isolation strategies, characterized in that, The method includes: Collect environmental and entity information within the target network, and construct an asset attribute database for the target network based on the environmental and entity information; Based on the asset attribute database and the preset role-based access control model, an initial network isolation policy is generated for the target network. Upon receiving a network access request from a target entity, authentication is performed on the target entity to obtain the entity authentication result corresponding to the target entity; Based on the entity authentication result, the initial network isolation policy is bound to permissions, a target isolation policy for the target entity is generated, and the target isolation policy is distributed to network devices in the target network. Collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
2. The method according to claim 1, characterized in that, The initial network isolation policy for the target network is generated based on the asset attribute database and a preset role-based access control model, including: Obtain asset importance data corresponding to the target network from the asset attribute database, divide the target network into different security level zones based on the asset importance data, and define interval access rules between each security level zone; Based on the preset role-based access control model, corresponding role permissions are assigned to different access roles contained in the entity information. The entity attributes in the entity information and the environmental attributes in the environment information are quantified to construct attribute evaluation logic for determining permissions. Based on the interval access rules, the role permissions, and the attribute evaluation logic, an initial network isolation policy is generated for the target network.
3. The method according to claim 1, characterized in that, The step of distributing the target isolation policy to network devices in the target network includes: An encrypted tunnel for communication with the network device is established by configuring interfaces, peer nodes, and routing rules in the network device. Based on preset key elements of network communication, corresponding access control list rules are generated in the network device, and bypass blocking operations are performed in conjunction with the network switching device in the target network. In the case of intercepting cross-border attack traffic at the target network boundary through the access control list rules, and intercepting lateral movement attack traffic within the target network through the bypass blocking operation, the target isolation policy is distributed to network devices in the target network through the encrypted tunnel.
4. The method according to claim 3, characterized in that, The bypass blocking operation performed in conjunction with the network switching equipment in the target network includes: By utilizing the port mirroring function of the network switching device in the target network, the mirrored traffic data corresponding to the network switching device is obtained; The mirrored traffic data is parsed to identify the attack characteristics corresponding to the lateral movement attack traffic. Furthermore, if it is determined based on the attack characteristics that a lateral movement attack exists within the target network, the address information of the attacked target and the attack source corresponding to the lateral movement attack is obtained. A query request containing the address information of the attack source is sent to the network switching device corresponding to the attacked target; the query request is used to obtain the switch information and port status connected to the attack source. Based on the switch information and the port status, a blocking instruction is generated, and the blocking instruction is sent to the switch connected to the attack source to perform a bypass blocking operation on the attack source.
5. The method according to claim 1, characterized in that, The step of identifying abnormal behavior within the target network based on the network traffic data includes: The network traffic data is input into a pre-trained deep learning model; the pre-trained deep learning model includes a load feature extraction network, a temporal feature extraction network, and a feature classification network; the network traffic data includes network load data and traffic statistics data. The network load data is subjected to feature extraction by the load feature extraction network to obtain the corresponding load features, and the traffic statistics data is subjected to feature extraction by the time series feature extraction network to obtain the corresponding time series features. The load characteristics and the time-series characteristics are fused to obtain the network traffic characteristics corresponding to the network traffic data; The network traffic features are input into the feature classification network for classification processing, and the probability distribution results of each abnormal behavior category corresponding to the network traffic data are output. Based on the probability distribution results, the abnormal behavior category to which the network traffic data belongs is determined, and based on the abnormal behavior category, the abnormal behavior within the target network is determined.
6. The method according to claim 1, characterized in that, The target entity includes an access device and an access account; the step of performing identity verification on the target entity to obtain the entity authentication result corresponding to the target entity includes: The access device is authenticated using a pre-allocated key pair and digital certificate, and the access account is authenticated using multiple authentication methods to obtain the entity authentication result corresponding to the target entity. After performing permission binding on the initial network isolation policy based on the entity authentication result to generate a target isolation policy for the target entity, the method further includes: Configure the corresponding temporary permissions for the target isolation policy and the usage time of the temporary permissions; If the duration of the temporary permission exceeds the permission usage time, the access permission of the target isolation policy shall be revoked.
7. A network isolation strategy processing device, characterized in that, The device includes: A construction module is used to collect environmental and entity information within the target network, and to construct an asset attribute database of the target network based on the environmental and entity information. The generation module is used to generate an initial network isolation policy for the target network based on the asset attribute database and a preset role-based access control model. The authentication module is used to perform identity verification on the target entity upon receiving a network access request from the target entity, and obtain the entity authentication result corresponding to the target entity. An isolation module is used to perform permission binding on the initial network isolation policy based on the entity authentication result, generate a target isolation policy for the target entity, and distribute the target isolation policy to network devices in the target network. The adjustment module is used to collect network traffic data when the network device executes the target isolation policy, identify abnormal behavior in the target network based on the network traffic data, and adjust the target isolation policy according to the abnormal behavior.
8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.